increase version

Modify get secrets logic
selectively get user email from service toke/jwt
2025-03-22 01:53:04 +00:00 · 2023-01-12 22:00:06 -08:00 · 2023-01-12 21:58:03 -08:00 · 2023-01-12 16:38:12 -08:00 · 2023-01-12 16:10:02 -08:00 · 2023-01-12 15:56:49 -08:00
339 changed files with 16810 additions and 4117 deletions
--- a/.github/workflows/check-be-pull-request.yml
+++ b/.github/workflows/check-be-pull-request.yml
@ -24,7 +24,7 @@ jobs:
          cache: "npm"
          cache-dependency-path: backend/package-lock.json
      - name: 📦 Install dependencies
-        run: npm ci --only-production --ignore-scripts
+        run: npm ci --only-production
        working-directory: backend
      - name: 🧪 Run tests
        run: npm run test:ci
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@ -1,4 +1,4 @@
-name: Push to Docker Hub
+name: Push frontend and backend to Dockerhub

 on: [workflow_dispatch]

@ -10,8 +10,9 @@ jobs:
    steps:
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
-      - name: 🔧 Set up QEMU
-        uses: docker/setup-qemu-action@v2
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
      - name: 🔧 Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: 🐋 Login to Docker Hub
@ -19,9 +20,13 @@ jobs:
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
      - name: 📦 Build backend and export to Docker
-        uses: docker/build-push-action@v3
+        uses: depot/build-push-action@v1
        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
          load: true
          context: backend
          tags: infisical/backend:test
@ -35,11 +40,14 @@ jobs:
        run: |
          docker compose -f .github/resources/docker-compose.be-test.yml down
      - name: 🏗️ Build backend and push
-        uses: docker/build-push-action@v3
+        uses: depot/build-push-action@v1
        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
          push: true
          context: backend
-          tags: infisical/backend:latest
+          tags: infisical/backend:${{ steps.commit.outputs.short }}, 
+                infisical/backend:latest
          platforms: linux/amd64,linux/arm64

  frontend-image:
@ -49,8 +57,9 @@ jobs:
    steps:
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
-      - name: 🔧 Set up QEMU
-        uses: docker/setup-qemu-action@v2
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
      - name: 🔧 Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: 🐋 Login to Docker Hub
@ -58,10 +67,14 @@ jobs:
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
      - name: 📦 Build frontend and export to Docker
-        uses: docker/build-push-action@v3
+        uses: depot/build-push-action@v1
        with:
          load: true
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          project: 64mmf0n610
          context: frontend
          tags: infisical/frontend:test
          build-args: |
@ -76,11 +89,14 @@ jobs:
        run: |
          docker stop infisical-frontend-test
      - name: 🏗️ Build frontend and push
-        uses: docker/build-push-action@v3
+        uses: depot/build-push-action@v1
        with:
+          project: 64mmf0n610
          push: true
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
          context: frontend
-          tags: infisical/frontend:latest
+          tags: infisical/frontend:${{ steps.commit.outputs.short }}, 
+                infisical/frontend:latest
          platforms: linux/amd64,linux/arm64
          build-args: |
-            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
+            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
--- a/.github/workflows/release_build.yml
+++ b/.github/workflows/release_build.yml
@ -1,4 +1,4 @@
-name: Go releaser
+name: Build and release CLI

 on:
  push:
--- a/.gitignore
+++ b/.gitignore
@ -12,6 +12,8 @@ node_modules
 .DS_Store

 /dist
+/completions/
+/manpages/

 # frontend

--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -6,6 +6,11 @@
 #     - cd cli && go mod tidy
 #     # you may remove this if you don't need go generate
 #     - cd cli && go generate ./...
+before:
+  hooks:
+    - ./cli/scripts/completions.sh
+    - ./cli/scripts/manpages.sh
+
 builds:
  - id: darwin-build
    binary: infisical
@ -44,6 +49,16 @@ builds:
        goarch: "386"
    dir: ./cli

+archives:
+  - format_overrides:
+      - goos: windows
+        format: zip
+    files:
+      - README*
+      - LICENSE*
+      - manpages/*
+      - completions/*
+
 release:
  replace_existing_draft: true
  mode: 'replace'
@ -92,6 +107,15 @@ nfpms:
  - apk
  - archlinux
  bindir: /usr/bin
+  contents:
+    - src: ./completions/infisical.bash
+      dst: /etc/bash_completion.d/infisical
+    - src: ./completions/infisical.fish
+      dst: /usr/share/fish/vendor_completions.d/infisical.fish
+    - src: ./completions/infisical.zsh
+      dst: /usr/share/zsh/site-functions/_infisical
+    - src: ./manpages/infisical.1.gz
+      dst: /usr/share/man/man1/infisical.1.gz
 scoop:
  bucket:
    owner: Infisical
@ -117,7 +141,15 @@ aurs:
      install -Dm755 "./infisical" "${pkgdir}/usr/bin/infisical"
      # license
      install -Dm644 "./LICENSE" "${pkgdir}/usr/share/licenses/infisical/LICENSE"
-
+      # completions
+      mkdir -p "${pkgdir}/usr/share/bash-completion/completions/"
+      mkdir -p "${pkgdir}/usr/share/zsh/site-functions/"
+      mkdir -p "${pkgdir}/usr/share/fish/vendor_completions.d/"
+      install -Dm644 "./completions/infisical.bash" "${pkgdir}/usr/share/bash-completion/completions/infisical"
+      install -Dm644 "./completions/infisical.zsh" "${pkgdir}/usr/share/zsh/site-functions/infisical"
+      install -Dm644 "./completions/infisical.fish" "${pkgdir}/usr/share/fish/vendor_completions.d/infisical.fish"
+      # man pages
+      install -Dm644 "./manpages/infisical.1.gz" "${pkgdir}/usr/share/man/man1/infisical.1.gz"
 # dockers:
 #   - dockerfile: goreleaser.dockerfile
 #     goos: linux
--- a/README.md
+++ b/README.md
@ -21,7 +21,7 @@
  <a href="https://github.com/infisical/infisical/blob/main/CONTRIBUTING.md">
    <img src="https://img.shields.io/badge/PRs-Welcome-brightgreen" alt="PRs welcome!" />
  </a>
-  <a href="">
+  <a href="https://github.com/Infisical/infisical/issues">
    <img src="https://img.shields.io/github/commit-activity/m/infisical/infisical" alt="git commit activity" />
  </a>
  <a href="https://join.slack.com/t/infisical-users/shared_invite/zt-1kdbk07ro-RtoyEt_9E~fyzGo_xQYP6g">
@ -40,13 +40,15 @@
 - **[Language-Agnostic CLI](https://infisical.com/docs/cli/overview)** that pulls and injects environment variables into your local workflow
 - **[Complete control over your data](https://infisical.com/docs/self-hosting/overview)** - host it yourself on any infrastructure
 - **Navigate Multiple Environments** per project (e.g. development, staging, production, etc.)
- **Personal/Shared** scoping for environment variables
- **[Integrations](https://infisical.com/docs/integrations/overview)** with CI/CD and production infrastructure (Heroku available, more coming soon)
+- **Personal overrides** for environment variables
+- **[Integrations](https://infisical.com/docs/integrations/overview)** with CI/CD and production infrastructure
+- **[Secret Versioning](https://infisical.com/docs/getting-started/dashboard/versioning)** - check the history of change for any secret
+- **[Activity Logs](https://infisical.com/docs/getting-started/dashboard/audit-logs)** - check what user in the project is performing what actions with secrets
+- **[Point-in-time Secrets Recovery](https://infisical.com/docs/getting-started/dashboard/pit-recovery)** - roll back to any snapshot of you secrets
 - 🔜 **1-Click Deploy** to Digital Ocean and Heroku
 - 🔜 **Authentication/Authorization** for projects (read/write controls soon)
 - 🔜 **Automatic Secret Rotation**
 - 🔜 **2FA**
- 🔜 **Access Logs**
 - 🔜 **Slack Integration & MS Teams** integrations

 And more.
@ -65,7 +67,7 @@ To quickly get started, visit our [get started guide](https://infisical.com/docs

 Infisical makes secret management simple and end-to-end encrypted by default. We're on a mission to make it more accessible to all developers, <i>not just security teams</i>.

-According to a [report](https://www.ekransystem.com/en/blog/secrets-management) in 2019, only 10% of organizations use secret management solutions despite all using digital secrets to some extent.
+According to a [report](https://www.ekransystem.com/en/blog/secrets-management), only 10% of organizations use secret management solutions despite all using digital secrets to some extent.

 If you care about efficiency and security, then Infisical is right for you.

@ -270,13 +272,13 @@ We're currently setting the foundation and building [integrations](https://infis
    </tr>
    <tr>
      <td align="left" valign="middle">
-        <a href="https://infisical.com/docs/integrations/frameworks/rails?ref=github.com">
-          ✔️ Ruby on Rails
+        <a href="https://infisical.com/docs/integrations/frameworks/vue?ref=github.com">
+          ✔️ Vue
        </a>
      </td>
      <td align="left" valign="middle">
-        <a href="https://infisical.com/docs/integrations/frameworks/vue?ref=github.com">
-          ✔️ Vue
+        <a href="https://infisical.com/docs/integrations/frameworks/rails?ref=github.com">
+          ✔️ Ruby on Rails
        </a>
      </td>
    </tr>
@ -292,6 +294,16 @@ We're currently setting the foundation and building [integrations](https://infis
        </a>
      </td>
    </tr>
+    <tr>
+      <td align="left" valign="middle">
+        <a href="https://infisical.com/docs/integrations/frameworks/dotnet?ref=github.com">
+          ✔️ .NET
+        </a>
+      </td>
+      <td align="left" valign="middle">
+        And more...
+      </td>
+    </tr>
  </tbody>
 </table>

@ -309,7 +321,7 @@ Looking to report a security vulnerability? Please don't post about it in GitHub

 ## 🚨 Stay Up-to-Date

-Infisical officially launched as v.1.0 on November 21st, 2022. However, a lot of new features are coming very quickly. Watch **releases** of this repository to be notified about future updates:
+Infisical officially launched as v.1.0 on November 21st, 2022. There are a lot of new features coming very frequently. Watch **releases** of this repository to be notified about future updates:

 ![infisical-star-github](https://github.com/Infisical/infisical/blob/main/.github/images/star-infisical.gif?raw=true)

@ -321,4 +333,10 @@ Infisical officially launched as v.1.0 on November 21st, 2022. However, a lot of
 <!-- prettier-ignore-start -->
 <!-- markdownlint-disable -->

-<a href="https://github.com/dangtony98"><img src="https://avatars.githubusercontent.com/u/25857006?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/mv-turtle"><img src="https://avatars.githubusercontent.com/u/78047717?s=96&v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/maidul98"><img src="https://avatars.githubusercontent.com/u/9300960?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/gangjun06"><img src="https://avatars.githubusercontent.com/u/50910815?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/reginaldbondoc"><img src="https://avatars.githubusercontent.com/u/7693108?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/SH5H"><img src="https://avatars.githubusercontent.com/u/25437192?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/gmgale"><img src="https://avatars.githubusercontent.com/u/62303146?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/asharonbaltazar"><img src="https://avatars.githubusercontent.com/u/58940073?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/edgarrmondragon"><img src="https://avatars.githubusercontent.com/u/16805946?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/arjunyel"><img src="https://avatars.githubusercontent.com/u/11153289?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/LemmyMwaura"><img src="https://avatars.githubusercontent.com/u/20738858?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/Zamion101"><img src="https://avatars.githubusercontent.com/u/8071263?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/akhilmhdh"><img src="https://avatars.githubusercontent.com/u/31166322?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/naorpeled"><img src="https://avatars.githubusercontent.com/u/6171622?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/jonerrr"><img src="https://avatars.githubusercontent.com/u/73760377?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/adrianmarinwork"><img src="https://avatars.githubusercontent.com/u/118568289?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/arthurzenika"><img src="https://avatars.githubusercontent.com/u/445200?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/hanywang2"><img src="https://avatars.githubusercontent.com/u/44352119?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/tobias-mintlify"><img src="https://avatars.githubusercontent.com/u/110702161?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/wjhurley"><img src="https://avatars.githubusercontent.com/u/15939055?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/0xflotus"><img src="https://avatars.githubusercontent.com/u/26602940?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/wanjohiryan"><img src="https://avatars.githubusercontent.com/u/71614375?v=4" width="50" height="50" alt=""/></a>
+<a href="https://github.com/dangtony98"><img src="https://avatars.githubusercontent.com/u/25857006?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/mv-turtle"><img src="https://avatars.githubusercontent.com/u/78047717?s=96&v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/maidul98"><img src="https://avatars.githubusercontent.com/u/9300960?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/gangjun06"><img src="https://avatars.githubusercontent.com/u/50910815?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/reginaldbondoc"><img src="https://avatars.githubusercontent.com/u/7693108?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/SH5H"><img src="https://avatars.githubusercontent.com/u/25437192?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/gmgale"><img src="https://avatars.githubusercontent.com/u/62303146?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/asharonbaltazar"><img src="https://avatars.githubusercontent.com/u/58940073?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/JoaoVictor6"><img src="https://avatars.githubusercontent.com/u/68869379?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/mocherfaoui"><img src="https://avatars.githubusercontent.com/u/37941426?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/jon4hz"><img src="https://avatars.githubusercontent.com/u/26183582?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/edgarrmondragon"><img src="https://avatars.githubusercontent.com/u/16805946?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/arjunyel"><img src="https://avatars.githubusercontent.com/u/11153289?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/LemmyMwaura"><img src="https://avatars.githubusercontent.com/u/20738858?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/Zamion101"><img src="https://avatars.githubusercontent.com/u/8071263?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/akhilmhdh"><img src="https://avatars.githubusercontent.com/u/31166322?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/naorpeled"><img src="https://avatars.githubusercontent.com/u/6171622?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/jonerrr"><img src="https://avatars.githubusercontent.com/u/73760377?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/adrianmarinwork"><img src="https://avatars.githubusercontent.com/u/118568289?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/arthurzenika"><img src="https://avatars.githubusercontent.com/u/445200?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/hanywang2"><img src="https://avatars.githubusercontent.com/u/44352119?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/tobias-mintlify"><img src="https://avatars.githubusercontent.com/u/110702161?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/wjhurley"><img src="https://avatars.githubusercontent.com/u/15939055?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/0xflotus"><img src="https://avatars.githubusercontent.com/u/26602940?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/wanjohiryan"><img src="https://avatars.githubusercontent.com/u/71614375?v=4" width="50" height="50" alt=""/></a>
+
+## 🌎 Translations
+
+Infisical is currently available in English and Korean. Help us translate Infisical to your language! 
+
+You can find all the info in [this issue](https://github.com/Infisical/infisical/issues/181).
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@ -4,7 +4,10 @@ WORKDIR /app

 COPY package.json package-lock.json ./

-RUN npm ci --only-production --ignore-scripts
+# RUN npm ci --only-production --ignore-scripts
+# "prepare": "cd .. && npm install"
+
+RUN npm ci --only-production

 COPY . .

--- a/backend/api-documentation.json
+++ b/backend/api-documentation.json
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
--- a/backend/package.json
+++ b/backend/package.json
@ -1,44 +1,11 @@
 {
-  "dependencies": {
-    "@godaddy/terminus": "^4.11.2",
-    "@octokit/rest": "^19.0.5",
-    "@sentry/node": "^7.14.0",
-    "@sentry/tracing": "^7.19.0",
-    "@types/crypto-js": "^4.1.1",
-    "@types/libsodium-wrappers": "^0.7.10",
-    "axios": "^1.1.3",
-    "bigint-conversion": "^2.2.2",
-    "cookie-parser": "^1.4.6",
-    "cors": "^2.8.5",
-    "crypto-js": "^4.1.1",
-    "dotenv": "^16.0.1",
-    "express": "^4.18.1",
-    "express-rate-limit": "^6.7.0",
-    "express-validator": "^6.14.2",
-    "handlebars": "^4.7.7",
-    "helmet": "^5.1.1",
-    "jsonwebtoken": "^9.0.0",
-    "jsrp": "^0.2.4",
-    "libsodium-wrappers": "^0.7.10",
-    "mongoose": "^6.7.2",
-    "nodemailer": "^6.8.0",
-    "posthog-node": "^2.2.2",
-    "query-string": "^7.1.3",
-    "rimraf": "^3.0.2",
-    "stripe": "^10.7.0",
-    "tweetnacl": "^1.0.3",
-    "tweetnacl-util": "^0.15.1",
-    "typescript": "^4.9.3",
-    "winston": "^3.8.2",
-    "winston-loki": "^6.0.6"
-  },
  "name": "infisical-api",
  "version": "1.0.0",
  "main": "src/index.js",
  "scripts": {
-    "prepare": "cd .. && npm install",
    "start": "npm run build && node build/index.js",
    "dev": "nodemon",
+    "swagger-autogen": "node ./swagger.ts",
    "build": "rimraf ./build && tsc && cp -R ./src/templates ./build",
    "lint": "eslint . --ext .ts",
    "lint-and-fix": "eslint . --ext .ts --fix",
@ -62,6 +29,8 @@
  "devDependencies": {
    "@jest/globals": "^29.3.1",
    "@posthog/plugin-scaffold": "^1.3.4",
+    "@types/bcrypt": "^5.0.0",
+    "@types/bcryptjs": "^2.4.2",
    "@types/cookie-parser": "^1.4.3",
    "@types/cors": "^2.8.12",
    "@types/express": "^4.17.14",
@ -104,5 +73,43 @@
    "suiteNameTemplate": "{filepath}",
    "classNameTemplate": "{classname}",
    "titleTemplate": "{title}"
+  },
+  "dependencies": {
+    "@godaddy/terminus": "^4.11.2",
+    "@octokit/rest": "^19.0.5",
+    "@sentry/node": "^7.14.0",
+    "@sentry/tracing": "^7.19.0",
+    "@types/crypto-js": "^4.1.1",
+    "@types/libsodium-wrappers": "^0.7.10",
+    "await-to-js": "^3.0.0",
+    "axios": "^1.1.3",
+    "bcrypt": "^5.1.0",
+    "bigint-conversion": "^2.2.2",
+    "cookie-parser": "^1.4.6",
+    "cors": "^2.8.5",
+    "crypto-js": "^4.1.1",
+    "dotenv": "^16.0.1",
+    "express": "^4.18.1",
+    "express-rate-limit": "^6.7.0",
+    "express-validator": "^6.14.2",
+    "handlebars": "^4.7.7",
+    "helmet": "^5.1.1",
+    "jsonwebtoken": "^9.0.0",
+    "jsrp": "^0.2.4",
+    "libsodium-wrappers": "^0.7.10",
+    "mongoose": "^6.7.2",
+    "nodemailer": "^6.8.0",
+    "posthog-node": "^2.2.2",
+    "query-string": "^7.1.3",
+    "rimraf": "^3.0.2",
+    "stripe": "^10.7.0",
+    "swagger-autogen": "^2.22.0",
+    "swagger-ui-express": "^4.6.0",
+    "tweetnacl": "^1.0.3",
+    "tweetnacl-util": "^0.15.1",
+    "typescript": "^4.9.3",
+    "utility-types": "^3.10.0",
+    "winston": "^3.8.2",
+    "winston-loki": "^6.0.6"
  }
 }
--- a/backend/src/app.ts
+++ b/backend/src/app.ts
@ -1,11 +1,15 @@
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const { patchRouterParam } = require('./utils/patchAsyncRoutes');

-import express from 'express';
+import express, { Request, Response } from 'express';
 import helmet from 'helmet';
 import cors from 'cors';
 import cookieParser from 'cookie-parser';
 import dotenv from 'dotenv';
+import swaggerUi = require('swagger-ui-express');
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const swaggerFile = require('../api-documentation.json')
+

 dotenv.config();
 import { PORT, NODE_ENV, SITE_URL } from './config';
@ -13,28 +17,38 @@ import { apiLimiter } from './helpers/rateLimiter';

 import {
  workspace as eeWorkspaceRouter,
-  secret as eeSecretRouter
-} from './ee/routes';
-
+  secret as eeSecretRouter,
+  secretSnapshot as eeSecretSnapshotRouter,
+  action as eeActionRouter
+} from './ee/routes/v1';
 import {
-  signup as signupRouter,
-  auth as authRouter,
-  bot as botRouter,
-  organization as organizationRouter,
-  workspace as workspaceRouter,
-  membershipOrg as membershipOrgRouter,
-  membership as membershipRouter,
-  key as keyRouter,
-  inviteOrg as inviteOrgRouter,
-  user as userRouter,
-  userAction as userActionRouter,
-  secret as secretRouter,
-  serviceToken as serviceTokenRouter,
-  password as passwordRouter,
-  stripe as stripeRouter,
-  integration as integrationRouter,
-  integrationAuth as integrationAuthRouter
-} from './routes';
+  signup as v1SignupRouter,
+  auth as v1AuthRouter,
+  bot as v1BotRouter,
+  organization as v1OrganizationRouter,
+  workspace as v1WorkspaceRouter,
+  membershipOrg as v1MembershipOrgRouter,
+  membership as v1MembershipRouter,
+  key as v1KeyRouter,
+  inviteOrg as v1InviteOrgRouter,
+  user as v1UserRouter,
+  userAction as v1UserActionRouter,
+  secret as v1SecretRouter,
+  serviceToken as v1ServiceTokenRouter,
+  password as v1PasswordRouter,
+  stripe as v1StripeRouter,
+  integration as v1IntegrationRouter,
+  integrationAuth as v1IntegrationAuthRouter
+} from './routes/v1';
+import {
+  secret as v2SecretRouter,
+  secrets as v2SecretsRouter,
+  workspace as v2WorkspaceRouter,
+  serviceTokenData as v2ServiceTokenDataRouter,
+  apiKeyData as v2APIKeyDataRouter,
+} from './routes/v2';
+
+import { healthCheck } from './routes/status';

 import { getLogger } from './utils/logger';
 import { RouteNotFoundError } from './utils/errors';
@ -63,34 +77,48 @@ if (NODE_ENV === 'production') {
  app.use(helmet());
 }

-// /ee routers
+// (EE) routes
 app.use('/api/v1/secret', eeSecretRouter);
+app.use('/api/v1/secret-snapshot', eeSecretSnapshotRouter);
 app.use('/api/v1/workspace', eeWorkspaceRouter);
+app.use('/api/v1/action', eeActionRouter);

-// routers
-app.use('/api/v1/signup', signupRouter);
-app.use('/api/v1/auth', authRouter);
-app.use('/api/v1/bot', botRouter);
-app.use('/api/v1/user', userRouter);
-app.use('/api/v1/user-action', userActionRouter);
-app.use('/api/v1/organization', organizationRouter);
-app.use('/api/v1/workspace', workspaceRouter);
-app.use('/api/v1/membership-org', membershipOrgRouter);
-app.use('/api/v1/membership', membershipRouter);
-app.use('/api/v1/key', keyRouter);
-app.use('/api/v1/invite-org', inviteOrgRouter);
-app.use('/api/v1/secret', secretRouter);
-app.use('/api/v1/service-token', serviceTokenRouter);
-app.use('/api/v1/password', passwordRouter);
-app.use('/api/v1/stripe', stripeRouter);
-app.use('/api/v1/integration', integrationRouter);
-app.use('/api/v1/integration-auth', integrationAuthRouter);
+// v1 routes
+app.use('/api/v1/signup', v1SignupRouter);
+app.use('/api/v1/auth', v1AuthRouter);
+app.use('/api/v1/bot', v1BotRouter);
+app.use('/api/v1/user', v1UserRouter);
+app.use('/api/v1/user-action', v1UserActionRouter);
+app.use('/api/v1/organization', v1OrganizationRouter);
+app.use('/api/v1/workspace', v1WorkspaceRouter);
+app.use('/api/v1/membership-org', v1MembershipOrgRouter);
+app.use('/api/v1/membership', v1MembershipRouter);
+app.use('/api/v1/key', v1KeyRouter);
+app.use('/api/v1/invite-org', v1InviteOrgRouter);
+app.use('/api/v1/secret', v1SecretRouter);
+app.use('/api/v1/service-token', v1ServiceTokenRouter); // stop supporting
+app.use('/api/v1/password', v1PasswordRouter);
+app.use('/api/v1/stripe', v1StripeRouter);
+app.use('/api/v1/integration', v1IntegrationRouter);
+app.use('/api/v1/integration-auth', v1IntegrationAuthRouter);

