Merge pull request #612 from Infisical/migration-script

Add migration script for server key re-encryption
Add encryption key validation to validation script
2025-03-21 13:15:54 +00:00 · 2023-05-30 21:03:14 +03:00 · 2023-05-30 20:46:20 +03:00 · 2023-05-30 20:30:58 +03:00 · 2023-05-30 11:19:15 -04:00 · 2023-05-30 11:14:22 -04:00
715 changed files with 39716 additions and 27476 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1,2 @@
+backend/node_modules
+frontend/node_modules
--- a/.env.example
+++ b/.env.example
@ -1,5 +1,6 @@
 # Keys
 # Required key for platform encryption/decryption ops
+# THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NOT BE USED FOR PRODUCTION
 ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218

 # JWT
@ -30,14 +31,12 @@ MONGO_PASSWORD=example
 # Required
 SITE_URL=http://localhost:8080

-# Mail/SMTP
-SMTP_HOST= 
-SMTP_USERNAME= 
-SMTP_PASSWORD= 
-SMTP_PORT=587
-SMTP_SECURE=false
-SMTP_FROM_ADDRESS= 
-SMTP_FROM_NAME=Infisical
+# Mail/SMTP 
+SMTP_HOST=
+SMTP_PORT=
+SMTP_NAME=
+SMTP_USERNAME=
+SMTP_PASSWORD=

 # Integration
 # Optional only if integration is used
--- a/.github/resources/docker-compose.be-test.yml
+++ b/.github/resources/docker-compose.be-test.yml
@ -13,6 +13,7 @@ services:
      - MONGO_URL=mongodb://test:example@mongo:27017/?authSource=admin
      - MONGO_USERNAME=test
      - MONGO_PASSWORD=example
+      - ENCRYPTION_KEY=a984ecdf82ec779e55dbcc21303a900f
    networks:
      - infisical-test

--- a/.github/workflows/check-be-pull-request.yml
+++ b/.github/workflows/check-be-pull-request.yml
@ -13,6 +13,7 @@ jobs:
  check-be-pr:
    name: Check
    runs-on: ubuntu-latest
+    timeout-minutes: 15

    steps:
      - name: ☁️ Checkout source
@ -26,17 +27,17 @@ jobs:
      - name: 📦 Install dependencies
        run: npm ci --only-production
        working-directory: backend
-      - name: 🧪 Run tests
-        run: npm run test:ci
-        working-directory: backend
-      - name: 📁 Upload test results
-        uses: actions/upload-artifact@v3
-        if: always()
-        with:
-          name: be-test-results
-          path: |
-            ./backend/reports
-            ./backend/coverage
+      # - name: 🧪 Run tests
+      #   run: npm run test:ci
+      #   working-directory: backend
+      # - name: 📁 Upload test results
+      #   uses: actions/upload-artifact@v3
+      #   if: always()
+      #   with:
+      #     name: be-test-results
+      #     path: |
+      #       ./backend/reports
+      #       ./backend/coverage
      - name: 🏗️ Run build
        run: npm run build
        working-directory: backend
--- a/.github/workflows/check-fe-pull-request.yml
+++ b/.github/workflows/check-fe-pull-request.yml
@ -2,40 +2,35 @@ name: Check Frontend Pull Request

 on:
  pull_request:
-    types: [ opened, synchronize ]
+    types: [opened, synchronize]
    paths:
-      - 'frontend/**'
-      - '!frontend/README.md'
-      - '!frontend/.*'
-      - 'frontend/.eslintrc.js'
-
+      - "frontend/**"
+      - "!frontend/README.md"
+      - "!frontend/.*"
+      - "frontend/.eslintrc.js"

 jobs:
-
  check-fe-pr:
    name: Check
    runs-on: ubuntu-latest
+    timeout-minutes: 15

    steps:
-      -
-        name: ☁️ Checkout source
+      - name: ☁️ Checkout source
        uses: actions/checkout@v3
-      -
-        name: 🔧 Setup Node 16
+      - name: 🔧 Setup Node 16
        uses: actions/setup-node@v3
        with:
-          node-version: '16'
-          cache: 'npm'
+          node-version: "16"
+          cache: "npm"
          cache-dependency-path: frontend/package-lock.json
-      -
-        name: 📦 Install dependencies
+      - name: 📦 Install dependencies
        run: npm ci --only-production --ignore-scripts
        working-directory: frontend
      # -
      #   name: 🧪 Run tests
      #   run: npm run test:ci
      #   working-directory: frontend
-      -
-        name: 🏗️ Run build
+      - name: 🏗️ Run build
        run: npm run build
        working-directory: frontend
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@ -1,12 +1,17 @@
 name: Build, Publish and Deploy to Gamma
-on: [workflow_dispatch]
+on:
+  push:
+    tags:
+      - "infisical/v*.*.*"

 jobs:
  backend-image:
    name: Build backend image
    runs-on: ubuntu-latest
-
    steps:
+      - name: Extract version from tag
+        id: extract_version
+        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
      - name: 📦 Install dependencies to test all dependencies
@ -51,15 +56,19 @@ jobs:
          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
          push: true
          context: backend
-          tags: infisical/backend:${{ steps.commit.outputs.short }},
+          tags: |
+            infisical/backend:${{ steps.commit.outputs.short }}
            infisical/backend:latest
+            infisical/backend:${{ steps.extract_version.outputs.version }}
          platforms: linux/amd64,linux/arm64

  frontend-image:
    name: Build frontend image
    runs-on: ubuntu-latest
-
    steps:
+      - name: Extract version from tag
+        id: extract_version
+        run: echo "::set-output name=version::${GITHUB_REF_NAME#infisical/}"
      - name: ☁️ Checkout source
        uses: actions/checkout@v3
      - name: Save commit hashes for tag
@ -100,8 +109,10 @@ jobs:
          push: true
          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
          context: frontend
-          tags: infisical/frontend:${{ steps.commit.outputs.short }},
+          tags: |
+            infisical/frontend:${{ steps.commit.outputs.short }}
            infisical/frontend:latest
+            infisical/frontend:${{ steps.extract_version.outputs.version }}
          platforms: linux/amd64,linux/arm64
          build-args: |
            POSTHOG_API_KEY=${{ secrets.PUBLIC_POSTHOG_API_KEY }}
--- a/.github/workflows/release-standalone-docker-img.yml
+++ b/.github/workflows/release-standalone-docker-img.yml
@ -0,0 +1,68 @@
+name: Release standalone docker image
+on: [workflow_dispatch]
+
+jobs:
+  infisical-standalone:
+    name: Build infisical standalone image
+    runs-on: ubuntu-latest
+    steps:
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: 📦 Install dependencies to test all dependencies
+        run: npm ci --only-production
+        working-directory: backend
+      - uses: paulhatch/semantic-version@v5.0.2
+        id: version
+        with:
+          # The prefix to use to identify tags
+          tag_prefix: "infisical-standalone/v"
+          # A string which, if present in a git commit, indicates that a change represents a
+          # major (breaking) change, supports regular expressions wrapped with '/'
+          major_pattern: "(MAJOR)"
+          # Same as above except indicating a minor change, supports regular expressions wrapped with '/'
+          minor_pattern: "(MINOR)"
+          # A string to determine the format of the version output
+          version_format: "${major}.${minor}.${patch}-prerelease${increment}"
+          # Optional path to check for changes. If any changes are detected in the path the
+          # 'changed' output will true. Enter multiple paths separated by spaces.
+          change_path: "backend,frontend"
+          # Prevents pre-v1.0.0 version from automatically incrementing the major version.
+          # If enabled, when the major version is 0, major releases will be treated as minor and minor as patch. Note that the version_type output is unchanged.
+          enable_prerelease_mode: true
+      # - name: 🧪 Run tests
+      #   run: npm run test:ci
+      #   working-directory: backend
+      - name: version output
+        run: |
+          echo "Output Value: ${{ steps.version.outputs.major }}"
+          echo "Output Value: ${{ steps.version.outputs.minor }}"
+          echo "Output Value: ${{ steps.version.outputs.patch }}"
+          echo "Output Value: ${{ steps.version.outputs.version }}"
+          echo "Output Value: ${{ steps.version.outputs.version_type }}"
+          echo "Output Value: ${{ steps.version.outputs.increment }}"
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+      - name: 📦 Build backend and export to Docker
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          push: true
+          context: .
+          tags: |
+            infisical/infisical:latest
+            infisical/infisical:${{ steps.commit.outputs.short }}
+          platforms: linux/amd64,linux/arm64
+          file: Dockerfile.standalone-infisical
--- a/.github/workflows/release_build.yml
+++ b/.github/workflows/release_build.yml
@ -4,7 +4,7 @@ on:
  push:
    # run only against tags
    tags:
-      - "v*"
+      - "infisical-cli/v*.*.*"

 permissions:
  contents: write
@ -41,13 +41,15 @@ jobs:
          git clone https://github.com/plentico/osxcross-target.git ../../osxcross/target
      - uses: goreleaser/goreleaser-action@v4
        with:
-          distribution: goreleaser
+          distribution: goreleaser-pro
          version: latest
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
+          POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
          FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
          AUR_KEY: ${{ secrets.AUR_KEY }}
+          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
      - uses: actions/setup-python@v4
      - run: pip install --upgrade cloudsmith-cli
      - name: Publish to CloudSmith
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@ -11,10 +11,16 @@ before:
    - ./cli/scripts/completions.sh
    - ./cli/scripts/manpages.sh

+monorepo:
+  tag_prefix: infisical-cli/
+  dir: cli
+
 builds:
  - id: darwin-build
    binary: infisical
-    ldflags: -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+    ldflags:
+      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
    flags:
      - -trimpath
    env:
@ -32,7 +38,9 @@ builds:
    env:
      - CGO_ENABLED=0
    binary: infisical
-    ldflags: -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+    ldflags:
+      - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
+      - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
    flags:
      - -trimpath
    goos:
@ -61,10 +69,10 @@ archives:
      - goos: windows
        format: zip
    files:
-      - README*
-      - LICENSE*
-      - manpages/*
-      - completions/*
+      - ../README*
+      - ../LICENSE*
+      - ../manpages/*
+      - ../completions/*

 release:
  replace_existing_draft: true
@ -74,14 +82,7 @@ checksum:
  name_template: "checksums.txt"

 snapshot:
-  name_template: "{{ incpatch .Version }}-devel"
-
-changelog:
-  sort: asc
-  filters:
-    exclude:
-      - "^docs:"
-      - "^test:"
+  name_template: "{{ .Version }}-devel"

