allow git branch mapping to env

Merge pull request #274 from Grraahaam/feat/pr-template
feat(docs): added a base pull request template
2025-03-21 00:04:07 +00:00 · 2023-02-23 00:00:56 -05:00 · 2023-02-23 11:16:19 +07:00 · 2023-02-22 17:21:44 -08:00 · 2023-02-22 16:29:53 -08:00 · 2023-02-22 18:52:09 -05:00
442 changed files with 23091 additions and 6365 deletions
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -0,0 +1,22 @@
+# Description 📣
+
+*Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.*
+
+## Type ✨
+
+- [ ] Bug fix
+- [ ] New feature
+- [ ] Breaking change
+- [ ] Documentation
+
+# Tests 🛠️
+
+*Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration. You may want to add screenshots when relevant and possible*
+
+```sh
+# Here's some code block to paste some code snippets
+```
+
+---
+
+- [ ] I have read the [contributing guide](https://infisical.com/docs/contributing/overview), agreed and acknowledged the [code of conduct](https://infisical.com/docs/contributing/code-of-conduct). 📝
--- a/.github/values.yaml
+++ b/.github/values.yaml
@ -1,11 +1,5 @@
-#####
-# INFISICAL K8 DEFAULT VALUES FILE
-# PLEASE REPLACE VALUES/EDIT AS REQUIRED 
-#####
-
-nameOverride: ""
-
 frontend:
+  enabled: true
  name: frontend
  podAnnotations: {}
  deploymentAnnotations:
@ -13,17 +7,18 @@ frontend:
  replicaCount: 2
  image:
    repository: infisical/frontend
-    pullPolicy: Always 
    tag: "latest"
+    pullPolicy: Always
  kubeSecretRef: managed-secret-frontend
  service:
-    # type of the frontend service
-    type: ClusterIP
-    # define the nodePort if service type is NodePort
-    # nodePort: 
    annotations: {}
+    type: ClusterIP
+    nodePort: ""
+
+frontendEnvironmentVariables: null

 backend:
+  enabled: true
  name: backend
  podAnnotations: {}
  deploymentAnnotations:
@ -31,63 +26,46 @@ backend:
  replicaCount: 2
  image:
    repository: infisical/backend
-    pullPolicy: Always
    tag: "latest"
+    pullPolicy: Always
  kubeSecretRef: managed-backend-secret
  service:
    annotations: {}
+    type: ClusterIP
+    nodePort: ""

+backendEnvironmentVariables: null
+
+## Mongo DB persistence
 mongodb:
-  name: mongodb
-  podAnnotations: {}
-  image:
-    repository: mongo
-    pullPolicy: IfNotPresent
-    tag: "latest"
-  service:
-    annotations: {}
+  enabled: true
+  persistence:
+    enabled: false

-# By default the backend will be connected to a Mongo instance in the cluster.
-# However, it is recommended to add a managed document DB connection string because the DB instance in the cluster does not have persistence yet ( data will be deleted on next deploy).
-# Learn about connection string type here https://www.mongodb.com/docs/manual/reference/connection-string/
-mongodbConnection: {}
-  # externalMongoDBConnectionString: <>
+## By default the backend will be connected to a Mongo instance within the cluster
+## However, it is recommended to add a managed document DB connection string for production-use (DBaaS)
+## Learn about connection string type here https://www.mongodb.com/docs/manual/reference/connection-string/
+## e.g. "mongodb://<user>:<pass>@<host>:<port>/<database-name>"
+mongodbConnection:
+  externalMongoDBConnectionString: ""

 ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: "nginx"
-  hostName: gamma.infisical.com # replace with your domain 
-  frontend: 
+    # cert-manager.io/issuer: letsencrypt-nginx
+  hostName: gamma.infisical.com ## <- Replace with your own domain
+  frontend:
    path: /
    pathType: Prefix
  backend:
    path: /api
    pathType: Prefix
-  tls: []
+  tls:
+    []
+    # - secretName: letsencrypt-nginx
+    #   hosts:
+    #     - infisical.local

-
-## Complete Ingress example 
-# ingress:
-#   enabled: true
-#   annotations:
-#     kubernetes.io/ingress.class: "nginx"
-#     cert-manager.io/issuer: letsencrypt-nginx
-#   hostName: k8.infisical.com
-#   frontend: 
-#     path: /
-#     pathType: Prefix
-#   backend:
-#     path: /api
-#     pathType: Prefix
-#   tls:
-#     - secretName: letsencrypt-nginx
-#       hosts:
-#         - k8.infisical.com
-
-###
-### YOU MUST FILL IN ALL SECRETS BELOW
-### 
-backendEnvironmentVariables: {}
-
-frontendEnvironmentVariables: {}
+mailhog:
+  enabled: false
--- a/.github/workflows/release_build.yml
+++ b/.github/workflows/release_build.yml
@ -4,7 +4,7 @@ on:
  push:
    # run only against tags
    tags:
-      - 'v*'
+      - "v*"

 permissions:
  contents: write
@ -18,11 +18,16 @@ jobs:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - run: git fetch --force --tags
      - run: echo "Ref name ${{github.ref_name}}"
      - uses: actions/setup-go@v3
        with:
-          go-version: '>=1.19.3'
+          go-version: ">=1.19.3"
          cache: true
          cache-dependency-path: cli/go.sum
      - name: libssl1.1 => libssl1.0-dev for OSXCross
@ -45,8 +50,7 @@ jobs:
          AUR_KEY: ${{ secrets.AUR_KEY }}
      - uses: actions/setup-python@v4
      - run: pip install --upgrade cloudsmith-cli
-      - name: Publish to CloudSmith 
+      - name: Publish to CloudSmith
        run: sh cli/upload_to_cloudsmith.sh
        env:
          CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
-      
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -68,10 +68,10 @@ archives:

 release:
  replace_existing_draft: true
-  mode: 'replace'
+  mode: "replace"

 checksum:
-  name_template: 'checksums.txt'
+  name_template: "checksums.txt"

 snapshot:
  name_template: "{{ incpatch .Version }}-devel"
@ -80,8 +80,8 @@ changelog:
  sort: asc
  filters:
    exclude:
-      - '^docs:'
-      - '^test:'
+      - "^docs:"
+      - "^test:"

 # publishers:
 #   - name: fury.io
@ -109,30 +109,30 @@ brews:
      man1.install "manpages/infisical.1.gz"

 nfpms:
- id: infisical
-  package_name: infisical
-  builds:
-    - all-other-builds
-  vendor: Infisical, Inc
-  homepage: https://infisical.com/
-  maintainer: Infisical, Inc
-  description: The offical Infisical CLI
-  license: MIT
-  formats:
-  - rpm
-  - deb
-  - apk
-  - archlinux
-  bindir: /usr/bin
-  contents:
-    - src: ./completions/infisical.bash
-      dst: /etc/bash_completion.d/infisical
-    - src: ./completions/infisical.fish
-      dst: /usr/share/fish/vendor_completions.d/infisical.fish
-    - src: ./completions/infisical.zsh
-      dst: /usr/share/zsh/site-functions/_infisical
-    - src: ./manpages/infisical.1.gz
-      dst: /usr/share/man/man1/infisical.1.gz
+  - id: infisical
+    package_name: infisical
+    builds:
+      - all-other-builds
+    vendor: Infisical, Inc
+    homepage: https://infisical.com/
+    maintainer: Infisical, Inc
+    description: The offical Infisical CLI
+    license: MIT
+    formats:
+      - rpm
+      - deb
+      - apk
+      - archlinux
+    bindir: /usr/bin
+    contents:
+      - src: ./completions/infisical.bash
+        dst: /etc/bash_completion.d/infisical
+      - src: ./completions/infisical.fish
+        dst: /usr/share/fish/vendor_completions.d/infisical.fish
+      - src: ./completions/infisical.zsh
+        dst: /usr/share/zsh/site-functions/_infisical
+      - src: ./manpages/infisical.1.gz
+        dst: /usr/share/man/man1/infisical.1.gz

 scoop:
  bucket:
@ -146,15 +146,14 @@ scoop:
  license: MIT

 aurs:
-  -
-    name: infisical-bin
+  - name: infisical-bin
    homepage: "https://infisical.com"
    description: "The official Infisical CLI"
    maintainers:
      - Infisical, Inc <support@infisical.com>
    license: MIT
-    private_key: '{{ .Env.AUR_KEY }}'
-    git_url: 'ssh://aur@aur.archlinux.org/infisical-bin.git'
+    private_key: "{{ .Env.AUR_KEY }}"
+    git_url: "ssh://aur@aur.archlinux.org/infisical-bin.git"
    package: |-
      # bin
      install -Dm755 "./infisical" "${pkgdir}/usr/bin/infisical"
@ -169,19 +168,13 @@ aurs:
      install -Dm644 "./completions/infisical.fish" "${pkgdir}/usr/share/fish/vendor_completions.d/infisical.fish"
      # man pages
      install -Dm644 "./manpages/infisical.1.gz" "${pkgdir}/usr/share/man/man1/infisical.1.gz"
+
 # dockers:
-#   - dockerfile: goreleaser.dockerfile
+#   - dockerfile: cli/docker/Dockerfile
 #     goos: linux
 #     goarch: amd64
 #     ids:
 #       - infisical
 #     image_templates:
-#       - "infisical/cli:{{ .Version }}"             
-#       - "infisical/cli:{{ .Major }}.{{ .Minor }}"  
-#       - "infisical/cli:{{ .Major }}"               
+#       - "infisical/cli:{{ .Version }}"
 #       - "infisical/cli:latest"
-#     build_flag_templates:
-#       - "--label=org.label-schema.schema-version=1.0"
-#       - "--label=org.label-schema.version={{.Version}}"
-#       - "--label=org.label-schema.name={{.ProjectName}}"
-#       - "--platform=linux/amd64"
--- a/README.md
+++ b/README.md
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
--- a/backend/package.json
+++ b/backend/package.json
@ -1,4 +1,48 @@
 {
+  "dependencies": {
+    "@aws-sdk/client-secrets-manager": "^3.267.0",
+    "@godaddy/terminus": "^4.11.2",
+    "@octokit/rest": "^19.0.5",
+    "@sentry/node": "^7.14.0",
+    "@sentry/tracing": "^7.19.0",
+    "@types/crypto-js": "^4.1.1",
+    "@types/libsodium-wrappers": "^0.7.10",
+    "await-to-js": "^3.0.0",
+    "aws-sdk": "^2.1311.0",
+    "axios": "^1.1.3",
+    "bcrypt": "^5.1.0",
+    "bigint-conversion": "^2.2.2",
+    "builder-pattern": "^2.2.0",
+    "cookie-parser": "^1.4.6",
+    "cors": "^2.8.5",
+    "crypto-js": "^4.1.1",
+    "dotenv": "^16.0.1",
+    "express": "^4.18.1",
+    "express-rate-limit": "^6.7.0",
+    "express-validator": "^6.14.2",
+    "handlebars": "^4.7.7",
+    "helmet": "^5.1.1",
+    "js-yaml": "^4.1.0",
+    "jsonwebtoken": "^9.0.0",
+    "jsrp": "^0.2.4",
+    "libsodium-wrappers": "^0.7.10",
+    "lodash": "^4.17.21",
+    "mongoose": "^6.7.2",
+    "nodemailer": "^6.8.0",
+    "posthog-node": "^2.2.2",
+    "query-string": "^7.1.3",
+    "request-ip": "^3.3.0",
+    "rimraf": "^3.0.2",
+    "stripe": "^10.7.0",
+    "swagger-autogen": "^2.22.0",
+    "swagger-ui-express": "^4.6.0",
+    "tweetnacl": "^1.0.3",
+    "tweetnacl-util": "^0.15.1",
+    "typescript": "^4.9.3",
+    "utility-types": "^3.10.0",
+    "winston": "^3.8.2",
+    "winston-loki": "^6.0.6"
+  },
  "name": "infisical-api",
  "version": "1.0.0",
  "main": "src/index.js",
@ -74,47 +118,5 @@
    "suiteNameTemplate": "{filepath}",
    "classNameTemplate": "{classname}",
    "titleTemplate": "{title}"
-  },
-  "dependencies": {
-    "@godaddy/terminus": "^4.11.2",
-    "@octokit/rest": "^19.0.5",
-    "@sentry/node": "^7.14.0",
-    "@sentry/tracing": "^7.19.0",
-    "@types/crypto-js": "^4.1.1",
-    "@types/libsodium-wrappers": "^0.7.10",
-    "await-to-js": "^3.0.0",
-    "axios": "^1.1.3",
-    "bcrypt": "^5.1.0",
-    "bigint-conversion": "^2.2.2",
-    "builder-pattern": "^2.2.0",
-    "cookie-parser": "^1.4.6",
-    "cors": "^2.8.5",
-    "crypto-js": "^4.1.1",
-    "dotenv": "^16.0.1",
-    "express": "^4.18.1",
-    "express-rate-limit": "^6.7.0",
-    "express-validator": "^6.14.2",
-    "handlebars": "^4.7.7",
-    "helmet": "^5.1.1",
-    "js-yaml": "^4.1.0",
-    "jsonwebtoken": "^9.0.0",
-    "jsrp": "^0.2.4",
-    "libsodium-wrappers": "^0.7.10",
-    "lodash": "^4.17.21",
-    "mongoose": "^6.7.2",
-    "nodemailer": "^6.8.0",
-    "posthog-node": "^2.2.2",
-    "query-string": "^7.1.3",
-    "request-ip": "^3.3.0",
-    "rimraf": "^3.0.2",
-    "stripe": "^10.7.0",
-    "swagger-autogen": "^2.22.0",
-    "swagger-ui-express": "^4.6.0",
-    "tweetnacl": "^1.0.3",
-    "tweetnacl-util": "^0.15.1",
-    "typescript": "^4.9.3",
-    "utility-types": "^3.10.0",
-    "winston": "^3.8.2",
-    "winston-loki": "^6.0.6"
  }
 }
--- a/backend/src/app.ts
+++ b/backend/src/app.ts
@ -1,7 +1,7 @@
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const { patchRouterParam } = require('./utils/patchAsyncRoutes');

-import express, { Request, Response } from 'express';
+import express from 'express';
 import helmet from 'helmet';
 import cors from 'cors';
 import cookieParser from 'cookie-parser';
@ -42,6 +42,8 @@ import {
  integrationAuth as v1IntegrationAuthRouter
 } from './routes/v1';
 import {
+  signup as v2SignupRouter,
+  auth as v2AuthRouter,
  users as v2UsersRouter,
  organizations as v2OrganizationsRouter,
  workspace as v2WorkspaceRouter,
@ -50,6 +52,7 @@ import {
  serviceTokenData as v2ServiceTokenDataRouter,
  apiKeyData as v2APIKeyDataRouter,
  environment as v2EnvironmentRouter,
+  tags as v2TagsRouter,
 } from './routes/v2';

 import { healthCheck } from './routes/status';
@ -109,9 +112,12 @@ app.use('/api/v1/integration', v1IntegrationRouter);
 app.use('/api/v1/integration-auth', v1IntegrationAuthRouter);

 // v2 routes
+app.use('/api/v2/signup', v2SignupRouter);
+app.use('/api/v2/auth', v2AuthRouter);
 app.use('/api/v2/users', v2UsersRouter);
 app.use('/api/v2/organizations', v2OrganizationsRouter);
 app.use('/api/v2/workspace', v2EnvironmentRouter);
+app.use('/api/v2/workspace', v2TagsRouter);
 app.use('/api/v2/workspace', v2WorkspaceRouter);
 app.use('/api/v2/secret', v2SecretRouter); // deprecated
 app.use('/api/v2/secrets', v2SecretsRouter);
--- a/backend/src/config/index.ts
+++ b/backend/src/config/index.ts
@ -1,9 +1,12 @@
 const PORT = process.env.PORT || 4000;
-const EMAIL_TOKEN_LIFETIME = process.env.EMAIL_TOKEN_LIFETIME! || '86400';
+const EMAIL_TOKEN_LIFETIME = parseInt(process.env.EMAIL_TOKEN_LIFETIME! || '86400');
+const INVITE_ONLY_SIGNUP = process.env.INVITE_ONLY_SIGNUP == undefined ? false : process.env.INVITE_ONLY_SIGNUP
 const ENCRYPTION_KEY = process.env.ENCRYPTION_KEY!;
 const SALT_ROUNDS = parseInt(process.env.SALT_ROUNDS!) || 10;
 const JWT_AUTH_LIFETIME = process.env.JWT_AUTH_LIFETIME! || '10d';
 const JWT_AUTH_SECRET = process.env.JWT_AUTH_SECRET!;
+const JWT_MFA_LIFETIME = process.env.JWT_MFA_LIFETIME! || '5m';
+const JWT_MFA_SECRET = process.env.JWT_MFA_SECRET!;
 const JWT_REFRESH_LIFETIME = process.env.JWT_REFRESH_LIFETIME! || '90d';
 const JWT_REFRESH_SECRET = process.env.JWT_REFRESH_SECRET!;
 const JWT_SERVICE_SECRET = process.env.JWT_SERVICE_SECRET!;
@ -13,15 +16,18 @@ const MONGO_URL = process.env.MONGO_URL!;
 const NODE_ENV = process.env.NODE_ENV! || 'production';
 const VERBOSE_ERROR_OUTPUT = process.env.VERBOSE_ERROR_OUTPUT! === 'true' && true;
 const LOKI_HOST = process.env.LOKI_HOST || undefined;
+const CLIENT_ID_AZURE = process.env.CLIENT_ID_AZURE!;
+const TENANT_ID_AZURE = process.env.TENANT_ID_AZURE!;
 const CLIENT_ID_HEROKU = process.env.CLIENT_ID_HEROKU!;
 const CLIENT_ID_VERCEL = process.env.CLIENT_ID_VERCEL!;
 const CLIENT_ID_NETLIFY = process.env.CLIENT_ID_NETLIFY!;
 const CLIENT_ID_GITHUB = process.env.CLIENT_ID_GITHUB!;
+const CLIENT_SECRET_AZURE = process.env.CLIENT_SECRET_AZURE!;
 const CLIENT_SECRET_HEROKU = process.env.CLIENT_SECRET_HEROKU!;
 const CLIENT_SECRET_VERCEL = process.env.CLIENT_SECRET_VERCEL!;
 const CLIENT_SECRET_NETLIFY = process.env.CLIENT_SECRET_NETLIFY!;
 const CLIENT_SECRET_GITHUB = process.env.CLIENT_SECRET_GITHUB!;
-const CLIENT_SLUG_VERCEL= process.env.CLIENT_SLUG_VERCEL!;
+const CLIENT_SLUG_VERCEL = process.env.CLIENT_SLUG_VERCEL!;
 const POSTHOG_HOST = process.env.POSTHOG_HOST! || 'https://app.posthog.com';
 const POSTHOG_PROJECT_API_KEY =
  process.env.POSTHOG_PROJECT_API_KEY! ||
@ -47,10 +53,13 @@ const LICENSE_KEY = process.env.LICENSE_KEY!;
 export {
  PORT,
  EMAIL_TOKEN_LIFETIME,
+  INVITE_ONLY_SIGNUP,
  ENCRYPTION_KEY,
  SALT_ROUNDS,
  JWT_AUTH_LIFETIME,
  JWT_AUTH_SECRET,
+  JWT_MFA_LIFETIME,
+  JWT_MFA_SECRET,
  JWT_REFRESH_LIFETIME,
  JWT_REFRESH_SECRET,
  JWT_SERVICE_SECRET,
@ -60,10 +69,13 @@ export {
  NODE_ENV,
  VERBOSE_ERROR_OUTPUT,
  LOKI_HOST,
+  CLIENT_ID_AZURE,
+  TENANT_ID_AZURE,
  CLIENT_ID_HEROKU,
  CLIENT_ID_VERCEL,
  CLIENT_ID_NETLIFY,
  CLIENT_ID_GITHUB,
+  CLIENT_SECRET_AZURE,
  CLIENT_SECRET_HEROKU,
  CLIENT_SECRET_VERCEL,
  CLIENT_SECRET_NETLIFY,
--- a/backend/src/controllers/v1/authController.ts
+++ b/backend/src/controllers/v1/authController.ts
@ -4,16 +4,22 @@ import jwt from 'jsonwebtoken';
 import * as Sentry from '@sentry/node';
 import * as bigintConversion from 'bigint-conversion';
 const jsrp = require('jsrp');
-import { User } from '../../models';
-import { createToken, issueTokens, clearTokens } from '../../helpers/auth';
+import { User, LoginSRPDetail } from '../../models';
+import { createToken, issueAuthTokens, clearTokens } from '../../helpers/auth';
+import { checkUserDevice } from '../../helpers/user';
+import {
+  ACTION_LOGIN,
+  ACTION_LOGOUT
+} from '../../variables';
 import {
  NODE_ENV,
  JWT_AUTH_LIFETIME,
  JWT_AUTH_SECRET,
  JWT_REFRESH_SECRET
 } from '../../config';
-import LoginSRPDetail from '../../models/LoginSRPDetail';
 import { BadRequestError } from '../../utils/errors';
+import { EELogService } from '../../ee/services';
+import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this

 declare module 'jsonwebtoken' {
  export interface UserIDJwtPayload extends jwt.JwtPayload {
@ -106,7 +112,14 @@ export const login2 = async (req: Request, res: Response) => {
        // compare server and client shared keys
        if (server.checkClientProof(clientProof)) {
          // issue tokens
-          const tokens = await issueTokens({ userId: user._id.toString() });
+
+          await checkUserDevice({
+            user,
+            ip: req.ip,
+            userAgent: req.headers['user-agent'] ?? ''
+          });
+
+          const tokens = await issueAuthTokens({ userId: user._id.toString() });

          // store (refresh) token in httpOnly cookie
          res.cookie('jid', tokens.refreshToken, {
@ -116,6 +129,18 @@ export const login2 = async (req: Request, res: Response) => {
            secure: NODE_ENV === 'production' ? true : false
          });

+          const loginAction = await EELogService.createAction({
+            name: ACTION_LOGIN,
+            userId: user._id
+          });
+          
+          loginAction && await EELogService.createLog({
+            userId: user._id,
+            actions: [loginAction],
+            channel: getChannelFromUserAgent(req.headers['user-agent']),
+            ipAddress: req.ip
+          });
+          
          // return (access) token in response
          return res.status(200).send({
            token: tokens.token,
@ -159,6 +184,19 @@ export const logout = async (req: Request, res: Response) => {
      sameSite: 'strict',
      secure: NODE_ENV === 'production' ? true : false
    });
+
+    const logoutAction = await EELogService.createAction({
+      name: ACTION_LOGOUT,
+      userId: req.user._id
+    });
+    
+    logoutAction && await EELogService.createLog({
+      userId: req.user._id,
+      actions: [logoutAction],
+      channel: getChannelFromUserAgent(req.headers['user-agent']),
+      ipAddress: req.ip
+    });
+
  } catch (err) {
    Sentry.setUser({ email: req.user.email });
    Sentry.captureException(err);
--- a/backend/src/controllers/v1/integrationAuthController.ts
+++ b/backend/src/controllers/v1/integrationAuthController.ts
@ -10,15 +10,37 @@ import { INTEGRATION_SET, INTEGRATION_OPTIONS } from '../../variables';
 import { IntegrationService } from '../../services';
 import { getApps, revokeAccess } from '../../integrations';

-export const getIntegrationOptions = async (
-	req: Request,
-	res: Response
-) => {
+/***
+ * Return integration authorization with id [integrationAuthId]
+ */
+export const getIntegrationAuth = async (req: Request, res: Response) => {
+	let integrationAuth;
+	try {
+		const { integrationAuthId } = req.params;
+		integrationAuth = await IntegrationAuth.findById(integrationAuthId);
+		
+		if (!integrationAuth) return res.status(400).send({
+			message: 'Failed to find integration authorization'
+		});
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to get integration authorization'
+		});	
+	}
+	
 	return res.status(200).send({
-		integrationOptions: INTEGRATION_OPTIONS
+		integrationAuth
 	});
 }

+export const getIntegrationOptions = async (req: Request, res: Response) => {
+  return res.status(200).send({
+    integrationOptions: INTEGRATION_OPTIONS,
+  });
+};
+
 /**
 * Perform OAuth2 code-token exchange as part of integration [integration] for workspace with id [workspaceId]
 * @param req
@ -31,7 +53,6 @@ export const oAuthExchange = async (
 ) => {
 	try {
 		const { workspaceId, code, integration } = req.body;
-
 		if (!INTEGRATION_SET.has(integration))
 			throw new Error('Failed to validate integration');
 		
@ -40,12 +61,16 @@ export const oAuthExchange = async (
 			throw new Error("Failed to get environments")
 		}
 	
-		await IntegrationService.handleOAuthExchange({
+		const integrationAuth = await IntegrationService.handleOAuthExchange({
 			workspaceId,
 			integration,
 			code,
 			environment: environments[0].slug,
 		});
+		
+		return res.status(200).send({
+			integrationAuth
+		});
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
@ -53,34 +78,42 @@ export const oAuthExchange = async (
 			message: 'Failed to get OAuth2 code-token exchange'
 		});
 	}
-
-	return res.status(200).send({
-		message: 'Successfully enabled integration authorization'
-	});
 };

 /**
- * Save integration access token as part of integration [integration] for workspace with id [workspaceId]
+ * Save integration access token and (optionally) access id as part of integration
+ * [integration] for workspace with id [workspaceId]
 * @param req 
 * @param res 
 */
 export const saveIntegrationAccessToken = async (
-	req: Request,
-	res: Response
+  req: Request,
+  res: Response
 ) => {
 	// TODO: refactor
+	// TODO: check if access token is valid for each integration
+
 	let integrationAuth;
 	try {
 		const {
 			workspaceId,
+			accessId,
 			accessToken,
 			integration
 		}: {
 			workspaceId: string;
+			accessId: string | null;
 			accessToken: string;
 			integration: string;
 		} = req.body;

+		const bot = await Bot.findOne({
+            workspace: new Types.ObjectId(workspaceId),
+            isActive: true
+        });
+        
+        if (!bot) throw new Error('Bot must be enabled to save integration access token');
+
 		integrationAuth = await IntegrationAuth.findOneAndUpdate({
            workspace: new Types.ObjectId(workspaceId),
            integration
@ -91,17 +124,11 @@ export const saveIntegrationAccessToken = async (
            new: true,
            upsert: true
        });
-
-		const bot = await Bot.findOne({
-            workspace: new Types.ObjectId(workspaceId),
-            isActive: true
-        });
-        
-        if (!bot) throw new Error('Bot must be enabled to save integration access token');
 		
-		// encrypt and save integration access token
+		// encrypt and save integration access details
 		integrationAuth = await IntegrationService.setIntegrationAuthAccess({
 			integrationAuthId: integrationAuth._id.toString(),
+			accessId,
 			accessToken,
 			accessExpiresAt: undefined
 		});
@ -127,23 +154,23 @@ export const saveIntegrationAccessToken = async (
 * @returns
 */
 export const getIntegrationAuthApps = async (req: Request, res: Response) => {
-	let apps;
-	try {
-		apps = await getApps({
-			integrationAuth: req.integrationAuth,
-			accessToken: req.accessToken
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);	
-		return res.status(400).send({
-			message: 'Failed to get integration authorization applications'
-		});
-	}
+  let apps;
+  try {
+    apps = await getApps({
+      integrationAuth: req.integrationAuth,
+      accessToken: req.accessToken,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get integration authorization applications",
+    });
+  }

-	return res.status(200).send({
-		apps
-	});
+  return res.status(200).send({
+    apps,
+  });
 };

 /**
@ -153,21 +180,21 @@ export const getIntegrationAuthApps = async (req: Request, res: Response) => {
 * @returns
 */
 export const deleteIntegrationAuth = async (req: Request, res: Response) => {
-	let integrationAuth;
-	try {
-		integrationAuth = await revokeAccess({
-			integrationAuth: req.integrationAuth,
-			accessToken: req.accessToken
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-        Sentry.captureException(err);	
-		return res.status(400).send({
-			message: 'Failed to delete integration authorization'
-		});
-	}
-	
-	return res.status(200).send({
-		integrationAuth
-	});
-}
+  let integrationAuth;
+  try {
+    integrationAuth = await revokeAccess({
+      integrationAuth: req.integrationAuth,
+      accessToken: req.accessToken,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to delete integration authorization",
+    });
+  }
+
+  return res.status(200).send({
+    integrationAuth,
+  });
+};
--- a/backend/src/controllers/v1/integrationController.ts
+++ b/backend/src/controllers/v1/integrationController.ts
@ -1,4 +1,5 @@
 import { Request, Response } from 'express';
+import { Types } from 'mongoose';
 import * as Sentry from '@sentry/node';
 import { 
 	Integration, 
@ -11,73 +12,41 @@ import { eventPushSecrets } from '../../events';

 /**
 * Create/initialize an (empty) integration for integration authorization
- * @param req 
- * @param res 
- * @returns 
- */
-export const createIntegration = async (req: Request, res: Response) => {
-	let integration;
-	try {
-		// initialize new integration after saving integration access token
-        integration = await new Integration({
-            workspace: req.integrationAuth.workspace._id,
-            isActive: false,
-            app: null,
-            environment: req.integrationAuth.workspace?.environments[0].slug,
-            integration: req.integrationAuth.integration,
-            integrationAuth: req.integrationAuth._id
-        }).save();
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to create integration'
-		});
-	}
-
-	return res.status(200).send({
-		integration
-	});
-}
-
-/**
- * Change environment or name of integration with id [integrationId]
 * @param req
 * @param res
 * @returns
 */
-export const updateIntegration = async (req: Request, res: Response) => {
+export const createIntegration = async (req: Request, res: Response) => {
 	let integration;
-	
-	// TODO: add integration-specific validation to ensure that each
-	// integration has the correct fields populated in [Integration]
-	
 	try {
-		const { 
-			environment, 
-			isActive, 
-			app, 
+		const {
+			integrationAuthId,
+			app,
 			appId,
+			isActive,
+			sourceEnvironment,
 			targetEnvironment,
-			owner, // github-specific integration param
+			owner,
+			path,
+			region
 		} = req.body;
 		
-		integration = await Integration.findOneAndUpdate(
-			{
-				_id: req.integration._id
-			},
-			{
-				environment,
-				isActive,
-				app,
-				appId,
-				targetEnvironment,
-				owner
-			},
-			{
-				new: true
-			}
-		);
+		// TODO: validate [sourceEnvironment] and [targetEnvironment]
+
+		// initialize new integration after saving integration access token
+        integration = await new Integration({
+            workspace: req.integrationAuth.workspace._id,
+            environment: sourceEnvironment,
+            isActive,
+            app,
+			appId,
+			targetEnvironment,
+			owner,
+			path,
+			region,
+            integration: req.integrationAuth.integration,
+            integrationAuth: new Types.ObjectId(integrationAuthId)
+        }).save();
 		
 		if (integration) {
 			// trigger event - push secrets
@ -87,17 +56,78 @@ export const updateIntegration = async (req: Request, res: Response) => {
 				})
 			});
 		}
+
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
 		return res.status(400).send({
-			message: 'Failed to update integration'
+			message: 'Failed to create integration'
 		});
 	}