+// v2 routes
+app.use('/api/v2/workspace', v2WorkspaceRouter); // TODO: turn into plural route
+app.use('/api/v2/secret', v2SecretRouter); // stop supporting, TODO: revise
+app.use('/api/v2/secrets', v2SecretsRouter);
+app.use('/api/v2/service-token', v2ServiceTokenDataRouter); // TODO: turn into plural route
+app.use('/api/v2/api-key-data', v2APIKeyDataRouter);
+
+// api docs 
+app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerFile))
+
+// Server status
+app.use('/api', healthCheck)

 //* Handle unrouted requests and respond with proper error message as well as status code
-app.use((req, res, next)=>{
-  if(res.headersSent) return next();
-  next(RouteNotFoundError({message: `The requested source '(${req.method})${req.url}' was not found`}))
+app.use((req, res, next) => {
+  if (res.headersSent) return next();
+  next(RouteNotFoundError({ message: `The requested source '(${req.method})${req.url}' was not found` }))
 })

 //* Error Handling Middleware (must be after all routing logic)
--- a/backend/src/config/index.ts
+++ b/backend/src/config/index.ts
@ -1,6 +1,7 @@
 const PORT = process.env.PORT || 4000;
 const EMAIL_TOKEN_LIFETIME = process.env.EMAIL_TOKEN_LIFETIME! || '86400';
 const ENCRYPTION_KEY = process.env.ENCRYPTION_KEY!;
+const SALT_ROUNDS = parseInt(process.env.SALT_ROUNDS!) || 10;
 const JWT_AUTH_LIFETIME = process.env.JWT_AUTH_LIFETIME! || '10d';
 const JWT_AUTH_SECRET = process.env.JWT_AUTH_SECRET!;
 const JWT_REFRESH_LIFETIME = process.env.JWT_REFRESH_LIFETIME! || '90d';
@ -47,6 +48,7 @@ export {
  PORT,
  EMAIL_TOKEN_LIFETIME,
  ENCRYPTION_KEY,
+  SALT_ROUNDS,
  JWT_AUTH_LIFETIME,
  JWT_AUTH_SECRET,
  JWT_REFRESH_LIFETIME,
--- a/backend/src/controllers/v1/authController.ts
+++ b/backend/src/controllers/v1/authController.ts
@ -4,14 +4,14 @@ import jwt from 'jsonwebtoken';
 import * as Sentry from '@sentry/node';
 import * as bigintConversion from 'bigint-conversion';
 const jsrp = require('jsrp');
-import { User } from '../models';
-import { createToken, issueTokens, clearTokens } from '../helpers/auth';
+import { User } from '../../models';
+import { createToken, issueTokens, clearTokens } from '../../helpers/auth';
 import {
  NODE_ENV,
  JWT_AUTH_LIFETIME,
  JWT_AUTH_SECRET,
  JWT_REFRESH_SECRET
-} from '../config';
+} from '../../config';

 declare module 'jsonwebtoken' {
  export interface UserIDJwtPayload extends jwt.JwtPayload {
--- a/backend/src/controllers/v1/botController.ts
+++ b/backend/src/controllers/v1/botController.ts
@ -1,7 +1,7 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { Bot, BotKey } from '../models';
-import { createBot } from '../helpers/bot';
+import { Bot, BotKey } from '../../models';
+import { createBot } from '../../helpers/bot';

 interface BotKey {
    encryptedKey: string;
--- a/backend/src/controllers/v1/index.ts
+++ b/backend/src/controllers/v1/index.ts
--- a/backend/src/controllers/v1/integrationAuthController.ts
+++ b/backend/src/controllers/v1/integrationAuthController.ts
@ -2,10 +2,10 @@ import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
 import axios from 'axios';
 import { readFileSync } from 'fs';
-import { IntegrationAuth, Integration } from '../models';
-import { INTEGRATION_SET, INTEGRATION_OPTIONS, ENV_DEV } from '../variables';
-import { IntegrationService } from '../services';
-import { getApps, revokeAccess } from '../integrations';
+import { IntegrationAuth, Integration } from '../../models';
+import { INTEGRATION_SET, INTEGRATION_OPTIONS, ENV_DEV } from '../../variables';
+import { IntegrationService } from '../../services';
+import { getApps, revokeAccess } from '../../integrations';

 export const getIntegrationOptions = async (
 	req: Request,
--- a/backend/src/controllers/v1/integrationController.ts
+++ b/backend/src/controllers/v1/integrationController.ts
@ -1,9 +1,9 @@
 import { Request, Response } from 'express';
 import { readFileSync } from 'fs';
 import * as Sentry from '@sentry/node';
-import { Integration, Bot, BotKey } from '../models';
-import { EventService } from '../services';
-import { eventPushSecrets } from '../events';
+import { Integration, Bot, BotKey } from '../../models';
+import { EventService } from '../../services';
+import { eventPushSecrets } from '../../events';

 interface Key {
 	encryptedKey: string;
--- a/backend/src/controllers/v1/keyController.ts
+++ b/backend/src/controllers/v1/keyController.ts
@ -1,8 +1,7 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { Key } from '../models';
-import { findMembership } from '../helpers/membership';
-import { GRANTED } from '../variables';
+import { Key } from '../../models';
+import { findMembership } from '../../helpers/membership';

 /**
 * Add (encrypted) copy of workspace key for workspace with id [workspaceId] for user with
@ -26,9 +25,6 @@ export const uploadKey = async (req: Request, res: Response) => {
 			throw new Error('Failed receiver membership validation for workspace');
 		}

-		receiverMembership.status = GRANTED;
-		await receiverMembership.save();
-
 		await new Key({
 			encryptedKey: key.encryptedKey,
 			nonce: key.nonce,
--- a/backend/src/controllers/v1/membershipController.ts
+++ b/backend/src/controllers/v1/membershipController.ts
@ -1,13 +1,13 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { Membership, MembershipOrg, User, Key } from '../models';
+import { Membership, MembershipOrg, User, Key } from '../../models';
 import {
 	findMembership,
 	deleteMembership as deleteMember
-} from '../helpers/membership';
-import { sendMail } from '../helpers/nodemailer';
-import { SITE_URL } from '../config';
-import { ADMIN, MEMBER, GRANTED, ACCEPTED } from '../variables';
+} from '../../helpers/membership';
+import { sendMail } from '../../helpers/nodemailer';
+import { SITE_URL } from '../../config';
+import { ADMIN, MEMBER, ACCEPTED } from '../../variables';

 /**
 * Check that user is a member of workspace with id [workspaceId]
@ -175,8 +175,7 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
 		// already a member of the workspace
 		const inviteeMembership = await Membership.findOne({
 			user: invitee._id,
-			workspace: workspaceId,
-			status: GRANTED
+			workspace: workspaceId
 		});

 		if (inviteeMembership)
@ -205,8 +204,7 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
 		const m = await new Membership({
 			user: invitee._id,
 			workspace: workspaceId,
-			role: MEMBER,
-			status: GRANTED
+			role: MEMBER
 		}).save();

 		await sendMail({
--- a/backend/src/controllers/v1/membershipOrgController.ts
+++ b/backend/src/controllers/v1/membershipOrgController.ts
@ -1,14 +1,14 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
 import crypto from 'crypto';
-import { SITE_URL, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET } from '../config';
-import { MembershipOrg, Organization, User, Token } from '../models';
-import { deleteMembershipOrg as deleteMemberFromOrg } from '../helpers/membershipOrg';
-import { checkEmailVerification } from '../helpers/signup';
-import { createToken } from '../helpers/auth';
-import { updateSubscriptionOrgQuantity } from '../helpers/organization';
-import { sendMail } from '../helpers/nodemailer';
-import { OWNER, ADMIN, MEMBER, ACCEPTED, INVITED } from '../variables';
+import { SITE_URL, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET } from '../../config';
+import { MembershipOrg, Organization, User, Token } from '../../models';
+import { deleteMembershipOrg as deleteMemberFromOrg } from '../../helpers/membershipOrg';
+import { checkEmailVerification } from '../../helpers/signup';
+import { createToken } from '../../helpers/auth';
+import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
+import { sendMail } from '../../helpers/nodemailer';
+import { OWNER, ADMIN, MEMBER, ACCEPTED, INVITED } from '../../variables';

 /**
 * Delete organization membership with id [membershipOrgId] from organization
@ -80,14 +80,14 @@ export const changeMembershipOrgRole = async (req: Request, res: Response) => {
 	// TODO

 	let membershipToChangeRole;
-	try {
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to change organization membership role'
-		});
-	}
+	// try {
+	// } catch (err) {
+	// 	Sentry.setUser({ email: req.user.email });
+	// 	Sentry.captureException(err);
+	// 	return res.status(400).send({
+	// 		message: 'Failed to change organization membership role'
+	// 	});
+	// }

 	return res.status(200).send({
 		membershipOrg: membershipToChangeRole
@ -115,13 +115,14 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 		if (!membershipOrg) {
 			throw new Error('Failed to validate organization membership');
 		}
-
+		
 		invitee = await User.findOne({
 			email: inviteeEmail
-		});
+		}).select('+publicKey');

 		if (invitee) {
 			// case: invitee is an existing user
+			
 			inviteeMembershipOrg = await MembershipOrg.findOne({
 				user: invitee._id,
 				organization: organizationId
@ -218,12 +219,6 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
 		const { email, code } = req.body;

 		user = await User.findOne({ email }).select('+publicKey');
-		if (user && user?.publicKey) {
-			// case: user has already completed account
-			return res.status(403).send({
-				error: 'Failed email magic link verification for complete account'
-			});
-		}

 		const membershipOrg = await MembershipOrg.findOne({
 			inviteEmail: email,
@ -238,6 +233,18 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
 			code
 		});

+		if (user && user?.publicKey) {
+			// case: user has already completed account
+			// membership can be approved and redirected to login/dashboard
+			membershipOrg.status = ACCEPTED;
+			await membershipOrg.save();
+
+			return res.status(200).send({
+				message: 'Successfully verified email',
+				user,
+			});
+        }
+
 		if (!user) {
 			// initialize user account
 			user = await new User({
--- a/backend/src/controllers/v1/organizationController.ts
+++ b/backend/src/controllers/v1/organizationController.ts
@ -6,7 +6,7 @@ import {
 	STRIPE_PRODUCT_STARTER,
 	STRIPE_PRODUCT_PRO,
 	STRIPE_PRODUCT_CARD_AUTH
-} from '../config';
+} from '../../config';
 import Stripe from 'stripe';

 const stripe = new Stripe(STRIPE_SECRET_KEY, {
@ -18,10 +18,10 @@ import {
 	Organization,
 	Workspace,
 	IncidentContactOrg
-} from '../models';
-import { createOrganization as create } from '../helpers/organization';
-import { addMembershipsOrg } from '../helpers/membershipOrg';
-import { OWNER, ACCEPTED } from '../variables';
+} from '../../models';
+import { createOrganization as create } from '../../helpers/organization';
+import { addMembershipsOrg } from '../../helpers/membershipOrg';
+import { OWNER, ACCEPTED } from '../../variables';

 const productToPriceMap = {
 	starter: STRIPE_PRODUCT_STARTER,
--- a/backend/src/controllers/v1/passwordController.ts
+++ b/backend/src/controllers/v1/passwordController.ts
@ -1,13 +1,14 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
 import crypto from 'crypto';
+// eslint-disable-next-line @typescript-eslint/no-var-requires
 const jsrp = require('jsrp');
 import * as bigintConversion from 'bigint-conversion';
-import { User, Token, BackupPrivateKey } from '../models';
-import { checkEmailVerification } from '../helpers/signup';
-import { createToken } from '../helpers/auth';
-import { sendMail } from '../helpers/nodemailer';
-import { JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, SITE_URL } from '../config';
+import { User, Token, BackupPrivateKey } from '../../models';
+import { checkEmailVerification } from '../../helpers/signup';
+import { createToken } from '../../helpers/auth';
+import { sendMail } from '../../helpers/nodemailer';
+import { JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, SITE_URL } from '../../config';

 const clientPublicKeys: any = {};

--- a/backend/src/controllers/v1/secretController.ts
+++ b/backend/src/controllers/v1/secretController.ts
@ -1,16 +1,16 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { Key, Secret } from '../models';
+import { Key, Secret } from '../../models';
 import {
-	pushSecrets as push,
+	v1PushSecrets as push,
 	pullSecrets as pull,
 	reformatPullSecrets
-} from '../helpers/secret';
-import { pushKeys } from '../helpers/key';
-import { eventPushSecrets } from '../events';
-import { EventService } from '../services';
-import { ENV_SET } from '../variables';
-import { postHogClient } from '../services';
+} from '../../helpers/secret';
+import { pushKeys } from '../../helpers/key';
+import { eventPushSecrets } from '../../events';
+import { EventService } from '../../services';
+import { ENV_SET } from '../../variables';
+import { postHogClient } from '../../services';

 interface PushSecret {
 	ciphertextKey: string;
@ -21,6 +21,10 @@ interface PushSecret {
 	ivValue: string;
 	tagValue: string;
 	hashValue: string;
+	ciphertextComment: string;
+	ivComment: string;
+	tagComment: string;
+	hashComment: string;
 	type: 'shared' | 'personal';
 }

@ -119,7 +123,9 @@ export const pullSecrets = async (req: Request, res: Response) => {
 		secrets = await pull({
 			userId: req.user._id.toString(),
 			workspaceId,
-			environment
+			environment,
+			channel: channel ? channel : 'cli',
+			ipAddress: req.ip
 		});

 		key = await Key.findOne({
@ -184,7 +190,9 @@ export const pullSecretsServiceToken = async (req: Request, res: Response) => {
 		secrets = await pull({
 			userId: req.serviceToken.user._id.toString(),
 			workspaceId,
-			environment
+			environment,
+			channel: 'cli',
+			ipAddress: req.ip
 		});

 		key = {
--- a/backend/src/controllers/v1/serviceTokenController.ts
+++ b/backend/src/controllers/v1/serviceTokenController.ts
@ -1,8 +1,8 @@
 import { Request, Response } from 'express';
-import { ServiceToken } from '../models';
-import { createToken } from '../helpers/auth';
-import { ENV_SET } from '../variables';
-import { JWT_SERVICE_SECRET } from '../config';
+import { ServiceToken } from '../../models';
+import { createToken } from '../../helpers/auth';
+import { ENV_SET } from '../../variables';
+import { JWT_SERVICE_SECRET } from '../../config';

 /**
 * Return service token on request
@ -11,7 +11,6 @@ import { JWT_SERVICE_SECRET } from '../config';
 * @returns
 */
 export const getServiceToken = async (req: Request, res: Response) => {
-	// get service token
 	return res.status(200).send({
 		serviceToken: req.serviceToken
 	});
@ -73,4 +72,4 @@ export const createServiceToken = async (req: Request, res: Response) => {
 	return res.status(200).send({
 		token
 	});
-};
+};
--- a/backend/src/controllers/v1/signupController.ts
+++ b/backend/src/controllers/v1/signupController.ts
@ -1,15 +1,15 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { NODE_ENV, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET } from '../config';
-import { User, MembershipOrg } from '../models';
-import { completeAccount } from '../helpers/user';
+import { NODE_ENV, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET } from '../../config';
+import { User, MembershipOrg } from '../../models';
+import { completeAccount } from '../../helpers/user';
 import {
 	sendEmailVerification,
 	checkEmailVerification,
 	initializeDefaultOrg
-} from '../helpers/signup';
-import { issueTokens, createToken } from '../helpers/auth';
-import { INVITED, ACCEPTED } from '../variables';
+} from '../../helpers/signup';
+import { issueTokens, createToken } from '../../helpers/auth';
+import { INVITED, ACCEPTED } from '../../variables';
 import axios from 'axios';

 /**
--- a/backend/src/controllers/v1/stripeController.ts
+++ b/backend/src/controllers/v1/stripeController.ts
--- a/backend/src/controllers/v1/userActionController.ts
+++ b/backend/src/controllers/v1/userActionController.ts
@ -1,6 +1,6 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { UserAction } from '../models';
+import { UserAction } from '../../models';

 /**
 * Add user action [action]
--- a/backend/src/controllers/v1/userController.ts
+++ b/backend/src/controllers/v1/userController.ts
--- a/backend/src/controllers/v1/workspaceController.ts
+++ b/backend/src/controllers/v1/workspaceController.ts
@ -8,13 +8,14 @@ import {
 	IntegrationAuth,
 	IUser,
 	ServiceToken,
-} from '../models';
+	ServiceTokenData
+} from '../../models';
 import {
 	createWorkspace as create,
 	deleteWorkspace as deleteWork
-} from '../helpers/workspace';
-import { addMemberships } from '../helpers/membership';
-import { ADMIN, COMPLETED, GRANTED } from '../variables';
+} from '../../helpers/workspace';
+import { addMemberships } from '../../helpers/membership';
+import { ADMIN } from '../../variables';