 # publishers:
 #   - name: fury.io
@ -164,7 +165,7 @@ aurs:
      mkdir -p "${pkgdir}/usr/share/zsh/site-functions/"
      mkdir -p "${pkgdir}/usr/share/fish/vendor_completions.d/"
      install -Dm644 "./completions/infisical.bash" "${pkgdir}/usr/share/bash-completion/completions/infisical"
-      install -Dm644 "./completions/infisical.zsh" "${pkgdir}/usr/share/zsh/site-functions/infisical"
+      install -Dm644 "./completions/infisical.zsh" "${pkgdir}/usr/share/zsh/site-functions/_infisical"
      install -Dm644 "./completions/infisical.fish" "${pkgdir}/usr/share/fish/vendor_completions.d/infisical.fish"
      # man pages
      install -Dm644 "./manpages/infisical.1.gz" "${pkgdir}/usr/share/man/man1/infisical.1.gz"
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@ -3,3 +3,5 @@
 . "$(dirname -- "$0")/_/husky.sh"

 npx lint-staged
+
+infisical scan git-changes --staged -v
--- a/.infisicalignore
+++ b/.infisicalignore
@ -0,0 +1 @@
+.github/resources/docker-compose.be-test.yml:generic-api-key:16
--- a/Dockerfile.standalone-infisical
+++ b/Dockerfile.standalone-infisical
@ -0,0 +1,102 @@
+ARG POSTHOG_HOST=https://app.posthog.com
+ARG POSTHOG_API_KEY=posthog-api-key
+
+FROM node:16-alpine AS frontend-dependencies
+
+WORKDIR /app
+
+COPY frontend/package.json frontend/package-lock.json frontend/next.config.js ./
+
+# Install dependencies
+RUN npm ci --only-production --ignore-scripts
+
+# Rebuild the source code only when needed
+FROM node:16-alpine AS frontend-builder
+WORKDIR /app
+
+# Copy dependencies
+COPY --from=frontend-dependencies /app/node_modules ./node_modules
+# Copy all files 
+COPY /frontend .
+
+ENV NODE_ENV production
+ENV NEXT_PUBLIC_ENV production
+ARG POSTHOG_HOST
+ENV NEXT_PUBLIC_POSTHOG_HOST $POSTHOG_HOST
+ARG POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY $POSTHOG_API_KEY
+
+# Build
+RUN npm run build
+
+# Production image
+FROM node:16-alpine AS frontend-runner
+WORKDIR /app
+
+RUN addgroup --system --gid 1001 nodejs
+RUN adduser --system --uid 1001 nextjs
+
+RUN mkdir -p /app/.next/cache/images && chown nextjs:nodejs /app/.next/cache/images
+VOLUME /app/.next/cache/images
+
+ARG POSTHOG_API_KEY
+ENV NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY \
+  BAKED_NEXT_PUBLIC_POSTHOG_API_KEY=$POSTHOG_API_KEY
+
+COPY --chown=nextjs:nodejs --chmod=555 frontend/scripts ./scripts
+COPY --from=frontend-builder /app/public ./public
+RUN chown nextjs:nodejs ./public/data
+COPY --from=frontend-builder --chown=nextjs:nodejs /app/.next/standalone ./
+COPY --from=frontend-builder --chown=nextjs:nodejs /app/.next/static ./.next/static
+
+USER nextjs
+
+ENV NEXT_TELEMETRY_DISABLED 1
+
+##
+## BACKEND
+##
+FROM node:16-alpine AS backend-build
+
+WORKDIR /app
+
+COPY backend/package*.json ./
+RUN npm ci --only-production
+
+COPY /backend .
+RUN npm run build
+
+# Production stage
+FROM node:16-alpine AS backend-runner
+
+WORKDIR /app
+
+COPY backend/package*.json ./
+RUN npm ci --only-production
+
+COPY --from=backend-build /app .
+
+# Production stage
+FROM node:16-alpine AS production
+
+WORKDIR / 
+
+# Install PM2
+RUN npm install -g pm2
+# Copy ecosystem.config.js
+COPY ecosystem.config.js .
+
+RUN apk add --no-cache nginx
+
+COPY nginx/default-stand-alone-docker.conf /etc/nginx/nginx.conf
+
+COPY --from=backend-runner /app /backend
+
+COPY --from=frontend-runner /app/ /app/
+
+EXPOSE 80
+ENV HTTPS_ENABLED false 
+
+CMD ["pm2-runtime", "start", "ecosystem.config.js"]
+
+
--- a/README.md
+++ b/README.md
--- a/SECURITY.md
+++ b/SECURITY.md
@ -1,9 +1,13 @@
 # Security Policy

-## Supported Versions
+## Supported versions

 We always recommend using the latest version of Infisical to ensure you get all security updates.