-	return res.status(200).send({
-		integration
-	});
+  return res.status(200).send({
+    integration,
+  });
+};
+
+/**
+ * Change environment or name of integration with id [integrationId]
+ * @param req
+ * @param res
+ * @returns
+ */
+export const updateIntegration = async (req: Request, res: Response) => {
+  let integration;
+
+  // TODO: add integration-specific validation to ensure that each
+  // integration has the correct fields populated in [Integration]
+
+  try {
+    const {
+      environment,
+      isActive,
+      app,
+      appId,
+      targetEnvironment,
+      owner, // github-specific integration param
+    } = req.body;
+
+    integration = await Integration.findOneAndUpdate(
+      {
+        _id: req.integration._id,
+      },
+      {
+        environment,
+        isActive,
+        app,
+        appId,
+        targetEnvironment,
+        owner,
+      },
+      {
+        new: true,
+      }
+    );
+
+    if (integration) {
+      // trigger event - push secrets
+      EventService.handleEvent({
+        event: eventPushSecrets({
+          workspaceId: integration.workspace.toString(),
+        }),
+      });
+    }
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to update integration",
+    });
+  }
+
+  return res.status(200).send({
+    integration,
+  });
 };

 /**
@ -108,24 +138,24 @@ export const updateIntegration = async (req: Request, res: Response) => {
 * @returns
 */
 export const deleteIntegration = async (req: Request, res: Response) => {
-	let integration;
-	try {
-		const { integrationId } = req.params;
+  let integration;
+  try {
+    const { integrationId } = req.params;

-		integration = await Integration.findOneAndDelete({
-			_id: integrationId
-		});
-		
-		if (!integration) throw new Error('Failed to find integration');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to delete integration'
-		});
-	}
-	
-	return res.status(200).send({
-		integration
-	});
+    integration = await Integration.findOneAndDelete({
+      _id: integrationId,
+    });
+
+    if (!integration) throw new Error("Failed to find integration");
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to delete integration",
+    });
+  }
+
+  return res.status(200).send({
+    integration,
+  });
 };
--- a/backend/src/controllers/v1/membershipOrgController.ts
+++ b/backend/src/controllers/v1/membershipOrgController.ts
@ -1,14 +1,13 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import crypto from 'crypto';
 import { SITE_URL, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET } from '../../config';
-import { MembershipOrg, Organization, User, Token } from '../../models';
+import { MembershipOrg, Organization, User } from '../../models';
 import { deleteMembershipOrg as deleteMemberFromOrg } from '../../helpers/membershipOrg';
-import { checkEmailVerification } from '../../helpers/signup';
 import { createToken } from '../../helpers/auth';
 import { updateSubscriptionOrgQuantity } from '../../helpers/organization';
 import { sendMail } from '../../helpers/nodemailer';
-import { OWNER, ADMIN, MEMBER, ACCEPTED, INVITED } from '../../variables';
+import { TokenService } from '../../services';
+import { OWNER, ADMIN, MEMBER, ACCEPTED, INVITED, TOKEN_EMAIL_ORG_INVITATION } from '../../variables';

 /**
 * Delete organization membership with id [membershipOrgId] from organization
@ -77,8 +76,6 @@ export const changeMembershipOrgRole = async (req: Request, res: Response) => {
 	// change role for (target) organization membership with id
 	// [membershipOrgId]

-	// TODO
-
 	let membershipToChangeRole;
 	// try {
 	// } catch (err) {
@ -115,14 +112,14 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 		if (!membershipOrg) {
 			throw new Error('Failed to validate organization membership');
 		}
-		
+
 		invitee = await User.findOne({
 			email: inviteeEmail
 		}).select('+publicKey');

 		if (invitee) {
 			// case: invitee is an existing user
-			
+
 			inviteeMembershipOrg = await MembershipOrg.findOne({
 				user: invitee._id,
 				organization: organizationId
@ -165,17 +162,11 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 		const organization = await Organization.findOne({ _id: organizationId });

 		if (organization) {
-			const token = crypto.randomBytes(16).toString('hex');
-
-			await Token.findOneAndUpdate(
-				{ email: inviteeEmail },
-				{
-					email: inviteeEmail,
-					token,
-					createdAt: new Date()
-				},
-				{ upsert: true, new: true }
-			);
+			const token = await TokenService.createToken({
+				type: TOKEN_EMAIL_ORG_INVITATION,
+				email: inviteeEmail,
+				organizationId: organization._id
+			});

 			await sendMail({
 				template: 'organizationInvitation.handlebars',
@ -227,10 +218,12 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {

 		if (!membershipOrg)
 			throw new Error('Failed to find any invitations for email');
-
-		await checkEmailVerification({
+		
+		await TokenService.validateToken({
+			type: TOKEN_EMAIL_ORG_INVITATION,
 			email,
-			code
+			organizationId: membershipOrg.organization,
+			token: code
 		});

 		if (user && user?.publicKey) {
@ -243,7 +236,7 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
 				message: 'Successfully verified email',
 				user,
 			});
-        }
+		}

 		if (!user) {
 			// initialize user account
--- a/backend/src/controllers/v1/organizationController.ts
+++ b/backend/src/controllers/v1/organizationController.ts
@ -14,11 +14,13 @@ import {
 	MembershipOrg,
 	Organization,
 	Workspace,
-	IncidentContactOrg
+	IncidentContactOrg,
+	IMembershipOrg
 } from '../../models';
 import { createOrganization as create } from '../../helpers/organization';
 import { addMembershipsOrg } from '../../helpers/membershipOrg';
 import { OWNER, ACCEPTED } from '../../variables';
+import _ from 'lodash';

 export const getOrganizations = async (req: Request, res: Response) => {
 	let organizations;
@ -382,3 +384,44 @@ export const getOrganizationSubscriptions = async (
 		subscriptions
 	});
 };
+
+
+/**
+ * Given a org id, return the projects each member of the org belongs to
+ * @param req
+ * @param res
+ * @returns
+ */
+export const getOrganizationMembersAndTheirWorkspaces = async (
+	req: Request,
+	res: Response
+) => {
+	const { organizationId } = req.params;
+
+	const workspacesSet = (
+			await Workspace.find(
+				{
+					organization: organizationId
+				},
+				'_id'
+			)
+		).map((w) => w._id.toString());
+
+	const memberships = (
+		await Membership.find({
+			workspace: { $in: workspacesSet }
+		}).populate('workspace')
+	);
+	const userToWorkspaceIds: any = {};
+
+	memberships.forEach(membership => {
+		const user = membership.user.toString();
+		if (userToWorkspaceIds[user]) {
+			userToWorkspaceIds[user].push(membership.workspace);
+		} else {
+			userToWorkspaceIds[user] = [membership.workspace];
+		}
+	});
+
+	return res.json(userToWorkspaceIds);
+};
--- a/backend/src/controllers/v1/passwordController.ts
+++ b/backend/src/controllers/v1/passwordController.ts
@ -1,15 +1,14 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import crypto from 'crypto';
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const jsrp = require('jsrp');
 import * as bigintConversion from 'bigint-conversion';
-import { User, Token, BackupPrivateKey } from '../../models';
-import { checkEmailVerification } from '../../helpers/signup';
+import { User, BackupPrivateKey, LoginSRPDetail } from '../../models';
 import { createToken } from '../../helpers/auth';
 import { sendMail } from '../../helpers/nodemailer';
+import { TokenService } from '../../services';
 import { JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, SITE_URL } from '../../config';
-import LoginSRPDetail from '../../models/LoginSRPDetail';
+import { TOKEN_EMAIL_PASSWORD_RESET } from '../../variables';
 import { BadRequestError } from '../../utils/errors';

 /**
@ -32,19 +31,12 @@ export const emailPasswordReset = async (req: Request, res: Response) => {
 				error: 'Failed to send email verification for password reset'
 			});
 		}
-
-		const token = crypto.randomBytes(16).toString('hex');
-
-		await Token.findOneAndUpdate(
-			{ email },
-			{
-				email,
-				token,
-				createdAt: new Date()
-			},
-			{ upsert: true, new: true }
-		);
-
+		
+		const token = await TokenService.createToken({
+			type: TOKEN_EMAIL_PASSWORD_RESET,
+			email
+		});
+		
 		await sendMail({
 			template: 'passwordReset.handlebars',
 			subjectLine: 'Infisical password reset',
@ -55,7 +47,6 @@ export const emailPasswordReset = async (req: Request, res: Response) => {
 				callback_url: SITE_URL + '/password-reset'
 			}
 		});
-
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
@ -88,10 +79,11 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
 				error: 'Failed email verification for password reset'
 			});
 		}
-
-		await checkEmailVerification({
+		
+		await TokenService.validateToken({
+			type: TOKEN_EMAIL_PASSWORD_RESET,
 			email,
-			code
+			token: code
 		});

 		// generate temporary password-reset token
@ -174,8 +166,18 @@ export const srp1 = async (req: Request, res: Response) => {
 */
 export const changePassword = async (req: Request, res: Response) => {
 	try {
-		const { clientProof, encryptedPrivateKey, iv, tag, salt, verifier } =
-			req.body;
+		const { 
+			clientProof, 
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
+			encryptedPrivateKey,
+			encryptedPrivateKeyIV,
+			encryptedPrivateKeyTag,
+			salt,
+			verifier
+		} = req.body;
+
 		const user = await User.findOne({
 			email: req.user.email
 		}).select('+salt +verifier');
@ -205,9 +207,13 @@ export const changePassword = async (req: Request, res: Response) => {
 					await User.findByIdAndUpdate(
 						req.user._id.toString(),
 						{
+							encryptionVersion: 2,
+							protectedKey,
+							protectedKeyIV,
+							protectedKeyTag,
 							encryptedPrivateKey,
-							iv,
-							tag,
+							iv: encryptedPrivateKeyIV,
+							tag: encryptedPrivateKeyTag,
 							salt,
 							verifier
 						},
@ -341,9 +347,12 @@ export const getBackupPrivateKey = async (req: Request, res: Response) => {
 export const resetPassword = async (req: Request, res: Response) => {
 	try {
 		const {
+			protectedKey,
+			protectedKeyIV,
+			protectedKeyTag,
 			encryptedPrivateKey,
-			iv,
-			tag,
+			encryptedPrivateKeyIV,
+			encryptedPrivateKeyTag,
 			salt,
 			verifier,
 		} = req.body;
@ -351,9 +360,13 @@ export const resetPassword = async (req: Request, res: Response) => {
 		await User.findByIdAndUpdate(
 			req.user._id.toString(),
 			{
+				encryptionVersion: 2,
+				protectedKey,
+				protectedKeyIV,
+				protectedKeyTag,	
 				encryptedPrivateKey,
-				iv,
-				tag,
+				iv: encryptedPrivateKeyIV,
+				tag: encryptedPrivateKeyTag,
 				salt,
 				verifier
 			},
--- a/backend/src/controllers/v1/signupController.ts
+++ b/backend/src/controllers/v1/signupController.ts
@ -1,16 +1,13 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
-import { NODE_ENV, JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET } from '../../config';
-import { User, MembershipOrg } from '../../models';
-import { completeAccount } from '../../helpers/user';
+import { User } from '../../models';
+import { JWT_SIGNUP_LIFETIME, JWT_SIGNUP_SECRET, INVITE_ONLY_SIGNUP } from '../../config';
 import {
 	sendEmailVerification,
 	checkEmailVerification,
-	initializeDefaultOrg
 } from '../../helpers/signup';
-import { issueTokens, createToken } from '../../helpers/auth';
-import { INVITED, ACCEPTED } from '../../variables';
-import axios from 'axios';
+import { createToken } from '../../helpers/auth';
+import { BadRequestError } from '../../utils/errors';

 /**
 * Signup step 1: Initialize account for user under email [email] and send a verification code
@ -24,6 +21,14 @@ export const beginEmailSignup = async (req: Request, res: Response) => {
 	try {
 		email = req.body.email;

+		if (INVITE_ONLY_SIGNUP) {
+			// Only one user can create an account without being invited. The rest need to be invited in order to make an account
+			const userCount = await User.countDocuments({})
+			if (userCount != 0) {
+				throw BadRequestError({ message: "New user sign ups are not allowed at this time. You must be invited to sign up." })
+			}
+		}
+
 		const user = await User.findOne({ email }).select('+publicKey');
 		if (user && user?.publicKey) {
 			// case: user has already completed account
@ -103,201 +108,3 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
 		token
 	});
 };
-
-/**
- * Complete setting up user by adding their personal and auth information as part of the
- * signup flow
- * @param req
- * @param res
- * @returns
- */
-export const completeAccountSignup = async (req: Request, res: Response) => {
-	let user, token, refreshToken;
-	try {
-		const {
-			email,
-			firstName,
-			lastName,
-			publicKey,
-			encryptedPrivateKey,
-			iv,
-			tag,
-			salt,
-			verifier,
-			organizationName
-		} = req.body;
-
-		// get user
-		user = await User.findOne({ email });
-		
-		if (!user || (user && user?.publicKey)) {
-			// case 1: user doesn't exist.
-			// case 2: user has already completed account
-			return res.status(403).send({
-				error: 'Failed to complete account for complete user'
-			});
-		}
-
-		// complete setting up user's account
-		user = await completeAccount({
-			userId: user._id.toString(),
-			firstName,
-			lastName,
-			publicKey,
-			encryptedPrivateKey,
-			iv,
-			tag,
-			salt,
-			verifier
-		});
-
-		if (!user)
-			throw new Error('Failed to complete account for non-existent user'); // ensure user is non-null
-
-		// initialize default organization and workspace
-		await initializeDefaultOrg({
-			organizationName,
-			user
-		});
-
-		// update organization membership statuses that are
-		// invited to completed with user attached
-		await MembershipOrg.updateMany(
-			{
-				inviteEmail: email,
-				status: INVITED
-			},
-			{
-				user,
-				status: ACCEPTED
-			}
-		);
-
-		// issue tokens
-		const tokens = await issueTokens({
-			userId: user._id.toString()
-		});
-
-		token = tokens.token;
-		refreshToken = tokens.refreshToken;
-
-		// sending a welcome email to new users
-		if (process.env.LOOPS_API_KEY) {
-			await axios.post("https://app.loops.so/api/v1/events/send", {
-				"email": email,
-				"eventName": "Sign Up",
-				"firstName": firstName,
-				"lastName": lastName
-			}, {
-				headers: {
-					"Accept": "application/json",
-					"Authorization": "Bearer " + process.env.LOOPS_API_KEY
-				},
-			});
-		}
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to complete account setup'
-		});
-	}
-
-	return res.status(200).send({
-		message: 'Successfully set up account',
-		user,
-		token,
-		refreshToken
-	});
-};
-/**
- * Complete setting up user by adding their personal and auth information as part of the
- * invite flow
- * @param req
- * @param res
- * @returns
- */
-export const completeAccountInvite = async (req: Request, res: Response) => {
-	let user, token, refreshToken;
-	try {
-		const {
-			email,
-			firstName,
-			lastName,
-			publicKey,
-			encryptedPrivateKey,
-			iv,
-			tag,
-			salt,
-			verifier
-		} = req.body;
-
-		// get user
-		user = await User.findOne({ email });
-
-		if (!user || (user && user?.publicKey)) {
-			// case 1: user doesn't exist.
-			// case 2: user has already completed account
-			return res.status(403).send({
-				error: 'Failed to complete account for complete user'
-			});
-		}
-
-		const membershipOrg = await MembershipOrg.findOne({
-			inviteEmail: email,
-			status: INVITED
-		});
-
-		if (!membershipOrg) throw new Error('Failed to find invitations for email');
-
-		// complete setting up user's account
-		user = await completeAccount({
-			userId: user._id.toString(),
-			firstName,
-			lastName,
-			publicKey,
-			encryptedPrivateKey,
-			iv,
-			tag,
-			salt,
-			verifier
-		});
-
-		if (!user)
-			throw new Error('Failed to complete account for non-existent user');
-
-		// update organization membership statuses that are
-		// invited to completed with user attached
-		await MembershipOrg.updateMany(
-			{
-				inviteEmail: email,
-				status: INVITED
-			},
-			{
-				user,
-				status: ACCEPTED
-			}
-		);
-
-		// issue tokens
-		const tokens = await issueTokens({
-			userId: user._id.toString()
-		});
-
-		token = tokens.token;
-		refreshToken = tokens.refreshToken;
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to complete account setup'
-		});
-	}
-
-	return res.status(200).send({
-		message: 'Successfully set up account',
-		user,
-		token,
-		refreshToken
-	});
-};
--- a/backend/src/controllers/v1/workspaceController.ts
+++ b/backend/src/controllers/v1/workspaceController.ts
@ -1,21 +1,21 @@
-import { Request, Response } from 'express';
-import * as Sentry from '@sentry/node';
+import { Request, Response } from "express";
+import * as Sentry from "@sentry/node";
 import {
-	Workspace,
-	Membership,
-	MembershipOrg,
-	Integration,
-	IntegrationAuth,
-	IUser,
-	ServiceToken,
-	ServiceTokenData
-} from '../../models';
+  Workspace,
+  Membership,
+  MembershipOrg,
+  Integration,
+  IntegrationAuth,
+  IUser,
+  ServiceToken,
+  ServiceTokenData,
+} from "../../models";
 import {
-	createWorkspace as create,
-	deleteWorkspace as deleteWork
-} from '../../helpers/workspace';
-import { addMemberships } from '../../helpers/membership';
-import { ADMIN } from '../../variables';
+  createWorkspace as create,
+  deleteWorkspace as deleteWork,
+} from "../../helpers/workspace";
+import { addMemberships } from "../../helpers/membership";
+import { ADMIN } from "../../variables";

 /**
 * Return public keys of members of workspace with id [workspaceId]
@ -24,32 +24,31 @@ import { ADMIN } from '../../variables';
 * @returns
 */
 export const getWorkspacePublicKeys = async (req: Request, res: Response) => {
-	let publicKeys;
-	try {
-		const { workspaceId } = req.params;
+  let publicKeys;
+  try {
+    const { workspaceId } = req.params;

-		publicKeys = (
-			await Membership.find({
-				workspace: workspaceId
-			}).populate<{ user: IUser }>('user', 'publicKey')
-		)
-		.map((member) => {
-			return {
-				publicKey: member.user.publicKey,
-				userId: member.user._id
-			};
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace member public keys'
-		});
-	}
+    publicKeys = (
+      await Membership.find({
+        workspace: workspaceId,
+      }).populate<{ user: IUser }>("user", "publicKey")
+    ).map((member) => {
+      return {
+        publicKey: member.user.publicKey,
+        userId: member.user._id,
+      };
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspace member public keys",
+    });
+  }

-	return res.status(200).send({
-		publicKeys
-	});
+  return res.status(200).send({
+    publicKeys,
+  });
 };

 /**
@ -59,24 +58,24 @@ export const getWorkspacePublicKeys = async (req: Request, res: Response) => {
 * @returns
 */
 export const getWorkspaceMemberships = async (req: Request, res: Response) => {
-	let users;
-	try {
-		const { workspaceId } = req.params;
+  let users;
+  try {
+    const { workspaceId } = req.params;

-		users = await Membership.find({
-			workspace: workspaceId
-		}).populate('user', '+publicKey');
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace members'
-		});
-	}
+    users = await Membership.find({
+      workspace: workspaceId,
+    }).populate("user", "+publicKey");
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspace members",
+    });
+  }

-	return res.status(200).send({
-		users
-	});
+  return res.status(200).send({
+    users,
+  });
 };

 /**
@ -86,24 +85,24 @@ export const getWorkspaceMemberships = async (req: Request, res: Response) => {
 * @returns
 */
 export const getWorkspaces = async (req: Request, res: Response) => {
-	let workspaces;
-	try {
-		workspaces = (
-			await Membership.find({
-				user: req.user._id
-			}).populate('workspace')
-		).map((m) => m.workspace);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspaces'
-		});
-	}
+  let workspaces;
+  try {
+    workspaces = (
+      await Membership.find({
+        user: req.user._id,
+      }).populate("workspace")
+    ).map((m) => m.workspace);
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspaces",
+    });
+  }

-	return res.status(200).send({
-		workspaces
-	});
+  return res.status(200).send({
+    workspaces,
+  });
 };

 /**
@ -113,24 +112,24 @@ export const getWorkspaces = async (req: Request, res: Response) => {
 * @returns
 */
 export const getWorkspace = async (req: Request, res: Response) => {
-	let workspace;
-	try {
-		const { workspaceId } = req.params;
+  let workspace;
+  try {
+    const { workspaceId } = req.params;

-		workspace = await Workspace.findOne({
-			_id: workspaceId
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace'
-		});
-	}
+    workspace = await Workspace.findOne({
+      _id: workspaceId,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspace",
+    });
+  }

-	return res.status(200).send({
-		workspace
-	});
+  return res.status(200).send({
+    workspace,
+  });
 };

 /**
@ -141,46 +140,46 @@ export const getWorkspace = async (req: Request, res: Response) => {
 * @returns
 */
 export const createWorkspace = async (req: Request, res: Response) => {
-	let workspace;
-	try {
-		const { workspaceName, organizationId } = req.body;
+  let workspace;
+  try {
+    const { workspaceName, organizationId } = req.body;

-		// validate organization membership
-		const membershipOrg = await MembershipOrg.findOne({
-			user: req.user._id,
-			organization: organizationId
-		});
+    // validate organization membership
+    const membershipOrg = await MembershipOrg.findOne({
+      user: req.user._id,
+      organization: organizationId,
+    });

-		if (!membershipOrg) {
-			throw new Error('Failed to validate organization membership');
-		}
+    if (!membershipOrg) {
+      throw new Error("Failed to validate organization membership");
+    }

-		if (workspaceName.length < 1) {
-			throw new Error('Workspace names must be at least 1-character long');
-		}
+    if (workspaceName.length < 1) {
+      throw new Error("Workspace names must be at least 1-character long");
+    }

-		// create workspace and add user as member
-		workspace = await create({
-			name: workspaceName,
-			organizationId
-		});
+    // create workspace and add user as member
+    workspace = await create({
+      name: workspaceName,
+      organizationId,
+    });

-		await addMemberships({
-			userIds: [req.user._id],
-			workspaceId: workspace._id.toString(),
-			roles: [ADMIN]
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to create workspace'
-		});
-	}
+    await addMemberships({
+      userIds: [req.user._id],
+      workspaceId: workspace._id.toString(),
+      roles: [ADMIN],
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to create workspace",
+    });
+  }

-	return res.status(200).send({
-		workspace
-	});
+  return res.status(200).send({
+    workspace,
+  });
 };

 /**
@ -190,24 +189,24 @@ export const createWorkspace = async (req: Request, res: Response) => {
 * @returns
 */
 export const deleteWorkspace = async (req: Request, res: Response) => {
-	try {
-		const { workspaceId } = req.params;
+  try {
+    const { workspaceId } = req.params;

-		// delete workspace
-		await deleteWork({
-			id: workspaceId
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to delete workspace'
-		});
-	}
+    // delete workspace
+    await deleteWork({
+      id: workspaceId,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to delete workspace",
+    });
+  }

-	return res.status(200).send({
-		message: 'Successfully deleted workspace'
-	});
+  return res.status(200).send({
+    message: "Successfully deleted workspace",
+  });
 };

 /**
@ -217,34 +216,34 @@ export const deleteWorkspace = async (req: Request, res: Response) => {
 * @returns
 */
 export const changeWorkspaceName = async (req: Request, res: Response) => {
-	let workspace;
-	try {
-		const { workspaceId } = req.params;
-		const { name } = req.body;
+  let workspace;
+  try {
+    const { workspaceId } = req.params;
+    const { name } = req.body;

-		workspace = await Workspace.findOneAndUpdate(
-			{
-				_id: workspaceId
-			},
-			{
-				name
-			},
-			{
-				new: true
-			}
-		);
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to change workspace name'
-		});
-	}
+    workspace = await Workspace.findOneAndUpdate(
+      {
+        _id: workspaceId,
+      },
+      {
+        name,
+      },
+      {
+        new: true,
+      }
+    );
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to change workspace name",
+    });
+  }

-	return res.status(200).send({
-		message: 'Successfully changed workspace name',
-		workspace
-	});
+  return res.status(200).send({
+    message: "Successfully changed workspace name",
+    workspace,
+  });
 };

 /**
@ -254,24 +253,24 @@ export const changeWorkspaceName = async (req: Request, res: Response) => {
 * @returns
 */
 export const getWorkspaceIntegrations = async (req: Request, res: Response) => {
-	let integrations;
-	try {
-		const { workspaceId } = req.params;
+  let integrations;
+  try {
+    const { workspaceId } = req.params;

-		integrations = await Integration.find({
-			workspace: workspaceId
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace integrations'
-		});
-	}
+    integrations = await Integration.find({
+      workspace: workspaceId,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspace integrations",
+    });
+  }

-	return res.status(200).send({
-		integrations
-	});
+  return res.status(200).send({
+    integrations,
+  });
 };

 /**
@ -281,56 +280,56 @@ export const getWorkspaceIntegrations = async (req: Request, res: Response) => {
 * @returns
 */
 export const getWorkspaceIntegrationAuthorizations = async (
-	req: Request,
-	res: Response
+  req: Request,
+  res: Response
 ) => {
-	let authorizations;
-	try {
-		const { workspaceId } = req.params;
+  let authorizations;
+  try {
+    const { workspaceId } = req.params;

-		authorizations = await IntegrationAuth.find({
-			workspace: workspaceId
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace integration authorizations'
-		});
-	}
+    authorizations = await IntegrationAuth.find({
+      workspace: workspaceId,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspace integration authorizations",
+    });
+  }

-	return res.status(200).send({
-		authorizations
-	});
+  return res.status(200).send({
+    authorizations,
+  });
 };