 /**
 * Return public keys of members of workspace with id [workspaceId]
@ -32,13 +33,12 @@ export const getWorkspacePublicKeys = async (req: Request, res: Response) => {
 				workspace: workspaceId
 			}).populate<{ user: IUser }>('user', 'publicKey')
 		)
-			.filter((m) => m.status === COMPLETED || m.status === GRANTED)
-			.map((member) => {
-				return {
-					publicKey: member.user.publicKey,
-					userId: member.user._id
-				};
-			});
+		.map((member) => {
+			return {
+				publicKey: member.user.publicKey,
+				userId: member.user._id
+			};
+		});
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
@ -168,8 +168,7 @@ export const createWorkspace = async (req: Request, res: Response) => {
 		await addMemberships({
 			userIds: [req.user._id],
 			workspaceId: workspace._id.toString(),
-			roles: [ADMIN],
-			statuses: [GRANTED]
+			roles: [ADMIN]
 		});
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
--- a/backend/src/controllers/v2/apiKeyDataController.ts
+++ b/backend/src/controllers/v2/apiKeyDataController.ts
@ -0,0 +1,105 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import crypto from 'crypto';
+import bcrypt from 'bcrypt';
+import {
+    APIKeyData
+} from '../../models';
+import {
+    SALT_ROUNDS
+} from '../../config';
+
+/**
+ * Return API key data for user with id [req.user_id]
+ * @param req
+ * @param res 
+ * @returns 
+ */
+export const getAPIKeyData = async (req: Request, res: Response) => {
+    let apiKeyData;
+    try {
+        apiKeyData = await APIKeyData.find({
+            user: req.user._id
+        });
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: 'Failed to get API key data'
+        });
+    }
+    
+    return res.status(200).send({
+        apiKeyData
+    });
+}
+
+/**
+ * Create new API key data for user with id [req.user._id]
+ * @param req 
+ * @param res 
+ */
+export const createAPIKeyData = async (req: Request, res: Response) => {
+    let apiKey, apiKeyData;
+    try {
+        const { name, expiresIn } = req.body;
+        
+        const secret = crypto.randomBytes(16).toString('hex');
+        const secretHash = await bcrypt.hash(secret, SALT_ROUNDS);
+        
+		const expiresAt = new Date();
+		expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
+        
+        apiKeyData = await new APIKeyData({
+            name,
+            expiresAt,
+            user: req.user._id,
+            secretHash
+        }).save();
+        
+        // return api key data without sensitive data
+        apiKeyData = await APIKeyData.findById(apiKeyData._id);
+        
+        if (!apiKeyData) throw new Error('Failed to find API key data');
+        
+        apiKey = `ak.${apiKeyData._id.toString()}.${secret}`;
+            
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: 'Failed to API key data'
+        });
+    }
+    
+    return res.status(200).send({
+        apiKey,
+        apiKeyData
+    });
+}
+
+/**
+ * Delete API key data with id [apiKeyDataId].
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const deleteAPIKeyData = async (req: Request, res: Response) => {
+    let apiKeyData;
+    try {
+        const { apiKeyDataId } = req.params;
+
+        apiKeyData = await APIKeyData.findByIdAndDelete(apiKeyDataId);
+        
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: 'Failed to delete API key data'
+        });
+    }
+    
+    return res.status(200).send({
+        apiKeyData
+    });
+}
--- a/backend/src/controllers/v2/index.ts
+++ b/backend/src/controllers/v2/index.ts
@ -0,0 +1,13 @@
+import * as workspaceController from './workspaceController';
+import * as serviceTokenDataController from './serviceTokenDataController';
+import * as apiKeyDataController from './apiKeyDataController';
+import * as secretController from './secretController';
+import * as secretsController from './secretsController';
+
+export {
+    workspaceController,
+    serviceTokenDataController,
+    apiKeyDataController,
+    secretController,
+    secretsController
+}
--- a/backend/src/controllers/v2/secretController.ts
+++ b/backend/src/controllers/v2/secretController.ts
@ -0,0 +1,401 @@
+import to from "await-to-js";
+import { Request, Response } from "express";
+import mongoose, { Types } from "mongoose";
+import Secret, { ISecret } from "../../models/secret";
+import { CreateSecretRequestBody, ModifySecretRequestBody, SanitizedSecretForCreate, SanitizedSecretModify } from "../../types/secret";
+const { ValidationError } = mongoose.Error;
+import { BadRequestError, InternalServerError, UnauthorizedRequestError, ValidationError as RouteValidationError } from '../../utils/errors';
+import { AnyBulkWriteOperation } from 'mongodb';
+import { SECRET_PERSONAL, SECRET_SHARED } from "../../variables";
+import { postHogClient } from '../../services';
+
+/**
+ * Create secret for workspace with id [workspaceId] and environment [environment]
+ * @param req 
+ * @param res 
+ */
+export const createSecret = async (req: Request, res: Response) => {
+  const secretToCreate: CreateSecretRequestBody = req.body.secret;
+  const { workspaceId, environment } = req.params
+  const sanitizedSecret: SanitizedSecretForCreate = {
+    secretKeyCiphertext: secretToCreate.secretKeyCiphertext,
+    secretKeyIV: secretToCreate.secretKeyIV,
+    secretKeyTag: secretToCreate.secretKeyTag,
+    secretKeyHash: secretToCreate.secretKeyHash,
+    secretValueCiphertext: secretToCreate.secretValueCiphertext,
+    secretValueIV: secretToCreate.secretValueIV,
+    secretValueTag: secretToCreate.secretValueTag,
+    secretValueHash: secretToCreate.secretValueHash,
+    secretCommentCiphertext: secretToCreate.secretCommentCiphertext,
+    secretCommentIV: secretToCreate.secretCommentIV,
+    secretCommentTag: secretToCreate.secretCommentTag,
+    secretCommentHash: secretToCreate.secretCommentHash,
+    workspace: new Types.ObjectId(workspaceId),
+    environment,
+    type: secretToCreate.type,
+    user: new Types.ObjectId(req.user._id)
+  }
+
+
+  const [error, secret] = await to(Secret.create(sanitizedSecret).then())
+  if (error instanceof ValidationError) {
+    throw RouteValidationError({ message: error.message, stack: error.stack })
+  }
+
+  if (postHogClient) {
+    postHogClient.capture({
+      event: 'secrets added',
+      distinctId: req.user.email,
+      properties: {
+        numberOfSecrets: 1,
+        workspaceId,
+        environment,
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
+      }
+    });
+  }
+
+  res.status(200).send({
+    secret
+  })
+}
+
+/**
+ * Create many secrets for workspace wiht id [workspaceId] and environment [environment]
+ * @param req 
+ * @param res 
+ */
+export const createSecrets = async (req: Request, res: Response) => {
+  const secretsToCreate: CreateSecretRequestBody[] = req.body.secrets;
+  const { workspaceId, environment } = req.params
+  const sanitizedSecretesToCreate: SanitizedSecretForCreate[] = []
+
+  secretsToCreate.forEach(rawSecret => {
+    const safeUpdateFields: SanitizedSecretForCreate = {
+      secretKeyCiphertext: rawSecret.secretKeyCiphertext,
+      secretKeyIV: rawSecret.secretKeyIV,
+      secretKeyTag: rawSecret.secretKeyTag,
+      secretKeyHash: rawSecret.secretKeyHash,
+      secretValueCiphertext: rawSecret.secretValueCiphertext,
+      secretValueIV: rawSecret.secretValueIV,
+      secretValueTag: rawSecret.secretValueTag,
+      secretValueHash: rawSecret.secretValueHash,
+      secretCommentCiphertext: rawSecret.secretCommentCiphertext,
+      secretCommentIV: rawSecret.secretCommentIV,
+      secretCommentTag: rawSecret.secretCommentTag,
+      secretCommentHash: rawSecret.secretCommentHash,
+      workspace: new Types.ObjectId(workspaceId),
+      environment,
+      type: rawSecret.type,
+      user: new Types.ObjectId(req.user._id)
+    }
+
+    sanitizedSecretesToCreate.push(safeUpdateFields)
+  })
+
+  const [bulkCreateError, secrets] = await to(Secret.insertMany(sanitizedSecretesToCreate).then())
+  if (bulkCreateError) {
+    if (bulkCreateError instanceof ValidationError) {
+      throw RouteValidationError({ message: bulkCreateError.message, stack: bulkCreateError.stack })
+    }
+
+    throw InternalServerError({ message: "Unable to process your batch create request. Please try again", stack: bulkCreateError.stack })
+  }
+
+  if (postHogClient) {
+    postHogClient.capture({
+      event: 'secrets added',
+      distinctId: req.user.email,
+      properties: {
+        numberOfSecrets: (secretsToCreate ?? []).length,
+        workspaceId,
+        environment,
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
+      }
+    });
+  }
+
+  res.status(200).send({
+    secrets
+  })
+}
+
+/**
+ * Delete secrets in workspace with id [workspaceId] and environment [environment]
+ * @param req 
+ * @param res 
+ */
+export const deleteSecrets = async (req: Request, res: Response) => {
+  const { workspaceId, environmentName } = req.params
+  const secretIdsToDelete: string[] = req.body.secretIds
+
+  const [secretIdsUserCanDeleteError, secretIdsUserCanDelete] = await to(Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
+  if (secretIdsUserCanDeleteError) {
+    throw InternalServerError({ message: `Unable to fetch secrets you own: [error=${secretIdsUserCanDeleteError.message}]` })
+  }
+
+  const secretsUserCanDeleteSet: Set<string> = new Set(secretIdsUserCanDelete.map(objectId => objectId._id.toString()));
+  const deleteOperationsToPerform: AnyBulkWriteOperation<ISecret>[] = []
+
+  let numSecretsDeleted = 0;
+  secretIdsToDelete.forEach(secretIdToDelete => {
+    if (secretsUserCanDeleteSet.has(secretIdToDelete)) {
+      const deleteOperation = { deleteOne: { filter: { _id: new Types.ObjectId(secretIdToDelete) } } }
+      deleteOperationsToPerform.push(deleteOperation)
+      numSecretsDeleted++;
+    } else {
+      throw RouteValidationError({ message: "You cannot delete secrets that you do not have access to" })
+    }
+  })
+
+  const [bulkDeleteError, bulkDelete] = await to(Secret.bulkWrite(deleteOperationsToPerform).then())
+  if (bulkDeleteError) {
+    if (bulkDeleteError instanceof ValidationError) {
+      throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: bulkDeleteError.stack })
+    }
+    throw InternalServerError()
+  }
+
+  if (postHogClient) {
+    postHogClient.capture({
+      event: 'secrets deleted',
+      distinctId: req.user.email,
+      properties: {
+        numberOfSecrets: numSecretsDeleted,
+        environment: environmentName,
+        workspaceId,
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
+      }
+    });
+  }
+
+  res.status(200).send()
+}
+
+/**
+ * Delete secret with id [secretId]
+ * @param req 
+ * @param res
+ */
+export const deleteSecret = async (req: Request, res: Response) => {
+  await Secret.findByIdAndDelete(req._secret._id)
+
+  if (postHogClient) {
+    postHogClient.capture({
+      event: 'secrets deleted',
+      distinctId: req.user.email,
+      properties: {
+        numberOfSecrets: 1,
+        workspaceId: req._secret.workspace.toString(),
+        environment: req._secret.environment,
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
+      }
+    });
+  }
+
+  res.status(200).send({
+    secret: req._secret
+  })
+}
+
+/**
+ * Update secrets for workspace with id [workspaceId] and environment [environment]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const updateSecrets = async (req: Request, res: Response) => {
+  const { workspaceId, environmentName } = req.params
+  const secretsModificationsRequested: ModifySecretRequestBody[] = req.body.secrets;
+  const [secretIdsUserCanModifyError, secretIdsUserCanModify] = await to(Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
+  if (secretIdsUserCanModifyError) {
+    throw InternalServerError({ message: "Unable to fetch secrets you own" })
+  }
+
+  const secretsUserCanModifySet: Set<string> = new Set(secretIdsUserCanModify.map(objectId => objectId._id.toString()));
+  const updateOperationsToPerform: any = []
+
+  secretsModificationsRequested.forEach(userModifiedSecret => {
+    if (secretsUserCanModifySet.has(userModifiedSecret._id.toString())) {
+      const sanitizedSecret: SanitizedSecretModify = {
+        secretKeyCiphertext: userModifiedSecret.secretKeyCiphertext,
+        secretKeyIV: userModifiedSecret.secretKeyIV,
+        secretKeyTag: userModifiedSecret.secretKeyTag,
+        secretKeyHash: userModifiedSecret.secretKeyHash,
+        secretValueCiphertext: userModifiedSecret.secretValueCiphertext,
+        secretValueIV: userModifiedSecret.secretValueIV,
+        secretValueTag: userModifiedSecret.secretValueTag,
+        secretValueHash: userModifiedSecret.secretValueHash,
+        secretCommentCiphertext: userModifiedSecret.secretCommentCiphertext,
+        secretCommentIV: userModifiedSecret.secretCommentIV,
+        secretCommentTag: userModifiedSecret.secretCommentTag,
+        secretCommentHash: userModifiedSecret.secretCommentHash,
+      }
+
+      const updateOperation = { updateOne: { filter: { _id: userModifiedSecret._id, workspace: workspaceId }, update: { $inc: { version: 1 }, $set: sanitizedSecret } } }
+      updateOperationsToPerform.push(updateOperation)
+    } else {
+      throw UnauthorizedRequestError({ message: "You do not have permission to modify one or more of the requested secrets" })
+    }
+  })
+
+  const [bulkModificationInfoError, bulkModificationInfo] = await to(Secret.bulkWrite(updateOperationsToPerform).then())
+  if (bulkModificationInfoError) {
+    if (bulkModificationInfoError instanceof ValidationError) {
+      throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: bulkModificationInfoError.stack })
+    }
+
+    throw InternalServerError()
+  }
+
+  if (postHogClient) {
+    postHogClient.capture({
+      event: 'secrets modified',
+      distinctId: req.user.email,
+      properties: {
+        numberOfSecrets: (secretsModificationsRequested ?? []).length,
+        environment: environmentName,
+        workspaceId,
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
+      }
+    });
+  }
+
+  return res.status(200).send()
+}
+
+/**
+ * Update a secret within workspace with id [workspaceId] and environment [environment]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const updateSecret = async (req: Request, res: Response) => {
+  const { workspaceId, environmentName } = req.params
+  const secretModificationsRequested: ModifySecretRequestBody = req.body.secret;
+
+  const [secretIdUserCanModifyError, secretIdUserCanModify] = await to(Secret.findOne({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
+  if (secretIdUserCanModifyError && !secretIdUserCanModify) {
+    throw BadRequestError()
+  }
+
+  const sanitizedSecret: SanitizedSecretModify = {
+    secretKeyCiphertext: secretModificationsRequested.secretKeyCiphertext,
+    secretKeyIV: secretModificationsRequested.secretKeyIV,
+    secretKeyTag: secretModificationsRequested.secretKeyTag,
+    secretKeyHash: secretModificationsRequested.secretKeyHash,
+    secretValueCiphertext: secretModificationsRequested.secretValueCiphertext,
+    secretValueIV: secretModificationsRequested.secretValueIV,
+    secretValueTag: secretModificationsRequested.secretValueTag,
+    secretValueHash: secretModificationsRequested.secretValueHash,
+    secretCommentCiphertext: secretModificationsRequested.secretCommentCiphertext,
+    secretCommentIV: secretModificationsRequested.secretCommentIV,
+    secretCommentTag: secretModificationsRequested.secretCommentTag,
+    secretCommentHash: secretModificationsRequested.secretCommentHash,
+  }
+
+  const [error, singleModificationUpdate] = await to(Secret.updateOne({ _id: secretModificationsRequested._id, workspace: workspaceId }, { $inc: { version: 1 }, $set: sanitizedSecret }).then())
+  if (error instanceof ValidationError) {
+    throw RouteValidationError({ message: "Unable to apply modifications, please try again", stack: error.stack })
+  }
+
+  if (postHogClient) {
+    postHogClient.capture({
+      event: 'secrets modified',
+      distinctId: req.user.email,
+      properties: {
+        numberOfSecrets: 1,
+        environment: environmentName,
+        workspaceId,
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
+      }
+    });
+  }
+
+  return res.status(200).send(singleModificationUpdate)
+}
+
+/**
+ * Return secrets for workspace with id [workspaceId], environment [environment] and user
+ * with id [req.user._id]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getSecrets = async (req: Request, res: Response) => {
+  const { environment } = req.query;
+  const { workspaceId } = req.params;
+
+  let userId: Types.ObjectId | undefined = undefined // used for getting personal secrets for user
+  let userEmail: Types.ObjectId | undefined = undefined // used for posthog 
+  if (req.user) {
+    userId = req.user._id;
+    userEmail = req.user.email;
+  }
+
+  if (req.serviceTokenData) {
+    userId = req.serviceTokenData.user._id
+    userEmail = req.serviceTokenData.user.email;
+  }
+
+  const [err, secrets] = await to(Secret.find(
+    {
+      workspace: workspaceId,
+      environment,
+      $or: [{ user: userId }, { user: { $exists: false } }],
+      type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
+    }
+  ).then())
+
+  if (err) {
+    throw RouteValidationError({ message: "Failed to get secrets, please try again", stack: err.stack })
+  }
+
+  if (postHogClient) {
+    postHogClient.capture({
+      event: 'secrets pulled',
+      distinctId: userEmail,
+      properties: {
+        numberOfSecrets: (secrets ?? []).length,
+        environment,
+        workspaceId,
+        channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+        userAgent: req.headers?.['user-agent']
+      }
+    });
+  }
+
+  return res.json(secrets)
+}
+
+/**
+ * Return secret with id [secretId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getSecret = async (req: Request, res: Response) => {
+  // if (postHogClient) {
+  //   postHogClient.capture({
+  //     event: 'secrets pulled',
+  //     distinctId: req.user.email,
+  //     properties: {
+  //       numberOfSecrets: 1,
+  //       workspaceId: req._secret.workspace.toString(),
+  //       environment: req._secret.environment,
+  //       channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+  //       userAgent: req.headers?.['user-agent']
+  //     }
+  //   });
+  // }
+
+  return res.status(200).send({
+    secret: req._secret
+  });
+}
--- a/backend/src/controllers/v2/secretsController.ts
+++ b/backend/src/controllers/v2/secretsController.ts
@ -0,0 +1,472 @@
+import to from 'await-to-js';
+import { Types } from 'mongoose';
+import { Request, Response } from 'express';
+import { ISecret, Secret } from '../../models';
+import {
+    SECRET_PERSONAL,
+    SECRET_SHARED,
+    ACTION_ADD_SECRETS,
+    ACTION_READ_SECRETS,
+    ACTION_UPDATE_SECRETS,
+    ACTION_DELETE_SECRETS
+} from '../../variables';
+import { ValidationError } from '../../utils/errors';
+import { EventService } from '../../services';
+import { eventPushSecrets } from '../../events';
+import { EESecretService, EELogService } from '../../ee/services';
+import { postHogClient } from '../../services';
+import { BadRequestError } from '../../utils/errors';
+
+/**
+ * Create secret(s) for workspace with id [workspaceId] and environment [environment]
+ * @param req 
+ * @param res 
+ */
+export const createSecrets = async (req: Request, res: Response) => {
+    const channel = req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli';
+    const { workspaceId, environment } = req.body;
+
+    let toAdd;
+    if (Array.isArray(req.body.secrets)) {
+        // case: create multiple secrets
+        toAdd = req.body.secrets;
+    } else if (typeof req.body.secrets === 'object') {
+        // case: create 1 secret
+        toAdd = [req.body.secrets];
+    }
+
+    const newSecrets = await Secret.insertMany(
+        toAdd.map(({
+            type,
+            secretKeyCiphertext,
+            secretKeyIV,
+            secretKeyTag,
+            secretValueCiphertext,
+            secretValueIV,
+            secretValueTag,
+        }: {
+            type: string;
+            secretKeyCiphertext: string;
+            secretKeyIV: string;
+            secretKeyTag: string;
+            secretValueCiphertext: string;
+            secretValueIV: string;
+            secretValueTag: string;
+        }) => ({
+            version: 1,
+            workspace: new Types.ObjectId(workspaceId),
+            type,
+            user: type === SECRET_PERSONAL ? req.user : undefined,
+            environment,
+            secretKeyCiphertext,
+            secretKeyIV,
+            secretKeyTag,
+            secretValueCiphertext,
+            secretValueIV,
+            secretValueTag
+        }))
+    );
+
+    // (EE) add secret versions for new secrets
+    EESecretService.addSecretVersions({
+        secretVersions: newSecrets.map(({
+            _id,
+            version,
+            workspace,
+            type,
+            user,
+            environment,
+            secretKeyCiphertext,
+            secretKeyIV,
+            secretKeyTag,
+            secretKeyHash,
+            secretValueCiphertext,
+            secretValueIV,
+            secretValueTag,
+            secretValueHash
+        }) => ({
+            _id: new Types.ObjectId(),
+            secret: _id,
+            version,
+            workspace,
+            type,
+            user,
+            environment,
+            isDeleted: false,
+            secretKeyCiphertext,
+            secretKeyIV,
+            secretKeyTag,
+            secretKeyHash,
+            secretValueCiphertext,
+            secretValueIV,
+            secretValueTag,
+            secretValueHash
+        }))
+    });
+
+    // trigger event - push secrets
+    await EventService.handleEvent({
+        event: eventPushSecrets({
+            workspaceId
+        })
+    });
+
+    const addAction = await EELogService.createActionSecret({
+        name: ACTION_ADD_SECRETS,
+        userId: req.user._id.toString(),
+        workspaceId,
+        secretIds: newSecrets.map((n) => n._id)
+    });
+
+    // (EE) create (audit) log
+    addAction && await EELogService.createLog({
+        userId: req.user._id.toString(),
+        workspaceId,
+        actions: [addAction],
+        channel,
+        ipAddress: req.ip
+    });
+
+    // (EE) take a secret snapshot
+    await EESecretService.takeSecretSnapshot({
+        workspaceId
+    });
+
+    if (postHogClient) {
+        postHogClient.capture({
+            event: 'secrets added',
+            distinctId: req.user.email,
+            properties: {
+                numberOfSecrets: toAdd.length,
+                environment,
+                workspaceId,
+                channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+                userAgent: req.headers?.['user-agent']
+            }
+        });
+    }
+
+    return res.status(200).send({
+        secrets: newSecrets
+    });
+}
+
+/**
+ * Return secret(s) for workspace with id [workspaceId], environment [environment] and user
+ * with id [req.user._id]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getSecrets = async (req: Request, res: Response) => {
+    const { workspaceId, environment } = req.query;
+
+    let userId: Types.ObjectId | undefined = undefined // used for getting personal secrets for user
+    let userEmail: Types.ObjectId | undefined = undefined // used for posthog 
+    if (req.user) {
+        userId = req.user._id;
+        userEmail = req.user.email;
+    }
+
+    if (req.serviceTokenData) {
+        userId = req.serviceTokenData.user._id
+        userEmail = req.serviceTokenData.user.email;
+    }
+
+    const [err, secrets] = await to(Secret.find(
+        {
+            workspace: workspaceId,
+            environment,
+            $or: [
+                { user: userId },
+                { user: { $exists: false } }
+            ],
+            type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
+        }
+    ).then())
+
+    if (err) throw ValidationError({ message: 'Failed to get secrets', stack: err.stack });
+
+    const channel = req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli';
+
+    const readAction = await EELogService.createActionSecret({
+        name: ACTION_READ_SECRETS,
+        userId: req.user._id.toString(),
+        workspaceId: workspaceId as string,
+        secretIds: secrets.map((n: any) => n._id)
+    });
+
+    readAction && await EELogService.createLog({
+        userId: req.user._id.toString(),
+        workspaceId: workspaceId as string,
+        actions: [readAction],
+        channel,
+        ipAddress: req.ip
+    });
+
+    if (postHogClient) {
+        postHogClient.capture({
+            event: 'secrets added',
+            distinctId: userEmail,
+            properties: {
+                numberOfSecrets: secrets.length,
+                environment,
+                workspaceId,
+                channel,
+                userAgent: req.headers?.['user-agent']
+            }
+        });
+    }
+
+    return res.status(200).send({
+        secrets
+    });
+}
+
+/**
+ * Update secret(s)
+ * @param req 
+ * @param res 
+ */
+export const updateSecrets = async (req: Request, res: Response) => {
+    const channel = req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli';
+
+    // TODO: move type
+    interface PatchSecret {
+        id: string;
+        secretKeyCiphertext: string;
+        secretKeyIV: string;
+        secretKeyTag: string;
+        secretValueCiphertext: string;
+        secretValueIV: string;
+        secretValueTag: string;
+        secretCommentCiphertext: string;
+        secretCommentIV: string;
+        secretCommentTag: string;
+    }
+
+    const updateOperationsToPerform = req.body.secrets.map((secret: PatchSecret) => {
+        const {
+            secretKeyCiphertext,
+            secretKeyIV,
+            secretKeyTag,
+            secretValueCiphertext,
+            secretValueIV,
+            secretValueTag,
+            secretCommentCiphertext,
+            secretCommentIV,
+            secretCommentTag
+        } = secret;
+
+        return ({
+            updateOne: {
+                filter: { _id: new Types.ObjectId(secret.id) },
+                update: {
+                    $inc: {
+                        version: 1
+                    },
+                    secretKeyCiphertext,
+                    secretKeyIV,
+                    secretKeyTag,
+                    secretValueCiphertext,
+                    secretValueIV,
+                    secretValueTag,
+                    ...((
+                        secretCommentCiphertext &&
+                        secretCommentIV &&
+                        secretCommentTag
+                    ) ? {
+                        secretCommentCiphertext,
+                        secretCommentIV,
+                        secretCommentTag
+                    } : {}),
+                }
+            }
+        });
+    });
+
+    await Secret.bulkWrite(updateOperationsToPerform);
+
+    const secretModificationsBySecretId: { [key: string]: PatchSecret } = {};
+    req.body.secrets.forEach((secret: PatchSecret) => {
+        secretModificationsBySecretId[secret.id] = secret;
+    });
+
+    const ListOfSecretsBeforeModifications = req.secrets
+    const secretVersions = {
+        secretVersions: ListOfSecretsBeforeModifications.map((secret: ISecret) => {
+            const {
+                secretKeyCiphertext,
+                secretKeyIV,
+                secretKeyTag,
+                secretValueCiphertext,
+                secretValueIV,
+                secretValueTag,
+                secretCommentCiphertext,
+                secretCommentIV,
+                secretCommentTag,
+            } = secretModificationsBySecretId[secret._id.toString()]
+
+            return ({
+                secret: secret._id,
+                version: secret.version + 1,
+                workspace: secret.workspace,
+                type: secret.type,
+                environment: secret.environment,
+                secretKeyCiphertext: secretKeyCiphertext ? secretKeyCiphertext : secret.secretKeyCiphertext,
+                secretKeyIV: secretKeyIV ? secretKeyIV : secret.secretKeyIV,
+                secretKeyTag: secretKeyTag ? secretKeyTag : secret.secretKeyTag,
+                secretValueCiphertext: secretValueCiphertext ? secretValueCiphertext : secret.secretValueCiphertext,
+                secretValueIV: secretValueIV ? secretValueIV : secret.secretValueIV,
+                secretValueTag: secretValueTag ? secretValueTag : secret.secretValueTag,
+                secretCommentCiphertext: secretCommentCiphertext ? secretCommentCiphertext : secret.secretCommentCiphertext,
+                secretCommentIV: secretCommentIV ? secretCommentIV : secret.secretCommentIV,
+                secretCommentTag: secretCommentTag ? secretCommentTag : secret.secretCommentTag,
+            });
+        })
+    }
+
+    await EESecretService.addSecretVersions(secretVersions);
+
+
+    // group secrets into workspaces so updated secrets can
+    // be logged and snapshotted separately for each workspace
+    const workspaceSecretObj: any = {};
+    req.secrets.forEach((s: any) => {
+        if (s.workspace.toString() in workspaceSecretObj) {
+            workspaceSecretObj[s.workspace.toString()].push(s);
+        } else {
+            workspaceSecretObj[s.workspace.toString()] = [s]
+        }
+    });
+
+    Object.keys(workspaceSecretObj).forEach(async (key) => {
+        // trigger event - push secrets
+        await EventService.handleEvent({
+            event: eventPushSecrets({
+                workspaceId: key
+            })
+        });
+
+        const updateAction = await EELogService.createActionSecret({
+            name: ACTION_UPDATE_SECRETS,
+            userId: req.user._id.toString(),
+            workspaceId: key,
+            secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
+        });
+
+        // (EE) create (audit) log
+        updateAction && await EELogService.createLog({
+            userId: req.user._id.toString(),
+            workspaceId: key,
+            actions: [updateAction],
+            channel,
+            ipAddress: req.ip
+        });
+
+        // (EE) take a secret snapshot
+        await EESecretService.takeSecretSnapshot({
+            workspaceId: key
+        })
+
+        if (postHogClient) {
+            postHogClient.capture({
+                event: 'secrets modified',
+                distinctId: req.user.email,
+                properties: {
+                    numberOfSecrets: workspaceSecretObj[key].length,
+                    environment: workspaceSecretObj[key][0].environment,
+                    workspaceId: key,
+                    channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+                    userAgent: req.headers?.['user-agent']
+                }
+            });
+        }
+    });
+
+    return res.status(200).send({
+        secrets: await Secret.find({
+            _id: {
+                $in: req.secrets.map((secret: ISecret) => secret._id)
+            }
+        })
+    });
+}
+
+/**
+ * Delete secret(s) with id [workspaceId] and environment [environment]
+ * @param req 
+ * @param res 
+ */
+export const deleteSecrets = async (req: Request, res: Response) => {
+    const channel = req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli';
+    const toDelete = req.secrets.map((s: any) => s._id);
+
+    await Secret.deleteMany({
+        _id: {
+            $in: toDelete
+        }
+    });
+
+    await EESecretService.markDeletedSecretVersions({
+        secretIds: toDelete
+    });
+
+    // group secrets into workspaces so deleted secrets can
+    // be logged and snapshotted separately for each workspace
+    const workspaceSecretObj: any = {};
+    req.secrets.forEach((s: any) => {
+        if (s.workspace.toString() in workspaceSecretObj) {
+            workspaceSecretObj[s.workspace.toString()].push(s);
+        } else {
+            workspaceSecretObj[s.workspace.toString()] = [s]
+        }
+    });
+
+    Object.keys(workspaceSecretObj).forEach(async (key) => {
+        // trigger event - push secrets
+        await EventService.handleEvent({
+            event: eventPushSecrets({
+                workspaceId: key
+            })
+        });
+        const deleteAction = await EELogService.createActionSecret({
+            name: ACTION_DELETE_SECRETS,
+            userId: req.user._id.toString(),
+            workspaceId: key,
+            secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
+        });
+
+        // (EE) create (audit) log
+        deleteAction && await EELogService.createLog({
+            userId: req.user._id.toString(),
+            workspaceId: key,
+            actions: [deleteAction],
+            channel,
+            ipAddress: req.ip
+        });
+
+        // (EE) take a secret snapshot
+        await EESecretService.takeSecretSnapshot({
+            workspaceId: key
+        })
+
+        if (postHogClient) {
+            postHogClient.capture({
+                event: 'secrets deleted',
+                distinctId: req.user.email,
+                properties: {
+                    numberOfSecrets: workspaceSecretObj[key].length,
+                    environment: workspaceSecretObj[key][0].environment,
+                    workspaceId: key,
+                    channel: req.headers?.['user-agent']?.toLowerCase().includes('mozilla') ? 'web' : 'cli',
+                    userAgent: req.headers?.['user-agent']
+                }
+            });
+        }
+    });
+
+    return res.status(200).send({
+        secrets: req.secrets
+    });
+}
--- a/backend/src/controllers/v2/serviceTokenDataController.ts
+++ b/backend/src/controllers/v2/serviceTokenDataController.ts
@ -0,0 +1,103 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import crypto from 'crypto';
+import bcrypt from 'bcrypt';
+import {
+    ServiceTokenData
+} from '../../models';
+import {
+    SALT_ROUNDS
+} from '../../config';
+
+/**
+ * Return service token data associated with service token on request
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getServiceTokenData = async (req: Request, res: Response) => res.status(200).json(req.serviceTokenData);
+
+/**
+ * Create new service token data for workspace with id [workspaceId] and
+ * environment [environment].
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const createServiceTokenData = async (req: Request, res: Response) => {
+    let serviceToken, serviceTokenData;
+    try {
+        const {
+            name,
+            workspaceId,
+            environment,
+            encryptedKey,
+            iv,
+            tag,
+            expiresIn
+        } = req.body;
+
+        const secret = crypto.randomBytes(16).toString('hex');
+        const secretHash = await bcrypt.hash(secret, SALT_ROUNDS);
+
+        const expiresAt = new Date();
+        expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
+
+        serviceTokenData = await new ServiceTokenData({
+            name,
+            workspace: workspaceId,
+            environment,
+            user: req.user._id,
+            expiresAt,
+            secretHash,
+            encryptedKey,
+            iv,
+            tag
+        }).save();
+
+        // return service token data without sensitive data
+        serviceTokenData = await ServiceTokenData.findById(serviceTokenData._id);
+
+        if (!serviceTokenData) throw new Error('Failed to find service token data');
+
+        serviceToken = `st.${serviceTokenData._id.toString()}.${secret}`;
+
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: 'Failed to create service token data'
+        });
+    }
+
+    return res.status(200).send({
+        serviceToken,
+        serviceTokenData
+    });
+}
+
+/**
+ * Delete service token data with id [serviceTokenDataId].
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const deleteServiceTokenData = async (req: Request, res: Response) => {
+    let serviceTokenData;
+    try {
+        const { serviceTokenDataId } = req.params;
+
+        serviceTokenData = await ServiceTokenData.findByIdAndDelete(serviceTokenDataId);
+
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);
+        return res.status(400).send({
+            message: 'Failed to delete service token data'
+        });
+    }
+
+    return res.status(200).send({
+        serviceTokenData
+    });
+}
--- a/backend/src/controllers/v2/workspaceController.ts
+++ b/backend/src/controllers/v2/workspaceController.ts
@ -0,0 +1,217 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import {
+	Workspace,
+	Membership,
+	MembershipOrg,
+	Integration,
+	IntegrationAuth,
+	Key,
+	IUser,
+	ServiceToken,
+	ServiceTokenData
+} from '../../models';
+import {
+	v2PushSecrets as push,
+	pullSecrets as pull,
+	reformatPullSecrets
+} from '../../helpers/secret';
+import { pushKeys } from '../../helpers/key';
+import { postHogClient, EventService } from '../../services';
+import { eventPushSecrets } from '../../events';
+import { ENV_SET } from '../../variables';
+
+interface V2PushSecret {
+	type: string; // personal or shared
+	secretKeyCiphertext: string;
+	secretKeyIV: string;
+	secretKeyTag: string;
+	secretKeyHash: string;
+	secretValueCiphertext: string;
+	secretValueIV: string;
+	secretValueTag: string;
+	secretValueHash: string;
+	secretCommentCiphertext?: string;
+	secretCommentIV?: string;
+	secretCommentTag?: string;
+	secretCommentHash?: string;
+}
+
+/**
+ * Upload (encrypted) secrets to workspace with id [workspaceId]
+ * for environment [environment]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
+	// upload (encrypted) secrets to workspace with id [workspaceId]
+	try {
+		let { secrets }: { secrets: V2PushSecret[] } = req.body;
+		const { keys, environment, channel } = req.body;
+		const { workspaceId } = req.params;
+
+		// validate environment
+		if (!ENV_SET.has(environment)) {
+			throw new Error('Failed to validate environment');
+		}
+
+		// sanitize secrets
+		secrets = secrets.filter(
+			(s: V2PushSecret) => s.secretKeyCiphertext !== '' && s.secretValueCiphertext !== ''
+		);
+
+		await push({
+			userId: req.user._id,
+			workspaceId,
+			environment,
+			secrets,
+			channel: channel ? channel : 'cli',
+			ipAddress: req.ip
+		});
+
+		await pushKeys({
+			userId: req.user._id,
+			workspaceId,
+			keys
+		});
+
+		if (postHogClient) {
+			postHogClient.capture({
+				event: 'secrets pushed',
+				distinctId: req.user.email,
+				properties: {
+					numberOfSecrets: secrets.length,
+					environment,
+					workspaceId,
+					channel: channel ? channel : 'cli'
+				}
+			});
+		}
+
+		// trigger event - push secrets
+		EventService.handleEvent({
+			event: eventPushSecrets({
+				workspaceId
+			})
+		});
+
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to upload workspace secrets'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully uploaded workspace secrets'
+	});
+};
+
+/**
+ * Return (encrypted) secrets for workspace with id [workspaceId]
+ * for environment [environment]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const pullSecrets = async (req: Request, res: Response) => {
+	let secrets;
+	try {
+		const environment: string = req.query.environment as string;
+		const channel: string = req.query.channel as string;
+		const { workspaceId } = req.params;
+
+		let userId;
+		if (req.user) {
+			userId = req.user._id.toString();
+		} else if (req.serviceTokenData) {
+			userId = req.serviceTokenData.user._id
+		}
+
+		secrets = await pull({
+			userId,
+			workspaceId,
+			environment,
+			channel: channel ? channel : 'cli',
+			ipAddress: req.ip
+		});
+
+		if (channel !== 'cli') {
+			secrets = reformatPullSecrets({ secrets });
+		}
+
+		if (postHogClient) {
+			// capture secrets pushed event in production
+			postHogClient.capture({
+				distinctId: req.user.email,
+				event: 'secrets pulled',
+				properties: {
+					numberOfSecrets: secrets.length,
+					environment,
+					workspaceId,
+					channel: channel ? channel : 'cli'
+				}
+			});
+		}
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to pull workspace secrets'
+		});
+	}
+
+	return res.status(200).send({
+		secrets
+	});
+};
+
+export const getWorkspaceKey = async (req: Request, res: Response) => {
+	let key;
+	try {
+		const { workspaceId } = req.params;
+
+		key = await Key.findOne({
+			workspace: workspaceId,
+			receiver: req.user._id
+		}).populate('sender', '+publicKey');
+
+		if (!key) throw new Error('Failed to find workspace key');
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace key'
+		});
+	}
+
+	return res.status(200).json(key);
+}
+export const getWorkspaceServiceTokenData = async (
+	req: Request,
+	res: Response
+) => {
+	let serviceTokenData;
+	try {
+		const { workspaceId } = req.params;
+
+		serviceTokenData = await ServiceTokenData
+			.find({
+				workspace: workspaceId
+			})
+			.select('+encryptedKey +iv +tag');
+
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace service token data'
+		});
+	}
+
+	return res.status(200).send({
+		serviceTokenData
+	});
+}
--- a/backend/src/ee/controllers/secretController.ts
+++ b/backend/src/ee/controllers/secretController.ts
@ -1,35 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { SecretVersion } from '../models';
-
-/**
- * Return secret versions for secret with id [secretId]
- * @param req 
- * @param res 
- */
- export const getSecretVersions = async (req: Request, res: Response) => {
-	let secretVersions;
-	try {
-		const { secretId } = req.params;
-
-		const offset: number = parseInt(req.query.offset as string);
-		const limit: number = parseInt(req.query.limit as string);
-		
-		secretVersions = await SecretVersion.find({
-			secret: secretId
-		})
-		.skip(offset)
-		.limit(limit);
-
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get secret versions'
-		});
-	}
-	
-	return res.status(200).send({
-		secretVersions
-	});
-}
--- a/backend/src/ee/controllers/v1/actionController.ts
+++ b/backend/src/ee/controllers/v1/actionController.ts
@ -0,0 +1,31 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { Action, SecretVersion } from '../../models';
+import { ActionNotFoundError } from '../../../utils/errors';
+
+export const getAction = async (req: Request, res: Response) => {
+    let action;
+    try {
+        const { actionId } = req.params;
+        
+        action = await Action
+            .findById(actionId)
+            .populate([
+                'payload.secretVersions.oldSecretVersion',
+                'payload.secretVersions.newSecretVersion'
+            ]);
+        
+        if (!action) throw ActionNotFoundError({
+            message: 'Failed to find action'
+        });
+
+    } catch (err) {
+        throw ActionNotFoundError({
+            message: 'Failed to find action'
+        });
+    }
+    
+    return res.status(200).send({
+        action
+    });
+}
--- a/backend/src/ee/controllers/v1/index.ts
+++ b/backend/src/ee/controllers/v1/index.ts
@ -1,9 +1,13 @@
 import * as stripeController from './stripeController';
 import * as secretController from './secretController';
+import * as secretSnapshotController from './secretSnapshotController';
 import * as workspaceController from './workspaceController';
+import * as actionController from './actionController';