-## Reporting a Vulnerability
+## Reporting vulnerabilities

-Please report security vulnerabilities or concerns to team@infisical.com.
+Please do not file GitHub issues or post on our public forum for security vulnerabilities, as they are public!
+
+Infisical takes security issues very seriously. If you have any concerns about Infisical or believe you have uncovered a vulnerability, please get in touch via the e-mail address security@infisical.com. In the message, try to provide a description of the issue and ideally a way of reproducing it. The security team will get back to you as soon as possible.
+
+Note that this security address should be used only for undisclosed vulnerabilities. Please report any security problems to us before disclosing it publicly.
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
--- a/backend/package.json
+++ b/backend/package.json
@ -1,36 +1,38 @@
 {
  "dependencies": {
-    "@aws-sdk/client-secrets-manager": "^3.303.0",
-    "@godaddy/terminus": "^4.11.2",
+    "@aws-sdk/client-secrets-manager": "^3.319.0",
+    "@godaddy/terminus": "^4.12.0",
    "@octokit/rest": "^19.0.5",
-    "@sentry/node": "^7.45.0",
-    "@sentry/tracing": "^7.46.0",
-    "@sentry/node": "^7.41.0",
+    "@sentry/node": "^7.49.0",
+    "@sentry/tracing": "^7.48.0",
    "@types/crypto-js": "^4.1.1",
    "@types/libsodium-wrappers": "^0.7.10",
+    "argon2": "^0.30.3",
    "await-to-js": "^3.0.0",
-    "aws-sdk": "^2.1338.0",
-    "axios": "^1.1.3",
+    "aws-sdk": "^2.1364.0",
+    "axios": "^1.3.5",
    "axios-retry": "^3.4.0",
    "bcrypt": "^5.1.0",
-    "bigint-conversion": "^2.2.2",
+    "bigint-conversion": "^2.4.0",
    "builder-pattern": "^2.2.0",
    "cookie-parser": "^1.4.6",
    "cors": "^2.8.5",
    "crypto-js": "^4.1.1",
    "dotenv": "^16.0.1",
    "express": "^4.18.1",
+    "express-async-errors": "^3.1.1",
    "express-rate-limit": "^6.7.0",
    "express-validator": "^6.14.2",
    "handlebars": "^4.7.7",
    "helmet": "^5.1.1",
-    "infisical-node": "^1.0.37",
+    "infisical-node": "^1.2.1",
    "js-yaml": "^4.1.0",
    "jsonwebtoken": "^9.0.0",
    "jsrp": "^0.2.4",
    "libsodium-wrappers": "^0.7.10",
    "lodash": "^4.17.21",
-    "mongoose": "^6.10.4",
+    "mongoose": "^6.10.5",
+    "node-cache": "^5.1.2",
    "nodemailer": "^6.8.0",
    "posthog-node": "^2.6.0",
    "query-string": "^7.1.3",
--- a/backend/spec.json
+++ b/backend/spec.json
@ -1532,7 +1532,15 @@
    "/api/v1/invite-org/signup": {
      "post": {
        "description": "",
-        "parameters": [],
+        "parameters": [
+          {
+            "name": "host",
+            "in": "header",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
        "responses": {
          "200": {
            "description": "OK"
@ -2071,6 +2079,15 @@
                  "targetEnvironment": {
                    "example": "any"
                  },
+                  "targetEnvironmentId": {
+                    "example": "any"
+                  },
+                  "targetService": {
+                    "example": "any"
+                  },
+                  "targetServiceId": {
+                    "example": "any"
+                  },
                  "owner": {
                    "example": "any"
                  },
@ -2297,6 +2314,13 @@
            "schema": {
              "type": "string"
            }
+          },
+          {
+            "name": "teamId",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
          }
        ],
        "responses": {
@ -2309,6 +2333,107 @@
        }
      }
    },
+    "/api/v1/integration-auth/{integrationAuthId}/teams": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "integrationAuthId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v1/integration-auth/{integrationAuthId}/vercel/branches": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "integrationAuthId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "appId",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v1/integration-auth/{integrationAuthId}/railway/environments": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "integrationAuthId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "appId",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v1/integration-auth/{integrationAuthId}/railway/services": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "integrationAuthId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "appId",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
    "/api/v2/signup/complete-account/signup": {
      "post": {
        "description": "",
@ -2870,9 +2995,6 @@
                }
              }
            }
-          },
-          "400": {
-            "description": "Bad Request"
          }
        },
        "security": [
@ -2882,6 +3004,26 @@
        ]
      }
    },
+    "/api/v2/organizations/{organizationId}/service-accounts": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "organizationId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
    "/api/v2/workspace/{workspaceId}/environments": {
      "post": {
        "description": "",
@ -4018,9 +4160,6 @@
        "responses": {
          "200": {
            "description": "OK"
-          },
-          "400": {
-            "description": "Bad Request"
          }
        },
        "requestBody": {
@ -4073,6 +4212,138 @@
            }
          }
        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v2/service-accounts/me": {
+      "get": {
+        "description": "",
+        "parameters": [],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v2/service-accounts/{serviceAccountId}": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "serviceAccountId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      },
+      "delete": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "serviceAccountId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v2/service-accounts/": {
+      "post": {
+        "description": "",
+        "parameters": [],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v2/service-accounts/{serviceAccountId}/name": {
+      "patch": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "serviceAccountId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        },
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "name": {
+                    "example": "any"
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    },
+    "/api/v2/service-accounts/{serviceAccountId}/permissions/workspace": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "serviceAccountId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      },
+      "post": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "serviceAccountId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
        "responses": {
          "200": {
            "description": "OK"
@ -4080,6 +4351,90 @@
          "400": {
            "description": "Bad Request"
          }
+        },
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "environment": {
+                    "example": "any"
+                  },
+                  "workspaceId": {
+                    "example": "any"
+                  },
+                  "read": {
+                    "example": "any"
+                  },
+                  "write": {
+                    "example": "any"
+                  },
+                  "encryptedKey": {
+                    "example": "any"
+                  },
+                  "nonce": {
+                    "example": "any"
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    },
+    "/api/v2/service-accounts/{serviceAccountId}/permissions/workspace/{serviceAccountWorkspacePermissionId}": {
+      "delete": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "serviceAccountId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "serviceAccountWorkspacePermissionId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v2/service-accounts/{serviceAccountId}/keys": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "serviceAccountId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "workspaceId",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
        }
      }
    },
@ -4149,6 +4504,297 @@
        }
      }
    },
+    "/api/v3/secrets/": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "workspaceId",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "environment",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v3/secrets/{secretName}": {
+      "post": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "secretName",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        },
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "workspaceId": {
+                    "example": "any"
+                  },
+                  "environment": {
+                    "example": "any"
+                  },
+                  "type": {
+                    "example": "any"
+                  },
+                  "secretKeyCiphertext": {
+                    "example": "any"
+                  },
+                  "secretKeyIV": {
+                    "example": "any"
+                  },
+                  "secretKeyTag": {
+                    "example": "any"
+                  },
+                  "secretValueCiphertext": {
+                    "example": "any"
+                  },
+                  "secretValueIV": {
+                    "example": "any"
+                  },
+                  "secretValueTag": {
+                    "example": "any"
+                  },
+                  "secretCommentCiphertext": {
+                    "example": "any"
+                  },
+                  "secretCommentIV": {
+                    "example": "any"
+                  },
+                  "secretCommentTag": {
+                    "example": "any"
+                  }
+                }
+              }
+            }
+          }
+        }
+      },
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "secretName",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "workspaceId",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "environment",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "type",
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      },
+      "patch": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "secretName",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        },
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "workspaceId": {
+                    "example": "any"
+                  },
+                  "environment": {
+                    "example": "any"
+                  },
+                  "type": {
+                    "example": "any"
+                  },
+                  "secretValueCiphertext": {
+                    "example": "any"
+                  },
+                  "secretValueIV": {
+                    "example": "any"
+                  },
+                  "secretValueTag": {
+                    "example": "any"
+                  }
+                }
+              }
+            }
+          }
+        }
+      },
+      "delete": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "secretName",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        },
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "workspaceId": {
+                    "example": "any"
+                  },
+                  "environment": {
+                    "example": "any"
+                  },
+                  "type": {
+                    "example": "any"
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    },
+    "/api/v3/workspaces/{workspaceId}/secrets/blind-index-status": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "workspaceId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v3/workspaces/{workspaceId}/secrets": {
+      "get": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "workspaceId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        }
+      }
+    },
+    "/api/v3/workspaces/{workspaceId}/secrets/names": {
+      "post": {
+        "description": "",
+        "parameters": [
+          {
+            "name": "workspaceId",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK"
+          }
+        },
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "secretsToUpdate": {
+                    "example": "any"
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    },
    "/api/status": {
      "get": {
        "description": "",
--- a/backend/src/config/index.ts
+++ b/backend/src/config/index.ts
@ -1,64 +1,89 @@
-import infisical from 'infisical-node';
-export const getPort = () => infisical.get('PORT')! || 4000;
-export const getInviteOnlySignup = () => infisical.get('INVITE_ONLY_SIGNUP')! == undefined ? false : infisical.get('INVITE_ONLY_SIGNUP');
-export const getEncryptionKey = () => infisical.get('ENCRYPTION_KEY')!;
-export const getSaltRounds = () => parseInt(infisical.get('SALT_ROUNDS')!) || 10;
-export const getJwtAuthLifetime = () => infisical.get('JWT_AUTH_LIFETIME')! || '10d';
-export const getJwtAuthSecret = () => infisical.get('JWT_AUTH_SECRET')!;
-export const getJwtMfaLifetime = () => infisical.get('JWT_MFA_LIFETIME')! || '5m';
-export const getJwtMfaSecret = () => infisical.get('JWT_MFA_LIFETIME')! || '5m';
-export const getJwtRefreshLifetime = () => infisical.get('JWT_REFRESH_LIFETIME')! || '90d';
-export const getJwtRefreshSecret = () => infisical.get('JWT_REFRESH_SECRET')!;
-export const getJwtServiceSecret = () => infisical.get('JWT_SERVICE_SECRET')!;
-export const getJwtSignupLifetime = () => infisical.get('JWT_SIGNUP_LIFETIME')! || '15m';
-export const getJwtSignupSecret = () => infisical.get('JWT_SIGNUP_SECRET')!;
-export const getMongoURL = () => infisical.get('MONGO_URL')!;
-export const getNodeEnv = () => infisical.get('NODE_ENV')! || 'production';
-export const getVerboseErrorOutput = () => infisical.get('VERBOSE_ERROR_OUTPUT')! === 'true' && true;
-export const getLokiHost = () => infisical.get('LOKI_HOST')!;
-export const getClientIdAzure = () => infisical.get('CLIENT_ID_AZURE')!;
-export const getClientIdHeroku = () => infisical.get('CLIENT_ID_HEROKU')!;
-export const getClientIdVercel = () => infisical.get('CLIENT_ID_VERCEL')!;
-export const getClientIdNetlify = () => infisical.get('CLIENT_ID_NETLIFY')!;
-export const getClientIdGitHub = () => infisical.get('CLIENT_ID_GITHUB')!;
-export const getClientIdGitLab = () => infisical.get('CLIENT_ID_GITLAB')!;
-export const getClientSecretAzure = () => infisical.get('CLIENT_SECRET_AZURE')!;
-export const getClientSecretHeroku = () => infisical.get('CLIENT_SECRET_HEROKU')!;
-export const getClientSecretVercel = () => infisical.get('CLIENT_SECRET_VERCEL')!;
-export const getClientSecretNetlify = () => infisical.get('CLIENT_SECRET_NETLIFY')!;
-export const getClientSecretGitHub = () => infisical.get('CLIENT_SECRET_GITHUB')!;
-export const getClientSecretGitLab = () => infisical.get('CLIENT_SECRET_GITLAB')!;
-export const getClientSlugVercel = () => infisical.get('CLIENT_SLUG_VERCEL')!;
-export const getPostHogHost = () => infisical.get('POSTHOG_HOST')! || 'https://app.posthog.com';
-export const getPostHogProjectApiKey = () => infisical.get('POSTHOG_PROJECT_API_KEY')! || 'phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE';
-export const getSentryDSN = () => infisical.get('SENTRY_DSN')!;
-export const getSiteURL = () => infisical.get('SITE_URL')!;
-export const getSmtpHost = () => infisical.get('SMTP_HOST')!;
-export const getSmtpSecure = () => infisical.get('SMTP_SECURE')! === 'true' || false;
-export const getSmtpPort = () => parseInt(infisical.get('SMTP_PORT')!) || 587;
-export const getSmtpUsername = () => infisical.get('SMTP_USERNAME')!;
-export const getSmtpPassword = () => infisical.get('SMTP_PASSWORD')!;
-export const getSmtpFromAddress = () => infisical.get('SMTP_FROM_ADDRESS')!;
-export const getSmtpFromName = () => infisical.get('SMTP_FROM_NAME')! || 'Infisical';
-export const getStripeProductStarter = () => infisical.get('STRIPE_PRODUCT_STARTER')!;
-export const getStripeProductPro = () => infisical.get('STRIPE_PRODUCT_PRO')!;
-export const getStripeProductTeam = () => infisical.get('STRIPE_PRODUCT_TEAM')!;
-export const getStripePublishableKey = () => infisical.get('STRIPE_PUBLISHABLE_KEY')!;
-export const getStripeSecretKey = () => infisical.get('STRIPE_SECRET_KEY')!;
-export const getStripeWebhookSecret = () => infisical.get('STRIPE_WEBHOOK_SECRET')!;
-export const getTelemetryEnabled = () => infisical.get('TELEMETRY_ENABLED')! !== 'false' && true;
-export const getLoopsApiKey = () => infisical.get('LOOPS_API_KEY')!;
-export const getSmtpConfigured = () => infisical.get('SMTP_HOST') == '' || infisical.get('SMTP_HOST') == undefined ? false : true
-export const getHttpsEnabled = () => {
-  if (getNodeEnv() != "production") {
+import InfisicalClient from 'infisical-node';
+
+export const client = new InfisicalClient({
+  token: process.env.INFISICAL_TOKEN!
+});
+
+export const getPort = async () => (await client.getSecret('PORT')).secretValue || 4000;
+export const getEncryptionKey = async () => {
+  const secretValue = (await client.getSecret('ENCRYPTION_KEY')).secretValue;
+  return secretValue === '' ? undefined : secretValue;
+}
+export const getRootEncryptionKey = async () => {
+  const secretValue = (await client.getSecret('ROOT_ENCRYPTION_KEY')).secretValue; 
+  return secretValue === '' ? undefined : secretValue;
+}
+export const getInviteOnlySignup = async () => (await client.getSecret('INVITE_ONLY_SIGNUP')).secretValue === 'true'
+export const getSaltRounds = async () => parseInt((await client.getSecret('SALT_ROUNDS')).secretValue) || 10;
+export const getJwtAuthLifetime = async () => (await client.getSecret('JWT_AUTH_LIFETIME')).secretValue || '10d';
+export const getJwtAuthSecret = async () => (await client.getSecret('JWT_AUTH_SECRET')).secretValue;
+export const getJwtMfaLifetime = async () => (await client.getSecret('JWT_MFA_LIFETIME')).secretValue || '5m';
+export const getJwtMfaSecret = async () => (await client.getSecret('JWT_MFA_LIFETIME')).secretValue || '5m';
+export const getJwtRefreshLifetime = async () => (await client.getSecret('JWT_REFRESH_LIFETIME')).secretValue || '90d';
+export const getJwtRefreshSecret = async () => (await client.getSecret('JWT_REFRESH_SECRET')).secretValue;
+export const getJwtServiceSecret = async () => (await client.getSecret('JWT_SERVICE_SECRET')).secretValue;
+export const getJwtSignupLifetime = async () => (await client.getSecret('JWT_SIGNUP_LIFETIME')).secretValue || '15m';
+export const getJwtSignupSecret = async () => (await client.getSecret('JWT_SIGNUP_SECRET')).secretValue;
+export const getMongoURL = async () => (await client.getSecret('MONGO_URL')).secretValue;
+export const getNodeEnv = async () => (await client.getSecret('NODE_ENV')).secretValue || 'production';
+export const getVerboseErrorOutput = async () => (await client.getSecret('VERBOSE_ERROR_OUTPUT')).secretValue === 'true' && true;
+export const getLokiHost = async () => (await client.getSecret('LOKI_HOST')).secretValue;
+export const getClientIdAzure = async () => (await client.getSecret('CLIENT_ID_AZURE')).secretValue;
+export const getClientIdHeroku = async () => (await client.getSecret('CLIENT_ID_HEROKU')).secretValue;
+export const getClientIdVercel = async () => (await client.getSecret('CLIENT_ID_VERCEL')).secretValue;
+export const getClientIdNetlify = async () => (await client.getSecret('CLIENT_ID_NETLIFY')).secretValue;
+export const getClientIdGitHub = async () => (await client.getSecret('CLIENT_ID_GITHUB')).secretValue;
+export const getClientIdGitLab = async () => (await client.getSecret('CLIENT_ID_GITLAB')).secretValue;
+export const getClientSecretAzure = async () => (await client.getSecret('CLIENT_SECRET_AZURE')).secretValue;
+export const getClientSecretHeroku = async () => (await client.getSecret('CLIENT_SECRET_HEROKU')).secretValue;
+export const getClientSecretVercel = async () => (await client.getSecret('CLIENT_SECRET_VERCEL')).secretValue;
+export const getClientSecretNetlify = async () => (await client.getSecret('CLIENT_SECRET_NETLIFY')).secretValue;
+export const getClientSecretGitHub = async () => (await client.getSecret('CLIENT_SECRET_GITHUB')).secretValue;
+export const getClientSecretGitLab = async () => (await client.getSecret('CLIENT_SECRET_GITLAB')).secretValue;
+export const getClientSlugVercel = async () => (await client.getSecret('CLIENT_SLUG_VERCEL')).secretValue;
+export const getPostHogHost = async () => (await client.getSecret('POSTHOG_HOST')).secretValue || 'https://app.posthog.com';
+export const getPostHogProjectApiKey = async () => (await client.getSecret('POSTHOG_PROJECT_API_KEY')).secretValue || 'phc_nSin8j5q2zdhpFDI1ETmFNUIuTG4DwKVyIigrY10XiE';
+export const getSentryDSN = async () => (await client.getSecret('SENTRY_DSN')).secretValue;
+export const getSiteURL = async () => (await client.getSecret('SITE_URL')).secretValue;
+export const getSmtpHost = async () => (await client.getSecret('SMTP_HOST')).secretValue;
+export const getSmtpSecure = async () => (await client.getSecret('SMTP_SECURE')).secretValue === 'true' || false;
+export const getSmtpPort = async () => parseInt((await client.getSecret('SMTP_PORT')).secretValue) || 587;
+export const getSmtpUsername = async () => (await client.getSecret('SMTP_USERNAME')).secretValue;
+export const getSmtpPassword = async () => (await client.getSecret('SMTP_PASSWORD')).secretValue;
+export const getSmtpFromAddress = async () => (await client.getSecret('SMTP_FROM_ADDRESS')).secretValue;
+export const getSmtpFromName = async () => (await client.getSecret('SMTP_FROM_NAME')).secretValue || 'Infisical';
+
+export const getLicenseKey = async () => {
+  const secretValue = (await client.getSecret('LICENSE_KEY')).secretValue;
+  return secretValue === '' ? undefined : secretValue;
+}
+export const getLicenseServerKey = async () => {
+  const secretValue = (await client.getSecret('LICENSE_SERVER_KEY')).secretValue;
+  return secretValue === '' ? undefined : secretValue;
+}
+export const getLicenseServerUrl = async () => (await client.getSecret('LICENSE_SERVER_URL')).secretValue || 'https://portal.infisical.com';
+
+// TODO: deprecate from here
+export const getStripeProductStarter = async () => (await client.getSecret('STRIPE_PRODUCT_STARTER')).secretValue;
+export const getStripeProductPro = async () => (await client.getSecret('STRIPE_PRODUCT_PRO')).secretValue;
+export const getStripeProductTeam = async () => (await client.getSecret('STRIPE_PRODUCT_TEAM')).secretValue;
+export const getStripePublishableKey = async () => (await client.getSecret('STRIPE_PUBLISHABLE_KEY')).secretValue;
+export const getStripeSecretKey = async () => (await client.getSecret('STRIPE_SECRET_KEY')).secretValue;
+export const getStripeWebhookSecret = async () => (await client.getSecret('STRIPE_WEBHOOK_SECRET')).secretValue;
+
+export const getTelemetryEnabled = async () => (await client.getSecret('TELEMETRY_ENABLED')).secretValue !== 'false' && true;
+export const getLoopsApiKey = async () => (await client.getSecret('LOOPS_API_KEY')).secretValue;
+export const getSmtpConfigured = async () => (await client.getSecret('SMTP_HOST')).secretValue == '' || (await client.getSecret('SMTP_HOST')).secretValue == undefined ? false : true
+export const getHttpsEnabled = async () => {
+  if ((await getNodeEnv()) != "production") {
    // no https for anything other than prod
    return false
  }