 /**
 * Return service service tokens for workspace [workspaceId] belonging to user
- * @param req 
- * @param res 
- * @returns 
+ * @param req
+ * @param res
+ * @returns
 */
 export const getWorkspaceServiceTokens = async (
-	req: Request,
-	res: Response
+  req: Request,
+  res: Response
 ) => {
-	let serviceTokens;
-	try {
-		const { workspaceId } = req.params;
-		// ?? FIX.
-		serviceTokens = await ServiceToken.find({
-			user: req.user._id,
-			workspace: workspaceId
-		});
-	} catch (err) {
-		Sentry.setUser({ email: req.user.email });
-		Sentry.captureException(err);
-		return res.status(400).send({
-			message: 'Failed to get workspace service tokens'
-		});
-	}
-	
-	return res.status(200).send({
-		serviceTokens
-	});
-}
+  let serviceTokens;
+  try {
+    const { workspaceId } = req.params;
+    // ?? FIX.
+    serviceTokens = await ServiceToken.find({
+      user: req.user._id,
+      workspace: workspaceId,
+    });
+  } catch (err) {
+    Sentry.setUser({ email: req.user.email });
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: "Failed to get workspace service tokens",
+    });
+  }
+
+  return res.status(200).send({
+    serviceTokens,
+  });
+};
--- a/backend/src/controllers/v2/authController.ts
+++ b/backend/src/controllers/v2/authController.ts
@ -0,0 +1,351 @@
+/* eslint-disable @typescript-eslint/no-var-requires */
+import { Request, Response } from 'express';
+import jwt from 'jsonwebtoken';
+import * as Sentry from '@sentry/node';
+import * as bigintConversion from 'bigint-conversion';
+const jsrp = require('jsrp');
+import { User, LoginSRPDetail } from '../../models';
+import { issueAuthTokens, createToken } from '../../helpers/auth';
+import { checkUserDevice } from '../../helpers/user';
+import { sendMail } from '../../helpers/nodemailer';
+import { TokenService } from '../../services';
+import { EELogService } from '../../ee/services';
+import {
+  NODE_ENV,
+  JWT_MFA_LIFETIME,
+  JWT_MFA_SECRET
+} from '../../config';
+import { BadRequestError, InternalServerError } from '../../utils/errors';
+import {
+  TOKEN_EMAIL_MFA,
+  ACTION_LOGIN
+} from '../../variables';
+import { getChannelFromUserAgent } from '../../utils/posthog'; // TODO: move this
+
+declare module 'jsonwebtoken' {
+  export interface UserIDJwtPayload extends jwt.JwtPayload {
+    userId: string;
+  }
+}
+
+const clientPublicKeys: any = {};
+
+/**
+ * Log in user step 1: Return [salt] and [serverPublicKey] as part of step 1 of SRP protocol
+ * @param req
+ * @param res
+ * @returns
+ */
+export const login1 = async (req: Request, res: Response) => {
+  try {
+    const {
+      email,
+      clientPublicKey
+    }: { email: string; clientPublicKey: string } = req.body;
+
+    const user = await User.findOne({
+      email
+    }).select('+salt +verifier');
+
+    if (!user) throw new Error('Failed to find user');
+
+    const server = new jsrp.server();
+    server.init(
+      {
+        salt: user.salt,
+        verifier: user.verifier
+      },
+      async () => {
+        // generate server-side public key
+        const serverPublicKey = server.getPublicKey();
+
+        await LoginSRPDetail.findOneAndReplace({ email: email }, {
+          email: email,
+          clientPublicKey: clientPublicKey,
+          serverBInt: bigintConversion.bigintToBuf(server.bInt),
+        }, { upsert: true, returnNewDocument: false });
+
+        return res.status(200).send({
+          serverPublicKey,
+          salt: user.salt
+        });
+      }
+    );
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to start authentication process'
+    });
+  }
+};
+
+/**
+ * Log in user step 2: complete step 2 of SRP protocol and return token and their (encrypted)
+ * private key
+ * @param req
+ * @param res
+ * @returns
+ */
+export const login2 = async (req: Request, res: Response) => {
+  try {
+    
+    if (!req.headers['user-agent']) throw InternalServerError({ message: 'User-Agent header is required' });
+
+    const { email, clientProof } = req.body;
+    const user = await User.findOne({
+      email
+    }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
+
+    if (!user) throw new Error('Failed to find user');
+
+    const loginSRPDetail = await LoginSRPDetail.findOneAndDelete({ email: email })
+
+    if (!loginSRPDetail) {
+      return BadRequestError(Error("Failed to find login details for SRP"))
+    }
+
+    const server = new jsrp.server();
+    server.init(
+      {
+        salt: user.salt,
+        verifier: user.verifier,
+        b: loginSRPDetail.serverBInt
+      },
+      async () => {
+        server.setClientPublicKey(loginSRPDetail.clientPublicKey);
+
+        // compare server and client shared keys
+        if (server.checkClientProof(clientProof)) {
+
+          if (user.isMfaEnabled) {
+            // case: user has MFA enabled
+
+            // generate temporary MFA token
+            const token = createToken({
+              payload: {
+                userId: user._id.toString()
+              },
+              expiresIn: JWT_MFA_LIFETIME,
+              secret: JWT_MFA_SECRET
+            });
+          
+            const code = await TokenService.createToken({
+              type: TOKEN_EMAIL_MFA,
+              email
+            });
+            
+            // send MFA code [code] to [email]
+            await sendMail({
+              template: 'emailMfa.handlebars',
+              subjectLine: 'Infisical MFA code',
+              recipients: [email],
+              substitutions: {
+                code
+              }
+            });
+            
+            return res.status(200).send({
+              mfaEnabled: true,
+              token
+            });
+          }
+          
+          await checkUserDevice({
+            user,
+            ip: req.ip,
+            userAgent: req.headers['user-agent'] ?? ''
+          });
+
+          // issue tokens
+          const tokens = await issueAuthTokens({ userId: user._id.toString() });
+
+          // store (refresh) token in httpOnly cookie
+          res.cookie('jid', tokens.refreshToken, {
+            httpOnly: true,
+            path: '/',
+            sameSite: 'strict',
+            secure: NODE_ENV === 'production' ? true : false
+          });
+
+          // case: user does not have MFA enablgged
+          // return (access) token in response
+
+          interface ResponseData {
+            mfaEnabled: boolean;
+            encryptionVersion: any;
+            protectedKey?: string;
+            protectedKeyIV?: string;
+            protectedKeyTag?: string;
+            token: string;
+            publicKey?: string;
+            encryptedPrivateKey?: string;
+            iv?: string;
+            tag?: string;
+          }
+          
+          const response: ResponseData = {
+            mfaEnabled: false,
+            encryptionVersion: user.encryptionVersion,
+            token: tokens.token,
+            publicKey: user.publicKey,
+            encryptedPrivateKey: user.encryptedPrivateKey,
+            iv: user.iv,
+            tag: user.tag
+          }
+          
+          if (
+            user?.protectedKey &&
+            user?.protectedKeyIV &&
+            user?.protectedKeyTag
+          ) {
+            response.protectedKey = user.protectedKey;
+            response.protectedKeyIV = user.protectedKeyIV
+            response.protectedKeyTag = user.protectedKeyTag;
+          }
+
+          const loginAction = await EELogService.createAction({
+            name: ACTION_LOGIN,
+            userId: user._id
+          });
+          
+          loginAction && await EELogService.createLog({
+            userId: user._id,
+            actions: [loginAction],
+            channel: getChannelFromUserAgent(req.headers['user-agent']),
+            ipAddress: req.ip
+          });
+          
+          return res.status(200).send(response);
+        }
+
+        return res.status(400).send({
+          message: 'Failed to authenticate. Try again?'
+        });
+      }
+    );
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to authenticate. Try again?'
+    });
+  }
+};
+
+/**
+ * Send MFA token to email [email]
+ * @param req 
+ * @param res 
+ */
+export const sendMfaToken = async (req: Request, res: Response) => {
+  try {
+    const { email } = req.body;
+
+    const code = await TokenService.createToken({
+      type: TOKEN_EMAIL_MFA,
+      email
+    });
+    
+    // send MFA code [code] to [email]
+    await sendMail({
+      template: 'emailMfa.handlebars',
+      subjectLine: 'Infisical MFA code',
+      recipients: [email],
+      substitutions: {
+        code
+      }
+    });
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    return res.status(400).send({
+      message: 'Failed to send MFA code'
+    }); 
+  }
+  
+  return res.status(200).send({
+    message: 'Successfully sent new MFA code'
+  });
+}
+
+/**
+ * Verify MFA token [mfaToken] and issue JWT and refresh tokens if the
+ * MFA token [mfaToken] is valid
+ * @param req 
+ * @param res 
+ */
+export const verifyMfaToken = async (req: Request, res: Response) => {
+    const { email, mfaToken } = req.body;
+
+    await TokenService.validateToken({
+      type: TOKEN_EMAIL_MFA,
+      email,
+      token: mfaToken
+    });
+
+    const user = await User.findOne({
+      email
+    }).select('+salt +verifier +encryptionVersion +protectedKey +protectedKeyIV +protectedKeyTag +publicKey +encryptedPrivateKey +iv +tag');
+
+    if (!user) throw new Error('Failed to find user'); 
+
+     await checkUserDevice({
+      user,
+      ip: req.ip,
+      userAgent: req.headers['user-agent'] ?? ''
+    });
+
+    // issue tokens
+    const tokens = await issueAuthTokens({ userId: user._id.toString() });
+
+    // store (refresh) token in httpOnly cookie
+    res.cookie('jid', tokens.refreshToken, {
+      httpOnly: true,
+      path: '/',
+      sameSite: 'strict',
+      secure: NODE_ENV === 'production' ? true : false
+    });
+    
+    interface VerifyMfaTokenRes {
+      encryptionVersion: number;
+      protectedKey?: string;
+      protectedKeyIV?: string;
+      protectedKeyTag?: string;
+      token: string;
+      publicKey: string;
+      encryptedPrivateKey: string;
+      iv: string;
+      tag: string;
+    }
+
+    const resObj: VerifyMfaTokenRes = {
+      encryptionVersion: user.encryptionVersion,
+      token: tokens.token,
+      publicKey: user.publicKey as string,
+      encryptedPrivateKey: user.encryptedPrivateKey as string,
+      iv: user.iv as string,
+      tag: user.tag as string
+    }
+    
+    if (user?.protectedKey && user?.protectedKeyIV && user?.protectedKeyTag) {
+      resObj.protectedKey = user.protectedKey;
+      resObj.protectedKeyIV = user.protectedKeyIV;
+      resObj.protectedKeyTag = user.protectedKeyTag;
+    }
+
+    const loginAction = await EELogService.createAction({
+      name: ACTION_LOGIN,
+      userId: user._id
+    });
+    
+    loginAction && await EELogService.createLog({
+      userId: user._id,
+      actions: [loginAction],
+      channel: getChannelFromUserAgent(req.headers['user-agent']),
+      ipAddress: req.ip
+    });
+
+    return res.status(200).send(resObj); 
+}
+
--- a/backend/src/controllers/v2/environmentController.ts
+++ b/backend/src/controllers/v2/environmentController.ts
@ -246,13 +246,14 @@ export const getAllAccessibleEnvironmentsOfWorkspace = async (
  relatedWorkspace.environments.forEach(environment => {
    const isReadBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: ABILITY_READ })
    const isWriteBlocked = _.some(deniedPermission, { environmentSlug: environment.slug, ability: ABILITY_WRITE })
-    if (isReadBlocked) {
+    if (isReadBlocked && isWriteBlocked) {
      return
    } else {
      accessibleEnvironments.push({
        name: environment.name,
        slug: environment.slug,
-        isWriteDenied: isWriteBlocked
+        isWriteDenied: isWriteBlocked,
+        isReadDenied: isReadBlocked
      })
    }
  })
--- a/backend/src/controllers/v2/index.ts
+++ b/backend/src/controllers/v2/index.ts
@ -1,3 +1,5 @@
+import * as authController from './authController';
+import * as signupController from './signupController';
 import * as usersController from './usersController';
 import * as organizationsController from './organizationsController';
 import * as workspaceController from './workspaceController';
@ -6,8 +8,11 @@ import * as apiKeyDataController from './apiKeyDataController';
 import * as secretController from './secretController';
 import * as secretsController from './secretsController';
 import * as environmentController from './environmentController';
+import * as tagController from './tagController';

 export {
+    authController,
+    signupController,
    usersController,
    organizationsController,
    workspaceController,
@ -15,5 +20,6 @@ export {
    apiKeyDataController,
    secretController,
    secretsController,
-    environmentController
+    environmentController,
+    tagController
 }
--- a/backend/src/controllers/v2/secretsController.ts
+++ b/backend/src/controllers/v2/secretsController.ts
@ -1,7 +1,8 @@
 import to from 'await-to-js';
 import { Types } from 'mongoose';
 import { Request, Response } from 'express';
-import { ISecret, Membership, Secret, Workspace } from '../../models';
+import { ISecret, Secret } from '../../models';
+import { IAction } from '../../ee/models';
 import {
    SECRET_PERSONAL,
    SECRET_SHARED,
@ -17,7 +18,255 @@ import { EESecretService, EELogService } from '../../ee/services';
 import { postHogClient } from '../../services';
 import { getChannelFromUserAgent } from '../../utils/posthog';
 import { ABILITY_READ, ABILITY_WRITE } from '../../variables/organization';
-import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
+import { userHasNoAbility, userHasWorkspaceAccess, userHasWriteOnlyAbility } from '../../ee/helpers/checkMembershipPermissions';
+import Tag from '../../models/tag';
+import _ from 'lodash';
+import {
+    BatchSecretRequest, 
+    BatchSecret
+} from '../../types/secret';
+
+/**
+ * Peform a batch of any specified CUD secret operations
+ * @param req 
+ * @param res 
+ */
+export const batchSecrets = async (req: Request, res: Response) => {
+    const channel = getChannelFromUserAgent(req.headers['user-agent']);
+    const {
+        workspaceId,
+        environment,
+        requests
+    }: {
+        workspaceId: string;
+        environment: string;
+        requests: BatchSecretRequest[];
+    }= req.body;
+    
+    const createSecrets: BatchSecret[] = [];
+    const updateSecrets: BatchSecret[] = [];
+    const deleteSecrets: Types.ObjectId[] = [];
+    const actions: IAction[] = [];
+    
+    requests.forEach((request) => {
+        switch (request.method) {
+            case 'POST':
+                createSecrets.push({
+                    ...request.secret,
+                    version: 1,
+                    user: request.secret.type === SECRET_PERSONAL ? req.user : undefined,
+                    environment,
+                    workspace: new Types.ObjectId(workspaceId)
+                });
+                break;
+            case 'PATCH':
+                updateSecrets.push({
+                    ...request.secret,
+                    _id: new Types.ObjectId(request.secret._id)
+                });
+                break;
+            case 'DELETE':
+                deleteSecrets.push(new Types.ObjectId(request.secret._id));
+                break;
+        }
+    });
+    
+    // handle create secrets
+    let createdSecrets: ISecret[] = [];
+    if (createSecrets.length > 0) {
+        createdSecrets = await Secret.insertMany(createSecrets);
+        // (EE) add secret versions for new secrets
+        await EESecretService.addSecretVersions({
+            secretVersions: createdSecrets.map((n: any) => {
+                return ({
+                    ...n._doc,
+                    _id: new Types.ObjectId(),
+                    secret: n._id,
+                    isDeleted: false
+                });
+            })
+        });
+
+        const addAction = await EELogService.createAction({
+            name: ACTION_ADD_SECRETS,
+            userId: req.user._id,
+            workspaceId: new Types.ObjectId(workspaceId),
+            secretIds: createdSecrets.map((n) => n._id)
+        }) as IAction;
+        actions.push(addAction);
+
+        if (postHogClient) {
+            postHogClient.capture({
+                event: 'secrets added',
+                distinctId: req.user.email,
+                properties: {
+                    numberOfSecrets: createdSecrets.length,
+                    environment,
+                    workspaceId,
+                    channel,
+                    userAgent: req.headers?.['user-agent']
+                }
+            });
+        }
+    }
+    
+    // handle update secrets
+    let updatedSecrets: ISecret[] = [];
+    if (updateSecrets.length > 0 && req.secrets) {
+        // construct object containing all secrets
+        let listedSecretsObj: {
+            [key: string]: { 
+                version: number;
+                type: string;
+            }
+        } = {};
+        
+        listedSecretsObj = req.secrets.reduce((obj: any, secret: ISecret) => ({
+            ...obj,
+            [secret._id.toString()]: secret
+        }), {});
+
+        const updateOperations = updateSecrets.map((u) => ({
+            updateOne: {
+                filter: { _id: new Types.ObjectId(u._id) },
+                update: {
+                    $inc: {
+                        version: 1
+                    },
+                    ...u,
+                    _id: new Types.ObjectId(u._id)
+                }
+            }
+        }));
+
+        await Secret.bulkWrite(updateOperations);
+        
+        const secretVersions = updateSecrets.map((u) => ({
+            secret: new Types.ObjectId(u._id),
+            version: listedSecretsObj[u._id.toString()].version,
+            workspace: new Types.ObjectId(workspaceId),
+            type: listedSecretsObj[u._id.toString()].type,
+            environment,
+            isDeleted: false,
+            secretKeyCiphertext: u.secretKeyCiphertext,
+            secretKeyIV: u.secretKeyIV,
+            secretKeyTag: u.secretKeyTag,
+            secretValueCiphertext: u.secretValueCiphertext,
+            secretValueIV: u.secretValueIV,
+            secretValueTag: u.secretValueTag,
+            secretCommentCiphertext: u.secretCommentCiphertext,
+            secretCommentIV: u.secretCommentIV,
+            secretCommentTag: u.secretCommentTag,
+            tags: u.tags
+        }));
+
+        await EESecretService.addSecretVersions({
+            secretVersions
+        });
+
+        updatedSecrets = await Secret.find({
+            _id: {
+                $in: updateSecrets.map((u) => new Types.ObjectId(u._id))
+            }
+        });
+
+        const updateAction = await EELogService.createAction({
+            name: ACTION_UPDATE_SECRETS,
+            userId: req.user._id,
+            workspaceId: new Types.ObjectId(workspaceId),
+            secretIds: updatedSecrets.map((u) => u._id)
+        }) as IAction;
+        actions.push(updateAction);
+
+        if (postHogClient) {
+            postHogClient.capture({
+                event: 'secrets modified',
+                distinctId: req.user.email,
+                properties: {
+                    numberOfSecrets: updateSecrets.length,
+                    environment,
+                    workspaceId,
+                    channel,
+                    userAgent: req.headers?.['user-agent']
+                }
+            });
+        }
+    }
+
+    // handle delete secrets
+    if (deleteSecrets.length > 0) {
+        await Secret.deleteMany({
+            _id: {
+                $in: deleteSecrets
+            }
+        });
+
+        await EESecretService.markDeletedSecretVersions({
+            secretIds: deleteSecrets
+        });
+
+        const deleteAction = await EELogService.createAction({
+            name: ACTION_DELETE_SECRETS,
+            userId: req.user._id,
+            workspaceId: new Types.ObjectId(workspaceId),
+            secretIds: deleteSecrets
+        }) as IAction;
+        actions.push(deleteAction);
+
+        if (postHogClient) {
+            postHogClient.capture({
+                event: 'secrets deleted',
+                distinctId: req.user.email,
+                properties: {
+                    numberOfSecrets: deleteSecrets.length,
+                    environment,
+                    workspaceId,
+                    channel: channel,
+                    userAgent: req.headers?.['user-agent']
+                }
+            });
+        }
+    }
+    
+    if (actions.length > 0) {
+        // (EE) create (audit) log
+        await EELogService.createLog({
+            userId: req.user._id.toString(),
+            workspaceId: new Types.ObjectId(workspaceId),
+            actions,
+            channel,
+            ipAddress: req.ip
+        });
+    }
+
+    // // trigger event - push secrets
+    await EventService.handleEvent({
+        event: eventPushSecrets({
+            workspaceId
+        })
+    });
+
+    // (EE) take a secret snapshot
+    await EESecretService.takeSecretSnapshot({
+        workspaceId
+    });
+    
+    const resObj: { [key: string]: ISecret[] | string[] } = {}
+
+    if (createSecrets.length > 0) {
+        resObj['createdSecrets'] = createdSecrets;
+    }
+
+    if (updateSecrets.length > 0) {
+        resObj['updatedSecrets'] = updatedSecrets;
+    }
+    
+    if (deleteSecrets.length > 0) {
+        resObj['deletedSecrets'] = deleteSecrets.map((d) => d.toString());
+    }
+    
+    return res.status(200).send(resObj);
+}

 /**
 * Create secret(s) for workspace with id [workspaceId] and environment [environment]
@ -79,24 +328,38 @@ export const createSecrets = async (req: Request, res: Response) => {
    */

    const channel = getChannelFromUserAgent(req.headers['user-agent'])
-    const { workspaceId, environment } = req.body;
+    const { workspaceId, environment }: { workspaceId: string, environment: string } = req.body;

    const hasAccess = await userHasWorkspaceAccess(req.user, workspaceId, environment, ABILITY_WRITE)
    if (!hasAccess) {
        throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
    }

-    let toAdd;
+    let listOfSecretsToCreate;
    if (Array.isArray(req.body.secrets)) {
        // case: create multiple secrets
-        toAdd = req.body.secrets;
+        listOfSecretsToCreate = req.body.secrets;
    } else if (typeof req.body.secrets === 'object') {
        // case: create 1 secret
-        toAdd = [req.body.secrets];
+        listOfSecretsToCreate = [req.body.secrets];
    }

-    const newSecrets = await Secret.insertMany(
-        toAdd.map(({
+    type secretsToCreateType = {
+        type: string;
+        secretKeyCiphertext: string;
+        secretKeyIV: string;
+        secretKeyTag: string;
+        secretValueCiphertext: string;
+        secretValueIV: string;
+        secretValueTag: string;
+        secretCommentCiphertext: string;
+        secretCommentIV: string;
+        secretCommentTag: string;
+        tags: string[]
+    }
+
+    const newlyCreatedSecrets = await Secret.insertMany(
+        listOfSecretsToCreate.map(({
            type,
            secretKeyCiphertext,
            secretKeyIV,
@ -104,15 +367,11 @@ export const createSecrets = async (req: Request, res: Response) => {
            secretValueCiphertext,
            secretValueIV,
            secretValueTag,
-        }: {
-            type: string;
-            secretKeyCiphertext: string;
-            secretKeyIV: string;
-            secretKeyTag: string;
-            secretValueCiphertext: string;
-            secretValueIV: string;
-            secretValueTag: string;
-        }) => {
+            secretCommentCiphertext,
+            secretCommentIV,
+            secretCommentTag,
+            tags
+        }: secretsToCreateType) => {
            return ({
                version: 1,
                workspace: new Types.ObjectId(workspaceId),
@ -124,7 +383,11 @@ export const createSecrets = async (req: Request, res: Response) => {
                secretKeyTag,
                secretValueCiphertext,
                secretValueIV,
-                secretValueTag
+                secretValueTag,
+                secretCommentCiphertext,
+                secretCommentIV,
+                secretCommentTag,
+                tags
            });
        })
    );
@ -140,7 +403,7 @@ export const createSecrets = async (req: Request, res: Response) => {

    // (EE) add secret versions for new secrets
    await EESecretService.addSecretVersions({
-        secretVersions: newSecrets.map(({
+        secretVersions: newlyCreatedSecrets.map(({
            _id,
            version,
            workspace,
@ -150,11 +413,13 @@ export const createSecrets = async (req: Request, res: Response) => {
            secretKeyCiphertext,
            secretKeyIV,
            secretKeyTag,
-            secretKeyHash,
            secretValueCiphertext,
            secretValueIV,
            secretValueTag,
-            secretValueHash
+            secretCommentCiphertext,
+            secretCommentIV,
+            secretCommentTag,
+            tags
        }) => ({
            _id: new Types.ObjectId(),
            secret: _id,
@ -167,25 +432,27 @@ export const createSecrets = async (req: Request, res: Response) => {
            secretKeyCiphertext,
            secretKeyIV,
            secretKeyTag,
-            secretKeyHash,
            secretValueCiphertext,
            secretValueIV,
            secretValueTag,
-            secretValueHash
+            secretCommentCiphertext,
+            secretCommentIV,
+            secretCommentTag,
+            tags
        }))
    });

-    const addAction = await EELogService.createActionSecret({
+    const addAction = await EELogService.createAction({
        name: ACTION_ADD_SECRETS,
-        userId: req.user._id.toString(),
-        workspaceId,
-        secretIds: newSecrets.map((n) => n._id)
+        userId: req.user._id,
+        workspaceId: new Types.ObjectId(workspaceId),
+        secretIds: newlyCreatedSecrets.map((n) => n._id)
    });

    // (EE) create (audit) log
    addAction && await EELogService.createLog({
        userId: req.user._id.toString(),
-        workspaceId,
+        workspaceId: new Types.ObjectId(workspaceId),
        actions: [addAction],
        channel,
        ipAddress: req.ip
@ -201,7 +468,7 @@ export const createSecrets = async (req: Request, res: Response) => {
            event: 'secrets added',
            distinctId: req.user.email,
            properties: {
-                numberOfSecrets: toAdd.length,
+                numberOfSecrets: listOfSecretsToCreate.length,
                environment,
                workspaceId,
                channel: channel,
@ -211,7 +478,7 @@ export const createSecrets = async (req: Request, res: Response) => {
    }

    return res.status(200).send({
-        secrets: newSecrets
+        secrets: newlyCreatedSecrets
    });
 }

@ -262,6 +529,108 @@ export const getSecrets = async (req: Request, res: Response) => {
        }
    }   
    */
+
+
+    const { workspaceId, environment, tagSlugs } = req.query;
+    const tagNamesList = typeof tagSlugs === 'string' && tagSlugs !== '' ? tagSlugs.split(',') : [];
+    let userId = "" // used for getting personal secrets for user
+    let userEmail = "" // used for posthog 
+    if (req.user) {
+        userId = req.user._id;
+        userEmail = req.user.email;
+    }
+
+    if (req.serviceTokenData) {
+        userId = req.serviceTokenData.user._id
+        userEmail = req.serviceTokenData.user.email;
+    }
+
+    // none service token case as service tokens are already scoped to env and project
+    let hasWriteOnlyAccess
+    if (!req.serviceTokenData) {
+        hasWriteOnlyAccess = await userHasWriteOnlyAbility(userId, workspaceId, environment)
+        const hasNoAccess = await userHasNoAbility(userId, workspaceId, environment)
+        if (hasNoAccess) {
+            throw UnauthorizedRequestError({ message: "You do not have the necessary permission(s) perform this action" })
+        }
+    }
+    let secrets: any
+    let secretQuery: any
+
+    if (tagNamesList != undefined && tagNamesList.length != 0) {
+        const workspaceFromDB = await Tag.find({ workspace: workspaceId })
+
+        const tagIds = _.map(tagNamesList, (tagName) => {
+            const tag = _.find(workspaceFromDB, { slug: tagName });
+            return tag ? tag.id : null;
+        });
+
+        secretQuery = {
+            workspace: workspaceId,
+            environment,
+            $or: [
+                { user: userId },
+                { user: { $exists: false } }
+            ],
+            tags: { $in: tagIds },
+            type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
+        }
+    } else {
+        secretQuery = {
+            workspace: workspaceId,
+            environment,
+            $or: [
+                { user: userId },
+                { user: { $exists: false } }
+            ],
+            type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
+        }
+    }
+
+    if (hasWriteOnlyAccess) {
+        secrets = await Secret.find(secretQuery).select("secretKeyCiphertext secretKeyIV secretKeyTag")
+    } else {
+        secrets = await Secret.find(secretQuery).populate("tags")
+    }
+
+    const channel = getChannelFromUserAgent(req.headers['user-agent'])
+
+    const readAction = await EELogService.createAction({
+        name: ACTION_READ_SECRETS,
+        userId: new Types.ObjectId(userId),
+        workspaceId: new Types.ObjectId(workspaceId as string),
+        secretIds: secrets.map((n: any) => n._id)
+    });
+
+    readAction && await EELogService.createLog({
+        userId: new Types.ObjectId(userId),
+        workspaceId: new Types.ObjectId(workspaceId as string),
+        actions: [readAction],
+        channel,
+        ipAddress: req.ip
+    });
+
+    if (postHogClient) {
+        postHogClient.capture({
+            event: 'secrets pulled',
+            distinctId: userEmail,
+            properties: {
+                numberOfSecrets: secrets.length,
+                environment,
+                workspaceId,
+                channel,
+                userAgent: req.headers?.['user-agent']
+            }
+        });
+    }
+
+    return res.status(200).send({
+        secrets
+    });
+}
+
+
+export const getOnlySecretKeys = async (req: Request, res: Response) => {
    const { workspaceId, environment } = req.query;

    let userId = "" // used for getting personal secrets for user
@ -284,7 +653,7 @@ export const getSecrets = async (req: Request, res: Response) => {
        }
    }

-    const [err, secrets] = await to(Secret.find(
+    const [err, secretKeys] = await to(Secret.find(
        {
            workspace: workspaceId,
            environment,
@ -294,43 +663,22 @@ export const getSecrets = async (req: Request, res: Response) => {
            ],
            type: { $in: [SECRET_SHARED, SECRET_PERSONAL] }
        }
-    ).then())
+    )
+        .select("secretKeyIV secretKeyTag secretKeyCiphertext")
+        .then())

    if (err) throw ValidationError({ message: 'Failed to get secrets', stack: err.stack });

-    const channel = getChannelFromUserAgent(req.headers['user-agent'])
-
-    const readAction = await EELogService.createActionSecret({
-        name: ACTION_READ_SECRETS,
-        userId: userId,
-        workspaceId: workspaceId as string,
-        secretIds: secrets.map((n: any) => n._id)
-    });
-
-    readAction && await EELogService.createLog({
-        userId: userId,
-        workspaceId: workspaceId as string,
-        actions: [readAction],
-        channel,
-        ipAddress: req.ip
-    });
-
-    if (postHogClient) {
-        postHogClient.capture({
-            event: 'secrets pulled',
-            distinctId: userEmail,
-            properties: {
-                numberOfSecrets: secrets.length,
-                environment,
-                workspaceId,
-                channel,
-                userAgent: req.headers?.['user-agent']
-            }
-        });
-    }
+    // readAction && await EELogService.createLog({
+    //     userId: new Types.ObjectId(userId),
+    //     workspaceId: new Types.ObjectId(workspaceId as string),
+    //     actions: [readAction],
+    //     channel,
+    //     ipAddress: req.ip
+    // });

    return res.status(200).send({
-        secrets
+        secretKeys
    });
 }

@ -398,6 +746,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
        secretCommentCiphertext: string;
        secretCommentIV: string;
        secretCommentTag: string;
+        tags: string[]
    }

    const updateOperationsToPerform = req.body.secrets.map((secret: PatchSecret) => {
@ -410,7 +759,8 @@ export const updateSecrets = async (req: Request, res: Response) => {
            secretValueTag,
            secretCommentCiphertext,
            secretCommentIV,
-            secretCommentTag
+            secretCommentTag,
+            tags
        } = secret;

        return ({
@ -426,8 +776,9 @@ export const updateSecrets = async (req: Request, res: Response) => {
                    secretValueCiphertext,
                    secretValueIV,
                    secretValueTag,
+                    tags,
                    ...((
-                        secretCommentCiphertext &&
+                        secretCommentCiphertext !== undefined &&
                        secretCommentIV &&
                        secretCommentTag
                    ) ? {
@ -460,6 +811,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
                secretCommentCiphertext,
                secretCommentIV,
                secretCommentTag,
+                tags
            } = secretModificationsBySecretId[secret._id.toString()]

            return ({
@ -477,6 +829,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
                secretCommentCiphertext: secretCommentCiphertext ? secretCommentCiphertext : secret.secretCommentCiphertext,
                secretCommentIV: secretCommentIV ? secretCommentIV : secret.secretCommentIV,
                secretCommentTag: secretCommentTag ? secretCommentTag : secret.secretCommentTag,
+                tags: tags ? tags : secret.tags
            });
        })
    }
@ -505,17 +858,17 @@ export const updateSecrets = async (req: Request, res: Response) => {
            });
        }, 10000);

-        const updateAction = await EELogService.createActionSecret({
+        const updateAction = await EELogService.createAction({
            name: ACTION_UPDATE_SECRETS,
-            userId: req.user._id.toString(),
-            workspaceId: key,
+            userId: req.user._id,
+            workspaceId: new Types.ObjectId(key),
            secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
        });

        // (EE) create (audit) log
        updateAction && await EELogService.createLog({
            userId: req.user._id.toString(),
-            workspaceId: key,
+            workspaceId: new Types.ObjectId(key),
            actions: [updateAction],
            channel,
            ipAddress: req.ip
@ -631,17 +984,17 @@ export const deleteSecrets = async (req: Request, res: Response) => {
                workspaceId: key
            })
        });
-        const deleteAction = await EELogService.createActionSecret({
+        const deleteAction = await EELogService.createAction({
            name: ACTION_DELETE_SECRETS,
-            userId: req.user._id.toString(),
-            workspaceId: key,
+            userId: req.user._id,
+            workspaceId: new Types.ObjectId(key),
            secretIds: workspaceSecretObj[key].map((secret: ISecret) => secret._id)
        });