 export {
    stripeController,
    secretController,
-    workspaceController
+    secretSnapshotController,
+    workspaceController,
+    actionController
 }
--- a/backend/src/ee/controllers/v1/secretController.ts
+++ b/backend/src/ee/controllers/v1/secretController.ts
@ -0,0 +1,137 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { Secret } from '../../../models';
+import { SecretVersion } from '../../models';
+import { EESecretService } from '../../services';
+
+/**
+ * Return secret versions for secret with id [secretId]
+ * @param req 
+ * @param res 
+ */
+ export const getSecretVersions = async (req: Request, res: Response) => {
+	let secretVersions;
+	try {
+		const { secretId } = req.params;
+
+		const offset: number = parseInt(req.query.offset as string);
+		const limit: number = parseInt(req.query.limit as string);
+		
+		secretVersions = await SecretVersion.find({
+			secret: secretId
+		})
+		.sort({ createdAt: -1 })
+		.skip(offset)
+		.limit(limit);
+
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get secret versions'
+		});
+	}
+	
+	return res.status(200).send({
+		secretVersions
+	});
+}
+
+/**
+ * Roll back secret with id [secretId] to version [version]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const rollbackSecretVersion = async (req: Request, res: Response) => {
+	let secret;
+	try {
+		const { secretId } = req.params;
+		const { version } = req.body;
+		
+		// validate secret version
+		const oldSecretVersion = await SecretVersion.findOne({
+			secret: secretId,
+			version
+		});
+		
+		if (!oldSecretVersion) throw new Error('Failed to find secret version');
+		
+		const {
+			workspace,
+			type,
+			user,
+			environment,
+			secretKeyCiphertext,
+			secretKeyIV,
+			secretKeyTag,
+			secretKeyHash,
+			secretValueCiphertext,
+			secretValueIV,
+			secretValueTag,
+			secretValueHash
+		} = oldSecretVersion;
+		
+		// update secret
+		secret = await Secret.findByIdAndUpdate(
+			secretId,
+			{
+				$inc: {
+					version: 1
+				},
+				workspace,
+				type,
+				user,
+				environment,
+				secretKeyCiphertext,
+				secretKeyIV,
+				secretKeyTag,
+				secretKeyHash,
+				secretValueCiphertext,
+				secretValueIV,
+				secretValueTag,
+				secretValueHash
+			},
+			{
+				new: true
+			}
+		);
+		
+		if (!secret) throw new Error('Failed to find and update secret');
+
+		// add new secret version
+		await new SecretVersion({
+			secret: secretId,
+			version: secret.version,
+			workspace,
+			type,
+			user,
+			environment,
+			isDeleted: false,
+			secretKeyCiphertext,
+			secretKeyIV,
+			secretKeyTag,
+			secretKeyHash,
+			secretValueCiphertext,
+			secretValueIV,
+			secretValueTag,
+			secretValueHash	
+		}).save();
+		
+		// take secret snapshot
+		await EESecretService.takeSecretSnapshot({
+			workspaceId: secret.workspace.toString()
+		});
+		
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to roll back secret version'
+		});
+	}
+	
+	return res.status(200).send({
+		secret
+	});
+}
--- a/backend/src/ee/controllers/v1/secretSnapshotController.ts
+++ b/backend/src/ee/controllers/v1/secretSnapshotController.ts
@ -0,0 +1,33 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { SecretSnapshot } from '../../models';
+
+/**
+ * Return secret snapshot with id [secretSnapshotId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getSecretSnapshot = async (req: Request, res: Response) => {
+    let secretSnapshot;
+    try {
+        const { secretSnapshotId } = req.params;
+
+        secretSnapshot = await SecretSnapshot
+            .findById(secretSnapshotId)
+            .populate('secretVersions');
+        
+        if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
+        
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get secret snapshot'
+		});
+    }
+    
+    return res.status(200).send({
+        secretSnapshot
+    });
+}
--- a/backend/src/ee/controllers/v1/stripeController.ts
+++ b/backend/src/ee/controllers/v1/stripeController.ts
@ -1,7 +1,7 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
 import Stripe from 'stripe';
-import { STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET } from '../config';
+import { STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET } from '../../../config';
 const stripe = new Stripe(STRIPE_SECRET_KEY, {
 	apiVersion: '2022-08-01'
 });
--- a/backend/src/ee/controllers/v1/workspaceController.ts
+++ b/backend/src/ee/controllers/v1/workspaceController.ts
@ -0,0 +1,273 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
+import {
+	Secret
+} from '../../../models';
+import { 
+	SecretSnapshot,
+	Log,
+	SecretVersion,
+	ISecretVersion
+} from '../../models';
+import { EESecretService } from '../../services';
+import { getLatestSecretVersionIds } from '../../helpers/secretVersion';
+
+/**
+ * Return secret snapshots for workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ */
+ export const getWorkspaceSecretSnapshots = async (req: Request, res: Response) => {
+	let secretSnapshots;
+	try {
+		const { workspaceId } = req.params;
+
+		const offset: number = parseInt(req.query.offset as string);
+		const limit: number = parseInt(req.query.limit as string);
+		
+		secretSnapshots = await SecretSnapshot.find({
+			workspace: workspaceId
+		})
+		.sort({ createdAt: -1 })
+		.skip(offset)
+		.limit(limit);
+
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get secret snapshots'
+		});
+	}
+	
+	return res.status(200).send({
+		secretSnapshots
+	});
+}
+
+/**
+ * Return count of secret snapshots for workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ */
+export const getWorkspaceSecretSnapshotsCount = async (req: Request, res: Response) => {
+	let count;
+	try {
+		const { workspaceId } = req.params;
+		count = await SecretSnapshot.countDocuments({
+			workspace: workspaceId
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to count number of secret snapshots'
+		});
+	}
+	
+	return res.status(200).send({
+		count
+	});
+}
+
+/**
+ * Rollback secret snapshot with id [secretSnapshotId] to version [version]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Response) => {
+	let secrets;
+    try {	
+        const { workspaceId } = req.params;
+        const { version } = req.body;
+        
+		// validate secret snapshot
+        const secretSnapshot = await SecretSnapshot.findOne({
+        	workspace: workspaceId,
+            version
+        }).populate<{ secretVersions: ISecretVersion[]}>('secretVersions');
+        
+        if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
+
+		// TODO: fix any
+		const oldSecretVersionsObj: any = secretSnapshot.secretVersions
+			.reduce((accumulator, s) => ({ 
+				...accumulator, 
+				[`${s.secret.toString()}`]: s 
+			}), {});	
+		
+		const latestSecretVersionIds = await getLatestSecretVersionIds({
+			secretIds: secretSnapshot.secretVersions.map((sv) => sv.secret)
+		});
+		
+		// TODO: fix any
+		const latestSecretVersions: any = (await SecretVersion.find({
+			_id: {
+				$in: latestSecretVersionIds.map((s) => s.versionId)
+			}
+		}, 'secret version'))
+		.reduce((accumulator, s) => ({ 
+			...accumulator, 
+			[`${s.secret.toString()}`]: s 
+		}), {});
+		
+		// delete existing secrets
+		await Secret.deleteMany({
+			workspace: workspaceId
+		});
+
+		// add secrets
+        secrets = await Secret.insertMany(
+			secretSnapshot.secretVersions.map((sv) => {
+				const secretId = sv.secret;
+				const {
+					workspace,
+					type,
+					user,
+					environment,
+					secretKeyCiphertext,
+					secretKeyIV,
+					secretKeyTag,
+					secretKeyHash,
+					secretValueCiphertext,
+					secretValueIV,
+					secretValueTag,
+					secretValueHash,
+					createdAt
+				} = oldSecretVersionsObj[secretId.toString()];
+				
+				return ({
+					_id: secretId,
+					version: latestSecretVersions[secretId.toString()].version + 1,
+					workspace,
+					type,
+					user,
+					environment,
+					secretKeyCiphertext,
+					secretKeyIV,
+					secretKeyTag,
+					secretKeyHash,
+					secretValueCiphertext,
+					secretValueIV,
+					secretValueTag,
+					secretValueHash,
+					secretCommentCiphertext: '',
+					secretCommentIV: '',
+					secretCommentTag: '',
+					createdAt
+				});
+			})
+		);
+		
+		// add secret versions
+		await SecretVersion.insertMany(
+			secrets.map(({
+				_id,
+				version,
+				workspace,
+				type,
+				user,
+				environment,
+				secretKeyCiphertext,
+				secretKeyIV,
+				secretKeyTag,
+				secretKeyHash,
+				secretValueCiphertext,
+				secretValueIV,
+				secretValueTag,
+				secretValueHash
+			}) => ({
+				_id: new Types.ObjectId(),
+				secret: _id,
+				version,
+				workspace,
+				type,
+				user,
+				environment,
+				isDeleted: false,
+				secretKeyCiphertext,
+				secretKeyIV,
+				secretKeyTag,
+				secretKeyHash,
+				secretValueCiphertext,
+				secretValueIV,
+				secretValueTag,
+				secretValueHash
+			}))
+		);
+		
+		// update secret versions of restored secrets as not deleted
+		await SecretVersion.updateMany({
+			secret: {
+				$in: secretSnapshot.secretVersions.map((sv) => sv.secret)
+			}
+		}, {
+			isDeleted: false
+		});
+		
+        // take secret snapshot
+		await EESecretService.takeSecretSnapshot({
+			workspaceId
+		});
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to roll back secret snapshot'
+		}); 
+    }
+    
+	return res.status(200).send({
+		secrets
+	});
+}
+
+/**
+ * Return (audit) logs for workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getWorkspaceLogs = async (req: Request, res: Response) => {
+	let logs
+	try {
+		const { workspaceId } = req.params;
+
+		const offset: number = parseInt(req.query.offset as string);
+		const limit: number = parseInt(req.query.limit as string);
+		const sortBy: string = req.query.sortBy as string;
+		const userId: string = req.query.userId as string;
+		const actionNames: string = req.query.actionNames as string;
+		
+		logs = await Log.find({
+			workspace: workspaceId,
+			...( userId ? { user: userId } : {}),
+			...( 
+				actionNames 
+				? { 
+					actionNames: {
+						$in: actionNames.split(',')
+					}
+				} : {}
+			)
+		})
+		.sort({ createdAt: sortBy === 'recent' ? -1 : 1 })
+		.skip(offset)
+		.limit(limit)
+		.populate('actions')
+		.populate('user');
+
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get workspace logs'
+		});
+	}
+	
+	return res.status(200).send({
+		logs
+	});
+}
--- a/backend/src/ee/controllers/workspaceController.ts
+++ b/backend/src/ee/controllers/workspaceController.ts
@ -1,35 +0,0 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
-import { SecretSnapshot } from '../models';
-
-/**
- * Return secret snapshots for workspace with id [workspaceId]
- * @param req 
- * @param res 
- */
- export const getWorkspaceSecretSnapshots = async (req: Request, res: Response) => {
-	let secretSnapshots;
-	try {
-		const { workspaceId } = req.params;
-
-		const offset: number = parseInt(req.query.offset as string);
-		const limit: number = parseInt(req.query.limit as string);
-		
-		secretSnapshots = await SecretSnapshot.find({
-			workspace: workspaceId
-		})
-		.skip(offset)
-		.limit(limit);
-
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get secret snapshots'
-		});
-	}
-	
-	return res.status(200).send({
-		secretSnapshots
-	});
-}
--- a/backend/src/ee/helpers/action.ts
+++ b/backend/src/ee/helpers/action.ts
@ -0,0 +1,73 @@
+import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
+import { SecretVersion, Action } from '../models';
+import { 
+    getLatestSecretVersionIds,
+    getLatestNSecretSecretVersionIds
+} from '../helpers/secretVersion';
+import { ACTION_UPDATE_SECRETS } from '../../variables';
+
+/**
+ * Create an (audit) action for secrets including
+ * add, delete, update, and read actions.
+ * @param {Object} obj
+ * @param {String} obj.name - name of action
+ * @param {ObjectId[]} obj.secretIds - ids of relevant secrets
+ * @returns {Action} action - new action
+ */
+const createActionSecretHelper = async ({
+    name,
+    userId,
+    workspaceId,
+    secretIds
+}: {
+    name: string;
+    userId: string;
+    workspaceId: string;
+    secretIds: Types.ObjectId[];
+}) => {
+
+    let action;
+    let latestSecretVersions;
+    try {
+        if (name === ACTION_UPDATE_SECRETS) {
+            // case: action is updating secrets
+            // -> add old and new secret versions
+            latestSecretVersions = (await getLatestNSecretSecretVersionIds({
+                secretIds,
+                n: 2
+            }))
+            .map((s) => ({
+                oldSecretVersion: s.versions[0]._id,
+                newSecretVersion: s.versions[1]._id
+            }));
+        } else {
+            // case: action is adding, deleting, or reading secrets
+            // -> add new secret versions
+            latestSecretVersions = (await getLatestSecretVersionIds({
+                secretIds
+            }))
+            .map((s) => ({
+                newSecretVersion: s.versionId
+            }));
+        }
+
+        action = await new Action({
+            name,
+            user: userId,
+            workspace: workspaceId,
+            payload: {
+                secretVersions: latestSecretVersions
+            }
+        }).save();
+
+    } catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+        throw new Error('Failed to create action');
+    }
+    
+    return action;
+}
+
+export { createActionSecretHelper };
--- a/backend/src/ee/helpers/log.ts
+++ b/backend/src/ee/helpers/log.ts
@ -0,0 +1,41 @@
+import * as Sentry from '@sentry/node';
+import { 
+    Log,
+    IAction
+} from '../models';
+
+const createLogHelper = async ({
+    userId,
+    workspaceId,
+    actions,
+    channel,
+    ipAddress
+}: {
+    userId: string;
+    workspaceId: string;
+    actions: IAction[];
+    channel: string;
+    ipAddress: string;
+}) => {
+    let log;
+    try {
+        log = await new Log({
+            user: userId,
+            workspace: workspaceId,
+            actionNames: actions.map((a) => a.name),
+            actions,
+            channel,
+            ipAddress
+        }).save();
+    } catch (err) {
+        Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to create log');
+    }
+
+    return log;
+}
+
+export {
+    createLogHelper
+}
--- a/backend/src/ee/helpers/secret.ts
+++ b/backend/src/ee/helpers/secret.ts
@ -1,74 +1,169 @@
+import { Types } from 'mongoose';
 import * as Sentry from '@sentry/node';
 import {
-    Secret
+	Secret,
+	ISecret
 } from '../../models';
 import {
-    SecretSnapshot,
+	SecretSnapshot,
 	SecretVersion,
 	ISecretVersion
 } from '../models';