-  if (infisical.get('HTTPS_ENABLED') == undefined || infisical.get('HTTPS_ENABLED') == "") {
+  if ((await client.getSecret('HTTPS_ENABLED')).secretValue == undefined || (await client.getSecret('HTTPS_ENABLED')).secretValue == "") {
    // default when no value present
    return true
  }

-  return infisical.get('HTTPS_ENABLED') === 'true' && true
+  return (await client.getSecret('HTTPS_ENABLED')).secretValue === 'true' && true
 }
--- a/backend/src/config/request.ts
+++ b/backend/src/config/request.ts
@ -1,10 +1,24 @@
 import axios from 'axios';
 import axiosRetry from 'axios-retry';
+import {
+  getLicenseServerKeyAuthToken,
+  setLicenseServerKeyAuthToken,
+  getLicenseKeyAuthToken,
+  setLicenseKeyAuthToken
+} from './storage';
+import {
+  getLicenseKey,
+  getLicenseServerKey, 
+  getLicenseServerUrl
+} from './index';

-const axiosInstance = axios.create();
+// should have JWT to interact with the license server
+export const licenseServerKeyRequest = axios.create();
+export const licenseKeyRequest = axios.create();
+export const standardRequest = axios.create();

 // add retry functionality to the axios instance
-axiosRetry(axiosInstance, {
+axiosRetry(standardRequest, {
  retries: 3,
  retryDelay: axiosRetry.exponentialDelay, // exponential back-off delay between retries
  retryCondition: (error) => {
@ -13,4 +27,98 @@ axiosRetry(axiosInstance, {
  },
 });

-export default axiosInstance;
+export const refreshLicenseServerKeyToken = async () => {
+  const licenseServerKey = await getLicenseServerKey();
+  const licenseServerUrl = await getLicenseServerUrl();
+
+  const { data: { token } } = await standardRequest.post(
+    `${licenseServerUrl}/api/auth/v1/license-server-login`, {},
+    {
+      headers: {
+        'X-API-KEY': licenseServerKey
+      }
+    }
+  );
+
+  setLicenseServerKeyAuthToken(token);
+
+  return token;
+}
+
+export const refreshLicenseKeyToken = async () => {
+  const licenseKey = await getLicenseKey();
+  const licenseServerUrl = await getLicenseServerUrl();
+
+  const { data: { token } } = await standardRequest.post(
+    `${licenseServerUrl}/api/auth/v1/license-login`, {},
+    {
+      headers: {
+        'X-API-KEY': licenseKey
+      }
+    }
+  );
+
+  setLicenseKeyAuthToken(token);
+
+  return token;
+}
+
+licenseServerKeyRequest.interceptors.request.use((config) => {
+  const token = getLicenseServerKeyAuthToken();
+
+  if (token && config.headers) {
+      // eslint-disable-next-line no-param-reassign
+      config.headers.Authorization = `Bearer ${token}`;
+  }
+  return config;
+}, (err) => {
+  return Promise.reject(err);
+});
+
+licenseServerKeyRequest.interceptors.response.use((response) => {
+  return response
+}, async function (err) {
+  const originalRequest = err.config;
+  
+  if (err.response.status === 401 && !originalRequest._retry) {
+    originalRequest._retry = true;
+    
+    // refresh
+    const token = await refreshLicenseServerKeyToken();            
+    
+    axios.defaults.headers.common['Authorization'] = 'Bearer ' + token;
+    return licenseServerKeyRequest(originalRequest);
+  }
+
+  return Promise.reject(err);
+});
+
+licenseKeyRequest.interceptors.request.use((config) => {
+  const token = getLicenseKeyAuthToken();
+
+  if (token && config.headers) {
+      // eslint-disable-next-line no-param-reassign
+      config.headers.Authorization = `Bearer ${token}`;
+  }
+  return config;
+}, (err) => {
+  return Promise.reject(err);
+});
+
+licenseKeyRequest.interceptors.response.use((response) => {
+  return response
+}, async function (err) {
+  const originalRequest = err.config;
+  
+  if (err.response.status === 401 && !originalRequest._retry) {
+    originalRequest._retry = true;
+    
+    // refresh
+    const token = await refreshLicenseKeyToken();            
+    
+    axios.defaults.headers.common['Authorization'] = 'Bearer ' + token;
+    return licenseKeyRequest(originalRequest);
+  }
+
+  return Promise.reject(err);
+});
--- a/backend/src/config/storage.ts
+++ b/backend/src/config/storage.ts
@ -0,0 +1,30 @@
+const MemoryLicenseServerKeyTokenStorage = () => {
+    let authToken: string;
+  
+    return {
+      setToken: (token: string) => {
+        authToken = token;
+      },
+      getToken: () => authToken
+    };
+};
+
+const MemoryLicenseKeyTokenStorage = () => {
+    let authToken: string;
+  
+    return {
+      setToken: (token: string) => {
+        authToken = token;
+      },
+      getToken: () => authToken
+    };
+};
+
+const licenseServerTokenStorage = MemoryLicenseServerKeyTokenStorage();
+const licenseTokenStorage = MemoryLicenseKeyTokenStorage();
+
+export const getLicenseServerKeyAuthToken = licenseServerTokenStorage.getToken;
+export const setLicenseServerKeyAuthToken = licenseServerTokenStorage.setToken;
+
+export const getLicenseKeyAuthToken = licenseTokenStorage.getToken;
+export const setLicenseKeyAuthToken = licenseTokenStorage.setToken;
--- a/backend/src/controllers/v1/authController.ts
+++ b/backend/src/controllers/v1/authController.ts
@ -126,7 +126,7 @@ export const login2 = async (req: Request, res: Response) => {
            httpOnly: true,
            path: '/',
            sameSite: 'strict',
-            secure: getHttpsEnabled()
+            secure: await getHttpsEnabled()
          });

          const loginAction = await EELogService.createAction({
@ -182,7 +182,7 @@ export const logout = async (req: Request, res: Response) => {
      httpOnly: true,
      path: '/',
      sameSite: 'strict',
-      secure: getHttpsEnabled() as boolean
+      secure: (await getHttpsEnabled()) as boolean
    });

    const logoutAction = await EELogService.createAction({
@ -237,7 +237,7 @@ export const getNewToken = async (req: Request, res: Response) => {
    }

    const decodedToken = <jwt.UserIDJwtPayload>(
-      jwt.verify(refreshToken, getJwtRefreshSecret())
+      jwt.verify(refreshToken, await getJwtRefreshSecret())
    );

    const user = await User.findOne({
@ -252,8 +252,8 @@ export const getNewToken = async (req: Request, res: Response) => {
      payload: {
        userId: decodedToken.userId
      },
-      expiresIn: getJwtAuthLifetime(),
-      secret: getJwtAuthSecret()
+      expiresIn: await getJwtAuthLifetime(),
+      secret: await getJwtAuthSecret()
    });

    return res.status(200).send({
--- a/backend/src/controllers/v1/botController.ts
+++ b/backend/src/controllers/v1/botController.ts
@ -1,4 +1,5 @@
 import { Request, Response } from 'express';
+import { Types } from 'mongoose';
 import * as Sentry from '@sentry/node';
 import { Bot, BotKey } from '../../models';
 import { createBot } from '../../helpers/bot';
@ -29,7 +30,7 @@ export const getBotByWorkspaceId = async (req: Request, res: Response) => {
            // -> create a new bot and return it
            bot = await createBot({
                name: 'Infisical Bot',
-                workspaceId
+                workspaceId: new Types.ObjectId(workspaceId)
            });
        }
 	} catch (err) {
--- a/backend/src/controllers/v1/integrationAuthController.ts
+++ b/backend/src/controllers/v1/integrationAuthController.ts
@ -5,7 +5,7 @@ import {
 	IntegrationAuth,
 	Bot 
 } from '../../models';
-import { INTEGRATION_SET, getIntegrationOptions as getIntegrationOptionsFunc } from '../../variables';
+import { ALGORITHM_AES_256_GCM, ENCODING_SCHEME_UTF8, INTEGRATION_SET, getIntegrationOptions as getIntegrationOptionsFunc } from '../../variables';
 import { IntegrationService } from '../../services';
 import {
 	getApps, 
@ -16,7 +16,7 @@ import {
 	INTEGRATION_VERCEL_API_URL,
 	INTEGRATION_RAILWAY_API_URL
 } from '../../variables';
-import request from '../../config/request';
+import { standardRequest } from '../../config/request';

 /***
 * Return integration authorization with id [integrationAuthId]
@ -44,7 +44,7 @@ export const getIntegrationAuth = async (req: Request, res: Response) => {
 }

 export const getIntegrationOptions = async (req: Request, res: Response) => {
-	const INTEGRATION_OPTIONS = getIntegrationOptionsFunc();
+	const INTEGRATION_OPTIONS = await getIntegrationOptionsFunc();

 	return res.status(200).send({
 		integrationOptions: INTEGRATION_OPTIONS,
@ -129,7 +129,9 @@ export const saveIntegrationAccessToken = async (
            integration
        }, {
            workspace: new Types.ObjectId(workspaceId),
-            integration
+            integration,
+			algorithm: ALGORITHM_AES_256_GCM,
+			keyEncoding: ENCODING_SCHEME_UTF8
 		}, {
            new: true,
            upsert: true
@ -229,7 +231,7 @@ export const getIntegrationAuthVercelBranches = async (req: Request, res: Respon
 	let branches: string[] = [];
 	
 	if (appId && appId !== '') {
-		const { data }: { data: VercelBranch[] } = await request.get(
+		const { data }: { data: VercelBranch[] } = await standardRequest.get(
 			`${INTEGRATION_VERCEL_API_URL}/v1/integrations/git-branches`,
 			{
 				params,
@ -292,7 +294,7 @@ export const getIntegrationAuthRailwayEnvironments = async (req: Request, res: R
 			projectId: appId
 		}
 		
-		const { data: { data: { environments: { edges } } } } = await request.post(INTEGRATION_RAILWAY_API_URL, {
+		const { data: { data: { environments: { edges } } } } = await standardRequest.post(INTEGRATION_RAILWAY_API_URL, {
 			query,
 			variables,
 		}, {
@ -372,7 +374,7 @@ export const getIntegrationAuthRailwayServices = async (req: Request, res: Respo
 			id: appId
 		}
 		