        // (EE) create (audit) log
        deleteAction && await EELogService.createLog({
            userId: req.user._id.toString(),
-            workspaceId: key,
+            workspaceId: new Types.ObjectId(key),
            actions: [deleteAction],
            channel,
            ipAddress: req.ip
--- a/backend/src/controllers/v2/signupController.ts
+++ b/backend/src/controllers/v2/signupController.ts
@ -0,0 +1,250 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { User, MembershipOrg } from '../../models';
+import { completeAccount } from '../../helpers/user';
+import {
+	initializeDefaultOrg
+} from '../../helpers/signup';
+import { issueAuthTokens } from '../../helpers/auth';
+import { INVITED, ACCEPTED } from '../../variables';
+import { NODE_ENV } from '../../config';
+import axios from 'axios';
+
+/**
+ * Complete setting up user by adding their personal and auth information as part of the
+ * signup flow
+ * @param req
+ * @param res
+ * @returns
+ */
+export const completeAccountSignup = async (req: Request, res: Response) => {
+	let user, token, refreshToken;
+	try {
+		const {
+			email,
+			firstName,
+			lastName,
+            protectedKey,
+            protectedKeyIV,
+            protectedKeyTag,
+			publicKey,
+			encryptedPrivateKey,
+			encryptedPrivateKeyIV,
+			encryptedPrivateKeyTag,
+			salt,
+			verifier,
+			organizationName
+		}: {
+			email: string;
+			firstName: string;
+			lastName: string;
+            protectedKey: string;
+            protectedKeyIV: string;
+            protectedKeyTag: string;
+			publicKey: string;
+			encryptedPrivateKey: string;
+			encryptedPrivateKeyIV: string;
+			encryptedPrivateKeyTag: string;
+			salt: string;
+			verifier: string;
+			organizationName: string;
+        } = req.body;
+
+		// get user
+		user = await User.findOne({ email });
+		
+		if (!user || (user && user?.publicKey)) {
+			// case 1: user doesn't exist.
+			// case 2: user has already completed account
+			return res.status(403).send({
+				error: 'Failed to complete account for complete user'
+			});
+		}
+
+		// complete setting up user's account
+		user = await completeAccount({
+			userId: user._id.toString(),
+			firstName,
+			lastName,
+            encryptionVersion: 2,
+            protectedKey,
+            protectedKeyIV,
+            protectedKeyTag,
+			publicKey,
+			encryptedPrivateKey,
+			encryptedPrivateKeyIV,
+			encryptedPrivateKeyTag,
+			salt,
+			verifier
+		});
+
+		if (!user)
+			throw new Error('Failed to complete account for non-existent user'); // ensure user is non-null
+
+		// initialize default organization and workspace
+		await initializeDefaultOrg({
+			organizationName,
+			user
+		});
+
+		// update organization membership statuses that are
+		// invited to completed with user attached
+		await MembershipOrg.updateMany(
+			{
+				inviteEmail: email,
+				status: INVITED
+			},
+			{
+				user,
+				status: ACCEPTED
+			}
+		);
+
+		// issue tokens
+		const tokens = await issueAuthTokens({
+			userId: user._id.toString()
+		});
+
+		token = tokens.token;
+
+		// sending a welcome email to new users
+		if (process.env.LOOPS_API_KEY) {
+			await axios.post("https://app.loops.so/api/v1/events/send", {
+				"email": email,
+				"eventName": "Sign Up",
+				"firstName": firstName,
+				"lastName": lastName
+			}, {
+				headers: {
+					"Accept": "application/json",
+					"Authorization": "Bearer " + process.env.LOOPS_API_KEY
+				},
+			});
+		}
+
+		// store (refresh) token in httpOnly cookie
+		res.cookie('jid', tokens.refreshToken, {
+			httpOnly: true,
+			path: '/',
+			sameSite: 'strict',
+			secure: NODE_ENV === 'production' ? true : false
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to complete account setup'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully set up account',
+		user,
+		token
+	});
+};
+
+/**
+ * Complete setting up user by adding their personal and auth information as part of the
+ * invite flow
+ * @param req
+ * @param res
+ * @returns
+ */
+export const completeAccountInvite = async (req: Request, res: Response) => {
+	let user, token, refreshToken;
+	try {
+		const {
+			email,
+			firstName,
+			lastName,
+            protectedKey,
+            protectedKeyIV,
+            protectedKeyTag,
+			publicKey,
+			encryptedPrivateKey,
+			encryptedPrivateKeyIV,
+			encryptedPrivateKeyTag,
+			salt,
+			verifier
+		} = req.body;
+
+		// get user
+		user = await User.findOne({ email });
+
+		if (!user || (user && user?.publicKey)) {
+			// case 1: user doesn't exist.
+			// case 2: user has already completed account
+			return res.status(403).send({
+				error: 'Failed to complete account for complete user'
+			});
+		}
+
+		const membershipOrg = await MembershipOrg.findOne({
+			inviteEmail: email,
+			status: INVITED
+		});
+
+		if (!membershipOrg) throw new Error('Failed to find invitations for email');
+
+		// complete setting up user's account
+		user = await completeAccount({
+			userId: user._id.toString(),
+			firstName,
+			lastName,
+            encryptionVersion: 2,
+            protectedKey,
+            protectedKeyIV,
+            protectedKeyTag,
+			publicKey,
+			encryptedPrivateKey,
+			encryptedPrivateKeyIV,
+			encryptedPrivateKeyTag,
+			salt,
+			verifier
+		});
+
+		if (!user)
+			throw new Error('Failed to complete account for non-existent user');
+
+		// update organization membership statuses that are
+		// invited to completed with user attached
+		await MembershipOrg.updateMany(
+			{
+				inviteEmail: email,
+				status: INVITED
+			},
+			{
+				user,
+				status: ACCEPTED
+			}
+		);
+
+		// issue tokens
+		const tokens = await issueAuthTokens({
+			userId: user._id.toString()
+		});
+
+		token = tokens.token;
+
+		// store (refresh) token in httpOnly cookie
+		res.cookie('jid', tokens.refreshToken, {
+			httpOnly: true,
+			path: '/',
+			sameSite: 'strict',
+			secure: NODE_ENV === 'production' ? true : false
+		});
+	} catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to complete account setup'
+		});
+	}
+	
+	return res.status(200).send({
+		message: 'Successfully set up account',
+		user,
+		token
+	});
+};
--- a/backend/src/controllers/v2/tagController.ts
+++ b/backend/src/controllers/v2/tagController.ts
@ -0,0 +1,72 @@
+import { Request, Response } from 'express';
+import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
+import {
+	Membership, Secret,
+} from '../../models';
+import Tag, { ITag } from '../../models/tag';
+import { Builder } from "builder-pattern"
+import to from 'await-to-js';
+import { BadRequestError, UnauthorizedRequestError } from '../../utils/errors';
+import { MongoError } from 'mongodb';
+import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissions';
+
+export const createWorkspaceTag = async (req: Request, res: Response) => {
+	const { workspaceId } = req.params
+	const { name, slug } = req.body
+	const sanitizedTagToCreate = Builder<ITag>()
+		.name(name)
+		.workspace(new Types.ObjectId(workspaceId))
+		.slug(slug)
+		.user(new Types.ObjectId(req.user._id))
+		.build();
+
+	const [err, createdTag] = await to(Tag.create(sanitizedTagToCreate))
+
+	if (err) {
+		if ((err as MongoError).code === 11000) {
+			throw BadRequestError({ message: "Tags must be unique in a workspace" })
+		}
+
+		throw err
+	}
+
+	res.json(createdTag)
+}
+
+export const deleteWorkspaceTag = async (req: Request, res: Response) => {
+	const { tagId } = req.params
+
+	const tagFromDB = await Tag.findById(tagId)
+	if (!tagFromDB) {
+		throw BadRequestError()
+	}
+
+	// can only delete if the request user is one that belongs to the same workspace as the tag
+	const membership = await Membership.findOne({
+		user: req.user,
+		workspace: tagFromDB.workspace
+	});
+
+	if (!membership) {
+		UnauthorizedRequestError({ message: 'Failed to validate membership' });
+	}
+
+	const result = await Tag.findByIdAndDelete(tagId);
+
+	// remove the tag from secrets
+	await Secret.updateMany(
+		{ tags: { $in: [tagId] } },
+		{ $pull: { tags: tagId } }
+	);
+
+	res.json(result);
+}
+
+export const getWorkspaceTags = async (req: Request, res: Response) => {
+	const { workspaceId } = req.params
+	const workspaceTags = await Tag.find({ workspace: workspaceId })
+	return res.json({
+		workspaceTags
+	})
+}
--- a/backend/src/controllers/v2/usersController.ts
+++ b/backend/src/controllers/v2/usersController.ts
@ -55,6 +55,44 @@ export const getMe = async (req: Request, res: Response) => {
    });
 }

+/**
+ * Update the current user's MFA-enabled status [isMfaEnabled].
+ * Note: Infisical currently only supports email-based 2FA only; this will expand to
+ * include SMS and authenticator app modes of authentication in the future.
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const updateMyMfaEnabled = async (req: Request, res: Response) => {
+    let user;
+    try {
+        const { isMfaEnabled }: { isMfaEnabled: boolean } = req.body;
+        req.user.isMfaEnabled = isMfaEnabled;
+        
+        if (isMfaEnabled) { 
+            // TODO: adapt this route/controller 
+            // to work for different forms of MFA
+            req.user.mfaMethods = ['email'];
+        } else {
+            req.user.mfaMethods = [];
+        }
+
+        await req.user.save();
+        
+        user = req.user;
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: "Failed to update current user's MFA status"
+		}); 
+    }
+    
+    return res.status(200).send({
+        user
+    });
+}
+
 /**
 * Return organizations that the current user is part of.
 * @param req 
--- a/backend/src/controllers/v2/workspaceController.ts
+++ b/backend/src/controllers/v2/workspaceController.ts
@ -467,4 +467,42 @@ export const deleteWorkspaceMembership = async (req: Request, res: Response) =>
 	return res.status(200).send({
 		membership
 	});
-}
+}
+
+/**
+ * Change autoCapitilzation Rule of workspace
+ * @param req
+ * @param res
+ * @returns
+ */
+export const toggleAutoCapitalization = async (req: Request, res: Response) => {
+	let workspace;
+	try {
+		const { workspaceId } = req.params;
+		const { autoCapitalization } = req.body;
+
+		workspace = await Workspace.findOneAndUpdate(
+			{
+				_id: workspaceId
+			},
+			{
+				autoCapitalization
+			},
+			{
+				new: true
+			}
+		);
+	} catch (err) {
+		Sentry.setUser({ email: req.user.email });
+		Sentry.captureException(err);
+		return res.status(400).send({
+			message: 'Failed to change autoCapitalization setting'
+		});
+	}
+
+	return res.status(200).send({
+		message: 'Successfully changed autoCapitalization setting',
+		workspace
+	});
+};
+
--- a/backend/src/ee/controllers/v1/secretController.ts
+++ b/backend/src/ee/controllers/v1/secretController.ts
@ -158,11 +158,9 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
 			secretKeyCiphertext,
 			secretKeyIV,
 			secretKeyTag,
-			secretKeyHash,
 			secretValueCiphertext,
 			secretValueIV,
 			secretValueTag,
-			secretValueHash
 		} = oldSecretVersion;
 		
 		// update secret
@ -179,11 +177,9 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
 				secretKeyCiphertext,
 				secretKeyIV,
 				secretKeyTag,
-				secretKeyHash,
 				secretValueCiphertext,
 				secretValueIV,
 				secretValueTag,
-				secretValueHash
 			},
 			{
 				new: true
@ -204,11 +200,9 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
 			secretKeyCiphertext,
 			secretKeyIV,
 			secretKeyTag,
-			secretKeyHash,
 			secretValueCiphertext,
 			secretValueIV,
-			secretValueTag,
-			secretValueHash	
+			secretValueTag
 		}).save();
 		
 		// take secret snapshot
--- a/backend/src/ee/controllers/v1/secretSnapshotController.ts
+++ b/backend/src/ee/controllers/v1/secretSnapshotController.ts
@ -15,7 +15,13 @@ export const getSecretSnapshot = async (req: Request, res: Response) => {

        secretSnapshot = await SecretSnapshot
            .findById(secretSnapshotId)
-            .populate('secretVersions');
+            .populate({
+                path: 'secretVersions',
+                populate: {
+                    path: 'tags',
+                    model: 'Tag',
+                }
+            });
        
        if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
        
--- a/backend/src/ee/helpers/action.ts
+++ b/backend/src/ee/helpers/action.ts
@ -1,39 +1,40 @@
 import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
-import { SecretVersion, Action } from '../models';
+import { Action } from '../models';
 import { 
    getLatestSecretVersionIds,
    getLatestNSecretSecretVersionIds
 } from '../helpers/secretVersion';
-import { ACTION_UPDATE_SECRETS } from '../../variables';
+import { 
+    ACTION_LOGIN,
+    ACTION_LOGOUT,
+    ACTION_ADD_SECRETS,
+    ACTION_READ_SECRETS,
+    ACTION_DELETE_SECRETS,
+    ACTION_UPDATE_SECRETS,
+} from '../../variables';

 /**
- * Create an (audit) action for secrets including
- * add, delete, update, and read actions.
+ * Create an (audit) action for updating secrets
 * @param {Object} obj
 * @param {String} obj.name - name of action
- * @param {ObjectId[]} obj.secretIds - ids of relevant secrets
+ * @param {Types.ObjectId} obj.secretIds - ids of relevant secrets
 * @returns {Action} action - new action
 */
-const createActionSecretHelper = async ({
+const createActionUpdateSecret = async ({
    name,
    userId,
    workspaceId,
    secretIds
 }: {
    name: string;
-    userId: string;
-    workspaceId: string;
+    userId: Types.ObjectId;
+    workspaceId: Types.ObjectId;
    secretIds: Types.ObjectId[];
 }) => {
-
    let action;
-    let latestSecretVersions;
    try {
-        if (name === ACTION_UPDATE_SECRETS) {
-            // case: action is updating secrets
-            // -> add old and new secret versions
-            latestSecretVersions = (await getLatestNSecretSecretVersionIds({
+        const latestSecretVersions = (await getLatestNSecretSecretVersionIds({
                secretIds,
                n: 2
            }))
@ -41,17 +42,7 @@ const createActionSecretHelper = async ({
                oldSecretVersion: s.versions[0]._id,
                newSecretVersion: s.versions[1]._id
            }));
-        } else {
-            // case: action is adding, deleting, or reading secrets
-            // -> add new secret versions
-            latestSecretVersions = (await getLatestSecretVersionIds({
-                secretIds
-            }))
-            .map((s) => ({
-                newSecretVersion: s.versionId
-            }));
-        }
-
+        
        action = await new Action({
            name,
            user: userId,
@ -64,10 +55,148 @@ const createActionSecretHelper = async ({
    } catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
+        throw new Error('Failed to create update secret action');
+    }
+    
+    return action;
+}
+
+/**
+ * Create an (audit) action for creating, reading, and deleting
+ * secrets
+ * @param {Object} obj
+ * @param {String} obj.name - name of action
+ * @param {Types.ObjectId} obj.secretIds - ids of relevant secrets
+ * @returns {Action} action - new action
+ */
+const createActionSecret = async ({
+    name,
+    userId,
+    workspaceId,
+    secretIds
+}: {
+    name: string;
+    userId: Types.ObjectId;
+    workspaceId: Types.ObjectId;
+    secretIds: Types.ObjectId[];
+}) => {
+    let action;
+    try {
+        // case: action is adding, deleting, or reading secrets
+        // -> add new secret versions
+        const latestSecretVersions = (await getLatestSecretVersionIds({
+            secretIds
+        }))
+        .map((s) => ({
+            newSecretVersion: s.versionId
+        }));
+        
+       action = await new Action({
+            name,
+            user: userId,
+            workspace: workspaceId,
+            payload: {
+                secretVersions: latestSecretVersions
+            }
+        }).save(); 
+
+    } catch (err) {
+		Sentry.setUser(null);
+		Sentry.captureException(err);
+        throw new Error('Failed to create action create/read/delete secret action');
+    }
+    
+    return action;
+}
+
+/**
+ * Create an (audit) action for user with id [userId]
+ * @param {Object} obj 
+ * @param {String} obj.name - name of action
+ * @param {String} obj.userId - id of user associated with action
+ * @returns 
+ */
+const createActionUser = ({
+    name,
+    userId
+}: {
+    name: string;
+    userId: Types.ObjectId;
+}) => {
+    let action;
+    try {
+        action = new Action({
+            name,
+            user: userId
+        }).save();
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+        throw new Error('Failed to create user action');
+    }
+
+    return action; 
+}
+
+/**
+ * Create an (audit) action. 
+ * @param {Object} obj
+ * @param {Object} obj.name - name of action
+ * @param {Types.ObjectId} obj.userId - id of user associated with action
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with action
+ * @param {Types.ObjectId[]} obj.secretIds - ids of secrets associated with action
+*/
+const createActionHelper = async ({
+    name,
+    userId,
+    workspaceId,
+    secretIds,
+}: {
+    name: string;
+    userId: Types.ObjectId;
+    workspaceId?: Types.ObjectId;
+    secretIds?: Types.ObjectId[];
+}) => {
+    let action;
+    try {
+        switch (name) {
+            case ACTION_LOGIN:
+            case ACTION_LOGOUT:
+                action = await createActionUser({
+                    name,
+                    userId
+                });
+                break;
+            case ACTION_ADD_SECRETS:
+            case ACTION_READ_SECRETS:
+            case ACTION_DELETE_SECRETS:
+                if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
+                action = await createActionSecret({
+                    name,
+                    userId,
+                    workspaceId,
+                    secretIds
+                });
+                break;
+            case ACTION_UPDATE_SECRETS:
+                if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
+                action = await createActionUpdateSecret({
+                    name,
+                    userId,
+                    workspaceId,
+                    secretIds
+                });
+                break;
+        }
+    } catch (err) {
+        Sentry.setUser(null);
+		Sentry.captureException(err);
        throw new Error('Failed to create action');
    }
    
    return action;
 }

-export { createActionSecretHelper };
+export { 
+    createActionHelper
+};
--- a/backend/src/ee/helpers/checkMembershipPermissions.ts
+++ b/backend/src/ee/helpers/checkMembershipPermissions.ts
@ -1,5 +1,6 @@
 import _ from "lodash";
 import { Membership } from "../../models";
+import { ABILITY_READ, ABILITY_WRITE } from "../../variables/organization";

 export const userHasWorkspaceAccess = async (userId: any, workspaceId: any, environment: any, action: any) => {
  const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
@ -15,4 +16,39 @@ export const userHasWorkspaceAccess = async (userId: any, workspaceId: any, envi
  }

  return true
+}
+
+export const userHasWriteOnlyAbility = async (userId: any, workspaceId: any, environment: any) => {
+  const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
+  if (!membershipForWorkspace) {
+    return false
+  }
+
+  const deniedMembershipPermissions = membershipForWorkspace.deniedPermissions;
+  const isWriteDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_WRITE });
+  const isReadDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_READ });
+
+  // case: you have write only if read is blocked and write is not
+  if (isReadDisallowed && !isWriteDisallowed) {
+    return true
+  }
+
+  return false
+}
+
+export const userHasNoAbility = async (userId: any, workspaceId: any, environment: any) => {
+  const membershipForWorkspace = await Membership.findOne({ workspace: workspaceId, user: userId })
+  if (!membershipForWorkspace) {
+    return true
+  }
+
+  const deniedMembershipPermissions = membershipForWorkspace.deniedPermissions;
+  const isWriteDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_WRITE });
+  const isReadBlocked = _.some(deniedMembershipPermissions, { environmentSlug: environment, ability: ABILITY_READ });
+
+  if (isReadBlocked && isWriteDisallowed) {
+    return true
+  }
+
+  return false
 }
--- a/backend/src/ee/helpers/log.ts
+++ b/backend/src/ee/helpers/log.ts
@ -1,9 +1,19 @@
 import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
 import { 
    Log,
    IAction
 } from '../models';
-
+/**
+ * Create an (audit) log
+ * @param {Object} obj
+ * @param {Types.ObjectId} obj.userId - id of user associated with the log
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with the log
+ * @param {IAction[]} obj.actions - actions to include in log
+ * @param {String} obj.channel - channel (web/cli/auto) associated with the log
+ * @param {String} obj.ipAddress - ip address associated with the log
+ * @returns {Log} log - new audit log
+ */
 const createLogHelper = async ({
    userId,
    workspaceId,
@ -11,8 +21,8 @@ const createLogHelper = async ({
    channel,
    ipAddress
 }: {
-    userId: string;
-    workspaceId: string;
+    userId: Types.ObjectId;
+    workspaceId?: Types.ObjectId;
    actions: IAction[];
    channel: string;
    ipAddress: string;
@ -21,7 +31,7 @@ const createLogHelper = async ({
    try {
        log = await new Log({
            user: userId,
-            workspace: workspaceId,
+            workspace: workspaceId ?? undefined,
            actionNames: actions.map((a) => a.name),
            actions,
            channel,
--- a/backend/src/ee/models/action.ts
+++ b/backend/src/ee/models/action.ts
@ -1,10 +1,18 @@
 import { Schema, model, Types } from 'mongoose';
+import {
+    ACTION_LOGIN,
+    ACTION_LOGOUT,
+    ACTION_ADD_SECRETS,
+    ACTION_UPDATE_SECRETS,
+    ACTION_READ_SECRETS,
+    ACTION_DELETE_SECRETS
+} from '../../variables';

 export interface IAction {
    name: string;
    user?: Types.ObjectId,
    workspace?: Types.ObjectId,
-    payload: {
+    payload?: {
        secretVersions?: Types.ObjectId[]
    }
 }
@ -13,7 +21,15 @@ const actionSchema = new Schema<IAction>(
    {
        name: {
            type: String,
-            required: true
+            required: true,
+            enum: [
+                ACTION_LOGIN,
+                ACTION_LOGOUT,
+                ACTION_ADD_SECRETS,
+                ACTION_UPDATE_SECRETS,
+                ACTION_READ_SECRETS,
+                ACTION_DELETE_SECRETS
+            ]
        },
        user: {
            type: Schema.Types.ObjectId,
--- a/backend/src/ee/models/log.ts
+++ b/backend/src/ee/models/log.ts
@ -1,5 +1,7 @@
 import { Schema, model, Types } from 'mongoose';
 import {
+    ACTION_LOGIN,
+    ACTION_LOGOUT,
    ACTION_ADD_SECRETS,
    ACTION_UPDATE_SECRETS,
    ACTION_READ_SECRETS,
@ -29,6 +31,8 @@ const logSchema = new Schema<ILog>(
        actionNames: {
            type: [String],
            enum: [
+                ACTION_LOGIN,
+                ACTION_LOGOUT,
                ACTION_ADD_SECRETS,
                ACTION_UPDATE_SECRETS,
                ACTION_READ_SECRETS,
--- a/backend/src/ee/models/secretVersion.ts
+++ b/backend/src/ee/models/secretVersion.ts
@ -5,22 +5,20 @@ import {
 } from '../../variables';

 export interface ISecretVersion {
-	_id: Types.ObjectId;
 	secret: Types.ObjectId;
 	version: number;
 	workspace: Types.ObjectId; // new
 	type: string; // new
-	user: Types.ObjectId; // new
+	user?: Types.ObjectId; // new
 	environment: string; // new
 	isDeleted: boolean;
 	secretKeyCiphertext: string;
 	secretKeyIV: string;
 	secretKeyTag: string;
-	secretKeyHash: string;
 	secretValueCiphertext: string;
 	secretValueIV: string;
 	secretValueTag: string;
-	secretValueHash: string;
+	tags?: string[];
 }

 const secretVersionSchema = new Schema<ISecretVersion>(
@ -71,9 +69,6 @@ const secretVersionSchema = new Schema<ISecretVersion>(
 			type: String, // symmetric
 			required: true
 		},
-		secretKeyHash: {
-			type: String
-		},
 		secretValueCiphertext: {
 			type: String,
 			required: true
@ -86,9 +81,11 @@ const secretVersionSchema = new Schema<ISecretVersion>(
 			type: String, // symmetric
 			required: true
 		},
-		secretValueHash: {
-			type: String
-		}
+		tags: {
+			ref: 'Tag',
+			type: [Schema.Types.ObjectId],
+			default: []
+		},
 	},
 	{
 		timestamps: true
--- a/backend/src/ee/services/EELogService.ts
+++ b/backend/src/ee/services/EELogService.ts
@ -1,14 +1,12 @@
 import { Types } from 'mongoose';
 import { 
-    Log,
-    Action,
    IAction
 } from '../models';
 import {
    createLogHelper
 } from '../helpers/log';
 import {
-    createActionSecretHelper
+    createActionHelper
 } from '../helpers/action';
 import EELicenseService from './EELicenseService';

@ -33,8 +31,8 @@ class EELogService {
        channel,
        ipAddress
    }: {
-        userId: string;
-        workspaceId: string;
+        userId: Types.ObjectId;
+        workspaceId?: Types.ObjectId;
        actions: IAction[];
        channel: string;
        ipAddress: string;
@ -50,26 +48,26 @@ class EELogService {
    }
    
    /**
-     * Create an (audit) action for secrets including
-     * add, delete, update, and read actions.
+     * Create an (audit) action
     * @param {Object} obj
     * @param {String} obj.name - name of action
-     * @param {ObjectId[]} obj.secretIds - secret ids
+     * @param {Types.ObjectId} obj.userId - id of user associated with the action
+     * @param {Types.ObjectId} obj.workspaceId - id of workspace associated with the action
+     * @param {ObjectId[]} obj.secretIds - ids of secrets associated with the action
     * @returns {Action} action - new action
     */
-    static async createActionSecret({
+    static async createAction({
        name,
        userId,
        workspaceId,
        secretIds
    }: {
        name: string;
-        userId: string;
-        workspaceId: string;
-        secretIds: Types.ObjectId[];
+        userId: Types.ObjectId;
+        workspaceId?: Types.ObjectId;
+        secretIds?: Types.ObjectId[];
    }) {
-        if (!EELicenseService.isLicenseValid) return null; 
-        return await createActionSecretHelper({
+        return await createActionHelper({
            name,
            userId,
            workspaceId,
--- a/backend/src/helpers/auth.ts
+++ b/backend/src/helpers/auth.ts
@ -211,7 +211,7 @@ const getAuthAPIKeyPayload = async ({
 * @return {String} obj.token - issued JWT token
 * @return {String} obj.refreshToken - issued refresh token
 */
-const issueTokens = async ({ userId }: { userId: string }) => {
+const issueAuthTokens = async ({ userId }: { userId: string }) => {
 	let token: string;
 	let refreshToken: string;
 	try {
@ -298,6 +298,6 @@ export {
 	getAuthSTDPayload,
 	getAuthAPIKeyPayload,
 	createToken,
-	issueTokens,
+	issueAuthTokens,
 	clearTokens
 };
--- a/backend/src/helpers/integration.ts
+++ b/backend/src/helpers/integration.ts
@ -30,6 +30,7 @@ interface Update {
 * @param {String} obj.workspaceId - id of workspace
 * @param {String} obj.integration - name of integration 
 * @param {String} obj.code - code
+ * @returns {IntegrationAuth} integrationAuth - integration auth after OAuth2 code-token exchange
 */
 const handleOAuthExchangeHelper = async ({
    workspaceId,
@ -42,7 +43,6 @@ const handleOAuthExchangeHelper = async ({
    code: string;
    environment: string;
 }) => {
-    let action;
    let integrationAuth;
    try {
        const bot = await Bot.findOne({
@ -94,25 +94,18 @@ const handleOAuthExchangeHelper = async ({
            // set integration auth access token
            await setIntegrationAuthAccessHelper({
                integrationAuthId: integrationAuth._id.toString(),
+                accessId: null,
                accessToken: res.accessToken,
                accessExpiresAt: res.accessExpiresAt
            });
        }
-
-        // initialize new integration after exchange
-        await new Integration({
-            workspace: workspaceId,
-            isActive: false,
-            app: null,
-            environment,
-            integration,
-            integrationAuth: integrationAuth._id
-        }).save();
    } catch (err) {
        Sentry.setUser(null);
        Sentry.captureException(err);
        throw new Error('Failed to handle OAuth2 code-token exchange')
    }
+    
+    return integrationAuth;
 }
 /**
 * Sync/push environment variables in workspace with id [workspaceId] to
@ -146,7 +139,7 @@ const syncIntegrationsHelper = async ({
            if (!integrationAuth) throw new Error('Failed to find integration auth');
            
            // get integration auth access token
-            const accessToken = await getIntegrationAuthAccessHelper({
+            const access = await getIntegrationAuthAccessHelper({
                integrationAuthId: integration.integrationAuth.toString()
            });

@ -155,7 +148,8 @@ const syncIntegrationsHelper = async ({
                integration,
                integrationAuth,
                secrets,
-                accessToken
+                accessId: access.accessId,
+                accessToken: access.accessToken
            });
        }
    } catch (err) {
@ -211,12 +205,12 @@ const syncIntegrationsHelper = async ({
 * @returns {String} accessToken - decrypted access token
 */
 const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrationAuthId: string }) => {
+    let accessId;
    let accessToken;
-	
    try {
        const integrationAuth = await IntegrationAuth
            .findById(integrationAuthId)
-            .select('workspace integration +accessCiphertext +accessIV +accessTag +accessExpiresAt + refreshCiphertext');
+            .select('workspace integration +accessCiphertext +accessIV +accessTag +accessExpiresAt + refreshCiphertext +accessIdCiphertext +accessIdIV +accessIdTag');

        if (!integrationAuth) throw UnauthorizedRequestError({message: 'Failed to locate Integration Authentication credentials'});

@ -240,6 +234,15 @@ const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrati
                });
            }
        }
+        
+        if (integrationAuth?.accessIdCiphertext && integrationAuth?.accessIdIV && integrationAuth?.accessIdTag) {
+            accessId = await BotService.decryptSymmetric({
+                workspaceId: integrationAuth.workspace.toString(),
+                ciphertext: integrationAuth.accessIdCiphertext as string,
+                iv: integrationAuth.accessIdIV as string,
+                tag: integrationAuth.accessIdTag as string
+            });
+        }

    } catch (err) {
        Sentry.setUser(null);
@ -250,7 +253,10 @@ const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrati
            throw new Error('Failed to get integration access token');
    }
    
-    return accessToken;
+    return ({
+        accessId,
+        accessToken
+    });
 }

 /**
@ -300,9 +306,9 @@ const setIntegrationAuthRefreshHelper = async ({
 }

 /**
- * Encrypt access token [accessToken] using the bot's copy
- * of the workspace key for workspace belonging to integration auth
- * with id [integrationAuthId] and store it along with [accessExpiresAt]
+ * Encrypt access token [accessToken] and (optionally) access id [accessId]
+ * using the bot's copy of the workspace key for workspace belonging to 
+ * integration auth with id [integrationAuthId] and store it along with [accessExpiresAt]
 * @param {Object} obj
 * @param {String} obj.integrationAuthId - id of integration auth
 * @param {String} obj.accessToken - access token
@ -310,10 +316,12 @@ const setIntegrationAuthRefreshHelper = async ({
 */
 const setIntegrationAuthAccessHelper = async ({
    integrationAuthId,
+    accessId,
    accessToken,
    accessExpiresAt
 }: {
    integrationAuthId: string;
+    accessId: string | null;
    accessToken: string;
    accessExpiresAt: Date | undefined;
 }) => {
@ -323,17 +331,28 @@ const setIntegrationAuthAccessHelper = async ({
        
        if (!integrationAuth) throw new Error('Failed to find integration auth');
        
-        const obj = await BotService.encryptSymmetric({
+        const encryptedAccessTokenObj = await BotService.encryptSymmetric({
            workspaceId: integrationAuth.workspace.toString(),
            plaintext: accessToken
        });
        
+        let encryptedAccessIdObj;
+        if (accessId) {
+            encryptedAccessIdObj = await BotService.encryptSymmetric({
+                workspaceId: integrationAuth.workspace.toString(),
+                plaintext: accessId
+            }); 
+        }
+        
        integrationAuth = await IntegrationAuth.findOneAndUpdate({
            _id: integrationAuthId
        }, {
-            accessCiphertext: obj.ciphertext,
-            accessIV: obj.iv,
-            accessTag: obj.tag,
+            accessIdCiphertext: encryptedAccessIdObj?.ciphertext ?? undefined,
+            accessIdIV: encryptedAccessIdObj?.iv ?? undefined,
+            accessIdTag: encryptedAccessIdObj?.tag ?? undefined,
+            accessCiphertext: encryptedAccessTokenObj.ciphertext,
+            accessIV: encryptedAccessTokenObj.iv,
+            accessTag: encryptedAccessTokenObj.tag,
            accessExpiresAt
        }, {
            new: true
--- a/backend/src/helpers/secret.ts
+++ b/backend/src/helpers/secret.ts
@ -406,10 +406,10 @@ const v2PushSecrets = async ({
 				secretIds: toDelete
 			});

-			const deleteAction = await EELogService.createActionSecret({
+			const deleteAction = await EELogService.createAction({
 				name: ACTION_DELETE_SECRETS,
-				userId,
-				workspaceId,
+				userId: new Types.ObjectId(userId),
+				workspaceId: new Types.ObjectId(userId),
 				secretIds: toDelete
 			});

@ -499,10 +499,10 @@ const v2PushSecrets = async ({
 				})
 			});

-			const updateAction = await EELogService.createActionSecret({
+			const updateAction = await EELogService.createAction({
 				name: ACTION_UPDATE_SECRETS,
-				userId,
-				workspaceId,
+				userId: new Types.ObjectId(userId),
+				workspaceId: new Types.ObjectId(workspaceId),
 				secretIds: toUpdate.map((u) => u._id)
 			});