 /**
- * Save a copy of the current state of secrets in workspace with id
+ * Save a secret snapshot that is a copy of the current state of secrets in workspace with id
 * [workspaceId] under a new snapshot with incremented version under the
 * secretsnapshots collection.
 * @param {Object} obj
 * @param {String} obj.workspaceId
+ * @returns {SecretSnapshot} secretSnapshot - new secret snapshot
 */
- const takeSecretSnapshotHelper = async ({
+const takeSecretSnapshotHelper = async ({
 	workspaceId
 }: {
 	workspaceId: string;
 }) => {
+
+	let secretSnapshot;
 	try {
-		const secrets = await Secret.find({
+		const secretIds = (await Secret.find({
 			workspace: workspaceId
-		});
-		
+		}, '_id')).map((s) => s._id);
+
+		const latestSecretVersions = (await SecretVersion.aggregate([
+			{
+				$match: {
+					secret: {
+						$in: secretIds
+					}
+				}
+			},
+			{
+				$group: {
+					_id: '$secret',
+					version: { $max: '$version' },
+					versionId: { $max: '$_id' } // secret version id
+				}
+			},
+			{
+				$sort: { version: -1 }
+			}
+		])
+			.exec())
+			.map((s) => s.versionId);
+
 		const latestSecretSnapshot = await SecretSnapshot.findOne({
 			workspace: workspaceId
 		}).sort({ version: -1 });
-		
-		if (!latestSecretSnapshot) {
-			// case: no snapshots exist for workspace -> create first snapshot
-			await new SecretSnapshot({
-				workspace: workspaceId,
-				version: 1,
-				secrets 
-			}).save();	

-			return;
-		}
-		
-		// case: snapshots exist for workspace
-		await new SecretSnapshot({
+		secretSnapshot = await new SecretSnapshot({
 			workspace: workspaceId,
-			version: latestSecretSnapshot.version + 1,
-			secrets 
+			version: latestSecretSnapshot ? latestSecretSnapshot.version + 1 : 1,
+			secretVersions: latestSecretVersions
 		}).save();
-		
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
 		throw new Error('Failed to take a secret snapshot');
 	}
+
+	return secretSnapshot;
 }

+/**
+ * Add secret versions [secretVersions] to the SecretVersion collection.
+ * @param {Object} obj
+ * @param {Object[]} obj.secretVersions
+ * @returns {SecretVersion[]} newSecretVersions - new secret versions
+ */
 const addSecretVersionsHelper = async ({
 	secretVersions
 }: {
 	secretVersions: ISecretVersion[]
 }) => {
+	let newSecretVersions;
 	try {
-		await SecretVersion.insertMany(secretVersions);
+		newSecretVersions = await SecretVersion.insertMany(secretVersions);
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
-		throw new Error('Failed to add secret versions');
+		throw new Error(`Failed to add secret versions [err=${err}]`);
+	}
+
+	return newSecretVersions;
+}
+
+const markDeletedSecretVersionsHelper = async ({
+	secretIds
+}: {
+	secretIds: Types.ObjectId[];
+}) => {
+	try {
+		await SecretVersion.updateMany({
+			secret: { $in: secretIds }
+		}, {
+			isDeleted: true
+		}, {
+			new: true
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to mark secret versions as deleted');
+	}
+}
+
+/**
+ * Initialize secret versioning by setting previously unversioned
+ * secrets to version 1 and begin populating secret versions.
+ */
+const initSecretVersioningHelper = async () => {
+	try {
+
+		await Secret.updateMany(
+			{ version: { $exists: false } },
+			{ $set: { version: 1 } }
+		);
+
+		const unversionedSecrets: ISecret[] = await Secret.aggregate([
+			{
+				$lookup: {
+					from: 'secretversions',
+					localField: '_id',
+					foreignField: 'secret',
+					as: 'versions',
+				},
+			},
+			{
+				$match: {
+					versions: { $size: 0 },
+				},
+			},
+		]);
+
+		if (unversionedSecrets.length > 0) {
+			await addSecretVersionsHelper({
+				secretVersions: unversionedSecrets.map((s, idx) => ({
+					...s,
+					secret: s._id,
+					version: s.version ? s.version : 1,
+					isDeleted: false,
+					workspace: s.workspace,
+					environment: s.environment
+				}))
+			});
+		}
+
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to ensure that secrets are versioned');
 	}
 }

 export {
-    takeSecretSnapshotHelper,
-	addSecretVersionsHelper
+	takeSecretSnapshotHelper,
+	addSecretVersionsHelper,
+	markDeletedSecretVersionsHelper,
+	initSecretVersioningHelper
 }
--- a/backend/src/ee/helpers/secretVersion.ts
+++ b/backend/src/ee/helpers/secretVersion.ts
@ -0,0 +1,110 @@
+import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
+import { SecretVersion } from '../models';
+
+/**
+ * Return latest secret versions for secrets with ids [secretIds]
+ * @param {Object} obj
+ * @param {Object} obj.secretIds = ids of secrets to get latest versions for
+ * @returns 
+ */
+const getLatestSecretVersionIds = async ({
+    secretIds
+}: {
+    secretIds: Types.ObjectId[];
+}) => {
+    
+    interface LatestSecretVersionId {
+        _id: Types.ObjectId;
+        version: number;
+        versionId: Types.ObjectId;
+    }
+    
+    let latestSecretVersionIds: LatestSecretVersionId[];
+    try {
+        latestSecretVersionIds = (await SecretVersion.aggregate([
+            {
+                $match: { 
+                    secret: { 
+                        $in: secretIds 
+                    } 
+                }
+            },
+            {
+                $group: {
+                    _id: '$secret',
+                    version: { $max: '$version' },
+                    versionId: { $max: '$_id' } // id of latest secret version
+                }
+            },
+            {
+                $sort: { version: -1 }
+            }
+            ])
+            .exec());
+            
+    } catch (err) {
+        Sentry.setUser(null);
+		Sentry.captureException(err);
+        throw new Error('Failed to get latest secret versions');
+    }
+    
+    return latestSecretVersionIds;
+}
+
+/**
+ * Return latest [n] secret versions for secrets with ids [secretIds]
+ * @param {Object} obj
+ * @param {Object} obj.secretIds = ids of secrets to get latest versions for
+ * @param {Number} obj.n - number of latest secret versions to return for each secret
+ * @returns 
+ */
+const getLatestNSecretSecretVersionIds = async ({
+    secretIds,
+    n
+}: {
+    secretIds: Types.ObjectId[];
+    n: number;
+}) => {
+    
+    // TODO: optimize query
+    let latestNSecretVersions;
+    try {
+        latestNSecretVersions = (await SecretVersion.aggregate([
+            {
+                $match: {
+                secret: {
+                    $in: secretIds,
+                },
+                },
+            },
+            {
+                $sort: { version: -1 },
+            },
+            {
+                $group: {
+                _id: "$secret",
+                versions: { $push: "$$ROOT" },
+                },
+            },
+            {
+                $project: {
+                _id: 0,
+                secret: "$_id",
+                versions: { $slice: ["$versions", n] },
+                },
+            }
+        ]));
+    } catch (err) {
+        Sentry.setUser(null);
+		Sentry.captureException(err);
+        throw new Error('Failed to get latest n secret versions');
+    }
+    
+    return latestNSecretVersions;
+}
+
+export {
+    getLatestSecretVersionIds,
+    getLatestNSecretSecretVersionIds
+}
--- a/backend/src/ee/middleware/index.ts
+++ b/backend/src/ee/middleware/index.ts
@ -0,0 +1,7 @@
+import requireLicenseAuth from './requireLicenseAuth';
+import requireSecretSnapshotAuth from './requireSecretSnapshotAuth';
+
+export {
+    requireLicenseAuth,
+    requireSecretSnapshotAuth
+}
--- a/backend/src/ee/middleware/requireSecretSnapshotAuth.ts
+++ b/backend/src/ee/middleware/requireSecretSnapshotAuth.ts
@ -0,0 +1,47 @@
+import { Request, Response, NextFunction } from 'express';
+import { UnauthorizedRequestError, SecretSnapshotNotFoundError } from '../../utils/errors';
+import { SecretSnapshot } from '../models';
+import {
+    validateMembership
+} from '../../helpers/membership';
+
+/**
+ * Validate if user on request has proper membership for secret snapshot
+ * @param {Object} obj
+ * @param {String[]} obj.acceptedRoles - accepted workspace roles
+ * @param {String[]} obj.acceptedStatuses - accepted workspace statuses
+ * @param {String[]} obj.location - location of [workspaceId] on request (e.g. params, body) for parsing
+ */
+const requireSecretSnapshotAuth = ({
+    acceptedRoles,
+}: {
+    acceptedRoles: string[];
+}) => {
+    return async (req: Request, res: Response, next: NextFunction) => {
+        try {
+            const { secretSnapshotId } = req.params;
+            
+            const secretSnapshot = await SecretSnapshot.findById(secretSnapshotId);
+            
+            if (!secretSnapshot) {
+                return next(SecretSnapshotNotFoundError({
+                    message: 'Failed to find secret snapshot'
+                }));
+            }
+            
+            await validateMembership({
+                userId: req.user._id.toString(),
+                workspaceId: secretSnapshot.workspace.toString(),
+                acceptedRoles
+            });
+            
+            req.secretSnapshot = secretSnapshot as any;
+
+            next();
+        } catch (err) {
+            return next(UnauthorizedRequestError({ message: 'Unable to authenticate secret snapshot' }));
+        }
+    }
+}
+
+export default requireSecretSnapshotAuth;
--- a/backend/src/ee/models/action.ts
+++ b/backend/src/ee/models/action.ts
@ -0,0 +1,46 @@
+import { Schema, model, Types } from 'mongoose';
+
+export interface IAction {
+    name: string;
+    user?: Types.ObjectId,
+    workspace?: Types.ObjectId,
+    payload: {
+        secretVersions?: Types.ObjectId[]
+    }
+}
+
+const actionSchema = new Schema<IAction>(
+    {
+        name: {
+            type: String,
+            required: true
+        },
+        user: {
+            type: Schema.Types.ObjectId,
+            ref: 'User',
+            required: true
+        },
+        workspace: {
+            type: Schema.Types.ObjectId,
+            ref: 'Workspace'
+        },
+        payload: {
+            secretVersions: [{
+                oldSecretVersion: {
+                    type: Schema.Types.ObjectId,
+                    ref: 'SecretVersion'
+                },
+                newSecretVersion: {
+                    type: Schema.Types.ObjectId,
+                    ref: 'SecretVersion'
+                }
+            }]
+        }
+    }, {
+        timestamps: true
+    }
+);
+
+const Action = model<IAction>('Action', actionSchema);
+
+export default Action;
--- a/backend/src/ee/models/index.ts
+++ b/backend/src/ee/models/index.ts
@ -1,9 +1,15 @@
-import SecretSnapshot, { ISecretSnapshot } from "./secretSnapshot";
-import SecretVersion, { ISecretVersion } from "./secretVersion";
+import SecretSnapshot, { ISecretSnapshot } from './secretSnapshot';
+import SecretVersion, { ISecretVersion } from './secretVersion';
+import Log, { ILog } from './log';
+import Action, { IAction } from './action';

 export {
    SecretSnapshot,
    ISecretSnapshot,
    SecretVersion,
-    ISecretVersion
+    ISecretVersion,
+    Log,
+    ILog,
+    Action,
+    IAction
 }
--- a/backend/src/ee/models/log.ts
+++ b/backend/src/ee/models/log.ts
@ -0,0 +1,59 @@
+import { Schema, model, Types } from 'mongoose';
+import {
+    ACTION_ADD_SECRETS,
+    ACTION_UPDATE_SECRETS,
+    ACTION_READ_SECRETS,
+    ACTION_DELETE_SECRETS
+} from '../../variables';
+
+export interface ILog {
+    _id: Types.ObjectId;
+    user?: Types.ObjectId;
+    workspace?: Types.ObjectId;
+    actionNames: string[];
+    actions: Types.ObjectId[];
+    channel: string;
+    ipAddress?: string;
+}
+
+const logSchema = new Schema<ILog>(
+    {
+        user: {
+            type: Schema.Types.ObjectId,
+            ref: 'User'
+        },
+        workspace: {
+            type: Schema.Types.ObjectId,
+            ref: 'Workspace'
+        },
+        actionNames: {
+            type: [String],
+            enum: [
+                ACTION_ADD_SECRETS,
+                ACTION_UPDATE_SECRETS,
+                ACTION_READ_SECRETS,
+                ACTION_DELETE_SECRETS
+            ],
+            required: true
+        },
+        actions: [{
+            type: Schema.Types.ObjectId,
+            ref: 'Action',
+            required: true
+        }],
+        channel: { 
+            type: String,
+            enum: ['web', 'cli', 'auto'],
+            required: true
+        },
+        ipAddress: {
+            type: String
+        }
+    }, {
+        timestamps: true
+    }
+);
+
+const Log = model<ILog>('Log', logSchema);
+
+export default Log;
--- a/backend/src/ee/models/secretSnapshot.ts
+++ b/backend/src/ee/models/secretSnapshot.ts
@ -1,31 +1,9 @@
 import { Schema, model, Types } from 'mongoose';
-import {
-	SECRET_SHARED,
-	SECRET_PERSONAL,
-	ENV_DEV,
-	ENV_TESTING,
-	ENV_STAGING,
-	ENV_PROD
-} from '../../variables';

 export interface ISecretSnapshot {
    workspace: Types.ObjectId;
    version: number;
-    secrets: {
-        version: number;
-        workspace: Types.ObjectId;
-        type: string;
-        user: Types.ObjectId;
-        environment: string;
-        secretKeyCiphertext: string;
-        secretKeyIV: string;
-        secretKeyTag: string;
-        secretKeyHash: string;
-        secretValueCiphertext: string;
-        secretValueIV: string;
-        secretValueTag: string;
-        secretValueHash: string;
-    }[]
+    secretVersions: Types.ObjectId[];
 }

 const secretSnapshotSchema = new Schema<ISecretSnapshot>(
@ -39,64 +17,10 @@ const secretSnapshotSchema = new Schema<ISecretSnapshot>(
            type: Number,
            required: true
        },
-        secrets: [{
-            version: {
-                type: Number,
-                default: 1,
-                required: true
-            },
-            workspace: {
-                type: Schema.Types.ObjectId,
-                ref: 'Workspace',
-                required: true
-            },
-            type: {
-                type: String,
-                enum: [SECRET_SHARED, SECRET_PERSONAL],
-                required: true
-            },
-            user: {
-                // user associated with the personal secret
-                type: Schema.Types.ObjectId,
-                ref: 'User'
-            },
-            environment: {
-                type: String,
-                enum: [ENV_DEV, ENV_TESTING, ENV_STAGING, ENV_PROD],
-                required: true
-            },
-            secretKeyCiphertext: {
-                type: String,
-                required: true
-            },
-            secretKeyIV: {
-                type: String, // symmetric
-                required: true
-            },
-            secretKeyTag: {
-                type: String, // symmetric
-                required: true
-            },
-            secretKeyHash: {
-                type: String,
-                required: true
-            },
-            secretValueCiphertext: {
-                type: String,
-                required: true
-            },
-            secretValueIV: {
-                type: String, // symmetric
-                required: true
-            },
-            secretValueTag: {
-                type: String, // symmetric
-                required: true
-            },
-            secretValueHash: {
-                type: String,
-                required: true
-            }
+        secretVersions: [{
+            type: Schema.Types.ObjectId,
+            ref: 'SecretVersion',
+            required: true
        }]
    },
    {
--- a/backend/src/ee/models/secretVersion.ts
+++ b/backend/src/ee/models/secretVersion.ts
@ -1,11 +1,23 @@
 import { Schema, model, Types } from 'mongoose';
+import {
+	SECRET_SHARED,
+	SECRET_PERSONAL,
+	ENV_DEV,
+	ENV_TESTING,
+	ENV_STAGING,
+	ENV_PROD
+} from '../../variables';

 export interface ISecretVersion {
-    _id?: Types.ObjectId;
-    secret: Types.ObjectId;
-    version: number;
-    isDeleted: boolean;
-    secretKeyCiphertext: string;
+	_id: Types.ObjectId;
+	secret: Types.ObjectId;
+	version: number;
+	workspace: Types.ObjectId; // new
+	type: string; // new
+	user: Types.ObjectId; // new
+	environment: string; // new
+	isDeleted: boolean;
+	secretKeyCiphertext: string;
 	secretKeyIV: string;
 	secretKeyTag: string;
 	secretKeyHash: string;
@ -16,23 +28,43 @@ export interface ISecretVersion {
 }

 const secretVersionSchema = new Schema<ISecretVersion>(
-    {
-        secret: { // could be deleted
-            type: Schema.Types.ObjectId,
-            ref: 'Secret',
-            required: true
-        },
-        version: {
-            type: Number,
-            default: 1,
-            required: true
-        },
-        isDeleted: {
-            type: Boolean,
-            default: false,
-            required: true
-        },
-        secretKeyCiphertext: {
+	{
+		secret: { // could be deleted
+			type: Schema.Types.ObjectId,
+			ref: 'Secret',
+			required: true
+		},
+		version: {
+			type: Number,
+			default: 1,
+			required: true
+		},
+		workspace: {
+			type: Schema.Types.ObjectId,
+			ref: 'Workspace',
+			required: true
+		},
+		type: {
+			type: String,
+			enum: [SECRET_SHARED, SECRET_PERSONAL],
+			required: true
+		},
+		user: {
+			// user associated with the personal secret
+			type: Schema.Types.ObjectId,
+			ref: 'User'
+		},
+		environment: {
+			type: String,
+			enum: [ENV_DEV, ENV_TESTING, ENV_STAGING, ENV_PROD],
+			required: true
+		},
+		isDeleted: { // consider removing field
+			type: Boolean,
+			default: false,
+			required: true
+		},
+		secretKeyCiphertext: {
 			type: String,
 			required: true
 		},
@ -45,8 +77,7 @@ const secretVersionSchema = new Schema<ISecretVersion>(
 			required: true
 		},
 		secretKeyHash: {
-			type: String,
-			required: true
+			type: String
 		},
 		secretValueCiphertext: {
 			type: String,
@ -61,13 +92,12 @@ const secretVersionSchema = new Schema<ISecretVersion>(
 			required: true
 		},
 		secretValueHash: {
-			type: String,
-			required: true
+			type: String
 		}
-    },
-    {
-        timestamps: true
-    }
+	},
+	{
+		timestamps: true
+	}
 );

 const SecretVersion = model<ISecretVersion>('SecretVersion', secretVersionSchema);
--- a/backend/src/ee/routes/index.ts
+++ b/backend/src/ee/routes/index.ts
@ -1,7 +0,0 @@
-import secret from './secret';
-import workspace from './workspace';
-
-export {
-    secret,
-    workspace
-}
--- a/backend/src/ee/routes/secret.ts
+++ b/backend/src/ee/routes/secret.ts
@ -1,26 +0,0 @@
-import express from 'express';
-const router = express.Router();
-import {
-    requireAuth,
-    requireWorkspaceAuth,
-    validateRequest
-} from '../../middleware';
-import { body, query, param } from 'express-validator';
-import { secretController } from '../controllers';
-import { ADMIN, MEMBER, COMPLETED, GRANTED } from '../../variables';
-
-router.get(
-	'/:secretId/secret-versions',
-	requireAuth,
-	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER],
-		acceptedStatuses: [COMPLETED, GRANTED]
-	}),
-	param('secretId').exists().trim(),
-	query('offset').exists().isInt(),
-	query('limit').exists().isInt(),
-	validateRequest,
-	secretController.getSecretVersions
-);
-
-export default router;
--- a/backend/src/ee/routes/v1/action.ts
+++ b/backend/src/ee/routes/v1/action.ts
@ -0,0 +1,17 @@
+import express from 'express';
+const router = express.Router();
+import {
+    validateRequest
+} from '../../../middleware';
+import { param } from 'express-validator';
+import { actionController } from '../../controllers/v1';
+
+// TODO: put into action controller
+router.get(
+    '/:actionId',
+    param('actionId').exists().trim(),
+    validateRequest,
+    actionController.getAction
+);
+
+export default router;
--- a/backend/src/ee/routes/v1/index.ts
+++ b/backend/src/ee/routes/v1/index.ts
@ -0,0 +1,11 @@
+import secret from './secret';
+import secretSnapshot from './secretSnapshot';
+import workspace from './workspace';
+import action from './action';
+
+export {
+    secret,
+    secretSnapshot,
+    workspace,
+    action
+}
--- a/backend/src/ee/routes/v1/secret.ts
+++ b/backend/src/ee/routes/v1/secret.ts
@ -0,0 +1,40 @@
+import express from 'express';
+const router = express.Router();
+import {
+    requireAuth,
+	requireSecretAuth,
+    validateRequest
+} from '../../../middleware';
+import { query, param, body } from 'express-validator';
+import { secretController } from '../../controllers/v1';
+import { ADMIN, MEMBER } from '../../../variables';
+
+router.get(
+	'/:secretId/secret-versions',
+	requireAuth({
+		acceptedAuthModes: ['jwt']
+	}),
+	requireSecretAuth({
+		acceptedRoles: [ADMIN, MEMBER]
+	}),
+	param('secretId').exists().trim(),
+	query('offset').exists().isInt(),
+	query('limit').exists().isInt(),
+	validateRequest,
+	secretController.getSecretVersions
+);
+
+router.post(
+	'/:secretId/secret-versions/rollback',
+	requireAuth({
+		acceptedAuthModes: ['jwt']
+	}),
+	requireSecretAuth({
+		acceptedRoles: [ADMIN, MEMBER]
+	}),
+	param('secretId').exists().trim(),
+	body('version').exists().isInt(),
+	secretController.rollbackSecretVersion
+);
+
+export default router;
--- a/backend/src/ee/routes/v1/secretSnapshot.ts
+++ b/backend/src/ee/routes/v1/secretSnapshot.ts
@ -0,0 +1,27 @@
+import express from 'express';
+const router = express.Router();
+import {
+    requireSecretSnapshotAuth
+} from '../../middleware';
+import {
+    requireAuth,
+    validateRequest
+} from '../../../middleware';
+import { param, body } from 'express-validator';
+import { ADMIN, MEMBER } from '../../../variables';
+import { secretSnapshotController } from '../../controllers/v1';
+
+router.get(
+    '/:secretSnapshotId',
+    requireAuth({
+		acceptedAuthModes: ['jwt']
+	}),
+    requireSecretSnapshotAuth({
+        acceptedRoles: [ADMIN, MEMBER]
+    }),
+    param('secretSnapshotId').exists().trim(),
+    validateRequest,
+    secretSnapshotController.getSecretSnapshot
+);
+
+export default router;
--- a/backend/src/ee/routes/v1/stripe.ts
+++ b/backend/src/ee/routes/v1/stripe.ts
@ -1,6 +1,6 @@
 import express from 'express';
 const router = express.Router();
-import { stripeController } from '../controllers';
+import { stripeController } from '../../controllers/v1';

 router.post('/webhook', stripeController.handleWebhook);