-		const { data: { data: { project: { services: { edges } } } } } = await request.post(INTEGRATION_RAILWAY_API_URL, {
+		const { data: { data: { project: { services: { edges } } } } } = await standardRequest.post(INTEGRATION_RAILWAY_API_URL, {
 			query,
 			variables
 		}, {
--- a/backend/src/controllers/v1/integrationController.ts
+++ b/backend/src/controllers/v1/integrationController.ts
@ -56,7 +56,8 @@ export const createIntegration = async (req: Request, res: Response) => {
 			// trigger event - push secrets
 			EventService.handleEvent({
 				event: eventPushSecrets({
-					workspaceId: integration.workspace.toString()
+					workspaceId: integration.workspace,
+          environment: sourceEnvironment
 				})
 			});
 		}
@ -117,7 +118,8 @@ export const updateIntegration = async (req: Request, res: Response) => {
      // trigger event - push secrets
      EventService.handleEvent({
        event: eventPushSecrets({
-          workspaceId: integration.workspace.toString(),
+          workspaceId: integration.workspace,
+          environment
        }),
      });
    }
--- a/backend/src/controllers/v1/membershipController.ts
+++ b/backend/src/controllers/v1/membershipController.ts
@ -215,7 +215,7 @@ export const inviteUserToWorkspace = async (req: Request, res: Response) => {
 				inviterFirstName: req.user.firstName,
 				inviterEmail: req.user.email,
 				workspaceName: req.membership.workspace.name,
-				callback_url: getSiteURL() + '/login'
+				callback_url: (await getSiteURL()) + '/login'
 			}
 		});
 	} catch (err) {
--- a/backend/src/controllers/v1/membershipOrgController.ts
+++ b/backend/src/controllers/v1/membershipOrgController.ts
@ -1,3 +1,4 @@
+import { Types } from 'mongoose';
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
 import { MembershipOrg, Organization, User } from '../../models';
@ -134,12 +135,13 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 			}

 			if (!inviteeMembershipOrg) {
+				
 				await new MembershipOrg({
 					user: invitee,
 					inviteEmail: inviteeEmail,
 					organization: organizationId,
 					role: MEMBER,
-					status: invitee?.publicKey ? ACCEPTED : INVITED
+					status: INVITED
 				}).save();
 			}
 		} else {
@ -164,6 +166,7 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 		const organization = await Organization.findOne({ _id: organizationId });

 		if (organization) {
+
 			const token = await TokenService.createToken({
 				type: TOKEN_EMAIL_ORG_INVITATION,
 				email: inviteeEmail,
@ -179,13 +182,14 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 					inviterEmail: req.user.email,
 					organizationName: organization.name,
 					email: inviteeEmail,
+					organizationId: organization._id.toString(),
 					token,
-					callback_url: getSiteURL() + '/signupinvite'
+					callback_url: (await getSiteURL()) + '/signupinvite'
 				}
 			});

-			if (!getSmtpConfigured()) {
-				completeInviteLink = `${siteUrl + '/signupinvite'}?token=${token}&to=${inviteeEmail}`
+			if (!(await getSmtpConfigured())) {
+				completeInviteLink = `${siteUrl + '/signupinvite'}?token=${token}&to=${inviteeEmail}&organization_id=${organization._id}`
 			}
 		}

@ -214,13 +218,18 @@ export const inviteUserToOrganization = async (req: Request, res: Response) => {
 export const verifyUserToOrganization = async (req: Request, res: Response) => {
 	let user, token;
 	try {
-		const { email, code } = req.body;
+		const {
+			email,
+			organizationId,
+			code
+		} = req.body;

 		user = await User.findOne({ email }).select('+publicKey');

 		const membershipOrg = await MembershipOrg.findOne({
 			inviteEmail: email,
-			status: INVITED
+			status: INVITED,
+			organization: new Types.ObjectId(organizationId)
 		});

 		if (!membershipOrg)
@ -238,6 +247,10 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
 			// membership can be approved and redirected to login/dashboard
 			membershipOrg.status = ACCEPTED;
 			await membershipOrg.save();
+			
+			await updateSubscriptionOrgQuantity({
+				organizationId
+			});

 			return res.status(200).send({
 				message: 'Successfully verified email',
@ -257,8 +270,8 @@ export const verifyUserToOrganization = async (req: Request, res: Response) => {
 			payload: {
 				userId: user._id.toString()
 			},
-			expiresIn: getJwtSignupLifetime(),
-			secret: getJwtSignupSecret()
+			expiresIn: await getJwtSignupLifetime(),
+			secret: await getJwtSignupSecret()
 		});
 	} catch (err) {
 		Sentry.setUser(null);
--- a/backend/src/controllers/v1/organizationController.ts
+++ b/backend/src/controllers/v1/organizationController.ts
@ -19,7 +19,8 @@ export const getOrganizations = async (req: Request, res: Response) => {
 	try {
 		organizations = (
 			await MembershipOrg.find({
-				user: req.user._id
+				user: req.user._id,
+				status: ACCEPTED
 			}).populate('organization')
 		).map((m) => m.organization);
 	} catch (err) {
@ -85,7 +86,7 @@ export const createOrganization = async (req: Request, res: Response) => {
 export const getOrganization = async (req: Request, res: Response) => {
 	let organization;
 	try {
-		organization = req.membershipOrg.organization;
+		organization = req.organization
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
@ -317,29 +318,29 @@ export const createOrganizationPortalSession = async (
 ) => {
 	let session;
 	try {
-		const stripe = new Stripe(getStripeSecretKey(), {
+		const stripe = new Stripe(await getStripeSecretKey(), {
 			apiVersion: '2022-08-01'
 		});

 		// check if there is a payment method on file
 		const paymentMethods = await stripe.paymentMethods.list({
-			customer: req.membershipOrg.organization.customerId,
+			customer: req.organization.customerId,
 			type: 'card'
 		});
-
+		
 		if (paymentMethods.data.length < 1) {
 			// case: no payment method on file
 			session = await stripe.checkout.sessions.create({
-				customer: req.membershipOrg.organization.customerId,
+				customer: req.organization.customerId,
 				mode: 'setup',
 				payment_method_types: ['card'],
-				success_url: getSiteURL() + '/dashboard',
-				cancel_url: getSiteURL() + '/dashboard'
+				success_url: (await getSiteURL()) + '/dashboard',
+				cancel_url: (await getSiteURL()) + '/dashboard'
 			});
 		} else {
 			session = await stripe.billingPortal.sessions.create({
-				customer: req.membershipOrg.organization.customerId,
-				return_url: getSiteURL() + '/dashboard'
+				customer: req.organization.customerId,
+				return_url: (await getSiteURL()) + '/dashboard'
 			});
 		}

@ -365,12 +366,12 @@ export const getOrganizationSubscriptions = async (
 ) => {
 	let subscriptions;
 	try {
-		const stripe = new Stripe(getStripeSecretKey(), {
+		const stripe = new Stripe(await getStripeSecretKey(), {
 			apiVersion: '2022-08-01'
 		});
 		
 		subscriptions = await stripe.subscriptions.list({
-			customer: req.membershipOrg.organization.customerId
+			customer: req.organization.customerId
 		});
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
--- a/backend/src/controllers/v1/passwordController.ts
+++ b/backend/src/controllers/v1/passwordController.ts
@ -44,7 +44,7 @@ export const emailPasswordReset = async (req: Request, res: Response) => {
 			substitutions: {
 				email,
 				token,
-				callback_url: getSiteURL() + '/password-reset'
+				callback_url: (await getSiteURL()) + '/password-reset'
 			}
 		});
 	} catch (err) {
@ -91,8 +91,8 @@ export const emailPasswordResetVerify = async (req: Request, res: Response) => {
 			payload: {
 				userId: user._id.toString()
 			},
-			expiresIn: getJwtSignupLifetime(),
-			secret: getJwtSignupSecret()
+			expiresIn: await getJwtSignupLifetime(),
+			secret: await getJwtSignupSecret()
 		});
 	} catch (err) {
 		Sentry.setUser(null);
--- a/backend/src/controllers/v1/secretController.ts
+++ b/backend/src/controllers/v1/secretController.ts
@ -1,5 +1,6 @@
 import { Request, Response } from 'express';
 import * as Sentry from '@sentry/node';
+import { Types } from 'mongoose';
 import { Key, Secret } from '../../models';
 import {
 	v1PushSecrets as push,
@ -38,7 +39,7 @@ export const pushSecrets = async (req: Request, res: Response) => {
 	// upload (encrypted) secrets to workspace with id [workspaceId]

 	try {
-		const postHogClient = TelemetryService.getPostHogClient();
+		const postHogClient = await TelemetryService.getPostHogClient();
 		let { secrets }: { secrets: PushSecret[] } = req.body;
 		const { keys, environment, channel } = req.body;
 		const { workspaceId } = req.params;
@ -84,7 +85,8 @@ export const pushSecrets = async (req: Request, res: Response) => {
 		// trigger event - push secrets
 		EventService.handleEvent({
 			event: eventPushSecrets({
-				workspaceId
+				workspaceId: new Types.ObjectId(workspaceId),
+				environment
 			})
 		});

@ -112,7 +114,7 @@ export const pullSecrets = async (req: Request, res: Response) => {
 	let secrets;
 	let key;
 	try {
-		const postHogClient = TelemetryService.getPostHogClient();
+		const postHogClient = await TelemetryService.getPostHogClient();
 		const environment: string = req.query.environment as string;
 		const channel: string = req.query.channel as string;
 		const { workspaceId } = req.params;
@ -181,7 +183,7 @@ export const pullSecretsServiceToken = async (req: Request, res: Response) => {
 	let secrets;
 	let key;
 	try {
-		const postHogClient = TelemetryService.getPostHogClient();
+		const postHogClient = await TelemetryService.getPostHogClient();
 		const environment: string = req.query.environment as string;
 		const channel: string = req.query.channel as string;
 		const { workspaceId } = req.params;
--- a/backend/src/controllers/v1/secretsFolderController.ts
+++ b/backend/src/controllers/v1/secretsFolderController.ts
@ -0,0 +1,107 @@
+import { Request, Response } from 'express';
+import { Secret } from '../../models';
+import Folder from '../../models/folder';
+import { BadRequestError } from '../../utils/errors';
+import { ROOT_FOLDER_PATH, getFolderPath, getParentPath, normalizePath, validateFolderName } from '../../utils/folder';
+import { ADMIN, MEMBER } from '../../variables';
+import { validateMembership } from '../../helpers/membership';
+
+// TODO
+// verify workspace id/environment
+export const createFolder = async (req: Request, res: Response) => {
+  const { workspaceId, environment, folderName, parentFolderId } = req.body
+  if (!validateFolderName(folderName)) {
+    throw BadRequestError({ message: "Folder name cannot contain spaces. Only underscore and dashes" })
+  }
+
+  if (parentFolderId) {
+    const parentFolder = await Folder.find({ environment: environment, workspace: workspaceId, id: parentFolderId });
+    if (!parentFolder) {
+      throw BadRequestError({ message: "The parent folder doesn't exist" })
+    }
+  }
+
+  let completePath = await getFolderPath(parentFolderId)
+  if (completePath == ROOT_FOLDER_PATH) {
+    completePath = ""
+  }
+
+  const currentFolderPath = completePath + "/" + folderName // construct new path with current folder to be created
+  const normalizedCurrentPath = normalizePath(currentFolderPath)
+  const normalizedParentPath = getParentPath(normalizedCurrentPath)
+
+  const existingFolder = await Folder.findOne({
+    name: folderName,
+    workspace: workspaceId,
+    environment: environment,
+    parent: parentFolderId,
+    path: normalizedCurrentPath
+  });
+
+  if (existingFolder) {
+    return res.json(existingFolder)
+  }
+
+  const newFolder = new Folder({
+    name: folderName,
+    workspace: workspaceId,
+    environment: environment,
+    parent: parentFolderId,
+    path: normalizedCurrentPath,
+    parentPath: normalizedParentPath
+  });
+
+  await newFolder.save();
+
+  return res.json(newFolder)
+}
+
+export const deleteFolder = async (req: Request, res: Response) => {
+  const { folderId } = req.params
+  const queue: any[] = [folderId];
+
+  const folder = await Folder.findById(folderId);
+  if (!folder) {
+    throw BadRequestError({ message: "The folder doesn't exist" })
+  }
+
+  // check that user is a member of the workspace
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId: folder.workspace as any,
+    acceptedRoles: [ADMIN, MEMBER]
+  });
+
+  while (queue.length > 0) {
+    const currentFolderId = queue.shift();
+
+    const childFolders = await Folder.find({ parent: currentFolderId });
+    for (const childFolder of childFolders) {
+      queue.push(childFolder._id);
+    }
+
+    await Secret.deleteMany({ folder: currentFolderId });
+
+    await Folder.deleteOne({ _id: currentFolderId });
+  }
+
+  res.send()
+}
+
+// TODO: validate workspace
+export const getFolderById = async (req: Request, res: Response) => {
+  const { folderId } = req.params
+
+  const folder = await Folder.findById(folderId);
+  if (!folder) {
+    throw BadRequestError({ message: "The folder doesn't exist" })
+  }
+  // check that user is a member of the workspace
+  await validateMembership({
+    userId: req.user._id.toString(),
+    workspaceId: folder.workspace as any,
+    acceptedRoles: [ADMIN, MEMBER]
+  });
+
+  res.send({ folder })
+}
--- a/backend/src/controllers/v1/serviceTokenController.ts
+++ b/backend/src/controllers/v1/serviceTokenController.ts
@ -61,7 +61,7 @@ export const createServiceToken = async (req: Request, res: Response) => {
 				workspaceId
 			},
 			expiresIn: expiresIn,
-			secret: getJwtServiceSecret()
+			secret: await getJwtServiceSecret()
 		});
 	} catch (err) {
 		return res.status(400).send({
--- a/backend/src/controllers/v1/signupController.ts
+++ b/backend/src/controllers/v1/signupController.ts
@ -21,14 +21,6 @@ export const beginEmailSignup = async (req: Request, res: Response) => {
 	try {
 		email = req.body.email;