@ -536,10 +536,10 @@ const v2PushSecrets = async ({
 				})
 			});

-			const addAction = await EELogService.createActionSecret({
+			const addAction = await EELogService.createAction({
 				name: ACTION_ADD_SECRETS,
-				userId,
-				workspaceId,
+				userId: new Types.ObjectId(userId),
+				workspaceId: new Types.ObjectId(workspaceId),
 				secretIds: newSecrets.map((n) => n._id)
 			});
 			addAction && actions.push(addAction);
@ -553,8 +553,8 @@ const v2PushSecrets = async ({
 		// (EE) create (audit) log
 		if (actions.length > 0) {
 			await EELogService.createLog({
-				userId,
-				workspaceId,
+				userId: new Types.ObjectId(userId),
+				workspaceId: new Types.ObjectId(workspaceId),
 				actions,
 				channel,
 				ipAddress
@ -645,16 +645,16 @@ const pullSecrets = async ({
 			environment
 		})

-		const readAction = await EELogService.createActionSecret({
+		const readAction = await EELogService.createAction({
 			name: ACTION_READ_SECRETS,
-			userId,
-			workspaceId,
+			userId: new Types.ObjectId(userId),
+			workspaceId: new Types.ObjectId(workspaceId),
 			secretIds: secrets.map((n: any) => n._id)
 		});

 		readAction && await EELogService.createLog({
-			userId,
-			workspaceId,
+			userId: new Types.ObjectId(userId),
+			workspaceId: new Types.ObjectId(workspaceId),
 			actions: [readAction],
 			channel,
 			ipAddress
--- a/backend/src/helpers/signup.ts
+++ b/backend/src/helpers/signup.ts
@ -1,12 +1,11 @@
 import * as Sentry from '@sentry/node';
-import crypto from 'crypto';
-import { Token, IToken, IUser } from '../models';
+import { IUser } from '../models';
 import { createOrganization } from './organization';
 import { addMembershipsOrg } from './membershipOrg';
-import { createWorkspace } from './workspace';
-import { addMemberships } from './membership';
-import { OWNER, ADMIN, ACCEPTED } from '../variables';
+import { OWNER, ACCEPTED } from '../variables';
 import { sendMail } from '../helpers/nodemailer';
+import { TokenService } from '../services';
+import { TOKEN_EMAIL_CONFIRMATION } from '../variables';

 /**
 * Send magic link to verify email to [email]
@ -14,21 +13,13 @@ import { sendMail } from '../helpers/nodemailer';
 * @param {Object} obj
 * @param {String} obj.email - email
 * @returns {Boolean} success - whether or not operation was successful
- *
 */
 const sendEmailVerification = async ({ email }: { email: string }) => {
 	try {
-		const token = String(crypto.randomInt(Math.pow(10, 5), Math.pow(10, 6) - 1));
-
-		await Token.findOneAndUpdate(
-			{ email },
-			{
-				email,
-				token,
-				createdAt: new Date()
-			},
-			{ upsert: true, new: true }
-		);
+		const token = await TokenService.createToken({
+			type: TOKEN_EMAIL_CONFIRMATION,
+			email
+		});

 		// send mail
 		await sendMail({
@ -62,12 +53,11 @@ const checkEmailVerification = async ({
 	code: string;
 }) => {
 	try {
-		const token = await Token.findOneAndDelete({
+		await TokenService.validateToken({
+			type: TOKEN_EMAIL_CONFIRMATION,
 			email,
 			token: code
 		});
-
-		if (!token) throw new Error('Failed to find email verification token');
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
@ -103,18 +93,6 @@ const initializeDefaultOrg = async ({
 			roles: [OWNER],
 			statuses: [ACCEPTED]
 		});
-
-		// initialize a default workspace inside the new organization
-		const workspace = await createWorkspace({
-			name: `Example Project`,
-			organizationId: organization._id.toString()
-		});
-
-		await addMemberships({
-			userIds: [user._id.toString()],
-			workspaceId: workspace._id.toString(),
-			roles: [ADMIN]
-		});
 	} catch (err) {
 		throw new Error(`Failed to initialize default organization and workspace [err=${err}]`);
 	}
--- a/backend/src/helpers/token.ts
+++ b/backend/src/helpers/token.ts
@ -0,0 +1,217 @@
+import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
+import { TokenData } from '../models';
+import crypto from 'crypto';
+import bcrypt from 'bcrypt';
+import {
+    TOKEN_EMAIL_CONFIRMATION,
+    TOKEN_EMAIL_MFA,
+    TOKEN_EMAIL_ORG_INVITATION,
+    TOKEN_EMAIL_PASSWORD_RESET
+} from '../variables';
+import {
+    SALT_ROUNDS
+} from '../config';
+import { UnauthorizedRequestError } from '../utils/errors';
+
+/**
+ * Create and store a token in the database for purpose [type]
+ * @param {Object} obj
+ * @param {String} obj.type
+ * @param {String} obj.email
+ * @param {String} obj.phoneNumber
+ * @param {Types.ObjectId} obj.organizationId
+ * @returns {String} token - the created token
+ */
+const createTokenHelper = async ({
+    type,
+    email,
+    phoneNumber,
+    organizationId
+}: {
+    type: 'emailConfirmation' | 'emailMfa' | 'organizationInvitation' | 'passwordReset';
+    email?: string;
+    phoneNumber?: string;
+    organizationId?: Types.ObjectId
+}) => {
+    let token, expiresAt, triesLeft;
+    try {
+        // generate random token based on specified token use-case
+        // type [type]
+        switch (type) {
+            case TOKEN_EMAIL_CONFIRMATION:
+                // generate random 6-digit code
+                token = String(crypto.randomInt(Math.pow(10, 5), Math.pow(10, 6) - 1));
+                expiresAt = new Date((new Date()).getTime() + 86400000);
+                break;
+            case TOKEN_EMAIL_MFA:
+                // generate random 6-digit code
+                token = String(crypto.randomInt(Math.pow(10, 5), Math.pow(10, 6) - 1));
+                triesLeft = 5;
+                expiresAt = new Date((new Date()).getTime() + 300000);
+                break;
+            case TOKEN_EMAIL_ORG_INVITATION:
+                // generate random hex
+                token = crypto.randomBytes(16).toString('hex');
+                expiresAt = new Date((new Date()).getTime() + 259200000);
+                break;
+            case TOKEN_EMAIL_PASSWORD_RESET:
+                // generate random hex
+                token = crypto.randomBytes(16).toString('hex');
+                expiresAt = new Date((new Date()).getTime() + 86400000); 
+                break;
+            default:
+                token = crypto.randomBytes(16).toString('hex');
+                expiresAt = new Date();
+                break;
+        }
+        
+       interface TokenDataQuery {
+            type: string;
+            email?: string;
+            phoneNumber?: string;
+            organization?: Types.ObjectId;
+        }
+        
+        interface TokenDataUpdate {
+            type: string;
+            email?: string;
+            phoneNumber?: string;
+            organization?: Types.ObjectId;
+            tokenHash: string;
+            triesLeft?: number;
+            expiresAt: Date;
+        }
+
+        const query: TokenDataQuery = { type };
+        const update: TokenDataUpdate = {
+            type,
+            tokenHash: await bcrypt.hash(token, SALT_ROUNDS),
+            expiresAt
+        }
+
+        if (email) {
+            query.email = email; 
+            update.email = email; 
+        }
+        if (phoneNumber) { 
+            query.phoneNumber = phoneNumber; 
+            update.phoneNumber = phoneNumber; 
+        }
+        if (organizationId) { 
+            query.organization = organizationId 
+            update.organization = organizationId 
+        } 
+        
+        if (triesLeft) {
+            update.triesLeft = triesLeft;
+        }
+       
+        await TokenData.findOneAndUpdate(
+            query,
+            update,
+            {
+                new: true,
+                upsert: true
+            }
+        );
+    } catch (err) {
+        Sentry.setUser(null);
+        Sentry.captureException(err);
+        throw new Error(
+            "Failed to create token"
+        ); 
+    }
+    
+    return token;
+}
+
+/**
+ * 
+ * @param {Object} obj
+ * @param {String} obj.email - email associated with the token
+ * @param {String} obj.token - value of the token
+ */
+const validateTokenHelper = async ({
+    type,
+    email,
+    phoneNumber,
+    organizationId,
+    token
+}: {
+    type: 'emailConfirmation' | 'emailMfa' | 'organizationInvitation' | 'passwordReset';
+    email?: string;
+    phoneNumber?: string;
+    organizationId?: Types.ObjectId;
+    token: string;
+}) => {
+    interface Query {
+        type: string;
+        email?: string;
+        phoneNumber?: string;
+        organization?: Types.ObjectId;
+    }
+
+    const query: Query = { type };
+
+    if (email) { query.email = email; }
+    if (phoneNumber) { query.phoneNumber = phoneNumber; }
+    if (organizationId) { query.organization = organizationId; }
+
+    const tokenData = await TokenData.findOne(query).select('+tokenHash');
+    
+    if (!tokenData) throw new Error('Failed to find token to validate');
+    
+    if (tokenData.expiresAt < new Date()) {
+        // case: token expired
+        await TokenData.findByIdAndDelete(tokenData._id);
+        throw UnauthorizedRequestError({
+            message: 'MFA session expired. Please log in again',
+            context: {
+                code: 'mfa_expired'
+            }
+        });
+    }
+
+    const isValid = await bcrypt.compare(token, tokenData.tokenHash);
+    if (!isValid) {
+        // case: token is not valid
+        if (tokenData?.triesLeft !== undefined) {
+            // case: token has a try-limit
+            if (tokenData.triesLeft === 1) {
+                // case: token is out of tries
+                await TokenData.findByIdAndDelete(tokenData._id);
+            } else {
+                // case: token has more than 1 try left
+                await TokenData.findByIdAndUpdate(tokenData._id, {
+                    triesLeft: tokenData.triesLeft - 1
+                }, {
+                    new: true
+                });
+            }
+
+            throw UnauthorizedRequestError({
+                message: 'MFA code is invalid',
+                context: {
+                    code: 'mfa_invalid',
+                    triesLeft: tokenData.triesLeft - 1
+                }
+            });
+        }
+
+        throw UnauthorizedRequestError({
+            message: 'MFA code is invalid',
+            context: {
+                code: 'mfa_invalid'
+            }
+        });
+    }
+
+    // case: token is valid
+    await TokenData.findByIdAndDelete(tokenData._id);
+}
+
+export {
+    createTokenHelper,
+    validateTokenHelper
+}
--- a/backend/src/helpers/user.ts
+++ b/backend/src/helpers/user.ts
@ -1,5 +1,6 @@
 import * as Sentry from '@sentry/node';
-import { User, IUser } from '../models';
+import { IUser, User } from '../models';
+import { sendMail } from './nodemailer';

 /**
 * Initialize a user under email [email]
@ -28,10 +29,14 @@ const setupAccount = async ({ email }: { email: string }) => {
 * @param {String} obj.userId - id of user to finish setting up
 * @param {String} obj.firstName - first name of user
 * @param {String} obj.lastName - last name of user
+ * @param {Number} obj.encryptionVersion - version of auth encryption scheme used
+ * @param {String} obj.protectedKey - protected key in encryption version 2
+ * @param {String} obj.protectedKeyIV - IV of protected key in encryption version 2
+ * @param {String} obj.protectedKeyTag - tag of protected key in encryption version 2
 * @param {String} obj.publicKey - publickey of user
 * @param {String} obj.encryptedPrivateKey - (encrypted) private key of user
- * @param {String} obj.iv - iv for (encrypted) private key of user
- * @param {String} obj.tag - tag for (encrypted) private key of user
+ * @param {String} obj.encryptedPrivateKeyIV - iv for (encrypted) private key of user
+ * @param {String} obj.encryptedPrivateKeyTag - tag for (encrypted) private key of user
 * @param {String} obj.salt - salt for auth SRP
 * @param {String} obj.verifier - verifier for auth SRP
 * @returns {Object} user - the completed user
@ -40,20 +45,28 @@ const completeAccount = async ({
 	userId,
 	firstName,
 	lastName,
+	encryptionVersion,
+	protectedKey,
+	protectedKeyIV,
+	protectedKeyTag,
 	publicKey,
 	encryptedPrivateKey,
-	iv,
-	tag,
+	encryptedPrivateKeyIV,
+	encryptedPrivateKeyTag,
 	salt,
 	verifier
 }: {
 	userId: string;
 	firstName: string;
 	lastName: string;
+	encryptionVersion: number;
+	protectedKey: string;
+	protectedKeyIV: string;
+	protectedKeyTag: string;
 	publicKey: string;
 	encryptedPrivateKey: string;
-	iv: string;
-	tag: string;
+	encryptedPrivateKeyIV: string;
+	encryptedPrivateKeyTag: string;
 	salt: string;
 	verifier: string;
 }) => {
@ -67,10 +80,14 @@ const completeAccount = async ({
 			{
 				firstName,
 				lastName,
+				encryptionVersion,
+				protectedKey,
+				protectedKeyIV,
+				protectedKeyTag,
 				publicKey,
 				encryptedPrivateKey,
-				iv,
-				tag,
+				iv: encryptedPrivateKeyIV,
+				tag: encryptedPrivateKeyTag,
 				salt,
 				verifier
 			},
@ -85,4 +102,48 @@ const completeAccount = async ({
 	return user;
 };

-export { setupAccount, completeAccount };
+/**
+ * Check if device with ip [ip] and user-agent [userAgent] has been seen for user [user].
+ * If the device is unseen, then notify the user of the new device
+ * @param {Object} obj
+ * @param {String} obj.ip - login ip address
+ * @param {String} obj.userAgent - login user-agent
+ */
+const checkUserDevice = async ({
+	user,
+	ip,
+	userAgent
+}: {
+	user: IUser;
+	ip: string;
+	userAgent: string;
+}) => {
+	const isDeviceSeen = user.devices.some((device) => device.ip === ip && device.userAgent === userAgent);
+		
+	if (!isDeviceSeen) {
+		// case: unseen login ip detected for user
+		// -> notify user about the sign-in from new ip 
+		
+		user.devices = user.devices.concat([{
+			ip: String(ip),
+			userAgent
+		}]);
+		
+		await user.save();
+
+		// send MFA code [code] to [email]
+		await sendMail({
+			template: 'newDevice.handlebars',
+			subjectLine: `Successful login from new device`,
+			recipients: [user.email],
+			substitutions: {
+				email: user.email,
+				timestamp: new Date().toString(),
+				ip,
+				userAgent
+			}
+		}); 
+	}
+}
+
+export { setupAccount, completeAccount, checkUserDevice };
--- a/backend/src/integrations/apps.ts
+++ b/backend/src/integrations/apps.ts
@ -1,20 +1,25 @@
-import axios from 'axios';
-import * as Sentry from '@sentry/node';
-import { Octokit } from '@octokit/rest';
-import { IIntegrationAuth } from '../models';
+import axios from "axios";
+import * as Sentry from "@sentry/node";
+import { Octokit } from "@octokit/rest";
+import { IIntegrationAuth } from "../models";
 import {
+  INTEGRATION_AZURE_KEY_VAULT,
+  INTEGRATION_AWS_PARAMETER_STORE,
+  INTEGRATION_AWS_SECRET_MANAGER,
  INTEGRATION_HEROKU,
  INTEGRATION_VERCEL,
  INTEGRATION_NETLIFY,
  INTEGRATION_GITHUB,
  INTEGRATION_RENDER,
  INTEGRATION_FLYIO,
+  INTEGRATION_CIRCLECI,
  INTEGRATION_HEROKU_API_URL,
  INTEGRATION_VERCEL_API_URL,
  INTEGRATION_NETLIFY_API_URL,
  INTEGRATION_RENDER_API_URL,
-  INTEGRATION_FLYIO_API_URL
-} from '../variables';
+  INTEGRATION_FLYIO_API_URL,
+  INTEGRATION_CIRCLECI_API_URL,
+} from "../variables";

 /**
 * Return list of names of apps for integration named [integration]
@ -26,7 +31,7 @@ import {
 */
 const getApps = async ({
  integrationAuth,
-  accessToken
+  accessToken,
 }: {
  integrationAuth: IIntegrationAuth;
  accessToken: string;
@ -40,42 +45,56 @@ const getApps = async ({
  let apps: App[];
  try {
    switch (integrationAuth.integration) {
+      case INTEGRATION_AZURE_KEY_VAULT:
+        apps = [];
+        break;
+      case INTEGRATION_AWS_PARAMETER_STORE:
+        apps = [];
+        break;
+      case INTEGRATION_AWS_SECRET_MANAGER:
+        apps = [];
+        break;
      case INTEGRATION_HEROKU:
        apps = await getAppsHeroku({
-          accessToken
+          accessToken,
        });
        break;
      case INTEGRATION_VERCEL:
        apps = await getAppsVercel({
          integrationAuth,
-          accessToken
+          accessToken,
        });
        break;
      case INTEGRATION_NETLIFY:
        apps = await getAppsNetlify({
-          accessToken
+          accessToken,
        });
        break;
      case INTEGRATION_GITHUB:
        apps = await getAppsGithub({
-          accessToken
+          accessToken,
        });
        break;
      case INTEGRATION_RENDER:
        apps = await getAppsRender({
-          accessToken
+          accessToken,
        });
        break;
      case INTEGRATION_FLYIO:
        apps = await getAppsFlyio({
-          accessToken
+          accessToken,
+        });
+        break;
+      case INTEGRATION_CIRCLECI:
+        apps = await getAppsCircleCI({
+          accessToken,
        });
        break;
    }
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error('Failed to get integration apps');
+    throw new Error("Failed to get integration apps");
  }

  return apps;
@ -94,19 +113,19 @@ const getAppsHeroku = async ({ accessToken }: { accessToken: string }) => {
    const res = (
      await axios.get(`${INTEGRATION_HEROKU_API_URL}/apps`, {
        headers: {
-          Accept: 'application/vnd.heroku+json; version=3',
-          Authorization: `Bearer ${accessToken}`
-        }
+          Accept: "application/vnd.heroku+json; version=3",
+          Authorization: `Bearer ${accessToken}`,
+        },
      })
    ).data;

    apps = res.map((a: any) => ({
-      name: a.name
+      name: a.name,
    }));
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error('Failed to get Heroku integration apps');
+    throw new Error("Failed to get Heroku integration apps");
  }

  return apps;
@ -119,10 +138,10 @@ const getAppsHeroku = async ({ accessToken }: { accessToken: string }) => {
 * @returns {Object[]} apps - names of Vercel apps
 * @returns {String} apps.name - name of Vercel app
 */
-const getAppsVercel = async ({ 
+const getAppsVercel = async ({
  integrationAuth,
-  accessToken 
-}: { 
+  accessToken,
+}: {
  integrationAuth: IIntegrationAuth;
  accessToken: string;
 }) => {
@ -131,23 +150,26 @@ const getAppsVercel = async ({
    const res = (
      await axios.get(`${INTEGRATION_VERCEL_API_URL}/v9/projects`, {
        headers: {
-          Authorization: `Bearer ${accessToken}`
+          Authorization: `Bearer ${accessToken}`,
+          'Accept-Encoding': 'application/json'
        },
-       ...( integrationAuth?.teamId ? { 
-        params: {
-          teamId: integrationAuth.teamId
-        }
-      } : {}) 
+        ...(integrationAuth?.teamId
+          ? {
+              params: {
+                teamId: integrationAuth.teamId,
+              },
+            }
+          : {}),
      })
    ).data;
-    
+
    apps = res.projects.map((a: any) => ({
-      name: a.name
+      name: a.name,
    }));
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error('Failed to get Vercel integration apps');
+    throw new Error("Failed to get Vercel integration apps");
  }

  return apps;
@ -160,29 +182,26 @@ const getAppsVercel = async ({
 * @returns {Object[]} apps - names of Netlify sites
 * @returns {String} apps.name - name of Netlify site
 */
-const getAppsNetlify = async ({
-  accessToken
-}: {
-  accessToken: string;
-}) => {
+const getAppsNetlify = async ({ accessToken }: { accessToken: string }) => {
  let apps;
  try {
    const res = (
      await axios.get(`${INTEGRATION_NETLIFY_API_URL}/api/v1/sites`, {
        headers: {
-          Authorization: `Bearer ${accessToken}`
+          Authorization: `Bearer ${accessToken}`,
+          'Accept-Encoding': 'application/json'
        }
      })
    ).data;

    apps = res.map((a: any) => ({
      name: a.name,
-      appId: a.site_id
+      appId: a.site_id,
    }));
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error('Failed to get Netlify integration apps');
+    throw new Error("Failed to get Netlify integration apps");
  }

  return apps;
@ -195,35 +214,32 @@ const getAppsNetlify = async ({
 * @returns {Object[]} apps - names of Netlify sites
 * @returns {String} apps.name - name of Netlify site
 */
-const getAppsGithub = async ({
-  accessToken
-}: {
-  accessToken: string;
-}) => {
+const getAppsGithub = async ({ accessToken }: { accessToken: string }) => {
  let apps;
  try {
    const octokit = new Octokit({
-      auth: accessToken
+      auth: accessToken,
    });

-    const repos = (await octokit.request(
-      'GET /user/repos{?visibility,affiliation,type,sort,direction,per_page,page,since,before}',
-      {
-        per_page: 100
-      }
-    )).data;
+    const repos = (
+      await octokit.request(
+        "GET /user/repos{?visibility,affiliation,type,sort,direction,per_page,page,since,before}",
+        {
+          per_page: 100,
+        }
+      )
+    ).data;

    apps = repos
-      .filter((a:any) => a.permissions.admin === true)
+      .filter((a: any) => a.permissions.admin === true)
      .map((a: any) => ({
-          name: a.name,
-          owner: a.owner.login
-        })
-      );
+        name: a.name,
+        owner: a.owner.login,
+      }));
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error('Failed to get Github repos');
+    throw new Error("Failed to get Github repos");
  }

  return apps;
@ -237,18 +253,16 @@ const getAppsGithub = async ({
 * @returns {String} apps.name - name of Render service
 * @returns {String} apps.appId - id of Render service
 */
-const getAppsRender = async ({
-  accessToken
-}: {
-  accessToken: string;
-}) => {
+const getAppsRender = async ({ accessToken }: { accessToken: string }) => {
  let apps: any;
  try {
    const res = (
      await axios.get(`${INTEGRATION_RENDER_API_URL}/v1/services`, {
        headers: {
-          Authorization: `Bearer ${accessToken}`
-        }
+          Authorization: `Bearer ${accessToken}`,
+          Accept: 'application/json',
+          'Accept-Encoding': 'application/json',
+        },
      })
    ).data;
    
@ -257,14 +271,15 @@ const getAppsRender = async ({
        name: a.service.name,
        appId: a.service.id
      })); 
+    
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error('Failed to get Render services');
+    throw new Error("Failed to get Render services");
  }
-  
+
  return apps;
-}
+};

 /**
 * Return list of apps for Fly.io integration
@ -273,11 +288,7 @@ const getAppsRender = async ({
 * @returns {Object[]} apps - names and ids of Fly.io apps
 * @returns {String} apps.name - name of Fly.io apps
 */
-const getAppsFlyio = async ({
-  accessToken
-}: {
-  accessToken: string;
-}) => {
+const getAppsFlyio = async ({ accessToken }: { accessToken: string }) => {
  let apps;
  try {
    const query = `
@ -291,32 +302,71 @@ const getAppsFlyio = async ({
        }
      }
    `;
-    
-    const res = (await axios({
-      url: INTEGRATION_FLYIO_API_URL,
-      method: 'post',
-      headers: {
-        'Authorization': 'Bearer ' + accessToken
-      },
-      data: {
-        query,
-        variables: {
-          role: null
-        }
-      }
-    })).data.data.apps.nodes;
-    
-    apps = res
-      .map((a: any) => ({
-        name: a.name
-      })); 
+
+    const res = (
+      await axios({
+        url: INTEGRATION_FLYIO_API_URL,
+        method: "post",
+        headers: {
+          Authorization: "Bearer " + accessToken,
+        'Accept': 'application/json',
+        'Accept-Encoding': 'application/json',
+        },
+        data: {
+          query,
+          variables: {
+            role: null,
+          },
+        },
+      })
+    ).data.data.apps.nodes;
+
+    apps = res.map((a: any) => ({
+      name: a.name,
+    }));
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error('Failed to get Fly.io apps');
+    throw new Error("Failed to get Fly.io apps");
+  }
+
+  return apps;
+};
+
+/**
+ * Return list of projects for CircleCI integration
+ * @param {Object} obj
+ * @param {String} obj.accessToken - access token for CircleCI API
+ * @returns {Object[]} apps -
+ * @returns {String} apps.name - name of CircleCI apps
+ */
+const getAppsCircleCI = async ({ accessToken }: { accessToken: string }) => {
+  let apps: any;
+  try {    
+    const res = (
+      await axios.get(
+        `${INTEGRATION_CIRCLECI_API_URL}/v1.1/projects`,
+        {
+          headers: {
+            "Circle-Token": accessToken,
+            "Accept-Encoding": "application/json",
+          },
+        }
+      )
+    ).data
+
+    apps = res?.map((a: any) => {
+      return {
+        name: a?.reponame
+      }
+    });
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error("Failed to get CircleCI projects");
  }
  
  return apps;
-}
+};

 export { getApps };
--- a/backend/src/integrations/exchange.ts
+++ b/backend/src/integrations/exchange.ts
@ -1,10 +1,12 @@
 import axios from 'axios';
 import * as Sentry from '@sentry/node';
 import {
+  INTEGRATION_AZURE_KEY_VAULT,
  INTEGRATION_HEROKU,
  INTEGRATION_VERCEL,
  INTEGRATION_NETLIFY,
  INTEGRATION_GITHUB,
+  INTEGRATION_AZURE_TOKEN_URL,
  INTEGRATION_HEROKU_TOKEN_URL,
  INTEGRATION_VERCEL_TOKEN_URL,
  INTEGRATION_NETLIFY_TOKEN_URL,
@ -12,15 +14,27 @@ import {
 } from '../variables';
 import {
  SITE_URL,
+  CLIENT_ID_AZURE,
  CLIENT_ID_VERCEL,
  CLIENT_ID_NETLIFY,
  CLIENT_ID_GITHUB,
+  CLIENT_SECRET_AZURE,
  CLIENT_SECRET_HEROKU,
  CLIENT_SECRET_VERCEL,
  CLIENT_SECRET_NETLIFY,
  CLIENT_SECRET_GITHUB
 } from '../config';

+interface ExchangeCodeAzureResponse {
+  token_type: string;
+  scope: string;
+  expires_in: number;
+  ext_expires_in: number;
+  access_token: string;
+  refresh_token: string;
+  id_token: string;
+}
+
 interface ExchangeCodeHerokuResponse {
  token_type: string;
  access_token: string;
@ -75,6 +89,11 @@ const exchangeCode = async ({

  try {
    switch (integration) {
+      case INTEGRATION_AZURE_KEY_VAULT:
+        obj = await exchangeCodeAzure({
+          code
+        });
+        break;
      case INTEGRATION_HEROKU:
        obj = await exchangeCodeHeroku({
          code
@ -105,6 +124,46 @@ const exchangeCode = async ({
  return obj;
 };

+/**
+ * Return [accessToken] for Azure OAuth2 code-token exchange
+ * @param param0 
+ */
+const exchangeCodeAzure = async ({
+  code
+}: {
+  code: string;
+}) => {
+  const accessExpiresAt = new Date();
+  let res: ExchangeCodeAzureResponse;
+  try {
+    res = (await axios.post(
+      INTEGRATION_AZURE_TOKEN_URL,
+      new URLSearchParams({
+        grant_type: 'authorization_code',
+        code: code,
+        scope: 'https://vault.azure.net/.default openid offline_access',
+        client_id: CLIENT_ID_AZURE,
+        client_secret: CLIENT_SECRET_AZURE,
+        redirect_uri: `${SITE_URL}/integrations/azure-key-vault/oauth2/callback`
+      } as any)
+    )).data;
+
+    accessExpiresAt.setSeconds(
+      accessExpiresAt.getSeconds() + res.expires_in
+    );
+  } catch (err: any) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed OAuth2 code-token exchange with Azure');
+  }
+
+  return ({
+    accessToken: res.access_token,
+    refreshToken: res.refresh_token,
+    accessExpiresAt
+  });
+}
+
 /**
 * Return [accessToken], [accessExpiresAt], and [refreshToken] for Heroku
 * OAuth2 code-token exchange
@ -116,36 +175,36 @@ const exchangeCode = async ({
 * @returns {Date} obj2.accessExpiresAt - date of expiration for access token
 */
 const exchangeCodeHeroku = async ({
-    code
+  code
 }: {
-    code: string;
+  code: string;
 }) => {
-    let res: ExchangeCodeHerokuResponse;
-    const accessExpiresAt = new Date();
-    try {
-        res = (await axios.post(
-            INTEGRATION_HEROKU_TOKEN_URL,
-            new URLSearchParams({
-				grant_type: 'authorization_code',
-				code: code,
-				client_secret: CLIENT_SECRET_HEROKU
-			} as any)
-        )).data;
-        
-        accessExpiresAt.setSeconds(
-            accessExpiresAt.getSeconds() + res.expires_in
-        );
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error('Failed OAuth2 code-token exchange with Heroku');
-    }
-    
-    return ({
-        accessToken: res.access_token,
-        refreshToken: res.refresh_token,
-        accessExpiresAt
-    });
+  let res: ExchangeCodeHerokuResponse;
+  const accessExpiresAt = new Date();
+  try {
+    res = (await axios.post(
+      INTEGRATION_HEROKU_TOKEN_URL,
+      new URLSearchParams({
+        grant_type: 'authorization_code',
+        code: code,
+        client_secret: CLIENT_SECRET_HEROKU
+      } as any)
+    )).data;
+
+    accessExpiresAt.setSeconds(
+      accessExpiresAt.getSeconds() + res.expires_in
+    );
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed OAuth2 code-token exchange with Heroku');
+  }
+
+  return ({
+    accessToken: res.access_token,
+    refreshToken: res.refresh_token,
+    accessExpiresAt
+  });
 }