--- a/backend/src/ee/routes/v1/workspace.ts
+++ b/backend/src/ee/routes/v1/workspace.ts
@ -0,0 +1,72 @@
+import express from 'express';
+const router = express.Router();
+import {
+	requireAuth,
+	requireWorkspaceAuth,
+	validateRequest
+} from '../../../middleware';
+import { param, query, body } from 'express-validator';
+import { ADMIN, MEMBER } from '../../../variables';
+import { workspaceController } from '../../controllers/v1';
+
+router.get(
+	'/:workspaceId/secret-snapshots',
+	requireAuth({
+		acceptedAuthModes: ['jwt']
+	}),
+	requireWorkspaceAuth({
+		acceptedRoles: [ADMIN, MEMBER]
+	}),
+	param('workspaceId').exists().trim(),
+	query('offset').exists().isInt(),
+	query('limit').exists().isInt(),
+	validateRequest,
+	workspaceController.getWorkspaceSecretSnapshots
+);
+
+router.get(
+	'/:workspaceId/secret-snapshots/count',
+	requireAuth({
+		acceptedAuthModes: ['jwt']
+	}),
+	requireWorkspaceAuth({
+		acceptedRoles: [ADMIN, MEMBER]
+	}),
+	param('workspaceId').exists().trim(),
+	validateRequest,
+	workspaceController.getWorkspaceSecretSnapshotsCount
+);
+
+router.post(
+	'/:workspaceId/secret-snapshots/rollback',
+	requireAuth({
+		acceptedAuthModes: ['jwt']
+	}),
+	requireWorkspaceAuth({
+		acceptedRoles: [ADMIN, MEMBER]
+	}),
+	param('workspaceId').exists().trim(),
+	body('version').exists().isInt(),
+	validateRequest,
+	workspaceController.rollbackWorkspaceSecretSnapshot
+);
+
+router.get(
+	'/:workspaceId/logs',
+	requireAuth({
+		acceptedAuthModes: ['jwt']
+	}),
+	requireWorkspaceAuth({
+		acceptedRoles: [ADMIN, MEMBER]
+	}),
+	param('workspaceId').exists().trim(),
+	query('offset').exists().isInt(),
+	query('limit').exists().isInt(),
+	query('sortBy'),
+	query('userId'),
+	query('actionNames'),
+	validateRequest,
+	workspaceController.getWorkspaceLogs
+);
+
+export default router;
--- a/backend/src/ee/routes/workspace.ts
+++ b/backend/src/ee/routes/workspace.ts
@ -1,27 +0,0 @@
-import express from 'express';
-const router = express.Router();
-import {
-	requireAuth,
-	requireWorkspaceAuth,
-	validateRequest
-} from '../../middleware';
-import { param, query } from 'express-validator';
-import { ADMIN, MEMBER, GRANTED } from '../../variables';
-import { workspaceController } from '../controllers';
-
-router.get(
-	'/:workspaceId/secret-snapshots',
-	requireAuth,
-	requireWorkspaceAuth({
-		acceptedRoles: [ADMIN, MEMBER],
-		acceptedStatuses: [GRANTED]
-	}),
-	param('workspaceId').exists().trim(),
-	query('offset').exists().isInt(),
-	query('limit').exists().isInt(),
-	validateRequest,
-	workspaceController.getWorkspaceSecretSnapshots
-);
-
-
-export default router;
--- a/backend/src/ee/services/EELogService.ts
+++ b/backend/src/ee/services/EELogService.ts
@ -0,0 +1,81 @@
+import { Types } from 'mongoose';
+import { 
+    Log,
+    Action,
+    IAction
+} from '../models';
+import {
+    createLogHelper
+} from '../helpers/log';
+import {
+    createActionSecretHelper
+} from '../helpers/action';
+import EELicenseService from './EELicenseService';
+
+/**
+ * Class to handle Enterprise Edition log actions
+ */
+class EELogService {
+    /**
+     * Create an (audit) log
+     * @param {Object} obj
+     * @param {String} obj.userId - id of user associated with the log
+     * @param {String} obj.workspaceId - id of workspace associated with the log
+     * @param {Action} obj.actions - actions to include in log
+     * @param {String} obj.channel - channel (web/cli/auto) associated with the log
+     * @param {String} obj.ipAddress - ip address associated with the log
+     * @returns {Log} log - new audit log
+     */
+    static async createLog({
+        userId,
+        workspaceId,
+        actions,
+        channel,
+        ipAddress
+    }: {
+        userId: string;
+        workspaceId: string;
+        actions: IAction[];
+        channel: string;
+        ipAddress: string;
+    }) {
+        if (!EELicenseService.isLicenseValid) return null;
+        return await createLogHelper({
+            userId,
+            workspaceId,
+            actions,
+            channel,
+            ipAddress
+        })
+    }
+    
+    /**
+     * Create an (audit) action for secrets including
+     * add, delete, update, and read actions.
+     * @param {Object} obj
+     * @param {String} obj.name - name of action
+     * @param {ObjectId[]} obj.secretIds - secret ids
+     * @returns {Action} action - new action
+     */
+    static async createActionSecret({
+        name,
+        userId,
+        workspaceId,
+        secretIds
+    }: {
+        name: string;
+        userId: string;
+        workspaceId: string;
+        secretIds: Types.ObjectId[];
+    }) {
+        if (!EELicenseService.isLicenseValid) return null; 
+        return await createActionSecretHelper({
+            name,
+            userId,
+            workspaceId,
+            secretIds
+        });
+    }
+}
+
+export default EELogService;
--- a/backend/src/ee/services/EESecretService.ts
+++ b/backend/src/ee/services/EESecretService.ts
@ -1,7 +1,10 @@
+import { Types } from 'mongoose';
 import { ISecretVersion } from '../models';
 import { 
    takeSecretSnapshotHelper,
-    addSecretVersionsHelper
+    addSecretVersionsHelper,
+    markDeletedSecretVersionsHelper,
+    initSecretVersioningHelper
 } from '../helpers/secret';
 import EELicenseService from './EELicenseService';

@ -11,12 +14,13 @@ import EELicenseService from './EELicenseService';
 class EESecretService {
    
    /**
-     * Save a copy of the current state of secrets in workspace with id
+     * Save a secret snapshot that is a copy of the current state of secrets in workspace with id
     * [workspaceId] under a new snapshot with incremented version under the
     * SecretSnapshot collection.
     * Requires a valid license key [licenseKey]
     * @param {Object} obj
     * @param {String} obj.workspaceId
+     * @returns {SecretSnapshot} secretSnapshot - new secret snpashot
     */
    static async takeSecretSnapshot({
        workspaceId
@ -24,13 +28,14 @@ class EESecretService {
        workspaceId: string;
    }) {
        if (!EELicenseService.isLicenseValid) return;
-        await takeSecretSnapshotHelper({ workspaceId });
+        return await takeSecretSnapshotHelper({ workspaceId });
    }
    
    /**
-     * Adds secret versions [secretVersions] to the SecretVersion collection.
+     * Add secret versions [secretVersions] to the SecretVersion collection.
     * @param {Object} obj
-     * @param {SecretVersion} obj.secretVersions
+     * @param {Object[]} obj.secretVersions
+     * @returns {SecretVersion[]} newSecretVersions - new secret versions
     */
    static async addSecretVersions({
        secretVersions
@ -38,10 +43,36 @@ class EESecretService {
        secretVersions: ISecretVersion[];
    }) {
        if (!EELicenseService.isLicenseValid) return;
-        await addSecretVersionsHelper({
+        return await addSecretVersionsHelper({
            secretVersions
        });
    }
+
+    /**
+     * Mark secret versions associated with secrets with ids [secretIds]
+     * as deleted.
+     * @param {Object} obj
+     * @param {ObjectId[]} obj.secretIds - secret ids
+     */
+    static async markDeletedSecretVersions({
+        secretIds
+    }: {
+        secretIds: Types.ObjectId[];
+    }) {
+        if (!EELicenseService.isLicenseValid) return;
+        await markDeletedSecretVersionsHelper({
+            secretIds
+        });
+    }
+    
+    /**
+     * Initialize secret versioning by setting previously unversioned
+     * secrets to version 1 and begin populating secret versions.
+     */
+    static async initSecretVersioning() {
+        if (!EELicenseService.isLicenseValid) return; 
+        await initSecretVersioningHelper();
+    }
 }

 export default EESecretService;
--- a/backend/src/ee/services/index.ts
+++ b/backend/src/ee/services/index.ts
@ -1,7 +1,9 @@
 import EELicenseService from "./EELicenseService";
 import EESecretService from "./EESecretService";
+import EELogService from "./EELogService";

 export {
    EELicenseService,
-    EESecretService
+    EESecretService,
+    EELogService
 }
--- a/backend/src/ee/variables.ts
+++ b/backend/src/ee/variables.ts
--- a/backend/src/events/secret.ts
+++ b/backend/src/events/secret.ts
@ -1,4 +1,7 @@
-import { EVENT_PUSH_SECRETS } from '../variables';
+import { 
+    EVENT_PUSH_SECRETS, 
+    EVENT_PULL_SECRETS 
+} from '../variables';

 interface PushSecret {
 	ciphertextKey: string;
@ -19,7 +22,7 @@ interface PushSecret {
 * @returns 
 */
 const eventPushSecrets = ({
-    workspaceId,
+    workspaceId
 }: {
    workspaceId: string;
 }) => {
@ -32,6 +35,26 @@ const eventPushSecrets = ({
    });
 }

+/**
+ * Return event for pulling secrets
+ * @param {Object} obj
+ * @param {String} obj.workspaceId - id of workspace to pull secrets from
+ * @returns 
+ */
+const eventPullSecrets = ({
+    workspaceId,
+}: {
+    workspaceId: string;
+}) => {
+    return ({
+        name: EVENT_PULL_SECRETS,
+        workspaceId,
+        payload: {
+
+        }
+    });
+}
+
 export {
    eventPushSecrets
 }
--- a/backend/src/helpers/auth.ts
+++ b/backend/src/helpers/auth.ts
@ -1,7 +1,10 @@
 import jwt from 'jsonwebtoken';
 import * as Sentry from '@sentry/node';
+import bcrypt from 'bcrypt';
 import {
-	User
+	User,
+	ServiceTokenData,
+	APIKeyData
 } from '../models';
 import {
 	JWT_AUTH_LIFETIME,
@ -9,6 +12,179 @@ import {
 	JWT_REFRESH_LIFETIME,
 	JWT_REFRESH_SECRET
 } from '../config';
+import {
+	AccountNotFoundError,
+	ServiceTokenDataNotFoundError,
+	APIKeyDataNotFoundError,
+	UnauthorizedRequestError
+} from '../utils/errors';
+
+// TODO 1: check if API key works
+// TODO 2: optimize middleware
+
+/**
+ * Validate that auth token value [authTokenValue] falls under one of
+ * accepted auth modes [acceptedAuthModes].
+ * @param {Object} obj
+ * @param {String} obj.authTokenValue - auth token value (e.g. JWT or service token value)
+ * @param {String[]} obj.acceptedAuthModes - accepted auth modes (e.g. jwt, serviceToken)
+ * @returns {String} authMode - auth mode
+ */
+const validateAuthMode = ({
+	authTokenValue,
+	acceptedAuthModes
+}: {
+	authTokenValue: string;
+	acceptedAuthModes: string[];
+}) => {
+	let authMode;
+	try {
+		switch (authTokenValue.split('.', 1)[0]) {
+			case 'st':
+				authMode = 'serviceToken';
+				break;
+			case 'ak':
+				authMode = 'apiKey';
+				break;
+			default:
+				authMode = 'jwt';
+				break;
+		}
+		
+		if (!acceptedAuthModes.includes(authMode)) 
+			throw UnauthorizedRequestError({ message: 'Failed to authenticated auth mode' });
+
+	} catch (err) {
+		throw UnauthorizedRequestError({ message: 'Failed to authenticated auth mode' });
+	}
+	
+	return authMode;
+}
+
+/**
+ * Return user payload corresponding to JWT token [authTokenValue]
+ * @param {Object} obj
+ * @param {String} obj.authTokenValue - JWT token value
+ * @returns {User} user - user corresponding to JWT token
+ */
+const getAuthUserPayload = async ({
+	authTokenValue
+}: {
+	authTokenValue: string;
+}) => {
+	let user;
+	try {
+		const decodedToken = <jwt.UserIDJwtPayload>(
+			jwt.verify(authTokenValue, JWT_AUTH_SECRET)
+		);
+
+		user = await User.findOne({
+			_id: decodedToken.userId
+		}).select('+publicKey');
+
+		if (!user) throw AccountNotFoundError({ message: 'Failed to find User' });
+
+		if (!user?.publicKey) throw UnauthorizedRequestError({ message: 'Failed to authenticate User with partially set up account' });
+
+	} catch (err) {
+		throw UnauthorizedRequestError({
+			message: 'Failed to authenticate JWT token'
+		});
+	}
+	
+	return user;
+}
+
+/**
+ * Return service token data payload corresponding to service token [authTokenValue]
+ * @param {Object} obj
+ * @param {String} obj.authTokenValue - service token value
+ * @returns {ServiceTokenData} serviceTokenData - service token data
+ */
+const getAuthSTDPayload = async ({
+	authTokenValue
+}: {
+	authTokenValue: string;
+}) => {
+	let serviceTokenData;
+	try {
+		const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
+
+		// TODO: optimize double query
+		serviceTokenData = await ServiceTokenData
+			.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt');
+		
+		if (!serviceTokenData) {
+			throw ServiceTokenDataNotFoundError({ message: 'Failed to find service token data' });
+		} else if (serviceTokenData?.expiresAt && new Date(serviceTokenData.expiresAt) < new Date()) {
+			// case: service token expired
+			await ServiceTokenData.findByIdAndDelete(serviceTokenData._id);
+			throw UnauthorizedRequestError({
+				message: 'Failed to authenticate expired service token'
+			});
+		}
+
+		const isMatch = await bcrypt.compare(TOKEN_SECRET, serviceTokenData.secretHash);
+		if (!isMatch) throw UnauthorizedRequestError({
+			message: 'Failed to authenticate service token'
+		});
+
+		serviceTokenData = await ServiceTokenData
+			.findById(TOKEN_IDENTIFIER)
+			.select('+encryptedKey +iv +tag');
+
+	} catch (err) {
+		throw UnauthorizedRequestError({
+			message: 'Failed to authenticate service token'
+		});
+	}
+	
+	return serviceTokenData;
+}
+
+/**
+ * Return API key data payload corresponding to API key [authTokenValue]
+ * @param {Object} obj
+ * @param {String} obj.authTokenValue - API key value
+ * @returns {APIKeyData} apiKeyData - API key data
+ */
+const getAuthAPIKeyPayload = async ({
+	authTokenValue
+}: {
+	authTokenValue: string;
+}) => {
+	let user;
+	try {
+		const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split('.', 3);
+		
+		const apiKeyData = await APIKeyData
+			.findById(TOKEN_IDENTIFIER, '+secretHash +expiresAt')
+			.populate('user', '+publicKey');
+		
+		if (!apiKeyData) {
+			throw APIKeyDataNotFoundError({ message: 'Failed to find API key data' });
+		} else if (apiKeyData?.expiresAt && new Date(apiKeyData.expiresAt) < new Date()) {
+			// case: API key expired
+			await APIKeyData.findByIdAndDelete(apiKeyData._id);
+			throw UnauthorizedRequestError({
+				message: 'Failed to authenticate expired API key'
+			});
+		}
+
+		const isMatch = await bcrypt.compare(TOKEN_SECRET, apiKeyData.secretHash);
+		if (!isMatch) throw UnauthorizedRequestError({
+			message: 'Failed to authenticate API key'
+		});
+		
+		user = apiKeyData.user;
+	} catch (err) {
+		throw UnauthorizedRequestError({
+			message: 'Failed to authenticate API key'
+		});
+	}
+	
+	return user;
+}

 /**
 * Return newly issued (JWT) auth and refresh tokens to user with id [userId]
@ -99,4 +275,12 @@ const createToken = ({
 	}
 };

-export { createToken, issueTokens, clearTokens };
+export { 
+	validateAuthMode,
+	getAuthUserPayload,
+	getAuthSTDPayload,
+	getAuthAPIKeyPayload,
+	createToken, 
+	issueTokens, 
+	clearTokens 
+};
--- a/backend/src/helpers/bot.ts
+++ b/backend/src/helpers/bot.ts
@ -12,7 +12,6 @@ import {
    decryptSymmetric,
    decryptAsymmetric
 } from '../utils/crypto';
-import { decryptSecrets } from '../helpers/secret';
 import { ENCRYPTION_KEY } from '../config';
 import { SECRET_SHARED } from '../variables';

@ -73,7 +72,7 @@ const getSecretsHelper = async ({
    try {
        const key = await getKey({ workspaceId });
        const secrets = await Secret.find({
-            workspaceId,
+            workspace: workspaceId,
            environment,
            type: SECRET_SHARED
        });
@ -85,7 +84,7 @@ const getSecretsHelper = async ({
                tag: secret.secretKeyTag,
                key
            });
-            
+
            const secretValue = decryptSymmetric({
                ciphertext: secret.secretValueCiphertext,
                iv: secret.secretValueIV,
--- a/backend/src/helpers/database.ts
+++ b/backend/src/helpers/database.ts
@ -0,0 +1,31 @@
+import mongoose from 'mongoose';
+import { ISecret, Secret } from '../models';
+import { EESecretService } from '../ee/services';
+import { getLogger } from '../utils/logger';
+
+/**
+ * Initialize database connection
+ * @param {Object} obj
+ * @param {String} obj.mongoURL - mongo connection string
+ * @returns 
+ */
+const initDatabaseHelper = async ({
+    mongoURL
+}: {
+    mongoURL: string;
+}) => {
+    try {
+        await mongoose.connect(mongoURL);
+        getLogger("database").info("Database connection established");
+        
+        await EESecretService.initSecretVersioning();
+    } catch (err) {
+        getLogger("database").error(`Unable to establish Database connection due to the error.\n${err}`);
+    }
+
+    return mongoose.connection;
+}
+
+export {
+    initDatabaseHelper
+}
--- a/backend/src/helpers/membership.ts
+++ b/backend/src/helpers/membership.ts
@ -3,7 +3,7 @@ import { Membership, Key } from '../models';

 /**
 * Validate that user with id [userId] is a member of workspace with id [workspaceId]
- * and has at least one of the roles in [acceptedRoles] and statuses in [acceptedStatuses]
+ * and has at least one of the roles in [acceptedRoles]
 * @param {Object} obj
 * @param {String} obj.userId - id of user to validate
 * @param {String} obj.workspaceId - id of workspace
@ -12,12 +12,10 @@ const validateMembership = async ({
 	userId,
 	workspaceId,
 	acceptedRoles,
-	acceptedStatuses
 }: {
 	userId: string;
 	workspaceId: string;
 	acceptedRoles: string[];
-	acceptedStatuses: string[];
 }) => {
 	
 	let membership;
@ -26,18 +24,13 @@ const validateMembership = async ({
 		membership = await Membership.findOne({
 			user: userId,
 			workspace: workspaceId
-		});
+		}).populate("workspace");
 		
 		if (!membership) throw new Error('Failed to find membership');
 		
 		if (!acceptedRoles.includes(membership.role)) {
 			throw new Error('Failed to validate membership role');
 		}
-
-		if (!acceptedStatuses.includes(membership.status)) {
-			throw new Error('Failed to validate membership status');
-		}
-		
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
@ -72,18 +65,15 @@ const findMembership = async (queryObj: any) => {
 * @param {String[]} obj.userIds - id of users.
 * @param {String} obj.workspaceId - id of workspace.
 * @param {String[]} obj.roles - roles of users.
- * @param {String[]} obj.statuses - statuses of users.
 */
 const addMemberships = async ({
 	userIds,
 	workspaceId,
-	roles,
-	statuses
+	roles
 }: {
 	userIds: string[];
 	workspaceId: string;
 	roles: string[];
-	statuses: string[];
 }): Promise<void> => {
 	try {
 		const operations = userIds.map((userId, idx) => {
@ -92,14 +82,12 @@ const addMemberships = async ({
 					filter: {
 						user: userId,
 						workspace: workspaceId,
-						role: roles[idx],
-						status: statuses[idx]
+						role: roles[idx]
 					},
 					update: {
 						user: userId,
 						workspace: workspaceId,
-						role: roles[idx],
-						status: statuses[idx]
+						role: roles[idx]
 					},
 					upsert: true
 				}
--- a/backend/src/helpers/rateLimiter.ts
+++ b/backend/src/helpers/rateLimiter.ts
@ -3,10 +3,12 @@ import rateLimit from 'express-rate-limit';
 // 300 requests per 15 minutes
 const apiLimiter = rateLimit({
  windowMs: 15 * 60 * 1000,
-  max: 400,
+  max: 450,
  standardHeaders: true,
  legacyHeaders: false,
-  skip: (request) => request.path === '/healthcheck'
+  skip: (request) => {
+    return request.path === '/healthcheck' || request.path === '/api/status'
+  }
 });

 // 5 requests per hour
@ -20,7 +22,7 @@ const signupLimiter = rateLimit({
 // 10 requests per hour
 const loginLimiter = rateLimit({
  windowMs: 60 * 60 * 1000,
-  max: 20,
+  max: 25,
  standardHeaders: true,
  legacyHeaders: false
 });
--- a/backend/src/helpers/secret.ts
+++ b/backend/src/helpers/secret.ts
@ -1,22 +1,67 @@
 import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
 import {
 	Secret,
 	ISecret,
+	Membership
 } from '../models';
 import {
-	EESecretService
+	EESecretService,
+	EELogService
 } from '../ee/services';
 import {
-	SecretVersion
+	IAction
 } from '../ee/models';
-import {
-	takeSecretSnapshotHelper
-} from '../ee/helpers/secret';
-import { decryptSymmetric } from '../utils/crypto';
-import { SECRET_SHARED, SECRET_PERSONAL } from '../variables';
-import { LICENSE_KEY } from '../config';
+import { 
+	SECRET_SHARED, 
+	SECRET_PERSONAL,
+	ACTION_ADD_SECRETS,
+	ACTION_UPDATE_SECRETS,
+	ACTION_DELETE_SECRETS,
+	ACTION_READ_SECRETS
+} from '../variables';

-interface PushSecret {
+/**
+ * Validate that user with id [userId] can modify secrets with ids [secretIds]
+ * @param {Object} obj
+ * @param {Object} obj.userId - id of user to validate
+ * @param {Object} obj.secretIds - secret ids
+ * @returns {Secret[]} secrets
+ */
+const validateSecrets = async ({
+	userId,
+	secretIds
+}: {
+	userId: string;
+	secretIds: string[];
+}) =>{
+	let secrets;
+	try {
+		secrets = await Secret.find({
+			_id: {
+				$in: secretIds
+			}
+		});
+		
+		const workspaceIdsSet = new Set((await Membership.find({
+			user: userId
+		}, 'workspace'))
+		.map((m) => m.workspace.toString()));
+		
+		secrets.forEach((secret: ISecret) => {
+			if (!workspaceIdsSet.has(secret.workspace.toString())) {
+				throw new Error('Failed to validate secret');
+			}
+		});
+		
+	} catch (err) {
+		throw new Error('Failed to validate secrets');
+	}
+
+	return secrets;
+}
+
+interface V1PushSecret {
 	ciphertextKey: string;
 	ivKey: string;
 	tagKey: string;
@ -25,15 +70,33 @@ interface PushSecret {
 	ivValue: string;
 	tagValue: string;
 	hashValue: string;
+	ciphertextComment: string;
+	ivComment: string;
+	tagComment: string;
+	hashComment: string;
 	type: 'shared' | 'personal';
 }

+interface V2PushSecret {
+	type: string; // personal or shared
+	secretKeyCiphertext: string;
+	secretKeyIV: string;
+	secretKeyTag: string;
+	secretKeyHash: string;
+	secretValueCiphertext: string;
+	secretValueIV: string;
+	secretValueTag: string;
+	secretValueHash: string;
+	secretCommentCiphertext?: string;
+	secretCommentIV?: string;
+	secretCommentTag?: string;
+	secretCommentHash?: string;
+}
+
 interface Update {
 	[index: string]: any;
 }

-type DecryptSecretType = 'text' | 'object' | 'expanded';
-
 /**
 * Push secrets for user with id [userId] to workspace
 * with id [workspaceId] with environment [environment]. Follow steps:
@ -45,21 +108,21 @@ type DecryptSecretType = 'text' | 'object' | 'expanded';
 * @param {String} obj.environment - environment for secrets
 * @param {Object[]} obj.secrets - secrets to push
 */
-const pushSecrets = async ({
+const v1PushSecrets = async ({
 	userId,
 	workspaceId,
 	environment,
-	secrets
+	secrets,
 }: {
 	userId: string;
 	workspaceId: string;
 	environment: string;
-	secrets: PushSecret[];
+	secrets: V1PushSecret[];
 }): Promise<void> => {
 	// TODO: clean up function and fix up types
 	try {
 		// construct useful data structures
-		const oldSecrets = await pullSecrets({
+		const oldSecrets = await getSecrets({
 			userId,
 			workspaceId,
 			environment
@ -82,19 +145,18 @@ const pushSecrets = async ({
 			await Secret.deleteMany({
 				_id: { $in: toDelete }
 			});
-			
-			await SecretVersion.updateMany({
-				secret: { $in: toDelete }
-			}, {
-				isDeleted: true
+
+			await EESecretService.markDeletedSecretVersions({
+				secretIds: toDelete
 			});
 		}
 		
 		const toUpdate = oldSecrets
 			.filter((s) => {
 				if (`${s.type}-${s.secretKeyHash}` in newSecretsObj) {
-					if (s.secretValueHash !== newSecretsObj[`${s.type}-${s.secretKeyHash}`].hashValue) {
-						// case: filter secrets where value changed
+					if (s.secretValueHash !== newSecretsObj[`${s.type}-${s.secretKeyHash}`].hashValue 
+					|| s.secretCommentHash !== newSecretsObj[`${s.type}-${s.secretKeyHash}`].hashComment) {
+						// case: filter secrets where value or comment changed
 						return true;
 					}