-		if (getInviteOnlySignup()) {
-			// Only one user can create an account without being invited. The rest need to be invited in order to make an account
-			const userCount = await User.countDocuments({})
-			if (userCount != 0) {
-				throw BadRequestError({ message: "New user sign ups are not allowed at this time. You must be invited to sign up." })
-			}
-		}
-
 		const user = await User.findOne({ email }).select('+publicKey');
 		if (user && user?.publicKey) {
 			// case: user has already completed account
@ -47,7 +39,7 @@ export const beginEmailSignup = async (req: Request, res: Response) => {
 			error: 'Failed to send email verification code'
 		});
 	}
-
+	
 	return res.status(200).send({
 		message: `Sent an email verification code to ${email}`
 	});
@ -74,8 +66,16 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
 			});
 		}

+		if (await getInviteOnlySignup()) {
+			// Only one user can create an account without being invited. The rest need to be invited in order to make an account
+			const userCount = await User.countDocuments({})
+			if (userCount != 0) {
+				throw BadRequestError({ message: "New user sign ups are not allowed at this time. You must be invited to sign up." })
+			}
+		}
+
 		// verify email
-		if (getSmtpConfigured()) {
+		if (await getSmtpConfigured()) {
 			await checkEmailVerification({
 				email,
 				code
@ -93,8 +93,8 @@ export const verifyEmailSignup = async (req: Request, res: Response) => {
 			payload: {
 				userId: user._id.toString()
 			},
-			expiresIn: getJwtSignupLifetime(),
-			secret: getJwtSignupSecret()
+			expiresIn: await getJwtSignupLifetime(),
+			secret: await getJwtSignupSecret()
 		});
 	} catch (err) {
 		Sentry.setUser(null);
--- a/backend/src/controllers/v1/stripeController.ts
+++ b/backend/src/controllers/v1/stripeController.ts
@ -13,7 +13,7 @@ export const handleWebhook = async (req: Request, res: Response) => {
 	let event;
 	try {
 		// check request for valid stripe signature
-		const stripe = new Stripe(getStripeSecretKey(), {
+		const stripe = new Stripe(await getStripeSecretKey(), {
 			apiVersion: '2022-08-01'
 		});

@ -21,7 +21,7 @@ export const handleWebhook = async (req: Request, res: Response) => {
 		event = stripe.webhooks.constructEvent(
 			req.body,
 			sig,
-			getStripeWebhookSecret()
+			await getStripeWebhookSecret()
 		);
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
--- a/backend/src/controllers/v2/apiKeyDataController.ts
+++ b/backend/src/controllers/v2/apiKeyDataController.ts
@ -43,7 +43,7 @@ export const createAPIKeyData = async (req: Request, res: Response) => {
        const { name, expiresIn } = req.body;
        
        const secret = crypto.randomBytes(16).toString('hex');
-        const secretHash = await bcrypt.hash(secret, getSaltRounds());
+        const secretHash = await bcrypt.hash(secret, await getSaltRounds());
        
 		const expiresAt = new Date();
 		expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
--- a/backend/src/controllers/v2/authController.ts
+++ b/backend/src/controllers/v2/authController.ts
@ -124,8 +124,8 @@ export const login2 = async (req: Request, res: Response) => {
              payload: {
                userId: user._id.toString()
              },
-              expiresIn: getJwtMfaLifetime(),
-              secret: getJwtMfaSecret()
+              expiresIn: await getJwtMfaLifetime(),
+              secret: await getJwtMfaSecret()
            });

            const code = await TokenService.createToken({
@ -163,7 +163,7 @@ export const login2 = async (req: Request, res: Response) => {
            httpOnly: true,
            path: '/',
            sameSite: 'strict',
-            secure: getHttpsEnabled()
+            secure: await getHttpsEnabled()
          });

          // case: user does not have MFA enablgged
@ -302,7 +302,7 @@ export const verifyMfaToken = async (req: Request, res: Response) => {
    httpOnly: true,
    path: '/',
    sameSite: 'strict',
-    secure: getHttpsEnabled()
+    secure: await getHttpsEnabled()
  });

  interface VerifyMfaTokenRes {
--- a/backend/src/controllers/v2/secretController.ts
+++ b/backend/src/controllers/v2/secretController.ts
@ -6,8 +6,10 @@ import { CreateSecretRequestBody, ModifySecretRequestBody, SanitizedSecretForCre
 const { ValidationError } = mongoose.Error;
 import { BadRequestError, InternalServerError, UnauthorizedRequestError, ValidationError as RouteValidationError } from '../../utils/errors';
 import { AnyBulkWriteOperation } from 'mongodb';
-import { SECRET_PERSONAL, SECRET_SHARED } from "../../variables";
+import { ALGORITHM_AES_256_GCM, ENCODING_SCHEME_UTF8, SECRET_PERSONAL, SECRET_SHARED } from "../../variables";
 import { TelemetryService } from '../../services';
+import { User } from "../../models";
+import { AccountNotFoundError } from '../../utils/errors';

 /**
 * Create secret for workspace with id [workspaceId] and environment [environment]
@ -15,7 +17,7 @@ import { TelemetryService } from '../../services';
 * @param res 
 */
 export const createSecret = async (req: Request, res: Response) => {
-  const postHogClient = TelemetryService.getPostHogClient();
+  const postHogClient = await TelemetryService.getPostHogClient();
  const secretToCreate: CreateSecretRequestBody = req.body.secret;
  const { workspaceId, environment } = req.params
  const sanitizedSecret: SanitizedSecretForCreate = {
@ -34,7 +36,9 @@ export const createSecret = async (req: Request, res: Response) => {
    workspace: new Types.ObjectId(workspaceId),
    environment,
    type: secretToCreate.type,
-    user: new Types.ObjectId(req.user._id)
+    user: new Types.ObjectId(req.user._id),
+    algorithm: ALGORITHM_AES_256_GCM,
+    keyEncoding: ENCODING_SCHEME_UTF8
  }


@ -68,7 +72,7 @@ export const createSecret = async (req: Request, res: Response) => {
 * @param res 
 */
 export const createSecrets = async (req: Request, res: Response) => {
-  const postHogClient = TelemetryService.getPostHogClient();
+  const postHogClient = await TelemetryService.getPostHogClient();
  const secretsToCreate: CreateSecretRequestBody[] = req.body.secrets;
  const { workspaceId, environment } = req.params
  const sanitizedSecretesToCreate: SanitizedSecretForCreate[] = []
@ -90,7 +94,9 @@ export const createSecrets = async (req: Request, res: Response) => {
      workspace: new Types.ObjectId(workspaceId),
      environment,
      type: rawSecret.type,
-      user: new Types.ObjectId(req.user._id)
+      user: new Types.ObjectId(req.user._id),
+      algorithm: ALGORITHM_AES_256_GCM,
+      keyEncoding: ENCODING_SCHEME_UTF8
    }

    sanitizedSecretesToCreate.push(safeUpdateFields)
@ -130,7 +136,7 @@ export const createSecrets = async (req: Request, res: Response) => {
 * @param res 
 */
 export const deleteSecrets = async (req: Request, res: Response) => {
-  const postHogClient = TelemetryService.getPostHogClient();
+  const postHogClient = await TelemetryService.getPostHogClient();
  const { workspaceId, environmentName } = req.params
  const secretIdsToDelete: string[] = req.body.secretIds

@ -184,7 +190,7 @@ export const deleteSecrets = async (req: Request, res: Response) => {
 * @param res
 */
 export const deleteSecret = async (req: Request, res: Response) => {
-  const postHogClient = TelemetryService.getPostHogClient();
+  const postHogClient = await TelemetryService.getPostHogClient();
  await Secret.findByIdAndDelete(req._secret._id)

  if (postHogClient) {
@ -213,7 +219,7 @@ export const deleteSecret = async (req: Request, res: Response) => {
 * @returns 
 */
 export const updateSecrets = async (req: Request, res: Response) => {
-  const postHogClient = TelemetryService.getPostHogClient();
+  const postHogClient = await TelemetryService.getPostHogClient();
  const { workspaceId, environmentName } = req.params
  const secretsModificationsRequested: ModifySecretRequestBody[] = req.body.secrets;
  const [secretIdsUserCanModifyError, secretIdsUserCanModify] = await to(Secret.find({ workspace: workspaceId, environment: environmentName }, { _id: 1 }).then())
@ -281,7 +287,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
 * @returns 
 */
 export const updateSecret = async (req: Request, res: Response) => {
-  const postHogClient = TelemetryService.getPostHogClient();
+  const postHogClient = await TelemetryService.getPostHogClient();
  const { workspaceId, environmentName } = req.params
  const secretModificationsRequested: ModifySecretRequestBody = req.body.secret;

@ -335,20 +341,23 @@ export const updateSecret = async (req: Request, res: Response) => {
 * @returns 
 */
 export const getSecrets = async (req: Request, res: Response) => {
-  const postHogClient = TelemetryService.getPostHogClient();
+  const postHogClient = await TelemetryService.getPostHogClient();
  const { environment } = req.query;
  const { workspaceId } = req.params;

  let userId: Types.ObjectId | undefined = undefined // used for getting personal secrets for user
-  let userEmail: Types.ObjectId | undefined = undefined // used for posthog 
+  let userEmail: string | undefined = undefined // used for posthog 
  if (req.user) {
    userId = req.user._id;
    userEmail = req.user.email;
  }

  if (req.serviceTokenData) {
-    userId = req.serviceTokenData.user._id
-    userEmail = req.serviceTokenData.user.email;
+    userId = req.serviceTokenData.user;
+    
+    const user = await User.findById(req.serviceTokenData.user, 'email');
+    if (!user) throw AccountNotFoundError();
+    userEmail = user.email;
  }

  const [err, secrets] = await to(Secret.find(
--- a/backend/src/controllers/v2/secretsController.ts
+++ b/backend/src/controllers/v2/secretsController.ts
@ -1,30 +1,32 @@
-import to from 'await-to-js';
 import { Types } from 'mongoose';
 import { Request, Response } from 'express';
-import { ISecret, Secret } from '../../models';
-import { IAction } from '../../ee/models';
+import { ISecret, Secret, Workspace } from '../../models';
+import { IAction, SecretVersion } from '../../ee/models';
 import {
    SECRET_PERSONAL,
-    SECRET_SHARED,
    ACTION_ADD_SECRETS,
    ACTION_READ_SECRETS,
    ACTION_UPDATE_SECRETS,
-    ACTION_DELETE_SECRETS
+    ACTION_DELETE_SECRETS,
+    ALGORITHM_AES_256_GCM,
+    ENCODING_SCHEME_UTF8
 } from '../../variables';
-import { UnauthorizedRequestError, ValidationError } from '../../utils/errors';
+import { UnauthorizedRequestError, WorkspaceNotFoundError } from '../../utils/errors';
 import { EventService } from '../../services';
 import { eventPushSecrets } from '../../events';
-import { EESecretService, EELogService } from '../../ee/services';
-import { TelemetryService } from '../../services';
+import { EESecretService, EELogService, EELicenseService } from '../../ee/services';
+import { TelemetryService, SecretService } from '../../services';
 import { getChannelFromUserAgent } from '../../utils/posthog';
 import { PERMISSION_WRITE_SECRETS } from '../../variables';
 import { userHasNoAbility, userHasWorkspaceAccess, userHasWriteOnlyAbility } from '../../ee/helpers/checkMembershipPermissions';
 import Tag from '../../models/tag';
-import _, { eq } from 'lodash';
+import _ from 'lodash';
 import {
    BatchSecretRequest,
    BatchSecret
 } from '../../types/secret';
+import { getFolderPath, getFoldersInDirectory, normalizePath } from '../../utils/folder';
+import { ROOT_FOLDER_PATH } from '../../utils/folder';