 /**
@ -168,14 +227,14 @@ const exchangeCodeVercel = async ({ code }: { code: string }) => {
          code: code,
          client_id: CLIENT_ID_VERCEL,
          client_secret: CLIENT_SECRET_VERCEL,
-          redirect_uri: `${SITE_URL}/vercel`
+          redirect_uri: `${SITE_URL}/integrations/vercel/oauth2/callback`
        } as any)
      )
    ).data;
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error('Failed OAuth2 code-token exchange with Vercel');
+    throw new Error(`Failed OAuth2 code-token exchange with Vercel [err=${err}]`);
  }

  return {
@ -208,7 +267,7 @@ const exchangeCodeNetlify = async ({ code }: { code: string }) => {
          code: code,
          client_id: CLIENT_ID_NETLIFY,
          client_secret: CLIENT_SECRET_NETLIFY,
-          redirect_uri: `${SITE_URL}/netlify`
+          redirect_uri: `${SITE_URL}/integrations/netlify/oauth2/callback`
        } as any)
      )
    ).data;
@ -260,10 +319,11 @@ const exchangeCodeGithub = async ({ code }: { code: string }) => {
          client_id: CLIENT_ID_GITHUB,
          client_secret: CLIENT_SECRET_GITHUB,
          code: code,
-          redirect_uri: `${SITE_URL}/github`
+          redirect_uri: `${SITE_URL}/integrations/github/oauth2/callback`
        },
        headers: {
-          Accept: 'application/json'
+          'Accept': 'application/json',
+          'Accept-Encoding': 'application/json'
        }
      })
    ).data;
--- a/backend/src/integrations/refresh.ts
+++ b/backend/src/integrations/refresh.ts
@ -1,13 +1,26 @@
 import axios from 'axios';
 import * as Sentry from '@sentry/node';
-import { INTEGRATION_HEROKU } from '../variables';
+import { INTEGRATION_AZURE_KEY_VAULT, INTEGRATION_HEROKU } from '../variables';
 import {
-    CLIENT_SECRET_HEROKU
+  SITE_URL,
+  CLIENT_ID_AZURE,
+  CLIENT_SECRET_AZURE,
+  CLIENT_SECRET_HEROKU
 } from '../config';
 import {
-    INTEGRATION_HEROKU_TOKEN_URL
+  INTEGRATION_AZURE_TOKEN_URL,
+  INTEGRATION_HEROKU_TOKEN_URL
 } from '../variables';

+interface RefreshTokenAzureResponse {
+  token_type: string;
+  scope: string;
+  expires_in: number;
+  ext_expires_in: 4871;
+  access_token: string;
+  refresh_token: string;
+}
+
 /**
 * Return new access token by exchanging refresh token [refreshToken] for integration
 * named [integration]
@ -25,6 +38,11 @@ const exchangeRefresh = async ({
  let accessToken;
  try {
    switch (integration) {
+      case INTEGRATION_AZURE_KEY_VAULT:
+        accessToken = await exchangeRefreshAzure({
+          refreshToken
+        });
+        break;
      case INTEGRATION_HEROKU:
        accessToken = await exchangeRefreshHeroku({
          refreshToken
@ -40,6 +58,38 @@ const exchangeRefresh = async ({
  return accessToken;
 };

+/**
+ * Return new access token by exchanging refresh token [refreshToken] for the
+ * Azure integration
+ * @param {Object} obj
+ * @param {String} obj.refreshToken - refresh token to use to get new access token for Azure
+ * @returns
+ */
+const exchangeRefreshAzure = async ({
+  refreshToken
+}: {
+  refreshToken: string;
+}) => {
+  try {
+    const res: RefreshTokenAzureResponse = (await axios.post(
+      INTEGRATION_AZURE_TOKEN_URL,
+       new URLSearchParams({
+        client_id: CLIENT_ID_AZURE,
+        scope: 'openid offline_access',
+        refresh_token: refreshToken,
+        grant_type: 'refresh_token',
+        client_secret: CLIENT_SECRET_AZURE
+      } as any)
+    )).data;
+    
+    return res.access_token;
+  } catch (err) {
+    Sentry.setUser(null);
+    Sentry.captureException(err);
+    throw new Error('Failed to get refresh OAuth2 access token for Azure'); 
+  }
+}
+
 /**
 * Return new access token by exchanging refresh token [refreshToken] for the
 * Heroku integration
@ -52,23 +102,23 @@ const exchangeRefreshHeroku = async ({
 }: {
  refreshToken: string;
 }) => {
-    let accessToken;
-	//TODO: Refactor code to take advantage of using RequestError. It's possible to create new types of errors for more detailed errors
-    try {
-        const res = await axios.post(
-            INTEGRATION_HEROKU_TOKEN_URL,
-            new URLSearchParams({
-                grant_type: 'refresh_token',
-                refresh_token: refreshToken,
-                client_secret: CLIENT_SECRET_HEROKU
-            } as any)
-        );
+  
+  let accessToken;
+  try {
+    const res = await axios.post(
+        INTEGRATION_HEROKU_TOKEN_URL,
+        new URLSearchParams({
+            grant_type: 'refresh_token',
+            refresh_token: refreshToken,
+            client_secret: CLIENT_SECRET_HEROKU
+        } as any)
+    );

    accessToken = res.data.access_token;
  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
-    throw new Error('Failed to get new OAuth2 access token for Heroku');
+    throw new Error('Failed to refresh OAuth2 access token for Heroku');
  }

  return accessToken;
--- a/backend/src/integrations/sync.ts
+++ b/backend/src/integrations/sync.ts
--- a/backend/src/middleware/index.ts
+++ b/backend/src/middleware/index.ts
@ -1,4 +1,5 @@
 import requireAuth from './requireAuth';
+import requireMfaAuth from './requireMfaAuth';
 import requireBotAuth from './requireBotAuth';
 import requireSignupAuth from './requireSignupAuth';
 import requireWorkspaceAuth from './requireWorkspaceAuth';
@ -15,6 +16,7 @@ import validateRequest from './validateRequest';

 export {
 	requireAuth,
+	requireMfaAuth,
 	requireBotAuth,
 	requireSignupAuth,
 	requireWorkspaceAuth,
--- a/backend/src/middleware/requestErrorHandler.ts
+++ b/backend/src/middleware/requestErrorHandler.ts
@ -1,11 +1,12 @@
 import { ErrorRequestHandler } from "express";

 import * as Sentry from '@sentry/node';
-import { InternalServerError } from "../utils/errors";
+import { InternalServerError, UnauthorizedRequestError } from "../utils/errors";
 import { getLogger } from "../utils/logger";
 import RequestError, { LogLevel } from "../utils/requestError";
 import { NODE_ENV } from "../config";

+import { TokenExpiredError } from 'jsonwebtoken';

 export const requestErrorHandler: ErrorRequestHandler = (error: RequestError | Error, req, res, next) => {
    if (res.headersSent) return next();
--- a/backend/src/middleware/requireIntegrationAuthorizationAuth.ts
+++ b/backend/src/middleware/requireIntegrationAuthorizationAuth.ts
@ -45,9 +45,10 @@ const requireIntegrationAuthorizationAuth = ({

 		req.integrationAuth = integrationAuth;
 		if (attachAccessToken) {
-			req.accessToken = await IntegrationService.getIntegrationAuthAccess({
+			const access = await IntegrationService.getIntegrationAuthAccess({
 				integrationAuthId: integrationAuth._id.toString()
 			});
+			req.accessToken = access.accessToken;
 		}
 		
 		return next();
--- a/backend/src/middleware/requireMfaAuth.ts
+++ b/backend/src/middleware/requireMfaAuth.ts
@ -0,0 +1,43 @@
+import jwt from 'jsonwebtoken';
+import { Request, Response, NextFunction } from 'express';
+import { User } from '../models';
+import { JWT_MFA_SECRET } from '../config';
+import { BadRequestError, UnauthorizedRequestError } from '../utils/errors';
+
+declare module 'jsonwebtoken' {
+	export interface UserIDJwtPayload extends jwt.JwtPayload {
+		userId: string;
+	}
+}
+
+/**
+ * Validate if (MFA) JWT temporary token on request is valid (e.g. not expired)
+ * and if there is an associated user.
+ */
+const requireMfaAuth = async (
+	req: Request,
+	res: Response,
+	next: NextFunction
+) => {
+	// JWT (temporary) authentication middleware for complete signup
+	const [ AUTH_TOKEN_TYPE, AUTH_TOKEN_VALUE ] = <[string, string]>req.headers['authorization']?.split(' ', 2) ?? [null, null]
+	if(AUTH_TOKEN_TYPE === null) return next(BadRequestError({message: `Missing Authorization Header in the request header.`}))
+	if(AUTH_TOKEN_TYPE.toLowerCase() !== 'bearer') return next(BadRequestError({message: `The provided authentication type '${AUTH_TOKEN_TYPE}' is not supported.`}))
+	if(AUTH_TOKEN_VALUE === null) return next(BadRequestError({message: 'Missing Authorization Body in the request header'}))
+	
+	const decodedToken = <jwt.UserIDJwtPayload>(
+		jwt.verify(AUTH_TOKEN_VALUE, JWT_MFA_SECRET)
+	);
+
+	const user = await User.findOne({
+		_id: decodedToken.userId
+	}).select('+publicKey');
+
+	if (!user)
+		return next(UnauthorizedRequestError({message: 'Unable to authenticate for User account completion. Try logging in again'}))
+
+	req.user = user;
+	return next();
+};
+
+export default requireMfaAuth;
--- a/backend/src/models/LoginSRPDetail.ts
+++ b/backend/src/models/LoginSRPDetail.ts
@ -1,23 +0,0 @@
-import mongoose, { Schema, model } from 'mongoose';
-
-const LoginSRPDetailSchema = new Schema(
-	{
-		clientPublicKey: {
-			type: String,
-			required: true
-		},
-		email: {
-			type: String,
-			required: true,
-			unique: true
-		},
-		serverBInt: { type: mongoose.Schema.Types.Buffer },
-		expireAt: { type: Date }
-	}
-);
-
-const LoginSRPDetail = model('LoginSRPDetail', LoginSRPDetailSchema);
-
-// LoginSRPDetailSchema.index({ "expireAt": 1 }, { expireAfterSeconds: 0 });
-
-export default LoginSRPDetail;
--- a/backend/src/models/index.ts
+++ b/backend/src/models/index.ts
@ -10,12 +10,13 @@ import MembershipOrg, { IMembershipOrg } from './membershipOrg';
 import Organization, { IOrganization } from './organization';
 import Secret, { ISecret } from './secret';
 import ServiceToken, { IServiceToken } from './serviceToken';
-import Token, { IToken } from './token';
+import TokenData, { ITokenData } from './tokenData';
 import User, { IUser } from './user';
 import UserAction, { IUserAction } from './userAction';
 import Workspace, { IWorkspace } from './workspace';
 import ServiceTokenData, { IServiceTokenData } from './serviceTokenData';
 import APIKeyData, { IAPIKeyData } from './apiKeyData';
+import LoginSRPDetail, { ILoginSRPDetail } from './loginSRPDetail';

 export {
 	BackupPrivateKey,
@ -42,8 +43,8 @@ export {
 	ISecret,
 	ServiceToken,
 	IServiceToken,
-	Token,
-	IToken,
+	TokenData,
+	ITokenData,
 	User,
 	IUser,
 	UserAction,
@ -53,5 +54,7 @@ export {
 	ServiceTokenData,
 	IServiceTokenData,
 	APIKeyData,
-	IAPIKeyData
+	IAPIKeyData,
+	LoginSRPDetail,
+	ILoginSRPDetail
 };
--- a/backend/src/models/integration.ts
+++ b/backend/src/models/integration.ts
@ -1,12 +1,16 @@
-import { Schema, model, Types } from 'mongoose';
+import { Schema, model, Types } from "mongoose";
 import {
+  INTEGRATION_AZURE_KEY_VAULT,
+  INTEGRATION_AWS_PARAMETER_STORE,
+  INTEGRATION_AWS_SECRET_MANAGER,
  INTEGRATION_HEROKU,
  INTEGRATION_VERCEL,
  INTEGRATION_NETLIFY,
  INTEGRATION_GITHUB,
  INTEGRATION_RENDER,
-  INTEGRATION_FLYIO
-} from '../variables';
+  INTEGRATION_FLYIO,
+  INTEGRATION_CIRCLECI,
+} from "../variables";

 export interface IIntegration {
  _id: Types.ObjectId;
@ -17,68 +21,96 @@ export interface IIntegration {
  owner: string;
  targetEnvironment: string;
  appId: string;
-  integration: 'heroku' | 'vercel' | 'netlify' | 'github' | 'render' | 'flyio';
+  path: string;
+  region: string;
+  integration:
+    | 'azure-key-vault' 
+    | 'aws-parameter-store'
+    | 'aws-secret-manager'
+    | 'heroku' 
+    | 'vercel' 
+    | 'netlify' 
+    | 'github' 
+    | 'render' 
+    | 'flyio'
+    | 'circleci';
  integrationAuth: Types.ObjectId;
 }

 const integrationSchema = new Schema<IIntegration>(
  {
    workspace: {
-        type: Schema.Types.ObjectId,
-        ref: 'Workspace',
-        required: true
+      type: Schema.Types.ObjectId,
+      ref: "Workspace",
+      required: true,
    },
    environment: {
      type: String,
-      required: true
+      required: true,
    },
    isActive: {
      type: Boolean,
-      required: true
+      required: true,
    },
    app: {
      // name of app in provider
      type: String,
-      default: null
+      default: null,
    },
-    appId: { // (new)
+    appId: {
+      // (new)
      // id of app in provider
      type: String,
-      default: null
+      default: null,
    },
-    targetEnvironment: { // (new)
-      // target environment 
+    targetEnvironment: {
+      // (new)
+      // target environment
      type: String,
-      default: null
+      default: null,
    },
    owner: {
      // github-specific repo owner-login
      type: String,
+      default: null,
+    },
+    path: {
+      // aws-parameter-store-specific path
+      type: String,
+      default: null
+    },
+    region: {
+      // aws-parameter-store-specific path
+      type: String,
      default: null
    },
    integration: {
      type: String,
      enum: [
+        INTEGRATION_AZURE_KEY_VAULT,
+        INTEGRATION_AWS_PARAMETER_STORE,
+        INTEGRATION_AWS_SECRET_MANAGER,
        INTEGRATION_HEROKU,
        INTEGRATION_VERCEL,
        INTEGRATION_NETLIFY,
        INTEGRATION_GITHUB,
        INTEGRATION_RENDER,
-        INTEGRATION_FLYIO
+        INTEGRATION_FLYIO,
+        INTEGRATION_CIRCLECI,
      ],
-      required: true
+      required: true,
    },
    integrationAuth: {
      type: Schema.Types.ObjectId,
-      ref: 'IntegrationAuth',
-      required: true
-    }
+      ref: "IntegrationAuth",
+      required: true,
+    },
  },
  {
-    timestamps: true
+    timestamps: true,
  }
 );

-const Integration = model<IIntegration>('Integration', integrationSchema);
+const Integration = model<IIntegration>("Integration", integrationSchema);

 export default Integration;
--- a/backend/src/models/integrationAuth.ts
+++ b/backend/src/models/integrationAuth.ts
@ -1,20 +1,29 @@
-import { Schema, model, Types } from 'mongoose';
+import { Schema, model, Types } from "mongoose";
 import {
+  INTEGRATION_AZURE_KEY_VAULT,
+  INTEGRATION_AWS_PARAMETER_STORE,
+  INTEGRATION_AWS_SECRET_MANAGER,
  INTEGRATION_HEROKU,
  INTEGRATION_VERCEL,
  INTEGRATION_NETLIFY,
-  INTEGRATION_GITHUB
-} from '../variables';
+  INTEGRATION_GITHUB,
+  INTEGRATION_RENDER,
+  INTEGRATION_FLYIO,
+  INTEGRATION_CIRCLECI,
+} from "../variables";

 export interface IIntegrationAuth {
  _id: Types.ObjectId;
  workspace: Types.ObjectId;
-  integration: 'heroku' | 'vercel' | 'netlify' | 'github' | 'render' | 'flyio';
+  integration: 'heroku' | 'vercel' | 'netlify' | 'github' | 'render' | 'flyio' | 'azure-key-vault' | 'circleci' | 'aws-parameter-store' | 'aws-secret-manager';
  teamId: string;
  accountId: string;
  refreshCiphertext?: string;
  refreshIV?: string;
  refreshTag?: string;
+  accessIdCiphertext?: string; // new
+  accessIdIV?: string; // new
+  accessIdTag?: string; // new
  accessCiphertext?: string;
  accessIV?: string;
  accessTag?: string;
@ -24,64 +33,82 @@ export interface IIntegrationAuth {
 const integrationAuthSchema = new Schema<IIntegrationAuth>(
  {
    workspace: {
-        type: Schema.Types.ObjectId,
-        ref: 'Workspace',
-        required: true
+      type: Schema.Types.ObjectId,
+      ref: "Workspace",
+      required: true,
    },
    integration: {
      type: String,
      enum: [
+        INTEGRATION_AZURE_KEY_VAULT,
+        INTEGRATION_AWS_PARAMETER_STORE,
+        INTEGRATION_AWS_SECRET_MANAGER,
        INTEGRATION_HEROKU,
        INTEGRATION_VERCEL,
        INTEGRATION_NETLIFY,
-        INTEGRATION_GITHUB
+        INTEGRATION_GITHUB,
+        INTEGRATION_RENDER,
+        INTEGRATION_FLYIO,
+        INTEGRATION_CIRCLECI,
      ],
-      required: true
+      required: true,
    },
    teamId: {
      // vercel-specific integration param
-      type: String
+      type: String,
    },
    accountId: {
      // netlify-specific integration param
-      type: String
+      type: String,
    },
    refreshCiphertext: {
      type: String,
-      select: false
+      select: false,
    },
    refreshIV: {
      type: String,
-      select: false
+      select: false,
    },
    refreshTag: {
+      type: String,
+      select: false,
+    },
+    accessIdCiphertext: {
+      type: String,
+      select: false
+    },
+    accessIdIV: {
+      type: String,
+      select: false
+    },
+    accessIdTag: {
      type: String,
      select: false
    },
    accessCiphertext: {
      type: String,
-      select: false
+      select: false,
    },
    accessIV: {
      type: String,
-      select: false
+      select: false,
    },
    accessTag: {
      type: String,
-      select: false
+      select: false,
    },
    accessExpiresAt: {
      type: Date,
-      select: false
-    }
+      select: false,
+    },
  },
  {
-    timestamps: true
+    timestamps: true,
  }
 );

 const IntegrationAuth = model<IIntegrationAuth>(
-  'IntegrationAuth',
+  "IntegrationAuth",
  integrationAuthSchema
 );

--- a/backend/src/models/loginSRPDetail.ts
+++ b/backend/src/models/loginSRPDetail.ts
@ -0,0 +1,29 @@
+import mongoose, { Schema, model, Types } from 'mongoose';
+
+export interface ILoginSRPDetail {
+	_id: Types.ObjectId;
+	clientPublicKey: string;
+	email: string;
+	serverBInt: mongoose.Schema.Types.Buffer;
+	expireAt: Date;
+}
+
+const loginSRPDetailSchema = new Schema<ILoginSRPDetail>(
+	{
+		clientPublicKey: {
+			type: String,
+			required: true
+		},
+		email: {
+			type: String,
+			required: true,
+			unique: true
+		},
+		serverBInt: { type: mongoose.Schema.Types.Buffer },
+		expireAt: { type: Date }
+	}
+);
+
+const LoginSRPDetail = model('LoginSRPDetail', loginSRPDetailSchema);
+
+export default LoginSRPDetail;
--- a/backend/src/models/secret.ts
+++ b/backend/src/models/secret.ts
@ -23,6 +23,7 @@ export interface ISecret {
 	secretCommentIV?: string;
 	secretCommentTag?: string;
 	secretCommentHash?: string;
+	tags?: string[];
 }

 const secretSchema = new Schema<ISecret>(
@ -47,6 +48,11 @@ const secretSchema = new Schema<ISecret>(
 			type: Schema.Types.ObjectId,
 			ref: 'User'
 		},
+		tags: {
+			ref: 'Tag',
+			type: [Schema.Types.ObjectId],
+			default: []
+		},
 		environment: {
 			type: String,
 			required: true
@ -103,6 +109,9 @@ const secretSchema = new Schema<ISecret>(
 	}
 );

+
+secretSchema.index({ tags: 1 }, { background: true })
+
 const Secret = model<ISecret>('Secret', secretSchema);

 export default Secret;
--- a/backend/src/models/secretApprovalRequest.ts
+++ b/backend/src/models/secretApprovalRequest.ts
@ -0,0 +1,83 @@
+import mongoose, { Schema, model } from 'mongoose';
+import Secret, { ISecret } from './secret';
+
+interface ISecretApprovalRequest {
+	secret: mongoose.Types.ObjectId;
+	requestedChanges: ISecret;
+	requestedBy: mongoose.Types.ObjectId;
+	approvers: IApprover[];
+	status: ApprovalStatus;
+	timestamp: Date;
+	requestType: RequestType;
+	requestId: string;
+}
+
+interface IApprover {
+	userId: mongoose.Types.ObjectId;
+	status: ApprovalStatus;
+}
+
+export enum ApprovalStatus {
+	PENDING = 'pending',
+	APPROVED = 'approved',
+	REJECTED = 'rejected'
+}
+
+export enum RequestType {
+	UPDATE = 'update',
+	DELETE = 'delete',
+	CREATE = 'create'
+}
+
+const approverSchema = new mongoose.Schema({
+	user: {
+		type: mongoose.Schema.Types.ObjectId,
+		ref: 'User',
+		required: true
+	},
+	status: {
+		type: String,
+		enum: [ApprovalStatus],
+		default: ApprovalStatus.PENDING
+	}
+});
+
+const secretApprovalRequestSchema = new Schema<ISecretApprovalRequest>(
+	{
+		secret: {
+			type: mongoose.Schema.Types.ObjectId,
+			ref: 'Secret'
+		},
+		requestedChanges: Secret,
+		requestedBy: {
+			type: mongoose.Schema.Types.ObjectId,
+			ref: 'User'
+		},
+		approvers: [approverSchema],
+		status: {
+			type: String,
+			enum: ApprovalStatus,
+			default: ApprovalStatus.PENDING
+		},
+		timestamp: {
+			type: Date,
+			default: Date.now
+		},
+		requestType: {
+			type: String,
+			enum: RequestType,
+			required: true
+		},
+		requestId: {
+			type: String,
+			required: false
+		}
+	},
+	{
+		timestamps: true
+	}
+);
+
+const SecretApprovalRequest = model<ISecretApprovalRequest>('SecretApprovalRequest', secretApprovalRequestSchema);
+
+export default SecretApprovalRequest;
--- a/backend/src/models/tag.ts
+++ b/backend/src/models/tag.ts
@ -0,0 +1,49 @@
+import { Schema, model, Types } from 'mongoose';
+
+export interface ITag {
+	_id: Types.ObjectId;
+	name: string;
+	slug: string;
+	user: Types.ObjectId;
+	workspace: Types.ObjectId;
+}
+
+const tagSchema = new Schema<ITag>(
+	{
+		name: {
+			type: String,
+			required: true,
+			trim: true,
+		},
+		slug: {
+			type: String,
+			required: true,
+			trim: true,
+			lowercase: true,
+			validate: [
+				function (value: any) {
+					return value.indexOf(' ') === -1;
+				},
+				'slug cannot contain spaces'
+			]
+		},
+		user: {
+			type: Schema.Types.ObjectId,
+			ref: 'User'
+		},
+		workspace: {
+			type: Schema.Types.ObjectId,
+			ref: 'Workspace'
+		},
+	},
+	{
+		timestamps: true
+	}
+);
+
+tagSchema.index({ slug: 1, workspace: 1 }, { unique: true })
+tagSchema.index({ workspace: 1 })
+
+const Tag = model<ITag>('Tag', tagSchema);
+
+export default Tag;
--- a/backend/src/models/token.ts
+++ b/backend/src/models/token.ts
@ -5,6 +5,7 @@ export interface IToken {
  email: string;
  token: string;
  createdAt: Date;
+  ttl: number;
 }

 const tokenSchema = new Schema<IToken>({
@ -19,14 +20,13 @@ const tokenSchema = new Schema<IToken>({
  createdAt: {
    type: Date,
    default: Date.now
+  },
+  ttl: {
+    type: Number,
  }
 });

-tokenSchema.index({ 
-  createdAt: 1 
-}, { 
-  expireAfterSeconds: parseInt(EMAIL_TOKEN_LIFETIME) 
-});
+tokenSchema.index({ email: 1 });

 const Token = model<IToken>('Token', tokenSchema);

--- a/backend/src/models/tokenData.ts
+++ b/backend/src/models/tokenData.ts
@ -0,0 +1,61 @@
+import { Schema, Types, model } from 'mongoose';
+
+export interface ITokenData {
+  type: string;
+  email?: string;
+  phoneNumber?: string;
+  organization?: Types.ObjectId;
+  tokenHash: string;
+  triesLeft?: number;
+  expiresAt: Date;
+  createdAt: Date;
+  updatedAt: Date;
+}
+
+const tokenDataSchema = new Schema<ITokenData>({
+  type: {
+    type: String,
+    enum: [
+      'emailConfirmation', 
+      'emailMfa', 
+      'organizationInvitation', 
+      'passwordReset'
+    ],
+    required: true
+  },
+  email: {
+    type: String
+  },
+  phoneNumber: {
+    type: String
+  },
+  organization: { // organizationInvitation-specific field
+    type: Schema.Types.ObjectId,
+    ref: 'Organization'
+  },
+  tokenHash: {
+    type: String,
+    select: false,
+    required: true
+  },
+  triesLeft: {
+    type: Number
+  },
+  expiresAt: {
+    type: Date,
+    expires: 0,
+    required: true
+  }
+}, {
+  timestamps: true
+});
+
+tokenDataSchema.index({
+  expiresAt: 1
+}, {
+  expireAfterSeconds: 0
+});
+
+const TokenData = model<ITokenData>('TokenData', tokenDataSchema);
+
+export default TokenData;
--- a/backend/src/models/user.ts
+++ b/backend/src/models/user.ts
@ -1,10 +1,14 @@
-import { Schema, model, Types } from 'mongoose';
+import { Schema, model, Types, Document } from 'mongoose';

-export interface IUser {
+export interface IUser extends Document {
 	_id: Types.ObjectId;
 	email: string;
 	firstName?: string;
 	lastName?: string;
+	encryptionVersion: number;
+	protectedKey: string;
+	protectedKeyIV: string;
+	protectedKeyTag: string;
 	publicKey?: string;
 	encryptedPrivateKey?: string;
 	iv?: string;
@ -12,6 +16,12 @@ export interface IUser {
 	salt?: string;
 	verifier?: string;
 	refreshVersion?: number;
+	isMfaEnabled: boolean;
+	mfaMethods: boolean;
+	devices: {
+		ip: string;
+		userAgent: string;
+	}[];
 }

 const userSchema = new Schema<IUser>(
@ -26,6 +36,23 @@ const userSchema = new Schema<IUser>(
 		lastName: {
 			type: String
 		},
+		encryptionVersion: {
+			type: Number,
+			select: false,
+			default: 1 // to resolve backward-compatibility issues
+		},
+		protectedKey: { // introduced as part of encryption version 2
+			type: String,
+			select: false
+		},
+		protectedKeyIV: { // introduced as part of encryption version 2
+			type: String,
+			select: false
+		},
+		protectedKeyTag: { // introduced as part of encryption version 2
+			type: String,
+			select: false
+		},
 		publicKey: {
 			type: String,
 			select: false
@ -34,11 +61,11 @@ const userSchema = new Schema<IUser>(
 			type: String,
 			select: false
 		},
-		iv: {
+		iv: { // iv of [encryptedPrivateKey]
 			type: String,
 			select: false
 		},
-		tag: {
+		tag: { // tag of [encryptedPrivateKey]
 			type: String,
 			select: false
 		},
@ -54,8 +81,22 @@ const userSchema = new Schema<IUser>(
 			type: Number,
 			default: 0,
 			select: false
+		},
+		isMfaEnabled: {
+			type: Boolean,
+			default: false
+		},
+		mfaMethods: [{
+			type: String
+		}],
+		devices: {
+			type: [{
+				ip: String,
+				userAgent: String
+			}],
+			default: []
 		}
-	},
+	}, 
 	{
 		timestamps: true
 	}
--- a/backend/src/models/workspace.ts
+++ b/backend/src/models/workspace.ts
@ -8,6 +8,7 @@ export interface IWorkspace {
 		name: string;
 		slug: string;
 	}>;
+	autoCapitalization: boolean;
 }

 const workspaceSchema = new Schema<IWorkspace>({
@ -15,6 +16,10 @@ const workspaceSchema = new Schema<IWorkspace>({
 		type: String,
 		required: true
 	},
+	autoCapitalization: {
+		type: Boolean,
+		default: true,
+	},
 	organization: {
 		type: Schema.Types.ObjectId,
 		ref: 'Organization',
--- a/backend/src/routes/v1/auth.ts
+++ b/backend/src/routes/v1/auth.ts
@ -7,7 +7,7 @@ import { authLimiter } from '../../helpers/rateLimiter';

 router.post('/token', validateRequest, authController.getNewToken);

-router.post(
+router.post( // deprecated (moved to api/v2/auth/login1)
  '/login1',
  authLimiter,
  body('email').exists().trim().notEmpty(),
@ -16,7 +16,7 @@ router.post(
  authController.login1
 );

-router.post(
+router.post( // deprecated (moved to api/v2/auth/login2)
  '/login2',
  authLimiter,
  body('email').exists().trim().notEmpty(),
--- a/backend/src/routes/v1/bot.ts
+++ b/backend/src/routes/v1/bot.ts
@ -31,7 +31,7 @@ router.patch(
    requireBotAuth({
 		acceptedRoles: [ADMIN, MEMBER]
    }),
-    body('isActive').isBoolean(),
+    body('isActive').exists().isBoolean(),
    body('botKey'),
    validateRequest,
    botController.setBotActiveState
--- a/backend/src/routes/v1/integration.ts
+++ b/backend/src/routes/v1/integration.ts
@ -10,7 +10,7 @@ import { ADMIN, MEMBER } from '../../variables';
 import { body, param } from 'express-validator';
 import { integrationController } from '../../controllers/v1';

-router.post( // new: add new integration
+router.post( // new: add new integration for integration auth
 	'/',
 	requireAuth({
        acceptedAuthModes: ['jwt', 'apiKey']
@ -19,7 +19,15 @@ router.post( // new: add new integration
 		acceptedRoles: [ADMIN, MEMBER],
 		location: 'body'
 	}),
-	body('integrationAuthId').exists().trim(),
+	body('integrationAuthId').exists().isString().trim(),
+	body('app').trim(),
+	body('isActive').exists().isBoolean(),
+	body('appId').trim(),
+	body('sourceEnvironment').trim(),
+	body('targetEnvironment').trim(),
+	body('owner').trim(),
+	body('path').trim(),
+	body('region').trim(),
 	validateRequest,
 	integrationController.createIntegration
 );
--- a/backend/src/routes/v1/integrationAuth.ts
+++ b/backend/src/routes/v1/integrationAuth.ts
@ -18,6 +18,19 @@ router.get(
 	integrationAuthController.getIntegrationOptions
 );