@ -113,14 +175,22 @@ const pushSecrets = async ({
 					ciphertextValue,
 					ivValue,
 					tagValue,
-					hashValue
+					hashValue,
+					ciphertextComment,
+					ivComment,
+					tagComment,
+					hashComment
 				} = newSecretsObj[`${s.type}-${s.secretKeyHash}`];

 				const update: Update = {
 					secretValueCiphertext: ciphertextValue,
 					secretValueIV: ivValue,
 					secretValueTag: tagValue,
-					secretValueHash: hashValue
+					secretValueHash: hashValue,
+					secretCommentCiphertext: ciphertextComment,
+					secretCommentIV: ivComment,
+					secretCommentTag: tagComment,
+					secretCommentHash: hashComment,
 				}

 				if (!s.version) {
@ -158,8 +228,13 @@ const pushSecrets = async ({
 			}) => {
 				const newSecret = newSecretsObj[`${type}-${secretKeyHash}`];
 				return ({
+					_id: new Types.ObjectId(),
 					secret: _id,
 					version: version ? version + 1 : 1,
+					workspace: new Types.ObjectId(workspaceId),
+					type: newSecret.type,
+					user: new Types.ObjectId(userId),
+					environment,
 					isDeleted: false,
 					secretKeyCiphertext: newSecret.ciphertextKey,
 					secretKeyIV: newSecret.ivKey,
@ -192,7 +267,11 @@ const pushSecrets = async ({
 						secretValueCiphertext: s.ciphertextValue,
 						secretValueIV: s.ivValue,
 						secretValueTag: s.tagValue,
-						secretValueHash: s.hashValue
+						secretValueHash: s.hashValue,
+						secretCommentCiphertext: s.ciphertextComment,
+						secretCommentIV: s.ivComment,
+						secretCommentTag: s.tagComment,
+						secretCommentHash: s.hashComment
 					};

 					if (toAdd[idx].type === 'personal') {
@ -207,6 +286,11 @@ const pushSecrets = async ({
 			EESecretService.addSecretVersions({
 				secretVersions: newSecrets.map(({
 					_id,
+					version,
+					workspace,
+					type,
+					user,
+					environment,
 					secretKeyCiphertext,
 					secretKeyIV,
 					secretKeyTag,
@ -216,8 +300,13 @@ const pushSecrets = async ({
 					secretValueTag,
 					secretValueHash
 				}) => ({
+					_id: new Types.ObjectId(),
 					secret: _id,
-					version: 1,
+					version,
+					workspace,
+					type,
+					user,
+					environment,
 					isDeleted: false,
 					secretKeyCiphertext,
 					secretKeyIV,
@ -234,7 +323,7 @@ const pushSecrets = async ({
 		// (EE) take a secret snapshot
 		await EESecretService.takeSecretSnapshot({
 			workspaceId
-		})
+		});
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
@ -243,15 +332,235 @@ const pushSecrets = async ({
 };

 /**
- * Pull secrets for user with id [userId] for workspace
+ * Push secrets for user with id [userId] to workspace
+ * with id [workspaceId] with environment [environment]. Follow steps:
+ * 1. Handle shared secrets (insert, delete)
+ * 2. handle personal secrets (insert, delete)
+ * @param {Object} obj
+ * @param {String} obj.userId - id of user to push secrets for
+ * @param {String} obj.workspaceId - id of workspace to push to
+ * @param {String} obj.environment - environment for secrets
+ * @param {Object[]} obj.secrets - secrets to push
+ * @param {String} obj.channel - channel (web/cli/auto)
+ * @param {String} obj.ipAddress - ip address of request to push secrets
+ */
+ const v2PushSecrets = async ({
+	userId,
+	workspaceId,
+	environment,
+	secrets,
+	channel,
+	ipAddress
+}: {
+	userId: string;
+	workspaceId: string;
+	environment: string;
+	secrets: V2PushSecret[];
+	channel: string;
+	ipAddress: string;
+}): Promise<void> => {
+	// TODO: clean up function and fix up types
+	try {
+		const actions: IAction[] = [];
+		
+		// construct useful data structures
+		const oldSecrets = await getSecrets({
+			userId,
+			workspaceId,
+			environment
+		});
+		
+		const oldSecretsObj: any = oldSecrets.reduce((accumulator, s: any) => 
+			({ ...accumulator, [`${s.type}-${s.secretKeyHash}`]: s })
+		, {});
+		const newSecretsObj: any = secrets.reduce((accumulator, s) => 
+			({ ...accumulator, [`${s.type}-${s.secretKeyHash}`]: s })
+		, {});
+
+		// handle deleting secrets
+		const toDelete = oldSecrets
+			.filter(
+				(s: ISecret) => !(`${s.type}-${s.secretKeyHash}` in newSecretsObj)
+			)
+			.map((s) => s._id);
+		if (toDelete.length > 0) {
+			await Secret.deleteMany({
+				_id: { $in: toDelete }
+			});
+
+			await EESecretService.markDeletedSecretVersions({
+				secretIds: toDelete
+			});
+			
+			const deleteAction = await EELogService.createActionSecret({
+				name: ACTION_DELETE_SECRETS,
+				userId,
+				workspaceId,
+				secretIds: toDelete
+			});
+
+			deleteAction && actions.push(deleteAction);
+		}
+		
+		const toUpdate = oldSecrets
+			.filter((s) => {
+				if (`${s.type}-${s.secretKeyHash}` in newSecretsObj) {
+					if (s.secretValueHash !== newSecretsObj[`${s.type}-${s.secretKeyHash}`].secretValueHash 
+					|| s.secretCommentHash !== newSecretsObj[`${s.type}-${s.secretKeyHash}`].secretCommentHash) {
+						// case: filter secrets where value or comment changed
+						return true;
+					}
+
+					if (!s.version) {
+						// case: filter (legacy) secrets that were not versioned
+						return true;
+					}
+				}
+				
+				return false;
+			});
+
+		if (toUpdate.length > 0) {
+			const operations = toUpdate
+				.map((s) => {
+					const {
+						secretValueCiphertext,
+						secretValueIV,
+						secretValueTag,
+						secretValueHash,
+						secretCommentCiphertext,
+						secretCommentIV,
+						secretCommentTag,
+						secretCommentHash,
+					} = newSecretsObj[`${s.type}-${s.secretKeyHash}`];
+
+					const update: Update = {
+						secretValueCiphertext,
+						secretValueIV,
+						secretValueTag,
+						secretValueHash,
+						secretCommentCiphertext,
+						secretCommentIV,
+						secretCommentTag,
+						secretCommentHash,
+					}
+
+					if (!s.version) {
+						// case: (legacy) secret was not versioned
+						update.version = 1;
+					} else {
+						update['$inc'] = {
+							version: 1
+						}
+					}
+
+					if (s.type === SECRET_PERSONAL) {
+						// attach user associated with the personal secret
+						update['user'] = userId;
+					}
+
+					return {
+						updateOne: {
+							filter: {
+								_id: oldSecretsObj[`${s.type}-${s.secretKeyHash}`]._id
+							},
+							update
+						}
+					};
+				});
+			await Secret.bulkWrite(operations as any);
+			
+			// (EE) add secret versions for updated secrets
+			await EESecretService.addSecretVersions({
+				secretVersions: toUpdate.map((s) => {
+					return ({
+						...newSecretsObj[`${s.type}-${s.secretKeyHash}`],
+						secret: s._id,
+						version: s.version ? s.version + 1 : 1,
+						workspace: new Types.ObjectId(workspaceId),
+						user: s.user,
+						environment: s.environment,
+						isDeleted: false
+					})
+				}) 
+			});
+
+			const updateAction = await EELogService.createActionSecret({
+				name: ACTION_UPDATE_SECRETS,
+				userId,
+				workspaceId,
+				secretIds: toUpdate.map((u) => u._id)
+			});
+
+			updateAction && actions.push(updateAction);
+		}
+
+		// handle adding new secrets
+		const toAdd = secrets.filter((s) => !(`${s.type}-${s.secretKeyHash}` in oldSecretsObj));
+
+		if (toAdd.length > 0) {
+			// add secrets
+			const newSecrets = await Secret.insertMany(
+				toAdd.map((s, idx) => ({
+					...s,
+					version: 1,
+					workspace: workspaceId,
+					type: toAdd[idx].type,
+					environment,
+					...( toAdd[idx].type === 'personal' ? { user: userId } : {})
+				}))
+			);
+
+			// (EE) add secret versions for new secrets
+			EESecretService.addSecretVersions({
+				secretVersions: newSecrets.map((secretDocument) => { 
+					return {
+						...secretDocument.toObject(),
+						secret: secretDocument._id,
+						isDeleted: false
+				}})
+			});
+
+			const addAction = await EELogService.createActionSecret({
+				name: ACTION_ADD_SECRETS,
+				userId,
+				workspaceId,
+				secretIds: newSecrets.map((n) => n._id)
+			});
+			addAction && actions.push(addAction);
+		}
+		
+		// (EE) take a secret snapshot
+		await EESecretService.takeSecretSnapshot({
+			workspaceId
+		})
+
+		// (EE) create (audit) log
+		if (actions.length > 0) {
+			await EELogService.createLog({
+				userId,
+				workspaceId,
+				actions,
+				channel,
+				ipAddress
+			});
+		}
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to push shared and personal secrets');
+	}
+};
+
+/**
+ * Get secrets for user with id [userId] for workspace
 * with id [workspaceId] with environment [environment]
 * @param {Object} obj
 * @param {String} obj.userId -id of user to pull secrets for
 * @param {String} obj.workspaceId - id of workspace to pull from
 * @param {String} obj.environment - environment for secrets
- *
 */
-const pullSecrets = async ({
+ const getSecrets = async ({
 	userId,
 	workspaceId,
 	environment
@ -261,6 +570,7 @@ const pullSecrets = async ({
 	environment: string;
 }): Promise<ISecret[]> => {
 	let secrets: any; // TODO: FIX any
+	
 	try {
 		// get shared workspace secrets
 		const sharedSecrets = await Secret.find({
@ -288,9 +598,64 @@ const pullSecrets = async ({
 	return secrets;
 };

+/**
+ * Pull secrets for user with id [userId] for workspace
+ * with id [workspaceId] with environment [environment]
+ * @param {Object} obj
+ * @param {String} obj.userId -id of user to pull secrets for
+ * @param {String} obj.workspaceId - id of workspace to pull from
+ * @param {String} obj.environment - environment for secrets
+ * @param {String} obj.channel - channel (web/cli/auto)
+ * @param {String} obj.ipAddress - ip address of request to push secrets
+ */
+const pullSecrets = async ({
+	userId,
+	workspaceId,
+	environment,
+	channel,
+	ipAddress
+}: {
+	userId: string;
+	workspaceId: string;
+	environment: string;
+	channel: string;
+	ipAddress: string;
+}): Promise<ISecret[]> => {
+	let secrets: any;
+	
+	try {
+		secrets = await getSecrets({
+			userId,
+			workspaceId,
+			environment
+		})
+
+		const readAction = await EELogService.createActionSecret({
+			name: ACTION_READ_SECRETS,
+			userId,
+			workspaceId,
+			secretIds: secrets.map((n: any) => n._id)
+		});
+
+		readAction && await EELogService.createLog({
+			userId,
+			workspaceId,
+			actions: [readAction],
+			channel,
+			ipAddress
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		throw new Error('Failed to pull shared and personal secrets');
+	}
+
+	return secrets;
+};
+
 /**
 * Reformat output of pullSecrets() to be compatible with how existing
- * clients handle secrets
+ * web client handle secrets
 * @param {Object} obj
 * @param {Object} obj.secrets
 */
@ -315,6 +680,13 @@ const reformatPullSecrets = ({ secrets }: { secrets: ISecret[] }) => {
 				iv: s.secretValueIV,
 				tag: s.secretValueTag,
 				hash: s.secretValueHash
+			},
+			secretComment: {
+				workspace: s.workspace,
+				ciphertext: s.secretCommentCiphertext,
+				iv: s.secretCommentIV,
+				tag: s.secretCommentTag,
+				hash: s.secretCommentHash
 			}
 		}));
 	} catch (err) {
@ -326,73 +698,10 @@ const reformatPullSecrets = ({ secrets }: { secrets: ISecret[] }) => {
 	return reformatedSecrets;
 };

-/**
- * Return decrypted secrets in format [format]
- * @param {Object} obj
- * @param {Object[]} obj.secrets - array of (encrypted) secret key-value pair objects
- * @param {String} obj.key - symmetric key to decrypt secret key-value pairs
- * @param {String} obj.format - desired return format that is either "text," "object," or "expanded"
- * @return {String|Object} (decrypted) secrets also called the content
- */
-const decryptSecrets = ({
-	secrets,
-	key,
-	format
-}: {
-	secrets: PushSecret[];
-	key: string;
-	format: DecryptSecretType;
-}) => {
-	// init content
-	let content: any = format === 'text' ? '' : {};
-
-	// decrypt secrets
-	secrets.forEach((s, idx) => {
-		const secretKey = decryptSymmetric({
-			ciphertext: s.ciphertextKey,
-			iv: s.ivKey,
-			tag: s.tagKey,
-			key
-		});
-
-		const secretValue = decryptSymmetric({
-			ciphertext: s.ciphertextValue,
-			iv: s.ivValue,
-			tag: s.tagValue,
-			key
-		});
-
-		switch (format) {
-			case 'text':
-				content += secretKey;
-				content += '=';
-				content += secretValue;
-
-				if (idx < secrets.length) {
-					content += '\n';
-				}
-				break;
-			case 'object':
-				content[secretKey] = secretValue;
-				break;
-			case 'expanded':
-				content[secretKey] = {
-					...s,
-					plaintextKey: secretKey,
-					plaintextValue: secretValue
-				};
-				break;
-		}
-	});
-
-	return content;
-};
-
-
-
 export {
-	pushSecrets,
+	validateSecrets,
+	v1PushSecrets,
+	v2PushSecrets,
 	pullSecrets,
-	reformatPullSecrets,
-	decryptSecrets
+	reformatPullSecrets
 };
--- a/backend/src/helpers/signup.ts
+++ b/backend/src/helpers/signup.ts
@ -5,7 +5,7 @@ import { createOrganization } from './organization';
 import { addMembershipsOrg } from './membershipOrg';
 import { createWorkspace } from './workspace';
 import { addMemberships } from './membership';
-import { OWNER, ADMIN, ACCEPTED, GRANTED } from '../variables';
+import { OWNER, ADMIN, ACCEPTED } from '../variables';
 import { sendMail } from '../helpers/nodemailer';

 /**
@ -113,8 +113,7 @@ const initializeDefaultOrg = async ({
 		await addMemberships({
 			userIds: [user._id.toString()],
 			workspaceId: workspace._id.toString(),
-			roles: [ADMIN],
-			statuses: [GRANTED]
+			roles: [ADMIN]
 		});
 	} catch (err) {
 		throw new Error('Failed to initialize default organization and workspace');
--- a/backend/src/index.ts
+++ b/backend/src/index.ts
@ -4,12 +4,12 @@ dotenv.config();
 import * as Sentry from '@sentry/node';
 import { SENTRY_DSN, NODE_ENV, MONGO_URL } from './config';
 import { server } from './app';
-import { initDatabase } from './services/database';
+import { DatabaseService } from './services';
 import { setUpHealthEndpoint } from './services/health';
 import { initSmtp } from './services/smtp';
 import { setTransporter } from './helpers/nodemailer';

-initDatabase(MONGO_URL);
+DatabaseService.initDatabase(MONGO_URL);

 setUpHealthEndpoint(server);

--- a/backend/src/integrations/apps.ts
+++ b/backend/src/integrations/apps.ts
@ -9,14 +9,9 @@ import {
  INTEGRATION_GITHUB,
  INTEGRATION_HEROKU_API_URL,
  INTEGRATION_VERCEL_API_URL,
-  INTEGRATION_NETLIFY_API_URL,
-  INTEGRATION_GITHUB_API_URL
+  INTEGRATION_NETLIFY_API_URL
 } from '../variables';

-interface GitHubApp {
-  name: string;
-}
-
 /**
 * Return list of names of apps for integration named [integration]
 * @param {Object} obj
@ -47,6 +42,7 @@ const getApps = async ({
        break;
      case INTEGRATION_VERCEL:
        apps = await getAppsVercel({
+          integrationAuth,
          accessToken
        });
        break;
@ -110,17 +106,28 @@ const getAppsHeroku = async ({ accessToken }: { accessToken: string }) => {
 * @returns {Object[]} apps - names of Vercel apps
 * @returns {String} apps.name - name of Vercel app
 */
-const getAppsVercel = async ({ accessToken }: { accessToken: string }) => {
+const getAppsVercel = async ({ 
+  integrationAuth,
+  accessToken 
+}: { 
+  integrationAuth: IIntegrationAuth;
+  accessToken: string;
+}) => {
  let apps;
  try {
    const res = (
      await axios.get(`${INTEGRATION_VERCEL_API_URL}/v9/projects`, {
        headers: {
          Authorization: `Bearer ${accessToken}`
+        },
+       ...( integrationAuth?.teamId ? { 
+        params: {
+          teamId: integrationAuth.teamId
        }
+      } : {}) 
      })
    ).data;
-
+    
    apps = res.projects.map((a: any) => ({
      name: a.name
    }));
--- a/backend/src/integrations/exchange.ts
+++ b/backend/src/integrations/exchange.ts
@ -8,8 +8,7 @@ import {
  INTEGRATION_HEROKU_TOKEN_URL,
  INTEGRATION_VERCEL_TOKEN_URL,
  INTEGRATION_NETLIFY_TOKEN_URL,
-  INTEGRATION_GITHUB_TOKEN_URL,
-  INTEGRATION_GITHUB_API_URL
+  INTEGRATION_GITHUB_TOKEN_URL
 } from '../variables';
 import {
  SITE_URL,
@ -21,7 +20,6 @@ import {
  CLIENT_SECRET_NETLIFY,
  CLIENT_SECRET_GITHUB
 } from '../config';
-import { user } from '../routes';

 interface ExchangeCodeHerokuResponse {
  token_type: string;
--- a/backend/src/integrations/sync.ts
+++ b/backend/src/integrations/sync.ts
@ -12,14 +12,10 @@ import {
  INTEGRATION_GITHUB,
  INTEGRATION_HEROKU_API_URL,
  INTEGRATION_VERCEL_API_URL,
-  INTEGRATION_NETLIFY_API_URL,
-  INTEGRATION_GITHUB_API_URL
+  INTEGRATION_NETLIFY_API_URL
 } from '../variables';
 import { access, appendFile } from 'fs';

-// TODO: need a helper function in the future to handle integration
-// envar priorities (i.e. prioritize secrets within integration or those on Infisical)
-
 /**
 * Sync/push [secrets] to [app] in integration named [integration]
 * @param {Object} obj
@ -53,6 +49,7 @@ const syncSecrets = async ({
      case INTEGRATION_VERCEL:
        await syncSecretsVercel({
          integration,
+          integrationAuth,
          secrets,
          accessToken
        });
@ -139,10 +136,12 @@ const syncSecretsHeroku = async ({
 */
 const syncSecretsVercel = async ({
    integration,
+    integrationAuth,
    secrets,
    accessToken
 }: {
    integration: IIntegration,
+    integrationAuth: IIntegrationAuth,
    secrets: any;
    accessToken: string;
 }) => {
@ -158,9 +157,12 @@ const syncSecretsVercel = async ({
    try {
        // Get all (decrypted) secrets back from Vercel in
        // decrypted format
-        const params = new URLSearchParams({
-            decrypt: "true"
-        });
+        const params: { [key: string]: string } = {
+          decrypt: 'true',
+          ...( integrationAuth?.teamId ? { 
+            teamId: integrationAuth.teamId
+          } : {})   
+        }
        
        const res = (await Promise.all((await axios.get(
            `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env`, 
@ -177,10 +179,10 @@ const syncSecretsVercel = async ({
        .map(async (secret: VercelSecret) => (await axios.get(
                `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`,
                {
-                    headers: {
-                        Authorization: `Bearer ${accessToken}`
-                    }
-                    
+                  params,
+                  headers: {
+                      Authorization: `Bearer ${accessToken}`
+                  }
                }
            )).data)
        )).reduce((obj: any, secret: any) => ({
@ -236,9 +238,10 @@ const syncSecretsVercel = async ({
                `${INTEGRATION_VERCEL_API_URL}/v10/projects/${integration.app}/env`,
                newSecrets,
                {
-                    headers: {
-                        Authorization: `Bearer ${accessToken}`
-                    }
+                  params,
+                  headers: {
+                      Authorization: `Bearer ${accessToken}`
+                  }
                }
            );
        }
@ -254,9 +257,10 @@ const syncSecretsVercel = async ({
                    `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`,
                    updatedSecret,
                    {
-                        headers: {
-                            Authorization: `Bearer ${accessToken}` 
-                        }
+                      params,
+                      headers: {
+                          Authorization: `Bearer ${accessToken}` 
+                      }
                    }
                );
            });
@ -268,17 +272,18 @@ const syncSecretsVercel = async ({
                await axios.delete(
                    `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`,
                    {
-                        headers: {
-                            Authorization: `Bearer ${accessToken}`
-                        }
+                      params,
+                      headers: {
+                          Authorization: `Bearer ${accessToken}`
+                      }
                    }
                );
            });
        }
    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error('Failed to sync secrets to Vercel');
+      Sentry.setUser(null);
+      Sentry.captureException(err);
+      throw new Error('Failed to sync secrets to Vercel');
    }
 }

--- a/backend/src/middleware/index.ts
+++ b/backend/src/middleware/index.ts
@ -6,6 +6,9 @@ import requireOrganizationAuth from './requireOrganizationAuth';
 import requireIntegrationAuth from './requireIntegrationAuth';
 import requireIntegrationAuthorizationAuth from './requireIntegrationAuthorizationAuth';
 import requireServiceTokenAuth from './requireServiceTokenAuth';
+import requireServiceTokenDataAuth from './requireServiceTokenDataAuth';
+import requireSecretAuth from './requireSecretAuth';
+import requireSecretsAuth from './requireSecretsAuth';
 import validateRequest from './validateRequest';

 export {
@ -17,5 +20,8 @@ export {
 	requireIntegrationAuth,
 	requireIntegrationAuthorizationAuth,
 	requireServiceTokenAuth,
+	requireServiceTokenDataAuth,
+	requireSecretAuth,
+	requireSecretsAuth,
 	validateRequest
 };
--- a/backend/src/middleware/requestErrorHandler.ts
+++ b/backend/src/middleware/requestErrorHandler.ts
@ -4,26 +4,33 @@ import * as Sentry from '@sentry/node';
 import { InternalServerError } from "../utils/errors";
 import { getLogger } from "../utils/logger";
 import RequestError, { LogLevel } from "../utils/requestError";
+import { NODE_ENV } from "../config";