 /**
 * Peform a batch of any specified CUD secret operations
@ -33,8 +35,9 @@ import {
 * @param res 
 */
 export const batchSecrets = async (req: Request, res: Response) => {
+
    const channel = getChannelFromUserAgent(req.headers['user-agent']);
-    const postHogClient = TelemetryService.getPostHogClient();
+    const postHogClient = await TelemetryService.getPostHogClient();

    const {
        workspaceId,
@ -45,34 +48,71 @@ export const batchSecrets = async (req: Request, res: Response) => {
        environment: string;
        requests: BatchSecretRequest[];
    } = req.body;
+    
+    const workspace = await Workspace.findById(workspaceId);
+    if (!workspace) throw WorkspaceNotFoundError();
+    
+    const orgPlan = await EELicenseService.getOrganizationPlan(workspace.organization.toString());
+    const isPaid = orgPlan.tier >= 1;

    const createSecrets: BatchSecret[] = [];
    const updateSecrets: BatchSecret[] = [];
    const deleteSecrets: Types.ObjectId[] = [];
    const actions: IAction[] = [];

-    requests.forEach((request) => {
+    // get secret blind index salt
+    const salt = await SecretService.getSecretBlindIndexSalt({
+        workspaceId: new Types.ObjectId(workspaceId)
+    });
+
+    for await (const request of requests) {
+        const folderId = request.secret.folderId
+
+        // TODO: need to auth folder
+        const fullFolderPath = await getFolderPath(folderId)
+
+        let secretBlindIndex = '';
        switch (request.method) {
            case 'POST':
+                secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt({
+                    secretName: request.secret.secretName,
+                    salt
+                });
+
                createSecrets.push({
                    ...request.secret,
                    version: 1,
                    user: request.secret.type === SECRET_PERSONAL ? req.user : undefined,
                    environment,
-                    workspace: new Types.ObjectId(workspaceId)
+                    workspace: new Types.ObjectId(workspaceId),
+                    path: fullFolderPath,
+                    folder: folderId,
+                    secretBlindIndex,
+                    algorithm: ALGORITHM_AES_256_GCM,
+                    keyEncoding: ENCODING_SCHEME_UTF8
                });
                break;
            case 'PATCH':
+                secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt({
+                    secretName: request.secret.secretName,
+                    salt,
+                });
+
                updateSecrets.push({
                    ...request.secret,
-                    _id: new Types.ObjectId(request.secret._id)
+                    _id: new Types.ObjectId(request.secret._id),
+                    secretBlindIndex,
+                    folder: folderId,
+                    path: fullFolderPath,
+                    algorithm: ALGORITHM_AES_256_GCM,
+                    keyEncoding: ENCODING_SCHEME_UTF8
                });
                break;
            case 'DELETE':
                deleteSecrets.push(new Types.ObjectId(request.secret._id));
                break;
        }
-    });
+    }

    // handle create secrets
    let createdSecrets: ISecret[] = [];
@ -109,7 +149,9 @@ export const batchSecrets = async (req: Request, res: Response) => {
                    environment,
                    workspaceId,
                    channel,
-                    userAgent: req.headers?.['user-agent']
+                    userAgent: req.headers?.['user-agent'],
+                    isPaid,
+                    email: req.user.email
                }
            });
        }
@ -133,7 +175,10 @@ export const batchSecrets = async (req: Request, res: Response) => {

        const updateOperations = updateSecrets.map((u) => ({
            updateOne: {
-                filter: { _id: new Types.ObjectId(u._id) },
+                filter: {
+                    _id: new Types.ObjectId(u._id),
+                    workspace: new Types.ObjectId(workspaceId)
+                },
                update: {
                    $inc: {
                        version: 1
@ -146,13 +191,14 @@ export const batchSecrets = async (req: Request, res: Response) => {

        await Secret.bulkWrite(updateOperations);

-        const secretVersions = updateSecrets.map((u) => ({
+        const secretVersions = updateSecrets.map((u) => new SecretVersion({
            secret: new Types.ObjectId(u._id),
            version: listedSecretsObj[u._id.toString()].version,
            workspace: new Types.ObjectId(workspaceId),
            type: listedSecretsObj[u._id.toString()].type,
            environment,
            isDeleted: false,
+            secretBlindIndex: u.secretBlindIndex,
            secretKeyCiphertext: u.secretKeyCiphertext,
            secretKeyIV: u.secretKeyIV,
            secretKeyTag: u.secretKeyTag,
@ -162,6 +208,8 @@ export const batchSecrets = async (req: Request, res: Response) => {
            secretCommentCiphertext: u.secretCommentCiphertext,
            secretCommentIV: u.secretCommentIV,
            secretCommentTag: u.secretCommentTag,
+            algorithm: ALGORITHM_AES_256_GCM,
+            keyEncoding: ENCODING_SCHEME_UTF8,
            tags: u.tags
        }));

@ -192,7 +240,9 @@ export const batchSecrets = async (req: Request, res: Response) => {
                    environment,
                    workspaceId,
                    channel,
-                    userAgent: req.headers?.['user-agent']
+                    userAgent: req.headers?.['user-agent'],
+                    isPaid,
+                    email: req.user.email
                }
            });
        }
@ -227,7 +277,9 @@ export const batchSecrets = async (req: Request, res: Response) => {
                    environment,
                    workspaceId,
                    channel: channel,
-                    userAgent: req.headers?.['user-agent']
+                    userAgent: req.headers?.['user-agent'],
+                    isPaid,
+                    email: req.user.email
                }
            });
        }
@ -247,13 +299,13 @@ export const batchSecrets = async (req: Request, res: Response) => {
    // // trigger event - push secrets
    await EventService.handleEvent({
        event: eventPushSecrets({
-            workspaceId
+            workspaceId: new Types.ObjectId(workspaceId)
        })
    });

    // (EE) take a secret snapshot
    await EESecretService.takeSecretSnapshot({
-        workspaceId
+        workspaceId: new Types.ObjectId(workspaceId)
    });

    const resObj: { [key: string]: ISecret[] | string[] } = {}
@ -342,6 +394,12 @@ export const createSecrets = async (req: Request, res: Response) => {
        }
    }

+    const workspace = await Workspace.findById(workspaceId);
+    if (!workspace) throw WorkspaceNotFoundError();
+    
+    const orgPlan = await EELicenseService.getOrganizationPlan(workspace.organization.toString());
+    const isPaid = orgPlan.tier >= 1;
+
    let listOfSecretsToCreate;
    if (Array.isArray(req.body.secrets)) {
        // case: create multiple secrets
@ -351,8 +409,14 @@ export const createSecrets = async (req: Request, res: Response) => {
        listOfSecretsToCreate = [req.body.secrets];
    }

+    // get secret blind index salt
+    const salt = await SecretService.getSecretBlindIndexSalt({
+        workspaceId: new Types.ObjectId(workspaceId)
+    });
+
    type secretsToCreateType = {
        type: string;
+        secretName?: string;
        secretKeyCiphertext: string;
        secretKeyIV: string;
        secretKeyTag: string;
@ -365,25 +429,10 @@ export const createSecrets = async (req: Request, res: Response) => {
        tags: string[]
    }

-    const secretsToInsert: ISecret[] = listOfSecretsToCreate.map(({
-        type,
-        secretKeyCiphertext,
-        secretKeyIV,
-        secretKeyTag,
-        secretValueCiphertext,
-        secretValueIV,
-        secretValueTag,
-        secretCommentCiphertext,
-        secretCommentIV,
-        secretCommentTag,
-        tags
-    }: secretsToCreateType) => {
-        return ({
-            version: 1,
-            workspace: new Types.ObjectId(workspaceId),
+    const secretsToInsert: ISecret[] = await Promise.all(
+        listOfSecretsToCreate.map(async ({
            type,
-            user: (req.user && type === SECRET_PERSONAL) ? req.user : undefined,
-            environment,
+            secretName,
            secretKeyCiphertext,
            secretKeyIV,
            secretKeyTag,
@ -394,8 +443,37 @@ export const createSecrets = async (req: Request, res: Response) => {
            secretCommentIV,
            secretCommentTag,
            tags
-        });
-    });
+        }: secretsToCreateType) => {
+            let secretBlindIndex;
+            if (secretName) {
+                secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt({
+                    secretName,
+                    salt
+                });
+            }
+
+            return ({
+                version: 1,
+                workspace: new Types.ObjectId(workspaceId),
+                type,
+                ...(secretBlindIndex ? { secretBlindIndex } : {}),
+                user: (req.user && type === SECRET_PERSONAL) ? req.user : undefined,
+                environment,
+                secretKeyCiphertext,
+                secretKeyIV,
+                secretKeyTag,
+                secretValueCiphertext,
+                secretValueIV,
+                secretValueTag,
+                secretCommentCiphertext,
+                secretCommentIV,
+                secretCommentTag,
+                algorithm: ALGORITHM_AES_256_GCM,
+                keyEncoding: ENCODING_SCHEME_UTF8,
+                tags
+            });
+        })
+    );

    const newlyCreatedSecrets: ISecret[] = (await Secret.insertMany(secretsToInsert)).map((insertedSecret) => insertedSecret.toObject());

@ -403,7 +481,7 @@ export const createSecrets = async (req: Request, res: Response) => {
        // trigger event - push secrets
        await EventService.handleEvent({
            event: eventPushSecrets({
-                workspaceId
+                workspaceId: new Types.ObjectId(workspaceId)
            })
        });
    }, 5000);
@ -417,24 +495,21 @@ export const createSecrets = async (req: Request, res: Response) => {
            type,
            user,
            environment,
+            secretBlindIndex,
            secretKeyCiphertext,
            secretKeyIV,
            secretKeyTag,
            secretValueCiphertext,
            secretValueIV,
-            secretValueTag,
-            secretCommentCiphertext,
-            secretCommentIV,
-            secretCommentTag,
-            tags
-        }) => ({
-            _id: new Types.ObjectId(),
+            secretValueTag
+        }) => new SecretVersion({
            secret: _id,
            version,
            workspace,
            type,
            user,
            environment,
+            secretBlindIndex,
            isDeleted: false,
            secretKeyCiphertext,
            secretKeyIV,
@ -442,10 +517,8 @@ export const createSecrets = async (req: Request, res: Response) => {
            secretValueCiphertext,
            secretValueIV,
            secretValueTag,
-            secretCommentCiphertext,
-            secretCommentIV,
-            secretCommentTag,
-            tags
+            algorithm: ALGORITHM_AES_256_GCM,
+            keyEncoding: ENCODING_SCHEME_UTF8
        }))
    });

@ -471,24 +544,26 @@ export const createSecrets = async (req: Request, res: Response) => {

    // (EE) take a secret snapshot
    await EESecretService.takeSecretSnapshot({
-        workspaceId
+        workspaceId: new Types.ObjectId(workspaceId)
    });