+router.get(
+	'/:integrationAuthId',
+	requireAuth({
+        acceptedAuthModes: ['jwt']
+    }),
+	requireIntegrationAuthorizationAuth({
+		acceptedRoles: [ADMIN, MEMBER]
+	}),
+	param('integrationAuthId'),
+	validateRequest,
+	integrationAuthController.getIntegrationAuth	
+);
+
 router.post(
 	'/oauth-token',
 	requireAuth({
@ -44,6 +57,7 @@ router.post(
 		location: 'body'
 	}),
 	body('workspaceId').exists().trim().notEmpty(),
+	body('accessId').trim(),
 	body('accessToken').exists().trim().notEmpty(),
 	body('integration').exists().trim().notEmpty(),
 	validateRequest,
--- a/backend/src/routes/v1/organization.ts
+++ b/backend/src/routes/v1/organization.ts
@ -156,4 +156,19 @@ router.get(
 	organizationController.getOrganizationSubscriptions
 );

+router.get(
+	'/:organizationId/workspace-memberships',
+	requireAuth({
+		acceptedAuthModes: ['jwt']
+	}),
+	requireOrganizationAuth({
+		acceptedRoles: [OWNER, ADMIN, MEMBER],
+		acceptedStatuses: [ACCEPTED]
+	}),
+	param('organizationId').exists().trim(),
+	validateRequest,
+	organizationController.getOrganizationMembersAndTheirWorkspaces
+);
+
+
 export default router;
--- a/backend/src/routes/v1/password.ts
+++ b/backend/src/routes/v1/password.ts
@ -10,7 +10,7 @@ router.post(
 	requireAuth({
 		acceptedAuthModes: ['jwt']
 	}),
-	body('clientPublicKey').exists().trim().notEmpty(),
+	body('clientPublicKey').exists().isString().trim().notEmpty(),
 	validateRequest,
 	passwordController.srp1
 );
@ -22,11 +22,14 @@ router.post(
 		acceptedAuthModes: ['jwt']
 	}),
 	body('clientProof').exists().trim().notEmpty(),
-	body('encryptedPrivateKey').exists().trim().notEmpty().notEmpty(), // private key encrypted under new pwd
-	body('iv').exists().trim().notEmpty(), // new iv for private key
-	body('tag').exists().trim().notEmpty(), // new tag for private key
-	body('salt').exists().trim().notEmpty(), // part of new pwd
-	body('verifier').exists().trim().notEmpty(), // part of new pwd
+	body('protectedKey').exists().isString().trim().notEmpty(),
+	body('protectedKeyIV').exists().isString().trim().notEmpty(),
+	body('protectedKeyTag').exists().isString().trim().notEmpty(),
+	body('encryptedPrivateKey').exists().isString().trim().notEmpty(), // private key encrypted under new pwd
+	body('encryptedPrivateKeyIV').exists().isString().trim().notEmpty(), // new iv for private key
+	body('encryptedPrivateKeyTag').exists().isString().trim().notEmpty(), // new tag for private key
+	body('salt').exists().isString().trim().notEmpty(), // part of new pwd
+	body('verifier').exists().isString().trim().notEmpty(), // part of new pwd
 	validateRequest,
 	passwordController.changePassword
 );
@ -34,7 +37,7 @@ router.post(
 router.post(
 	'/email/password-reset',
 	passwordLimiter,
-	body('email').exists().trim().notEmpty(),
+	body('email').exists().isString().trim().notEmpty().isEmail(),
 	validateRequest,
 	passwordController.emailPasswordReset
 );
@ -42,8 +45,8 @@ router.post(
 router.post(
 	'/email/password-reset-verify',
 	passwordLimiter,
-	body('email').exists().trim().notEmpty().isEmail(),
-	body('code').exists().trim().notEmpty(),
+	body('email').exists().isString().trim().notEmpty().isEmail(),
+	body('code').exists().isString().trim().notEmpty(),
 	validateRequest,
 	passwordController.emailPasswordResetVerify
 );
@ -61,12 +64,12 @@ router.post(
 	requireAuth({
 		acceptedAuthModes: ['jwt']
 	}),
-	body('clientProof').exists().trim().notEmpty(),
-	body('encryptedPrivateKey').exists().trim().notEmpty(), // (backup) private key encrypted under a strong key
-	body('iv').exists().trim().notEmpty(), // new iv for (backup) private key
-	body('tag').exists().trim().notEmpty(), // new tag for (backup) private key
-	body('salt').exists().trim().notEmpty(), // salt generated from strong key
-	body('verifier').exists().trim().notEmpty(), // salt generated from strong key
+	body('clientProof').exists().isString().trim().notEmpty(),
+	body('encryptedPrivateKey').exists().isString().trim().notEmpty(), // (backup) private key encrypted under a strong key
+	body('iv').exists().isString().trim().notEmpty(), // new iv for (backup) private key
+	body('tag').exists().isString().trim().notEmpty(), // new tag for (backup) private key
+	body('salt').exists().isString().trim().notEmpty(), // salt generated from strong key
+	body('verifier').exists().isString().trim().notEmpty(), // salt generated from strong key
 	validateRequest,
 	passwordController.createBackupPrivateKey
 );
@ -74,11 +77,14 @@ router.post(
 router.post(
 	'/password-reset',
 	requireSignupAuth,
-	body('encryptedPrivateKey').exists().trim().notEmpty(), // private key encrypted under new pwd
-	body('iv').exists().trim().notEmpty(), // new iv for private key
-	body('tag').exists().trim().notEmpty(), // new tag for private key 
-	body('salt').exists().trim().notEmpty(), // part of new pwd
-	body('verifier').exists().trim().notEmpty(), // part of new pwd
+	body('protectedKey').exists().isString().trim().notEmpty(),
+	body('protectedKeyIV').exists().isString().trim().notEmpty(),
+	body('protectedKeyTag').exists().isString().trim().notEmpty(),
+	body('encryptedPrivateKey').exists().isString().trim().notEmpty(), // private key encrypted under new pwd
+	body('encryptedPrivateKeyIV').exists().isString().trim().notEmpty(), // new iv for private key
+	body('encryptedPrivateKeyTag').exists().isString().trim().notEmpty(), // new tag for private key 
+	body('salt').exists().isString().trim().notEmpty(), // part of new pwd
+	body('verifier').exists().isString().trim().notEmpty(), // part of new pwd
 	validateRequest,
 	passwordController.resetPassword
 );
--- a/backend/src/routes/v1/signup.ts
+++ b/backend/src/routes/v1/signup.ts
@ -1,7 +1,7 @@
 import express from 'express';
 const router = express.Router();
 import { body } from 'express-validator';
-import { requireSignupAuth, validateRequest } from '../../middleware';
+import { validateRequest } from '../../middleware';
 import { signupController } from '../../controllers/v1';
 import { authLimiter } from '../../helpers/rateLimiter';

@ -22,39 +22,4 @@ router.post(
 	signupController.verifyEmailSignup
 );

-router.post(
-	'/complete-account/signup',
-	authLimiter,
-	requireSignupAuth,
-	body('email').exists().trim().notEmpty().isEmail(),
-	body('firstName').exists().trim().notEmpty(),
-	body('lastName').exists().trim().notEmpty(),
-	body('publicKey').exists().trim().notEmpty(),
-	body('encryptedPrivateKey').exists().trim().notEmpty(),
-	body('iv').exists().trim().notEmpty(),
-	body('tag').exists().trim().notEmpty(),
-	body('salt').exists().trim().notEmpty(),
-	body('verifier').exists().trim().notEmpty(),
-	body('organizationName').exists().trim().notEmpty(),
-	validateRequest,
-	signupController.completeAccountSignup
-);
-
-router.post(
-	'/complete-account/invite',
-	authLimiter,
-	requireSignupAuth,
-	body('email').exists().trim().notEmpty().isEmail(),
-	body('firstName').exists().trim().notEmpty(),
-	body('lastName').exists().trim().notEmpty(),
-	body('publicKey').exists().trim().notEmpty(),
-	body('encryptedPrivateKey').exists().trim().notEmpty(),
-	body('iv').exists().trim().notEmpty(),
-	body('tag').exists().trim().notEmpty(),
-	body('salt').exists().trim().notEmpty(),
-	body('verifier').exists().trim().notEmpty(),
-	validateRequest,
-	signupController.completeAccountInvite
-);
-
 export default router;
--- a/backend/src/routes/v2/auth.ts
+++ b/backend/src/routes/v2/auth.ts
@ -0,0 +1,44 @@
+import express from 'express';
+const router = express.Router();
+import { body } from 'express-validator';
+import { requireMfaAuth, validateRequest } from '../../middleware';
+import { authController } from '../../controllers/v2';
+import { authLimiter } from '../../helpers/rateLimiter';
+
+router.post(
+  '/login1',
+  authLimiter,
+  body('email').isString().trim().notEmpty(),
+  body('clientPublicKey').isString().trim().notEmpty(),
+  validateRequest,
+  authController.login1
+);
+
+router.post(
+  '/login2',
+  authLimiter,
+  body('email').isString().trim().notEmpty(),
+  body('clientProof').isString().trim().notEmpty(),
+  validateRequest,
+  authController.login2
+);
+
+router.post(
+  '/mfa/send',
+  authLimiter,
+  body('email').isString().trim().notEmpty(),
+  validateRequest,
+  authController.sendMfaToken
+);
+
+router.post(
+  '/mfa/verify',
+  authLimiter,
+  requireMfaAuth,
+  body('email').isString().trim().notEmpty(),
+  body('mfaToken').isString().trim().notEmpty(),
+  validateRequest,
+  authController.verifyMfaToken
+);
+
+export default router;
--- a/backend/src/routes/v2/index.ts
+++ b/backend/src/routes/v2/index.ts
@ -1,3 +1,5 @@
+import auth from './auth';
+import signup from './signup';
 import users from './users';
 import organizations from './organizations';
 import workspace from './workspace';
@ -6,8 +8,11 @@ import secrets from './secrets';
 import serviceTokenData from './serviceTokenData';
 import apiKeyData from './apiKeyData';
 import environment from "./environment"
+import tags from "./tags"

 export {
+    auth,
+    signup,
    users,
    organizations,
    workspace,
@ -15,5 +20,6 @@ export {
    secrets,
    serviceTokenData,
    apiKeyData,
-    environment
+    environment,
+    tags
 }
--- a/backend/src/routes/v2/organizations.ts
+++ b/backend/src/routes/v2/organizations.ts
@ -30,7 +30,7 @@ router.patch(
    '/:organizationId/memberships/:membershipId',
    param('organizationId').exists().trim(),
    param('membershipId').exists().trim(),
-    body('role').exists().isString().trim().isIn([ADMIN, MEMBER]),
+    body('role').exists().isString().trim().isIn([OWNER, ADMIN, MEMBER]),
    validateRequest,
    requireAuth({
        acceptedAuthModes: ['jwt', 'apiKey']
--- a/backend/src/routes/v2/secrets.ts
+++ b/backend/src/routes/v2/secrets.ts
@ -6,14 +6,52 @@ import {
    requireSecretsAuth,
    validateRequest
 } from '../../middleware';
-import { query, check, body } from 'express-validator';
+import { query, body } from 'express-validator';
 import { secretsController } from '../../controllers/v2';
+import { validateSecrets } from '../../helpers/secret';
 import {
    ADMIN,
    MEMBER,
    SECRET_PERSONAL,
    SECRET_SHARED
 } from '../../variables';
+import {
+    BatchSecretRequest
+} from '../../types/secret';
+
+router.post(
+    '/batch',
+    requireAuth({
+        acceptedAuthModes: ['jwt', 'apiKey']
+    }),
+    requireWorkspaceAuth({
+        acceptedRoles: [ADMIN, MEMBER],
+        location: 'body'
+    }),
+    body('workspaceId').exists().isString().trim(),
+    body('environment').exists().isString().trim(),
+    body('requests')
+        .exists()
+        .custom(async (requests: BatchSecretRequest[], { req }) => {
+            if (Array.isArray(requests)) {
+                const secretIds = requests
+                    .map((request) => request.secret._id)
+                    .filter((secretId) => secretId !== undefined)
+                
+                if (secretIds.length > 0) {
+                    const relevantSecrets = await validateSecrets({
+                        userId: req.user._id.toString(),
+                        secretIds
+                    });
+                    
+                    req.secrets = relevantSecrets;
+                }
+            }
+        return true;
+    }),
+    validateRequest,
+    secretsController.batchSecrets
+);

 router.post(
    '/',
@ -74,6 +112,7 @@ router.get(
    '/',
    query('workspaceId').exists().trim(),
    query('environment').exists().trim(),
+    query('tagSlugs'),
    validateRequest,
    requireAuth({
        acceptedAuthModes: ['jwt', 'apiKey', 'serviceToken']
--- a/backend/src/routes/v2/signup.ts
+++ b/backend/src/routes/v2/signup.ts
@ -0,0 +1,49 @@
+import express from 'express';
+const router = express.Router();
+import { body } from 'express-validator';
+import { requireSignupAuth, validateRequest } from '../../middleware';
+import { signupController } from '../../controllers/v2';
+import { authLimiter } from '../../helpers/rateLimiter';
+
+router.post(
+    '/complete-account/signup',
+    authLimiter,
+    requireSignupAuth,
+    body('email').exists().isString().trim().notEmpty().isEmail(),
+	body('firstName').exists().isString().trim().notEmpty(),
+	body('lastName').exists().isString().trim().notEmpty(),
+	body('protectedKey').exists().isString().trim().notEmpty(),
+	body('protectedKeyIV').exists().isString().trim().notEmpty(),
+	body('protectedKeyTag').exists().isString().trim().notEmpty(),
+	body('publicKey').exists().isString().trim().notEmpty(),
+	body('encryptedPrivateKey').exists().isString().trim().notEmpty(),
+	body('encryptedPrivateKeyIV').exists().isString().trim().notEmpty(),
+	body('encryptedPrivateKeyTag').exists().isString().trim().notEmpty(),
+	body('salt').exists().isString().trim().notEmpty(),
+	body('verifier').exists().isString().trim().notEmpty(),
+	body('organizationName').exists().isString().trim().notEmpty(),
+    validateRequest,
+    signupController.completeAccountSignup
+);
+
+router.post(
+	'/complete-account/invite',
+	authLimiter,
+	requireSignupAuth,
+	body('email').exists().isString().trim().notEmpty().isEmail(),
+	body('firstName').exists().isString().trim().notEmpty(),
+	body('lastName').exists().isString().trim().notEmpty(),
+	body('protectedKey').exists().isString().trim().notEmpty(),
+	body('protectedKeyIV').exists().isString().trim().notEmpty(),
+	body('protectedKeyTag').exists().isString().trim().notEmpty(),
+	body('publicKey').exists().trim().notEmpty(),
+	body('encryptedPrivateKey').exists().isString().trim().notEmpty(),
+	body('encryptedPrivateKeyIV').exists().isString().trim().notEmpty(),
+	body('encryptedPrivateKeyTag').exists().isString().trim().notEmpty(),
+	body('salt').exists().isString().trim().notEmpty(),
+	body('verifier').exists().isString().trim().notEmpty(),
+	validateRequest,
+	signupController.completeAccountInvite
+);
+
+export default router;
--- a/backend/src/routes/v2/tags.ts
+++ b/backend/src/routes/v2/tags.ts
@ -0,0 +1,50 @@
+import express, { Response, Request } from 'express';
+const router = express.Router();
+import { body, param } from 'express-validator';
+import { tagController } from '../../controllers/v2';
+import {
+  requireAuth,
+  requireWorkspaceAuth,
+  validateRequest,
+} from '../../middleware';
+import { ADMIN, MEMBER } from '../../variables';
+
+router.get(
+  '/:workspaceId/tags',
+  requireAuth({
+    acceptedAuthModes: ['jwt'],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [MEMBER, ADMIN],
+  }),
+  param('workspaceId').exists().trim(),
+  validateRequest,
+  tagController.getWorkspaceTags
+);
+
+router.delete(
+  '/tags/:tagId',
+  requireAuth({
+    acceptedAuthModes: ['jwt'],
+  }),
+  param('tagId').exists().trim(),
+  validateRequest,
+  tagController.deleteWorkspaceTag
+);
+
+router.post(
+  '/:workspaceId/tags',
+  requireAuth({
+    acceptedAuthModes: ['jwt'],
+  }),
+  requireWorkspaceAuth({
+    acceptedRoles: [MEMBER, ADMIN],
+  }),
+  param('workspaceId').exists().trim(),
+  body('name').exists().trim(),
+  body('slug').exists().trim(),
+  validateRequest,
+  tagController.createWorkspaceTag
+);
+
+export default router;
--- a/backend/src/routes/v2/users.ts
+++ b/backend/src/routes/v2/users.ts
@ -1,8 +1,10 @@
 import express from 'express';
 const router = express.Router();
 import {
-    requireAuth
+    requireAuth,
+    validateRequest
 } from '../../middleware';
+import { body } from 'express-validator';
 import { usersController } from '../../controllers/v2';

 router.get(
@ -13,6 +15,16 @@ router.get(
    usersController.getMe
 );

+router.patch(
+    '/me/mfa',
+    requireAuth({
+        acceptedAuthModes: ['jwt', 'apiKey']
+    }),
+    body('isMfaEnabled').exists().isBoolean(),
+    validateRequest,
+    usersController.updateMyMfaEnabled
+);
+
 router.get(
    '/me/organizations',
    requireAuth({
--- a/backend/src/routes/v2/workspace.ts
+++ b/backend/src/routes/v2/workspace.ts
@ -118,4 +118,19 @@ router.delete( // TODO - rewire dashboard to this route
 	workspaceController.deleteWorkspaceMembership
 );

+
+router.patch(
+	'/:workspaceId/auto-capitalization',
+	requireAuth({
+		acceptedAuthModes: ['jwt']
+	}),
+	requireWorkspaceAuth({
+		acceptedRoles: [ADMIN, MEMBER]
+	}),
+	param('workspaceId').exists().trim(),
+	body('autoCapitalization').exists().trim().notEmpty(),
+	validateRequest,
+	workspaceController.toggleAutoCapitalization
+);
+
 export default router;
--- a/backend/src/services/IntegrationService.ts
+++ b/backend/src/services/IntegrationService.ts
@ -1,7 +1,3 @@
-import * as Sentry from '@sentry/node';
-import {
-    Integration
-} from '../models';
 import { 
    handleOAuthExchangeHelper,
    syncIntegrationsHelper,
@ -10,7 +6,6 @@ import {
    setIntegrationAuthRefreshHelper,
    setIntegrationAuthAccessHelper,
 } from '../helpers/integration';
-import { exchangeCode } from '../integrations';

 // should sync stuff be here too? Probably.
 // TODO: move bot functions to IntegrationService.
@ -26,11 +21,12 @@ class IntegrationService {
     * - Store integration access and refresh tokens returned from the OAuth2 code-token exchange
     * - Add placeholder inactive integration
     * - Create bot sequence for integration
-     * @param {Object} obj
-     * @param {String} obj.workspaceId - id of workspace
-     * @param {String} obj.environment - workspace environment
-     * @param {String} obj.integration - name of integration 
-     * @param {String} obj.code - code
+     * @param {Object} obj1
+     * @param {String} obj1.workspaceId - id of workspace
+     * @param {String} obj1.environment - workspace environment
+     * @param {String} obj1.integration - name of integration 
+     * @param {String} obj1.code - code
+     * @returns {IntegrationAuth} integrationAuth - integration authorization after OAuth2 code-token exchange
     */
    static async handleOAuthExchange({ 
        workspaceId,
@ -43,7 +39,7 @@ class IntegrationService {
        code: string;
        environment: string;
    }) {
-        await handleOAuthExchangeHelper({
+        return await handleOAuthExchangeHelper({
            workspaceId,
            integration,
            code,
@ -116,26 +112,30 @@ class IntegrationService {
    }

    /**
-     * Encrypt access token [accessToken] using the bot's copy
-     * of the workspace key for workspace belonging to integration auth
+     * Encrypt access token [accessToken] and (optionally) access id using the 
+     * bot's copy of the workspace key for workspace belonging to integration auth
     * with id [integrationAuthId]
     * @param {Object} obj
     * @param {String} obj.integrationAuthId - id of integration auth
+     * @param {String} obj.accessId - access id
     * @param {String} obj.accessToken - access token
     * @param {Date} obj.accessExpiresAt - expiration date of access token
     * @returns {IntegrationAuth} - updated integration auth
     */
    static async setIntegrationAuthAccess({ 
        integrationAuthId,
+        accessId,
        accessToken,
        accessExpiresAt
    }: { 
        integrationAuthId: string;
+        accessId: string | null;
        accessToken: string;
        accessExpiresAt: Date | undefined;
    }) {
        return await setIntegrationAuthAccessHelper({
            integrationAuthId,
+            accessId,
            accessToken,
            accessExpiresAt
        });
--- a/backend/src/services/TokenService.ts
+++ b/backend/src/services/TokenService.ts
@ -0,0 +1,69 @@
+import { Types } from 'mongoose';
+import { createTokenHelper, validateTokenHelper } from '../helpers/token';
+
+/**
+ * Class to handle token actions
+ * TODO: elaborate more on this class
+ */
+class TokenService {
+    /**
+     * Create a token [token] for type [type] with associated details
+     * @param {Object} obj
+     * @param {String} obj.type - type or context of token (e.g. emailConfirmation)
+     * @param {String} obj.email - email associated with the token
+     * @param {String} obj.phoneNumber - phone number associated with the token
+     * @param {Types.ObjectId} obj.organizationId - id of organization associated with the token
+     * @returns {String} token - the token to create
+     */
+    static async createToken({
+        type,
+        email,
+        phoneNumber,
+        organizationId
+    }: {
+        type: 'emailConfirmation' | 'emailMfa' | 'organizationInvitation' | 'passwordReset';
+        email?: string;
+        phoneNumber?: string;
+        organizationId?: Types.ObjectId;
+    }) {
+        return await createTokenHelper({
+            type,
+            email,
+            phoneNumber,
+            organizationId
+        });
+    }
+    
+    /**
+     * Validate whether or not token [token] and its associated details match a token in the DB
+     * @param {Object} obj
+     * @param {String} obj.type - type or context of token (e.g. emailConfirmation)
+     * @param {String} obj.email - email associated with the token
+     * @param {String} obj.phoneNumber - phone number associated with the token
+     * @param {Types.ObjectId} obj.organizationId - id of organization associated with the token
+     * @param {String} obj.token - the token to validate
+     */
+    static async validateToken({
+        type,
+        email,
+        phoneNumber,
+        organizationId,
+        token
+    }: {
+        type: 'emailConfirmation' | 'emailMfa' | 'organizationInvitation' | 'passwordReset';
+        email?: string;
+        phoneNumber?: string;
+        organizationId?: Types.ObjectId;
+        token: string;
+    }) {
+        return await validateTokenHelper({
+            type,
+            email,
+            phoneNumber,
+            organizationId,
+            token
+        });
+    }
+}
+
+export default TokenService;
--- a/backend/src/services/index.ts
+++ b/backend/src/services/index.ts
@ -3,11 +3,13 @@ import postHogClient from './PostHogClient';
 import BotService from './BotService';
 import EventService from './EventService';
 import IntegrationService from './IntegrationService';
+import TokenService from './TokenService';

 export {
    DatabaseService,
    postHogClient,
    BotService,
    EventService,
-    IntegrationService
+    IntegrationService,
+    TokenService
 }
--- a/backend/src/services/smtp.ts
+++ b/backend/src/services/smtp.ts
@ -1,6 +1,10 @@
 import nodemailer from 'nodemailer';
 import { SMTP_HOST, SMTP_PORT, SMTP_USERNAME, SMTP_PASSWORD, SMTP_SECURE } from '../config';
-import { SMTP_HOST_SENDGRID, SMTP_HOST_MAILGUN } from '../variables';
+import {
+  SMTP_HOST_SENDGRID, 
+  SMTP_HOST_MAILGUN,
+  SMTP_HOST_SOCKETLABS
+} from '../variables';
 import SMTPConnection from 'nodemailer/lib/smtp-connection';
 import * as Sentry from '@sentry/node';

@ -27,6 +31,12 @@ if (SMTP_SECURE) {
        ciphers: 'TLSv1.2'
      }
      break;
+    case SMTP_HOST_SOCKETLABS:
+      mailOpts.requireTLS = true; 
+      mailOpts.tls = {
+        ciphers: 'TLSv1.2'
+      }
+      break;
    default:
      if (SMTP_HOST.includes('amazonaws.com')) {
        mailOpts.tls = {
--- a/backend/src/templates/emailMfa.handlebars
+++ b/backend/src/templates/emailMfa.handlebars
@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <meta http-equiv="x-ua-compatible" content="ie=edge">
+    <title>MFA Code</title>
+</head>
+
+<body>
+    <h2>Infisical</h2>
+    <h2>Sign in attempt requires further verification</h2>
+    <p>Your MFA code is below — enter it where you started signing in to Infisical.</p>
+    <h2>{{code}}</h2>
+    <p>The MFA code will be valid for 2 minutes.</p>
+    <p>Not you? Contact Infisical or your administrator immediately.</p>
+</body>
+
+</html>
--- a/backend/src/templates/emailVerification.handlebars
+++ b/backend/src/templates/emailVerification.handlebars
@ -1,15 +1,17 @@
 <!DOCTYPE html>
 <html>
+
 <head>
    <meta charset="utf-8">
    <meta http-equiv="x-ua-compatible" content="ie=edge">
-    <title>Email Verification</title>
+    <title>Code</title>
 </head>
+
 <body>
-    <h2>Infisical</h2>
    <h2>Confirm your email address</h2>
    <p>Your confirmation code is below — enter it in the browser window where you've started signing up for Infisical.</p>
-    <h2>{{code}}</h2>
+    <h1>{{code}}</h1>
    <p>Questions about setting up Infisical? Email us at support@infisical.com</p>
 </body>
+
 </html>
--- a/backend/src/templates/newDevice.handlebars
+++ b/backend/src/templates/newDevice.handlebars
@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <meta http-equiv="x-ua-compatible" content="ie=edge">
+    <title>Successful login for {{email}} from new device</title>
+</head>
+
+<body>
+    <h2>Infisical</h2>
+    <p>We're verifying a recent login for {{email}}:</p>
+    <p><strong>Timestamp</strong>: {{timestamp}}</p>
+    <p><strong>IP address</strong>: {{ip}}</p>
+    <p><strong>User agent</strong>: {{userAgent}}</p>
+    <p>If you believe that this login is suspicious, please contact Infisical or reset your password immediately.</p>
+</body>
+
+</html>
--- a/backend/src/templates/organizationInvitation.handlebars
+++ b/backend/src/templates/organizationInvitation.handlebars
@ -7,12 +7,10 @@
    <title>Organization Invitation</title>
 </head>
 <body>
-    <h2>Infisical</h2>
-    <h2>Join your team on Infisical</h2>
-    <p>{{inviterFirstName}}({{inviterEmail}}) has invited you to their Infisical organization — {{organizationName}}</p>
+    <h2>Join your organization on Infisical</h2>
+    <p>{{inviterFirstName}} ({{inviterEmail}}) has invited you to their Infisical organization — {{organizationName}}</p>
    <a href="{{callback_url}}?token={{token}}&to={{email}}">Join now</a>
    <h3>What is Infisical?</h3>
-    <p>Infisical is a simple end-to-end encrypted solution that enables teams to sync and manage their environment
-        variables.</p>
+    <p>Infisical is an easy-to-use end-to-end encrypted tool that enables developers to sync and manage their secrets and configs.</p>
 </body>
 </html>
--- a/backend/src/templates/passwordReset.handlebars
+++ b/backend/src/templates/passwordReset.handlebars
@ -6,7 +6,6 @@
    <title>Account Recovery</title>
 </head>
 <body>
-    <h2>Infisical</h2>
    <h2>Reset your password</h2>
    <p>Someone requested a password reset.</p>
    <a href="{{callback_url}}?token={{token}}&to={{email}}">Reset password</a>
--- a/backend/src/templates/workspaceInvitation.handlebars
+++ b/backend/src/templates/workspaceInvitation.handlebars
@ -6,11 +6,10 @@
    <title>Project Invitation</title>
 </head>
 <body>
-    <h2>Infisical</h2>
    <h2>Join your team on Infisical</h2>
-    <p>{{inviterFirstName}}({{inviterEmail}}) has invited you to their Infisical workspace — {{workspaceName}}</p>
+    <p>{{inviterFirstName}} ({{inviterEmail}}) has invited you to their Infisical project — {{workspaceName}}</p>
    <a href="{{callback_url}}">Join now</a>
    <h3>What is Infisical?</h3>
-    <p>Infisical is a simple end-to-end encrypted solution that enables teams to sync and manage their environment variables.</p>
+    <p>Infisical is an easy-to-use end-to-end encrypted tool that enables developers to sync and manage their secrets and configs.</p>
 </body>
 </html>
--- a/backend/src/types/secret/index.d.ts
+++ b/backend/src/types/secret/index.d.ts
@ -1,5 +1,7 @@
+import { Types } from 'mongoose';
 import { Assign, Omit } from 'utility-types';
 import { ISecret } from '../../models';
+import { mongo } from 'mongoose';

 // Everything is required, except the omitted types
 export type CreateSecretRequestBody = Omit<ISecret, "user" | "version" | "environment" | "workspace">;
@ -12,3 +14,39 @@ export type SanitizedSecretModify = Partial<Omit<ISecret, "user" | "version" | "