-export const requestErrorHandler: ErrorRequestHandler = (error: RequestError|Error, req, res, next) => {
-    if(res.headersSent) return next();
+export const requestErrorHandler: ErrorRequestHandler = (error: RequestError | Error, req, res, next) => {
+    if (res.headersSent) return next();
+    if (NODE_ENV !== "production") {
+        /* eslint-disable no-console */
+        console.log(error)
+        /* eslint-enable no-console */
+    }
+
    //TODO: Find better way to type check for error. In current setting you need to cast type to get the functions and variables from RequestError
-    if(!(error instanceof RequestError)){
-        error = InternalServerError({context: {exception: error.message}, stack: error.stack})
+    if (!(error instanceof RequestError)) {
+        error = InternalServerError({ context: { exception: error.message }, stack: error.stack })
        getLogger('backend-main').log((<RequestError>error).levelName.toLowerCase(), (<RequestError>error).message)
    }
-    
+
    //* Set Sentry user identification if req.user is populated
-    if(req.user !== undefined && req.user !== null){
+    if (req.user !== undefined && req.user !== null) {
        Sentry.setUser({ email: req.user.email })
    }
    //* Only sent error to Sentry if LogLevel is one of the following level 'ERROR', 'EMERGENCY' or 'CRITICAL'
    //* with this we will eliminate false-positive errors like 'BadRequestError', 'UnauthorizedRequestError' and so on
-    if([LogLevel.ERROR, LogLevel.EMERGENCY, LogLevel.CRITICAL].includes((<RequestError>error).level)){
+    if ([LogLevel.ERROR, LogLevel.EMERGENCY, LogLevel.CRITICAL].includes((<RequestError>error).level)) {
        Sentry.captureException(error)
    }
-    
+
    res.status((<RequestError>error).statusCode).json((<RequestError>error).format(req))
    next()
 }
--- a/backend/src/middleware/requireAuth.ts
+++ b/backend/src/middleware/requireAuth.ts
@ -1,8 +1,13 @@
 import jwt from 'jsonwebtoken';
 import { Request, Response, NextFunction } from 'express';
-import { User } from '../models';
-import { JWT_AUTH_SECRET } from '../config';
-import { AccountNotFoundError, BadRequestError, UnauthorizedRequestError } from '../utils/errors';
+import { User, ServiceTokenData } from '../models';
+import {
+	validateAuthMode,
+	getAuthUserPayload,
+	getAuthSTDPayload,
+	getAuthAPIKeyPayload
+} from '../helpers/auth';
+import { BadRequestError } from '../utils/errors';

 declare module 'jsonwebtoken' {
 	export interface UserIDJwtPayload extends jwt.JwtPayload {
@ -11,34 +16,58 @@ declare module 'jsonwebtoken' {
 }

 /**
- * Validate if JWT (auth) token on request is valid (e.g. not expired),
- * if there is an associated user, and if that user is fully setup.
- * @param req - express request object
- * @param res - express response object
- * @param next - express next function
+ * Validate if token on request is valid (e.g. not expired) for various auth modes:
+ * - If token is a JWT token, then check if there is an associated user
+ * and if user is fully setup.
+ * - If token is a service token (st), then check if there is associated
+ * service token data.
+ * @param {Object} obj
+ * @param {String[]} obj.acceptedAuthModes - accepted modes of authentication (jwt/st)
 * @returns
 */
-const requireAuth = async (req: Request, res: Response, next: NextFunction) => {
-	// JWT authentication middleware
-	const [ AUTH_TOKEN_TYPE, AUTH_TOKEN_VALUE ] = <[string, string]>req.headers['authorization']?.split(' ', 2) ?? [null, null]
-	if(AUTH_TOKEN_TYPE === null) return next(BadRequestError({message: `Missing Authorization Header in the request header.`}))
-	if(AUTH_TOKEN_TYPE.toLowerCase() !== 'bearer') return next(BadRequestError({message: `The provided authentication type '${AUTH_TOKEN_TYPE}' is not supported.`}))
-	if(AUTH_TOKEN_VALUE === null) return next(BadRequestError({message: 'Missing Authorization Body in the request header'}))
+const requireAuth = ({
+	acceptedAuthModes = ['jwt']
+}: {
+	acceptedAuthModes: string[];
+}) => {
+	return async (req: Request, res: Response, next: NextFunction) => {
+		const [AUTH_TOKEN_TYPE, AUTH_TOKEN_VALUE] = <[string, string]>req.headers['authorization']?.split(' ', 2) ?? [null, null]
+		if (AUTH_TOKEN_TYPE === null)
+			return next(BadRequestError({ message: `Missing Authorization Header in the request header.` }))
+		if (AUTH_TOKEN_TYPE.toLowerCase() !== 'bearer')
+			return next(BadRequestError({ message: `The provided authentication type '${AUTH_TOKEN_TYPE}' is not supported.` }))
+		if (AUTH_TOKEN_VALUE === null)
+			return next(BadRequestError({ message: 'Missing Authorization Body in the request header' }))

-	const decodedToken = <jwt.UserIDJwtPayload>(
-		jwt.verify(AUTH_TOKEN_VALUE, JWT_AUTH_SECRET)
-	);
+		// validate auth token against 
+		const authMode = validateAuthMode({
+			authTokenValue: AUTH_TOKEN_VALUE,
+			acceptedAuthModes
+		});

-	const user = await User.findOne({
-		_id: decodedToken.userId
-	}).select('+publicKey');
+		if (!acceptedAuthModes.includes(authMode)) throw new Error('Failed to validate auth mode');

-	if (!user) return next(AccountNotFoundError({message: 'Failed to locate User account'}))
-	if (!user?.publicKey)
-		return next(UnauthorizedRequestError({message: 'Unable to authenticate due to partially set up account'}))
+		// attach auth payloads
+		switch (authMode) {
+			case 'serviceToken':
+				req.serviceTokenData = await getAuthSTDPayload({
+					authTokenValue: AUTH_TOKEN_VALUE
+				});
+				break;
+			case 'apiKey':
+				req.user = await getAuthAPIKeyPayload({
+					authTokenValue: AUTH_TOKEN_VALUE
+				});
+				break;
+			default:
+				req.user = await getAuthUserPayload({
+					authTokenValue: AUTH_TOKEN_VALUE
+				});
+				break;
+		}

-	req.user = user;
-	return next();
-};
+		return next();
+	}
+}

 export default requireAuth;
--- a/backend/src/middleware/requireBotAuth.ts
+++ b/backend/src/middleware/requireBotAuth.ts
@ -7,15 +7,13 @@ type req = 'params' | 'body' | 'query';

 const requireBotAuth = ({
    acceptedRoles,
-    acceptedStatuses,
    location = 'params'
 }: {
    acceptedRoles: string[];
-    acceptedStatuses: string[];
    location?: req;
 }) => {
    return async (req: Request, res: Response, next: NextFunction) => {
-        const bot = await Bot.findOne({ _id: req[location].botId });
+        const bot = await Bot.findById(req[location].botId);
        
        if (!bot) {
            return next(AccountNotFoundError({message: 'Failed to locate Bot account'}))
@ -24,8 +22,7 @@ const requireBotAuth = ({
        await validateMembership({
            userId: req.user._id.toString(),
            workspaceId: bot.workspace.toString(),
-            acceptedRoles,
-            acceptedStatuses
+            acceptedRoles
        });
        
        req.bot = bot;
--- a/backend/src/middleware/requireIntegrationAuth.ts
+++ b/backend/src/middleware/requireIntegrationAuth.ts
@ -9,14 +9,11 @@ import { IntegrationNotFoundError, UnauthorizedRequestError } from '../utils/err
 * with the integration on request params.
 * @param {Object} obj
 * @param {String[]} obj.acceptedRoles - accepted workspace roles
- * @param {String[]} obj.acceptedStatuses - accepted workspace statuses
 */
 const requireIntegrationAuth = ({
-	acceptedRoles,
-	acceptedStatuses
+	acceptedRoles
 }: {
 	acceptedRoles: string[];
-	acceptedStatuses: string[];
 }) => {
 	return async (req: Request, res: Response, next: NextFunction) => {
 		// integration authorization middleware
@ -35,8 +32,7 @@ const requireIntegrationAuth = ({
 		await validateMembership({
 			userId: req.user._id.toString(),
 			workspaceId: integration.workspace.toString(),
-			acceptedRoles,
-			acceptedStatuses
+			acceptedRoles
 		});

 		const integrationAuth = await IntegrationAuth.findOne({
--- a/backend/src/middleware/requireIntegrationAuthorizationAuth.ts
+++ b/backend/src/middleware/requireIntegrationAuthorizationAuth.ts
@ -10,16 +10,13 @@ import { UnauthorizedRequestError } from '../utils/errors';
 * with the integration authorization on request params.
 * @param {Object} obj
 * @param {String[]} obj.acceptedRoles - accepted workspace roles
- * @param {String[]} obj.acceptedStatuses - accepted workspace statuses
 * @param {Boolean} obj.attachAccessToken - whether or not to decrypt and attach integration authorization access token onto request
 */
 const requireIntegrationAuthorizationAuth = ({
 	acceptedRoles,
-	acceptedStatuses,
 	attachAccessToken = true
 }: {
 	acceptedRoles: string[];
-	acceptedStatuses: string[];
 	attachAccessToken?: boolean;
 }) => {
 	return async (req: Request, res: Response, next: NextFunction) => {
@ -38,8 +35,7 @@ const requireIntegrationAuthorizationAuth = ({
 		await validateMembership({
 			userId: req.user._id.toString(),
 			workspaceId: integrationAuth.workspace.toString(),
-			acceptedRoles,
-			acceptedStatuses
+			acceptedRoles
 		});

 		req.integrationAuth = integrationAuth;
--- a/backend/src/middleware/requireSecretAuth.ts
+++ b/backend/src/middleware/requireSecretAuth.ts
@ -0,0 +1,49 @@
+import { Request, Response, NextFunction } from 'express';
+import { UnauthorizedRequestError, SecretNotFoundError } from '../utils/errors';
+import { Secret } from '../models';
+import {
+    validateMembership
+} from '../helpers/membership';
+
+// note: used for old /v1/secret and /v2/secret routes.
+// newer /v2/secrets routes use [requireSecretsAuth] middleware
+
+/**
+ * Validate if user on request has proper membership to modify secret.
+ * @param {Object} obj
+ * @param {String[]} obj.acceptedRoles - accepted workspace roles
+ * @param {String[]} obj.location - location of [workspaceId] on request (e.g. params, body) for parsing
+ */
+const requireSecretAuth = ({
+    acceptedRoles
+}: {
+    acceptedRoles: string[];
+}) => {
+    return async (req: Request, res: Response, next: NextFunction) => {
+        try {
+            const { secretId } = req.params;
+            
+            const secret = await Secret.findById(secretId);
+            
+            if (!secret) {
+                return next(SecretNotFoundError({
+                    message: 'Failed to find secret'
+                }));
+            }
+            
+            await validateMembership({
+                userId: req.user._id.toString(),
+                workspaceId: secret.workspace.toString(),
+                acceptedRoles
+            });
+            
+            req._secret = secret;
+
+            next();
+        } catch (err) {
+            return next(UnauthorizedRequestError({ message: 'Unable to authenticate secret' }));
+        }
+    }
+}
+
+export default requireSecretAuth;
--- a/backend/src/middleware/requireSecretsAuth.ts
+++ b/backend/src/middleware/requireSecretsAuth.ts
@ -0,0 +1,49 @@
+import { Request, Response, NextFunction } from 'express';
+import { UnauthorizedRequestError } from '../utils/errors';
+import { Secret, Membership } from '../models';
+import { validateSecrets } from '../helpers/secret';
+
+// TODO: make this work for delete route
+
+const requireSecretsAuth = ({
+    acceptedRoles
+}: {
+    acceptedRoles: string[];
+}) => {
+    return async (req: Request, res: Response, next: NextFunction) => {
+        let secrets;
+        try {
+            if (Array.isArray(req.body.secrets)) {
+                // case: validate multiple secrets
+                secrets = await validateSecrets({
+                    userId: req.user._id.toString(),
+                    secretIds: req.body.secrets.map((s: any) => s.id)
+                });
+            } else if (typeof req.body.secrets === 'object') { // change this to check for object
+                // case: validate 1 secret
+                secrets = await validateSecrets({
+                    userId: req.user._id.toString(),
+                    secretIds: req.body.secrets.id
+                });
+            } else if (Array.isArray(req.body.secretIds)) {
+                secrets = await validateSecrets({
+                    userId: req.user._id.toString(),
+                    secretIds: req.body.secretIds
+                });
+            } else if (typeof req.body.secretIds === 'string') {
+                // case: validate secretIds
+                secrets = await validateSecrets({
+                    userId: req.user._id.toString(),
+                    secretIds: [req.body.secretIds]
+                });
+            }
+            
+            req.secrets = secrets;
+            return next();
+        } catch (err) {
+            return next(UnauthorizedRequestError({ message: 'Unable to authenticate secret(s)' }));
+        }
+    }
+}
+
+export default requireSecretsAuth;
--- a/backend/src/middleware/requireServiceTokenAuth.ts
+++ b/backend/src/middleware/requireServiceTokenAuth.ts
@ -4,6 +4,7 @@ import { ServiceToken } from '../models';
 import { JWT_SERVICE_SECRET } from '../config';
 import { BadRequestError, UnauthorizedRequestError } from '../utils/errors';

+// TODO: deprecate
 declare module 'jsonwebtoken' {
 	export interface UserIDJwtPayload extends jwt.JwtPayload {
 		userId: string;
--- a/backend/src/middleware/requireServiceTokenDataAuth.ts
+++ b/backend/src/middleware/requireServiceTokenDataAuth.ts
@ -0,0 +1,41 @@
+import { Request, Response, NextFunction } from 'express';
+import { ServiceToken, ServiceTokenData } from '../models';
+import { validateMembership } from '../helpers/membership';
+import { AccountNotFoundError, UnauthorizedRequestError } from '../utils/errors';
+
+type req = 'params' | 'body' | 'query';
+
+const requireServiceTokenDataAuth = ({
+    acceptedRoles,
+    location = 'params'
+}: {
+    acceptedRoles: string[];
+    location?: req;
+}) => {
+    return async (req: Request, res: Response, next: NextFunction) => {
+        const { serviceTokenDataId } = req[location];
+
+        const serviceTokenData = await ServiceTokenData
+            .findById(req[location].serviceTokenDataId)
+            .select('+encryptedKey +iv +tag');
+
+        if (!serviceTokenData) {
+            return next(AccountNotFoundError({message: 'Failed to locate service token data'}));
+        }
+
+        if (req.user) {
+            // case: jwt auth
+            await validateMembership({
+                userId: req.user._id.toString(),
+                workspaceId: serviceTokenData.workspace.toString(),
+                acceptedRoles
+            });
+        }
+        
+        req.serviceTokenData = serviceTokenData;
+        
+        next();
+    }
+}
+
+export default requireServiceTokenDataAuth;
--- a/backend/src/middleware/requireWorkspaceAuth.ts
+++ b/backend/src/middleware/requireWorkspaceAuth.ts
@ -8,31 +8,38 @@ type req = 'params' | 'body' | 'query';
 * Validate if user on request is a member with proper roles for workspace
 * on request params.
 * @param {Object} obj
- * @param {String[]} obj.acceptedRoles - accepted workspace roles
- * @param {String[]} obj.acceptedStatuses - accepted workspace statuses
+ * @param {String[]} obj.acceptedRoles - accepted workspace roles for JWT auth
 * @param {String[]} obj.location - location of [workspaceId] on request (e.g. params, body) for parsing
 */
 const requireWorkspaceAuth = ({
 	acceptedRoles,
-	acceptedStatuses,
 	location = 'params'
 }: {
 	acceptedRoles: string[];
-	acceptedStatuses: string[];
 	location?: req;
 }) => {
 	return async (req: Request, res: Response, next: NextFunction) => {
-		// workspace authorization middleware
-
 		try {
-			const membership = await validateMembership({
-				userId: req.user._id.toString(),
-				workspaceId: req[location].workspaceId,
-				acceptedRoles,
-				acceptedStatuses
-			});
+			const { workspaceId } = req[location];

-			req.membership = membership;
+			if (req.user) {
+				// case: jwt auth
+				const membership = await validateMembership({
+					userId: req.user._id.toString(),
+					workspaceId,
+					acceptedRoles
+				});
+
+				req.membership = membership;
+			}
+			
+			if (
+				req.serviceTokenData 
+				&& req.serviceTokenData.workspace !== workspaceId
+				&& req.serviceTokenData.environment !== req.query.environment
+			) {
+				next(UnauthorizedRequestError({message: 'Unable to authenticate workspace'}))	
+			}

 			return next();
 		} catch (err) {
--- a/backend/src/middleware/validateRequest.ts
+++ b/backend/src/middleware/validateRequest.ts
@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from 'express';
 import { validationResult } from 'express-validator';
-import { BadRequestError, UnauthorizedRequestError } from '../utils/errors';
+import { BadRequestError, UnauthorizedRequestError, ValidationError } from '../utils/errors';

 /**
 * Validate intended inputs on [req] via express-validator
@ -15,12 +15,12 @@ const validate = (req: Request, res: Response, next: NextFunction) => {
 	try {
 		const errors = validationResult(req);
 		if (!errors.isEmpty()) {
-			return next(BadRequestError({context: {errors: errors.array}}))
+			return next(ValidationError({ context: { errors: `One or more of your parameters are invalid [error(s)=${(JSON.stringify(errors))}]` } }))
 		}

 		return next();
 	} catch (err) {
-		return next(UnauthorizedRequestError({message: 'Unauthenticated requests are not allowed. Try logging in'}))
+		return next(UnauthorizedRequestError({ message: 'Unauthenticated requests are not allowed. Try logging in' }))
 	}
 };

--- a/backend/src/models/apiKeyData.ts
+++ b/backend/src/models/apiKeyData.ts
@ -0,0 +1,37 @@
+import { Schema, model, Types } from 'mongoose';
+
+export interface IAPIKeyData {
+    name: string;
+    user: Types.ObjectId;
+    expiresAt: Date;
+    secretHash: string;
+}
+
+const apiKeyDataSchema = new Schema<IAPIKeyData>(
+    {
+        name: {
+            type: String,
+            required: true
+        },
+        user: {
+            type: Schema.Types.ObjectId,
+            ref: 'User',
+            required: true
+        },
+        expiresAt: {
+            type: Date
+        },
+        secretHash: {
+            type: String,
+            required: true,
+            select: false
+        }
+    }, 
+    {
+        timestamps: true
+    }
+);
+
+const APIKeyData = model<IAPIKeyData>('APIKeyData', apiKeyDataSchema);
+
+export default APIKeyData;
--- a/backend/src/models/index.ts
+++ b/backend/src/models/index.ts
@ -14,6 +14,8 @@ import Token, { IToken } from './token';
 import User, { IUser } from './user';
 import UserAction, { IUserAction } from './userAction';
 import Workspace, { IWorkspace } from './workspace';
+import ServiceTokenData, { IServiceTokenData } from './serviceTokenData';
+import APIKeyData, { IAPIKeyData } from './apiKeyData';

 export {
 	BackupPrivateKey,
@ -47,5 +49,9 @@ export {
 	UserAction,
 	IUserAction,
 	Workspace,
-	IWorkspace
+	IWorkspace,
+	ServiceTokenData,
+	IServiceTokenData,
+	APIKeyData,
+	IAPIKeyData
 };
--- a/backend/src/models/membership.ts
+++ b/backend/src/models/membership.ts
@ -1,5 +1,5 @@
 import { Schema, model, Types } from 'mongoose';
-import { ADMIN, MEMBER, INVITED, COMPLETED, GRANTED } from '../variables';
+import { ADMIN, MEMBER } from '../variables';

 export interface IMembership {
 	_id: Types.ObjectId;
@ -7,7 +7,6 @@ export interface IMembership {
 	inviteEmail?: string;
 	workspace: Types.ObjectId;
 	role: 'admin' | 'member';
-	status: 'invited' | 'completed' | 'granted';
 }

 const membershipSchema = new Schema(
@ -28,12 +27,6 @@ const membershipSchema = new Schema(
 			type: String,
 			enum: [ADMIN, MEMBER],
 			required: true
-		},
-		status: {
-			// INVITED, COMPLETED, GRANTED
-			type: String,
-			enum: [INVITED, COMPLETED, GRANTED],
-			required: true
 		}
 	},
 	{
--- a/backend/src/models/secret.ts
+++ b/backend/src/models/secret.ts
@ -23,13 +23,18 @@ export interface ISecret {
 	secretValueIV: string;
 	secretValueTag: string;
 	secretValueHash: string;
+	secretCommentCiphertext?: string;
+	secretCommentIV?: string;
+	secretCommentTag?: string;
+	secretCommentHash?: string;
 }

 const secretSchema = new Schema<ISecret>(
 	{
 		version: {
 			type: Number,
-			required: true
+			required: true,
+			default: 1
 		},
 		workspace: {
 			type: Schema.Types.ObjectId,
@ -64,8 +69,7 @@ const secretSchema = new Schema<ISecret>(
 			required: true
 		},
 		secretKeyHash: {
-			type: String,
-			required: true
+			type: String
 		},
 		secretValueCiphertext: {
 			type: String,
@ -80,8 +84,23 @@ const secretSchema = new Schema<ISecret>(
 			required: true
 		},
 		secretValueHash: {
+			type: String
+		},
+		secretCommentCiphertext: {
 			type: String,
-			required: true
+			required: false
+		},
+		secretCommentIV: {
+			type: String, // symmetric
+			required: false
+		},
+		secretCommentTag: {
+			type: String, // symmetric
+			required: false
+		},
+		secretCommentHash: {
+			type: String,
+			required: false
 		}
 	},
 	{
--- a/backend/src/models/serviceToken.ts
+++ b/backend/src/models/serviceToken.ts
@ -1,6 +1,7 @@
 import { Schema, model, Types } from 'mongoose';
 import { ENV_DEV, ENV_TESTING, ENV_STAGING, ENV_PROD } from '../variables';

+// TODO: deprecate
 export interface IServiceToken {
 	_id: Types.ObjectId;
 	name: string;
--- a/backend/src/models/serviceTokenData.ts
+++ b/backend/src/models/serviceTokenData.ts
@ -0,0 +1,63 @@
+import { Schema, model, Types } from 'mongoose';
+
+export interface IServiceTokenData {
+    name: string;
+    workspace: Types.ObjectId;
+    environment: string; // TODO: adapt to upcoming environment id
+    user: Types.ObjectId;
+    expiresAt: Date;
+    secretHash: string;
+    encryptedKey: string;
+    iv: string;
+    tag: string;
+}
+
+const serviceTokenDataSchema = new Schema<IServiceTokenData>(
+    {
+        name: {
+            type: String,
+            required: true
+        },
+        workspace: {
+            type: Schema.Types.ObjectId,
+            ref: 'Workspace',
+            required: true
+        },
+        environment: { // TODO: adapt to upcoming environment id
+            type: String,
+            required: true
+        },
+        user: {
+            type: Schema.Types.ObjectId,
+            ref: 'User',
+            required: true
+        },
+        expiresAt: {
+            type: Date
+        },
+        secretHash: {
+            type: String,
+            required: true,
+            select: false
+        },
+        encryptedKey: {
+            type: String,
+            select: false
+        },
+        iv: {
+            type: String,
+            select: false
+        },
+        tag: {
+            type: String,
+            select: false
+        }
+    }, 
+    {
+        timestamps: true
+    }
+);
+
+const ServiceTokenData = model<IServiceTokenData>('ServiceTokenData', serviceTokenDataSchema);
+    
+export default ServiceTokenData;
--- a/backend/src/models/user.ts
+++ b/backend/src/models/user.ts
@ -11,7 +11,7 @@ export interface IUser {
 	tag?: string;
 	salt?: string;
 	verifier?: string;
-	refreshVersion?: Number;
+	refreshVersion?: number;
 }

 const userSchema = new Schema<IUser>(
@ -52,7 +52,8 @@ const userSchema = new Schema<IUser>(
 		},
 		refreshVersion: {
 			type: Number,
-			default: 0
+			default: 0,
+			select: false
 		}
 	},
 	{
--- a/backend/src/routes/status/index.ts
+++ b/backend/src/routes/status/index.ts
@ -0,0 +1,5 @@
+import healthCheck from './status';
+
+export {
+  healthCheck
+}
--- a/backend/src/routes/status/status.ts
+++ b/backend/src/routes/status/status.ts
@ -0,0 +1,15 @@
+import express, { Request, Response } from 'express';
+
+const router = express.Router();
+
+router.get(
+  '/status',
+  (req: Request, res: Response) => {
+    res.status(200).json({
+      date: new Date(),
+      message: 'Ok',
+    })
+  }
+);
+
+export default router
--- a/Show More
+++ b/Show More