 // Everything is required, except the omitted types
 export type SanitizedSecretForCreate = Omit<ISecret, "version" | "_id">;
+
+export interface BatchSecretRequest {
+    id: string;
+    method: 'POST' | 'PATCH' | 'DELETE';
+    secret: Secret;
+}
+
+export interface BatchSecret {
+    _id: string;
+    type: 'shared' | 'personal',
+    secretKeyCiphertext: string;
+    secretKeyIV: string;
+    secretKeyTag: string;
+    secretValueCiphertext: string;
+    secretValueIV: string;
+    secretValueTag: string;
+    secretCommentCiphertext: string;
+    secretCommentIV: string;
+    secretCommentTag: string;
+    tags: string[];
+}
+
+export interface BatchSecret {
+    _id: string;
+    type: 'shared' | 'personal',
+    secretKeyCiphertext: string;
+    secretKeyIV: string;
+    secretKeyTag: string;
+    secretValueCiphertext: string;
+    secretValueIV: string;
+    secretValueTag: string;
+    secretCommentCiphertext: string;
+    secretCommentIV: string;
+    secretCommentTag: string;
+    tags: string[];
+}
--- a/backend/src/variables/action.ts
+++ b/backend/src/variables/action.ts
@ -1,9 +1,13 @@
+const ACTION_LOGIN = 'login';
+const ACTION_LOGOUT = 'logout';
 const ACTION_ADD_SECRETS = 'addSecrets';
 const ACTION_DELETE_SECRETS = 'deleteSecrets';
 const ACTION_UPDATE_SECRETS = 'updateSecrets';
 const ACTION_READ_SECRETS = 'readSecrets';

 export {
+    ACTION_LOGIN,
+    ACTION_LOGOUT,
    ACTION_ADD_SECRETS,
    ACTION_DELETE_SECRETS,
    ACTION_UPDATE_SECRETS,
--- a/backend/src/variables/index.ts
+++ b/backend/src/variables/index.ts
@ -3,17 +3,22 @@ import {
  ENV_TESTING,
  ENV_STAGING,
  ENV_PROD,
-  ENV_SET
-} from './environment';
+  ENV_SET,
+} from "./environment";
 import {
+  INTEGRATION_AZURE_KEY_VAULT,
+  INTEGRATION_AWS_PARAMETER_STORE,
+  INTEGRATION_AWS_SECRET_MANAGER,
  INTEGRATION_HEROKU,
  INTEGRATION_VERCEL,
  INTEGRATION_NETLIFY,
  INTEGRATION_GITHUB,
  INTEGRATION_RENDER,
  INTEGRATION_FLYIO,
+  INTEGRATION_CIRCLECI,
  INTEGRATION_SET,
  INTEGRATION_OAUTH2,
+  INTEGRATION_AZURE_TOKEN_URL,
  INTEGRATION_HEROKU_TOKEN_URL,
  INTEGRATION_VERCEL_TOKEN_URL,
  INTEGRATION_NETLIFY_TOKEN_URL,
@ -23,25 +28,35 @@ import {
  INTEGRATION_NETLIFY_API_URL,
  INTEGRATION_RENDER_API_URL,
  INTEGRATION_FLYIO_API_URL,
-  INTEGRATION_OPTIONS
-} from './integration';
-import {
-  OWNER,
-  ADMIN,
-  MEMBER,
-  INVITED,
-  ACCEPTED,
-} from './organization';
-import { SECRET_SHARED, SECRET_PERSONAL } from './secret';
-import { EVENT_PUSH_SECRETS, EVENT_PULL_SECRETS } from './event';
+  INTEGRATION_CIRCLECI_API_URL,
+  INTEGRATION_OPTIONS,
+} from "./integration";
+import { OWNER, ADMIN, MEMBER, INVITED, ACCEPTED } from "./organization";
+import { SECRET_SHARED, SECRET_PERSONAL } from "./secret";
+import { EVENT_PUSH_SECRETS, EVENT_PULL_SECRETS } from "./event";
 import {
+  ACTION_LOGIN,
+  ACTION_LOGOUT,
  ACTION_ADD_SECRETS,
  ACTION_UPDATE_SECRETS,
  ACTION_DELETE_SECRETS,
  ACTION_READ_SECRETS
 } from './action';
-import { SMTP_HOST_SENDGRID, SMTP_HOST_MAILGUN } from './smtp';
+import { 
+  SMTP_HOST_SENDGRID, 
+  SMTP_HOST_MAILGUN,
+  SMTP_HOST_SOCKETLABS
+} from './smtp';
 import { PLAN_STARTER, PLAN_PRO } from './stripe';
+import {
+  MFA_METHOD_EMAIL
+} from './user';
+import {
+  TOKEN_EMAIL_CONFIRMATION,
+  TOKEN_EMAIL_MFA,
+  TOKEN_EMAIL_ORG_INVITATION,
+  TOKEN_EMAIL_PASSWORD_RESET
+} from './token';

 export {
  OWNER,
@ -56,14 +71,19 @@ export {
  ENV_STAGING,
  ENV_PROD,
  ENV_SET,
+  INTEGRATION_AZURE_KEY_VAULT,
+  INTEGRATION_AWS_PARAMETER_STORE,
+  INTEGRATION_AWS_SECRET_MANAGER,
  INTEGRATION_HEROKU,
  INTEGRATION_VERCEL,
  INTEGRATION_NETLIFY,
  INTEGRATION_GITHUB,
  INTEGRATION_RENDER,
  INTEGRATION_FLYIO,
+  INTEGRATION_CIRCLECI,
  INTEGRATION_SET,
  INTEGRATION_OAUTH2,
+  INTEGRATION_AZURE_TOKEN_URL,
  INTEGRATION_HEROKU_TOKEN_URL,
  INTEGRATION_VERCEL_TOKEN_URL,
  INTEGRATION_NETLIFY_TOKEN_URL,
@ -73,8 +93,11 @@ export {
  INTEGRATION_NETLIFY_API_URL,
  INTEGRATION_RENDER_API_URL,
  INTEGRATION_FLYIO_API_URL,
+  INTEGRATION_CIRCLECI_API_URL,
  EVENT_PUSH_SECRETS,
  EVENT_PULL_SECRETS,
+  ACTION_LOGIN,
+  ACTION_LOGOUT,
  ACTION_ADD_SECRETS,
  ACTION_UPDATE_SECRETS,
  ACTION_DELETE_SECRETS,
@ -82,6 +105,12 @@ export {
  INTEGRATION_OPTIONS,
  SMTP_HOST_SENDGRID,
  SMTP_HOST_MAILGUN,
+  SMTP_HOST_SOCKETLABS,
  PLAN_STARTER,
  PLAN_PRO,
+  MFA_METHOD_EMAIL,
+  TOKEN_EMAIL_CONFIRMATION,
+  TOKEN_EMAIL_MFA,
+  TOKEN_EMAIL_ORG_INVITATION,
+  TOKEN_EMAIL_PASSWORD_RESET
 };
--- a/backend/src/variables/integration.ts
+++ b/backend/src/variables/integration.ts
@ -1,43 +1,55 @@
 import {
-    CLIENT_ID_HEROKU,
-    CLIENT_ID_NETLIFY,
-    CLIENT_ID_GITHUB,
-    CLIENT_SLUG_VERCEL
+    CLIENT_ID_AZURE,
+    TENANT_ID_AZURE
 } from '../config';
+import {
+  CLIENT_ID_HEROKU,
+  CLIENT_ID_NETLIFY,
+  CLIENT_ID_GITHUB,
+  CLIENT_SLUG_VERCEL,
+} from "../config";

 // integrations
-const INTEGRATION_HEROKU = 'heroku';
-const INTEGRATION_VERCEL = 'vercel';
-const INTEGRATION_NETLIFY = 'netlify';
-const INTEGRATION_GITHUB = 'github';
-const INTEGRATION_RENDER = 'render';
-const INTEGRATION_FLYIO = 'flyio';
+const INTEGRATION_AZURE_KEY_VAULT = 'azure-key-vault';
+const INTEGRATION_AWS_PARAMETER_STORE = 'aws-parameter-store';
+const INTEGRATION_AWS_SECRET_MANAGER = 'aws-secret-manager';
+const INTEGRATION_HEROKU = "heroku";
+const INTEGRATION_VERCEL = "vercel";
+const INTEGRATION_NETLIFY = "netlify";
+const INTEGRATION_GITHUB = "github";
+const INTEGRATION_RENDER = "render";
+const INTEGRATION_FLYIO = "flyio";
+const INTEGRATION_CIRCLECI = "circleci";
 const INTEGRATION_SET = new Set([
-    INTEGRATION_HEROKU,
-    INTEGRATION_VERCEL,
-    INTEGRATION_NETLIFY,
-    INTEGRATION_GITHUB,
-    INTEGRATION_RENDER,
-    INTEGRATION_FLYIO
+    INTEGRATION_AZURE_KEY_VAULT,
+  INTEGRATION_HEROKU,
+  INTEGRATION_VERCEL,
+  INTEGRATION_NETLIFY,
+  INTEGRATION_GITHUB,
+  INTEGRATION_RENDER,
+  INTEGRATION_FLYIO,
+  INTEGRATION_CIRCLECI,
 ]);

 // integration types
-const INTEGRATION_OAUTH2 = 'oauth2';
+const INTEGRATION_OAUTH2 = "oauth2";

 // integration oauth endpoints
+const INTEGRATION_AZURE_TOKEN_URL = `https://login.microsoftonline.com/${TENANT_ID_AZURE}/oauth2/v2.0/token`;
 const INTEGRATION_HEROKU_TOKEN_URL = 'https://id.heroku.com/oauth/token';
 const INTEGRATION_VERCEL_TOKEN_URL =
-    'https://api.vercel.com/v2/oauth/access_token';
-const INTEGRATION_NETLIFY_TOKEN_URL = 'https://api.netlify.com/oauth/token';
+  "https://api.vercel.com/v2/oauth/access_token";
+const INTEGRATION_NETLIFY_TOKEN_URL = "https://api.netlify.com/oauth/token";
 const INTEGRATION_GITHUB_TOKEN_URL =
-    'https://github.com/login/oauth/access_token';
+  "https://github.com/login/oauth/access_token";

 // integration apps endpoints
-const INTEGRATION_HEROKU_API_URL = 'https://api.heroku.com';
-const INTEGRATION_VERCEL_API_URL = 'https://api.vercel.com';
-const INTEGRATION_NETLIFY_API_URL = 'https://api.netlify.com';
-const INTEGRATION_RENDER_API_URL = 'https://api.render.com';
-const INTEGRATION_FLYIO_API_URL = 'https://api.fly.io/graphql';
+const INTEGRATION_HEROKU_API_URL = "https://api.heroku.com";
+const INTEGRATION_VERCEL_API_URL = "https://api.vercel.com";
+const INTEGRATION_NETLIFY_API_URL = "https://api.netlify.com";
+const INTEGRATION_RENDER_API_URL = "https://api.render.com";
+const INTEGRATION_FLYIO_API_URL = "https://api.fly.io/graphql";
+const INTEGRATION_CIRCLECI_API_URL = "https://circleci.com/api";

 const INTEGRATION_OPTIONS = [
    {
@ -95,6 +107,43 @@ const INTEGRATION_OPTIONS = [
        clientId: '',
        docsLink: ''
    },
+    {
+        name: 'AWS Parameter Store',
+        slug: 'aws-parameter-store',
+        image: 'Amazon Web Services.png',
+        isAvailable: true,
+        type: 'custom',
+        clientId: '',
+        docsLink: ''
+    },
+    {
+        name: 'AWS Secret Manager',
+        slug: 'aws-secret-manager',
+        image: 'Amazon Web Services.png',
+        isAvailable: true,
+        type: 'custom',
+        clientId: '',
+        docsLink: ''
+    },
+    {
+        name: 'Circle CI',
+        slug: 'circleci',
+        image: 'Circle CI.png',
+        isAvailable: true,
+        type: 'pat',
+        clientId: '',
+        docsLink: ''
+    },
+    {
+        name: 'Azure Key Vault',
+        slug: 'azure-key-vault',
+        image: 'Microsoft Azure.png',
+        isAvailable: false,
+        type: 'oauth',
+        clientId: CLIENT_ID_AZURE,
+        tenantId: TENANT_ID_AZURE,
+        docsLink: ''
+    },
    {
        name: 'Google Cloud Platform',
        slug: 'gcp',
@ -104,24 +153,6 @@ const INTEGRATION_OPTIONS = [
        clientId: '',
        docsLink: ''
    },
-    {
-        name: 'Amazon Web Services',
-        slug: 'aws',
-        image: 'Amazon Web Services.png',
-        isAvailable: false,
-        type: '',
-        clientId: '',
-        docsLink: ''
-    },
-    {
-        name: 'Microsoft Azure',
-        slug: 'azure',
-        image: 'Microsoft Azure.png',
-        isAvailable: false,
-        type: '',
-        clientId: '',
-        docsLink: ''
-    },
    {
        name: 'Travis CI',
        slug: 'travisci',
@ -130,35 +161,32 @@ const INTEGRATION_OPTIONS = [
        type: '',
        clientId: '',
        docsLink: ''
-    },
-    {
-        name: 'Circle CI',
-        slug: 'circleci',
-        image: 'Circle CI.png',
-        isAvailable: false,
-        type: '',
-        clientId: '',
-        docsLink: ''
    }
 ]

 export {
-    INTEGRATION_HEROKU,
-    INTEGRATION_VERCEL,
-    INTEGRATION_NETLIFY,
-    INTEGRATION_GITHUB,
-    INTEGRATION_RENDER,
-    INTEGRATION_FLYIO,
-    INTEGRATION_SET,
-    INTEGRATION_OAUTH2,
-    INTEGRATION_HEROKU_TOKEN_URL,
-    INTEGRATION_VERCEL_TOKEN_URL,
-    INTEGRATION_NETLIFY_TOKEN_URL,
-    INTEGRATION_GITHUB_TOKEN_URL,
-    INTEGRATION_HEROKU_API_URL,
-    INTEGRATION_VERCEL_API_URL,
-    INTEGRATION_NETLIFY_API_URL,
-    INTEGRATION_RENDER_API_URL,
-    INTEGRATION_FLYIO_API_URL,
-    INTEGRATION_OPTIONS
+    INTEGRATION_AZURE_KEY_VAULT,
+    INTEGRATION_AWS_PARAMETER_STORE,
+    INTEGRATION_AWS_SECRET_MANAGER,
+  INTEGRATION_HEROKU,
+  INTEGRATION_VERCEL,
+  INTEGRATION_NETLIFY,
+  INTEGRATION_GITHUB,
+  INTEGRATION_RENDER,
+  INTEGRATION_FLYIO,
+  INTEGRATION_CIRCLECI,
+  INTEGRATION_SET,
+  INTEGRATION_OAUTH2,
+    INTEGRATION_AZURE_TOKEN_URL,
+  INTEGRATION_HEROKU_TOKEN_URL,
+  INTEGRATION_VERCEL_TOKEN_URL,
+  INTEGRATION_NETLIFY_TOKEN_URL,
+  INTEGRATION_GITHUB_TOKEN_URL,
+  INTEGRATION_HEROKU_API_URL,
+  INTEGRATION_VERCEL_API_URL,
+  INTEGRATION_NETLIFY_API_URL,
+  INTEGRATION_RENDER_API_URL,
+  INTEGRATION_FLYIO_API_URL,
+  INTEGRATION_CIRCLECI_API_URL,
+  INTEGRATION_OPTIONS,
 };
--- a/backend/src/variables/organization.ts
+++ b/backend/src/variables/organization.ts
@ -1,24 +1,16 @@
 // membership roles
-const OWNER = 'owner';
-const ADMIN = 'admin';
-const MEMBER = 'member';
+const OWNER = "owner";
+const ADMIN = "admin";
+const MEMBER = "member";

 // membership statuses
-const INVITED = 'invited';
+const INVITED = "invited";

 // membership permissions ability
-const ABILITY_READ = 'read';
-const ABILITY_WRITE = 'write';
+const ABILITY_READ = "read";
+const ABILITY_WRITE = "write";

 // -- organization
-const ACCEPTED = 'accepted';
+const ACCEPTED = "accepted";

-export {
-    OWNER,
-    ADMIN,
-    MEMBER,
-    INVITED,
-    ACCEPTED,
-    ABILITY_READ,
-    ABILITY_WRITE
-}
+export { OWNER, ADMIN, MEMBER, INVITED, ACCEPTED, ABILITY_READ, ABILITY_WRITE };
--- a/backend/src/variables/smtp.ts
+++ b/backend/src/variables/smtp.ts
@ -1,7 +1,9 @@
 const SMTP_HOST_SENDGRID = 'smtp.sendgrid.net';
 const SMTP_HOST_MAILGUN = 'smtp.mailgun.org';
+const SMTP_HOST_SOCKETLABS = 'smtp.socketlabs.com';

 export {
    SMTP_HOST_SENDGRID,
-    SMTP_HOST_MAILGUN
+    SMTP_HOST_MAILGUN,
+    SMTP_HOST_SOCKETLABS
 }
--- a/backend/src/variables/token.ts
+++ b/backend/src/variables/token.ts
@ -0,0 +1,11 @@
+const TOKEN_EMAIL_CONFIRMATION = 'emailConfirmation';
+const TOKEN_EMAIL_MFA = 'emailMfa';
+const TOKEN_EMAIL_ORG_INVITATION = 'organizationInvitation';
+const TOKEN_EMAIL_PASSWORD_RESET = 'passwordReset';
+
+export {
+    TOKEN_EMAIL_CONFIRMATION,
+    TOKEN_EMAIL_MFA,
+    TOKEN_EMAIL_ORG_INVITATION,
+    TOKEN_EMAIL_PASSWORD_RESET
+}
--- a/backend/src/variables/user.ts
+++ b/backend/src/variables/user.ts
@ -0,0 +1,5 @@
+const MFA_METHOD_EMAIL = 'email';
+
+export {
+    MFA_METHOD_EMAIL
+}
--- a/cli/docker/Dockerfile
+++ b/cli/docker/Dockerfile
@ -0,0 +1,4 @@
+FROM alpine
+RUN apk add --no-cache tini
+COPY infisical /bin/infisical
+ENTRYPOINT ["/sbin/tini", "--", "/bin/infisical"]
--- a/cli/go.mod
+++ b/cli/go.mod
@ -7,8 +7,8 @@ require (
 	github.com/muesli/mango-cobra v1.2.0
 	github.com/muesli/roff v0.1.0
 	github.com/spf13/cobra v1.6.1
-	golang.org/x/crypto v0.3.0
-	golang.org/x/term v0.3.0
+	golang.org/x/crypto v0.6.0
+	golang.org/x/term v0.5.0
 )

 require (
@ -31,8 +31,8 @@ require (
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
 	go.mongodb.org/mongo-driver v1.10.0 // indirect
-	golang.org/x/net v0.2.0 // indirect
-	golang.org/x/sys v0.3.0 // indirect
+	golang.org/x/net v0.6.0 // indirect
+	golang.org/x/sys v0.5.0 // indirect
 )

 require (
--- a/cli/go.sum
+++ b/cli/go.sum
@ -106,10 +106,14 @@ go.mongodb.org/mongo-driver v1.10.0/go.mod h1:wsihk0Kdgv8Kqu1Anit4sfK+22vSFbUrAV
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.3.0 h1:a06MkbcxBrEFc0w0QIZWXrH/9cCX6KJyWbBOIwAn+7A=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
+golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc=
+golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/net v0.0.0-20211029224645-99673261e6eb/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
+golang.org/x/net v0.6.0 h1:L4ZwwTvKW9gr0ZMS1yrHD9GZhIuVjOBBnaKH+SPQK0Q=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@ -123,9 +127,13 @@ golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI=
 golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
+golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
--- a/cli/main.go
+++ b/cli/main.go
@ -1,5 +1,5 @@
 /*
-Copyright © 2022 NAME HERE <EMAIL ADDRESS>
+Copyright (c) 2023 Infisical Inc.
 */
 package main

--- a/cli/packages/api/api.go
+++ b/cli/packages/api/api.go
@ -114,6 +114,7 @@ func CallGetSecretsV2(httpClient *resty.Client, request GetEncryptedSecretsV2Req
 		SetHeader("User-Agent", USER_AGENT).
 		SetQueryParam("environment", request.Environment).
 		SetQueryParam("workspaceId", request.WorkspaceId).
+		SetQueryParam("tagSlugs", request.TagSlugs).
 		Get(fmt.Sprintf("%v/v2/secrets", config.INFISICAL_URL))

 	if err != nil {
@ -127,6 +128,68 @@ func CallGetSecretsV2(httpClient *resty.Client, request GetEncryptedSecretsV2Req
 	return secretsResponse, nil
 }

+func CallLogin1V2(httpClient *resty.Client, request GetLoginOneV2Request) (GetLoginOneV2Response, error) {
+	var loginOneV2Response GetLoginOneV2Response
+	response, err := httpClient.
+		R().
+		SetResult(&loginOneV2Response).
+		SetHeader("User-Agent", USER_AGENT).
+		SetBody(request).
+		Post(fmt.Sprintf("%v/v2/auth/login1", config.INFISICAL_URL))
+
+	if err != nil {
+		return GetLoginOneV2Response{}, fmt.Errorf("CallLogin1V2: Unable to complete api request [err=%s]", err)
+	}
+
+	if response.IsError() {
+		return GetLoginOneV2Response{}, fmt.Errorf("CallLogin1V2: Unsuccessful response: [response=%s]", response)
+	}
+
+	return loginOneV2Response, nil
+}
+
+func CallVerifyMfaToken(httpClient *resty.Client, request VerifyMfaTokenRequest) (*VerifyMfaTokenResponse, *VerifyMfaTokenErrorResponse, error) {
+	var verifyMfaTokenResponse VerifyMfaTokenResponse
+	var responseError VerifyMfaTokenErrorResponse
+	response, err := httpClient.
+		R().
+		SetResult(&verifyMfaTokenResponse).
+		SetHeader("User-Agent", USER_AGENT).
+		SetError(&responseError).
+		SetBody(request).
+		Post(fmt.Sprintf("%v/v2/auth/mfa/verify", config.INFISICAL_URL))
+
+	if err != nil {
+		return nil, nil, fmt.Errorf("CallVerifyMfaToken: Unable to complete api request [err=%s]", err)
+	}
+
+	if response.IsError() {
+		return nil, &responseError, nil
+	}
+
+	return &verifyMfaTokenResponse, nil, nil
+}
+
+func CallLogin2V2(httpClient *resty.Client, request GetLoginTwoV2Request) (GetLoginTwoV2Response, error) {
+	var loginTwoV2Response GetLoginTwoV2Response
+	response, err := httpClient.
+		R().
+		SetResult(&loginTwoV2Response).
+		SetHeader("User-Agent", USER_AGENT).
+		SetBody(request).
+		Post(fmt.Sprintf("%v/v2/auth/login2", config.INFISICAL_URL))
+
+	if err != nil {
+		return GetLoginTwoV2Response{}, fmt.Errorf("CallLogin2V2: Unable to complete api request [err=%s]", err)
+	}
+
+	if response.IsError() {
+		return GetLoginTwoV2Response{}, fmt.Errorf("CallLogin2V2: Unsuccessful response: [response=%s]", response)
+	}
+
+	return loginTwoV2Response, nil
+}
+
 func CallGetAllWorkSpacesUserBelongsTo(httpClient *resty.Client) (GetWorkSpacesResponse, error) {
 	var workSpacesResponse GetWorkSpacesResponse
 	response, err := httpClient.
@ -154,15 +217,33 @@ func CallIsAuthenticated(httpClient *resty.Client) bool {
 		SetHeader("User-Agent", USER_AGENT).
 		Post(fmt.Sprintf("%v/v1/auth/checkAuth", config.INFISICAL_URL))

-	log.Debugln(fmt.Errorf("CallIsAuthenticated: Unsuccessful response:  [response=%v]", response))
-
 	if err != nil {
 		return false
 	}

 	if response.IsError() {
+		log.Debugln(fmt.Errorf("CallIsAuthenticated: Unsuccessful response:  [response=%v]", response))
 		return false
 	}

 	return true
 }
+
+func CallGetAccessibleEnvironments(httpClient *resty.Client, request GetAccessibleEnvironmentsRequest) (GetAccessibleEnvironmentsResponse, error) {
+	var accessibleEnvironmentsResponse GetAccessibleEnvironmentsResponse
+	response, err := httpClient.
+		R().
+		SetResult(&accessibleEnvironmentsResponse).
+		SetHeader("User-Agent", USER_AGENT).
+		Get(fmt.Sprintf("%v/v2/workspace/%s/environments", config.INFISICAL_URL, request.WorkspaceId))
+
+	if err != nil {
+		return GetAccessibleEnvironmentsResponse{}, err
+	}
+
+	if response.IsError() {
+		return GetAccessibleEnvironmentsResponse{}, fmt.Errorf("CallGetAccessibleEnvironments: Unsuccessful response:  [response=%v]", response)
+	}
+
+	return accessibleEnvironmentsResponse, nil
+}
--- a/cli/packages/api/model.go
+++ b/cli/packages/api/model.go
@ -197,25 +197,35 @@ type GetSecretsByWorkspaceIdAndEnvironmentRequest struct {
 type GetEncryptedSecretsV2Request struct {
 	Environment string `json:"environment"`
 	WorkspaceId string `json:"workspaceId"`
+	TagSlugs    string `json:"tagSlugs"`
 }

 type GetEncryptedSecretsV2Response struct {
 	Secrets []struct {
-		ID                    string    `json:"_id"`
-		Version               int       `json:"version"`
-		Workspace             string    `json:"workspace"`
-		Type                  string    `json:"type"`
-		Environment           string    `json:"environment"`
-		SecretKeyCiphertext   string    `json:"secretKeyCiphertext"`
-		SecretKeyIV           string    `json:"secretKeyIV"`
-		SecretKeyTag          string    `json:"secretKeyTag"`
-		SecretValueCiphertext string    `json:"secretValueCiphertext"`
-		SecretValueIV         string    `json:"secretValueIV"`
-		SecretValueTag        string    `json:"secretValueTag"`
-		V                     int       `json:"__v"`
-		CreatedAt             time.Time `json:"createdAt"`
-		UpdatedAt             time.Time `json:"updatedAt"`
-		User                  string    `json:"user,omitempty"`
+		ID                      string    `json:"_id"`
+		Version                 int       `json:"version"`
+		Workspace               string    `json:"workspace"`
+		Type                    string    `json:"type"`
+		Environment             string    `json:"environment"`
+		SecretKeyCiphertext     string    `json:"secretKeyCiphertext"`
+		SecretKeyIV             string    `json:"secretKeyIV"`
+		SecretKeyTag            string    `json:"secretKeyTag"`
+		SecretValueCiphertext   string    `json:"secretValueCiphertext"`
+		SecretValueIV           string    `json:"secretValueIV"`
+		SecretValueTag          string    `json:"secretValueTag"`
+		SecretCommentCiphertext string    `json:"secretCommentCiphertext"`
+		SecretCommentIV         string    `json:"secretCommentIV"`
+		SecretCommentTag        string    `json:"secretCommentTag"`
+		V                       int       `json:"__v"`
+		CreatedAt               time.Time `json:"createdAt"`
+		UpdatedAt               time.Time `json:"updatedAt"`
+		User                    string    `json:"user,omitempty"`
+		Tags                    []struct {
+			ID        string `json:"_id"`
+			Name      string `json:"name"`
+			Slug      string `json:"slug"`
+			Workspace string `json:"workspace"`
+		} `json:"tags"`
 	} `json:"secrets"`
 }

@ -241,3 +251,75 @@ type GetServiceTokenDetailsResponse struct {
 	UpdatedAt    time.Time `json:"updatedAt"`
 	V            int       `json:"__v"`
 }
+
+type GetAccessibleEnvironmentsRequest struct {
+	WorkspaceId string `json:"workspaceId"`
+}
+
+type GetAccessibleEnvironmentsResponse struct {
+	AccessibleEnvironments []struct {
+		Name          string `json:"name"`
+		Slug          string `json:"slug"`
+		IsWriteDenied bool   `json:"isWriteDenied"`
+	} `json:"accessibleEnvironments"`
+}
+
+type GetLoginOneV2Request struct {
+	Email           string `json:"email"`
+	ClientPublicKey string `json:"clientPublicKey"`
+}
+
+type GetLoginOneV2Response struct {
+	ServerPublicKey string `json:"serverPublicKey"`
+	Salt            string `json:"salt"`
+}
+
+type GetLoginTwoV2Request struct {
+	Email       string `json:"email"`
+	ClientProof string `json:"clientProof"`
+}
+
+type GetLoginTwoV2Response struct {
+	MfaEnabled          bool   `json:"mfaEnabled"`
+	EncryptionVersion   int    `json:"encryptionVersion"`
+	Token               string `json:"token"`
+	PublicKey           string `json:"publicKey"`
+	EncryptedPrivateKey string `json:"encryptedPrivateKey"`
+	Iv                  string `json:"iv"`
+	Tag                 string `json:"tag"`
+	ProtectedKey        string `json:"protectedKey"`
+	ProtectedKeyIV      string `json:"protectedKeyIV"`
+	ProtectedKeyTag     string `json:"protectedKeyTag"`
+}
+
+type VerifyMfaTokenRequest struct {
+	Email    string `json:"email"`
+	MFAToken string `json:"mfaToken"`
+}
+
+type VerifyMfaTokenResponse struct {
+	EncryptionVersion   int    `json:"encryptionVersion"`
+	Token               string `json:"token"`
+	PublicKey           string `json:"publicKey"`
+	EncryptedPrivateKey string `json:"encryptedPrivateKey"`
+	Iv                  string `json:"iv"`
+	Tag                 string `json:"tag"`
+	ProtectedKey        string `json:"protectedKey"`
+	ProtectedKeyIV      string `json:"protectedKeyIV"`
+	ProtectedKeyTag     string `json:"protectedKeyTag"`
+}
+
+type VerifyMfaTokenErrorResponse struct {
+	Type    string `json:"type"`
+	Message string `json:"message"`
+	Context struct {
+		Code      string `json:"code"`
+		TriesLeft int    `json:"triesLeft"`
+	} `json:"context"`
+	Level       int           `json:"level"`
+	LevelName   string        `json:"level_name"`
+	StatusCode  int           `json:"status_code"`
+	DatetimeIso time.Time     `json:"datetime_iso"`
+	Application string        `json:"application"`
+	Extra       []interface{} `json:"extra"`
+}
--- a/cli/packages/cmd/export.go
+++ b/cli/packages/cmd/export.go
@ -1,5 +1,5 @@
 /*
-Copyright © 2022 NAME HERE <EMAIL ADDRESS>
+Copyright (c) 2023 Infisical Inc.
 */
 package cmd

@ -36,9 +36,12 @@ var exportCmd = &cobra.Command{
 		// util.RequireLocalWorkspaceFile()
 	},
 	Run: func(cmd *cobra.Command, args []string) {
-		envName, err := cmd.Flags().GetString("env")
-		if err != nil {
-			util.HandleError(err)
+		environmentName, _ := cmd.Flags().GetString("env")
+		if !cmd.Flags().Changed("env") {
+			environmentFromWorkspace := util.GetEnvelopmentBasedOnGitBranch()
+			if environmentFromWorkspace != "" {
+				environmentName = environmentFromWorkspace
+			}
 		}

 		shouldExpandSecrets, err := cmd.Flags().GetBool("expand")
@ -56,7 +59,17 @@ var exportCmd = &cobra.Command{
 			util.HandleError(err, "Unable to parse flag")
 		}

-		secrets, err := util.GetAllEnvironmentVariables(envName)
+		infisicalToken, err := cmd.Flags().GetString("token")
+		if err != nil {
+			util.HandleError(err, "Unable to parse flag")
+		}
+
+		tagSlugs, err := cmd.Flags().GetString("tags")
+		if err != nil {
+			util.HandleError(err, "Unable to parse flag")
+		}
+
+		secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, InfisicalToken: infisicalToken, TagSlugs: tagSlugs})
 		if err != nil {
 			util.HandleError(err, "Unable to fetch secrets")
 		}
@ -91,6 +104,8 @@ func init() {
 	exportCmd.Flags().Bool("expand", true, "Parse shell parameter expansions in your secrets")
 	exportCmd.Flags().StringP("format", "f", "dotenv", "Set the format of the output file (dotenv, json, csv)")
 	exportCmd.Flags().Bool("secret-overriding", true, "Prioritizes personal secrets, if any, with the same name over shared secrets")
+	exportCmd.Flags().String("token", "", "Fetch secrets using the Infisical Token")
+	exportCmd.Flags().StringP("tags", "t", "", "filter secrets by tag slugs")
 }

 // Format according to the format flag
--- a/Show More
+++ b/Show More