-    const postHogClient = TelemetryService.getPostHogClient();
+    const postHogClient = await TelemetryService.getPostHogClient();
    if (postHogClient) {
        postHogClient.capture({
            event: 'secrets added',
-            distinctId: TelemetryService.getDistinctId({
-                user: req.user,
-                serviceAccount: req.serviceAccount,
-                serviceTokenData: req.serviceTokenData
+            distinctId: await TelemetryService.getDistinctId({
+                authData: req.authData
            }),
            properties: {
                numberOfSecrets: listOfSecretsToCreate.length,
                environment,
                workspaceId,
                channel: channel,
-                userAgent: req.headers?.['user-agent']
+                userAgent: req.headers?.['user-agent'],
+                isPaid,
+                email: await TelemetryService.getDistinctId({
+                    authData: req.authData
+                })
            }
        });
    }
@ -546,9 +621,17 @@ export const getSecrets = async (req: Request, res: Response) => {
    }   
    */

-    const { tagSlugs } = req.query;
+    const { tagSlugs, secretsPath } = req.query;
    const workspaceId = req.query.workspaceId as string;
    const environment = req.query.environment as string;
+    const normalizedPath = normalizePath(secretsPath as string)
+    const folders = await getFoldersInDirectory(workspaceId as string, environment as string, normalizedPath)
+
+    const workspace = await Workspace.findById(workspaceId);
+    if (!workspace) throw WorkspaceNotFoundError();
+    
+    const orgPlan = await EELicenseService.getOrganizationPlan(workspace.organization.toString());
+    const isPaid = orgPlan.tier >= 1;

    // secrets to return 
    let secrets: ISecret[] = [];
@ -581,6 +664,12 @@ export const getSecrets = async (req: Request, res: Response) => {
            ]
        }

+        if (normalizedPath == ROOT_FOLDER_PATH) {
+            secretQuery.path = { $in: [ROOT_FOLDER_PATH, null, undefined] }
+        } else if (normalizedPath) {
+            secretQuery.path = normalizedPath
+        }
+
        if (tagIds.length > 0) {
            secretQuery.tags = { $in: tagIds };
        }
@ -595,7 +684,7 @@ export const getSecrets = async (req: Request, res: Response) => {

    // case: client authorization is via service token
    if (req.serviceTokenData) {
-        const userId = req.serviceTokenData.user._id
+        const userId = req.serviceTokenData.user;

        const secretQuery: any = {
            workspace: workspaceId,
@ -606,6 +695,13 @@ export const getSecrets = async (req: Request, res: Response) => {
            ]
        }

+        // TODO: check if user can query for given path
+        if (normalizedPath == ROOT_FOLDER_PATH) {
+            secretQuery.path = { $in: [ROOT_FOLDER_PATH, null, undefined] }
+        } else if (normalizedPath) {
+            secretQuery.path = normalizedPath
+        }
+
        if (tagIds.length > 0) {
            secretQuery.tags = { $in: tagIds };
        }
@ -623,6 +719,12 @@ export const getSecrets = async (req: Request, res: Response) => {
            user: { $exists: false } // shared secrets only from workspace
        }

+        if (normalizedPath == ROOT_FOLDER_PATH) {
+            secretQuery.path = { $in: [ROOT_FOLDER_PATH, null, undefined] }
+        } else if (normalizedPath) {
+            secretQuery.path = normalizedPath
+        }
+
        if (tagIds.length > 0) {
            secretQuery.tags = { $in: tagIds };
        }
@ -651,27 +753,30 @@ export const getSecrets = async (req: Request, res: Response) => {
        ipAddress: req.ip
    });

-    const postHogClient = TelemetryService.getPostHogClient();
+    const postHogClient = await TelemetryService.getPostHogClient();
    if (postHogClient) {
        postHogClient.capture({
            event: 'secrets pulled',
-            distinctId: TelemetryService.getDistinctId({
-                user: req.user,
-                serviceAccount: req.serviceAccount,
-                serviceTokenData: req.serviceTokenData
+            distinctId: await TelemetryService.getDistinctId({
+                authData: req.authData
            }),
            properties: {
                numberOfSecrets: secrets.length,
                environment,
                workspaceId,
                channel,
-                userAgent: req.headers?.['user-agent']
+                userAgent: req.headers?.['user-agent'],
+                isPaid,
+                email: await TelemetryService.getDistinctId({
+                    authData: req.authData
+                })
            }
        });
    }

    return res.status(200).send({
-        secrets
+        secrets,
+        folders
    });
 }

@ -768,6 +873,8 @@ export const updateSecrets = async (req: Request, res: Response) => {
                    secretValueCiphertext,
                    secretValueIV,
                    secretValueTag,
+                    algorithm: ALGORITHM_AES_256_GCM,
+                    keyEncoding: ENCODING_SCHEME_UTF8,
                    tags,
                    ...((
                        secretCommentCiphertext !== undefined &&
@ -821,6 +928,8 @@ export const updateSecrets = async (req: Request, res: Response) => {
                secretCommentCiphertext: secretCommentCiphertext ? secretCommentCiphertext : secret.secretCommentCiphertext,
                secretCommentIV: secretCommentIV ? secretCommentIV : secret.secretCommentIV,
                secretCommentTag: secretCommentTag ? secretCommentTag : secret.secretCommentTag,
+                algorithm: ALGORITHM_AES_256_GCM,
+                keyEncoding: ENCODING_SCHEME_UTF8,
                tags: tags ? tags : secret.tags
            });
        })
@ -845,7 +954,7 @@ export const updateSecrets = async (req: Request, res: Response) => {
        setTimeout(async () => {
            await EventService.handleEvent({
                event: eventPushSecrets({
-                    workspaceId: key
+                    workspaceId: new Types.ObjectId(key)
                })
            });
        }, 10000);
@ -872,24 +981,32 @@ export const updateSecrets = async (req: Request, res: Response) => {

        // (EE) take a secret snapshot
        await EESecretService.takeSecretSnapshot({
-            workspaceId: key
+            workspaceId: new Types.ObjectId(key)
        })

-        const postHogClient = TelemetryService.getPostHogClient();
+        const workspace = await Workspace.findById(key);
+        if (!workspace) throw WorkspaceNotFoundError();
+        
+        const orgPlan = await EELicenseService.getOrganizationPlan(workspace.organization.toString());
+        const isPaid = orgPlan.tier >= 1;
+
+        const postHogClient = await TelemetryService.getPostHogClient();
        if (postHogClient) {
            postHogClient.capture({
                event: 'secrets modified',
-                distinctId: TelemetryService.getDistinctId({
-                    user: req.user,
-                    serviceAccount: req.serviceAccount,
-                    serviceTokenData: req.serviceTokenData
+                distinctId: await TelemetryService.getDistinctId({
+                    authData: req.authData
                }),
                properties: {
                    numberOfSecrets: workspaceSecretObj[key].length,
                    environment: workspaceSecretObj[key][0].environment,
                    workspaceId: key,
                    channel: channel,
-                    userAgent: req.headers?.['user-agent']
+                    userAgent: req.headers?.['user-agent'],
+                    isPaid,
+                    email: await TelemetryService.getDistinctId({
+                        authData: req.authData
+                    })
                }
            });
        }
@ -955,10 +1072,6 @@ export const deleteSecrets = async (req: Request, res: Response) => {
    }   
    */

-    return res.status(200).send({
-        message: 'delete secrets!!'
-    });
-
    const channel = getChannelFromUserAgent(req.headers['user-agent'])
    const toDelete = req.secrets.map((s: any) => s._id);

@ -987,7 +1100,7 @@ export const deleteSecrets = async (req: Request, res: Response) => {
        // trigger event - push secrets
        await EventService.handleEvent({
            event: eventPushSecrets({
-                workspaceId: key
+                workspaceId: new Types.ObjectId(key)
            })
        });
        const deleteAction = await EELogService.createAction({
@ -1012,24 +1125,32 @@ export const deleteSecrets = async (req: Request, res: Response) => {

        // (EE) take a secret snapshot
        await EESecretService.takeSecretSnapshot({
-            workspaceId: key
-        })
+            workspaceId: new Types.ObjectId(key)
+        });

-        const postHogClient = TelemetryService.getPostHogClient();
+        const workspace = await Workspace.findById(key);
+        if (!workspace) throw WorkspaceNotFoundError();
+        
+        const orgPlan = await EELicenseService.getOrganizationPlan(workspace.organization.toString());
+        const isPaid = orgPlan.tier >= 1;
+
+        const postHogClient = await TelemetryService.getPostHogClient();
        if (postHogClient) {
            postHogClient.capture({
                event: 'secrets deleted',
-                distinctId: TelemetryService.getDistinctId({
-                    user: req.user,
-                    serviceAccount: req.serviceAccount,
-                    serviceTokenData: req.serviceTokenData
+                distinctId: await TelemetryService.getDistinctId({
+                    authData: req.authData
                }),
                properties: {
                    numberOfSecrets: workspaceSecretObj[key].length,
                    environment: workspaceSecretObj[key][0].environment,
                    workspaceId: key,
                    channel: channel,
-                    userAgent: req.headers?.['user-agent']
+                    userAgent: req.headers?.['user-agent'],
+                    isPaid,
+                    email: await TelemetryService.getDistinctId({
+                        authData: req.authData
+                    })
                }
            });
        }
--- a/backend/src/controllers/v2/serviceAccountsController.ts
+++ b/backend/src/controllers/v2/serviceAccountsController.ts
@ -72,7 +72,7 @@ export const createServiceAccount = async (req: Request, res: Response) => {
    }

    const secret = crypto.randomBytes(16).toString('base64');
-    const secretHash = await bcrypt.hash(secret, getSaltRounds());
+    const secretHash = await bcrypt.hash(secret, await getSaltRounds());
    
    // create service account
    const serviceAccount = await new ServiceAccount({
--- a/backend/src/controllers/v2/serviceTokenDataController.ts
+++ b/backend/src/controllers/v2/serviceTokenDataController.ts
@ -11,9 +11,11 @@ import { userHasWorkspaceAccess } from '../../ee/helpers/checkMembershipPermissi
 import { 
    PERMISSION_READ_SECRETS,
    AUTH_MODE_JWT,
-    AUTH_MODE_SERVICE_ACCOUNT
+    AUTH_MODE_SERVICE_ACCOUNT,
+    AUTH_MODE_SERVICE_TOKEN
 } from '../../variables';
 import { getSaltRounds } from '../../config';
+import { BadRequestError } from '../../utils/errors';

 /**
 * Return service token data associated with service token on request
@ -48,7 +50,16 @@ export const getServiceTokenData = async (req: Request, res: Response) => {
    }   
    */

-    return res.status(200).json(req.serviceTokenData);
+    if (!(req.authData.authPayload instanceof ServiceTokenData)) throw BadRequestError({
+        message: 'Failed accepted client validation for service token data'
+    });
+
+    const serviceTokenData = await ServiceTokenData
+        .findById(req.authData.authPayload._id)
+        .select('+encryptedKey +iv +tag')
+        .populate('user');
+
+    return res.status(200).json(serviceTokenData);
 }

 /**
@ -73,10 +84,10 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
    } = req.body;

    const secret = crypto.randomBytes(16).toString('hex');
-    const secretHash = await bcrypt.hash(secret, getSaltRounds());
+    const secretHash = await bcrypt.hash(secret, await getSaltRounds());

    let expiresAt; 
-    if (!!expiresIn) {
+    if (expiresIn) {
        expiresAt = new Date()
        expiresAt.setSeconds(expiresAt.getSeconds() + expiresIn);
    }
--- a/backend/src/controllers/v2/signupController.ts
+++ b/backend/src/controllers/v2/signupController.ts
@ -7,8 +7,9 @@ import {
 } from '../../helpers/signup';
 import { issueAuthTokens } from '../../helpers/auth';
 import { INVITED, ACCEPTED } from '../../variables';
-import request from '../../config/request';
+import { standardRequest } from '../../config/request';
 import { getLoopsApiKey, getHttpsEnabled } from '../../config';
+import { updateSubscriptionOrgQuantity } from '../../helpers/organization';

 /**
 * Complete setting up user by adding their personal and auth information as part of the
@ -87,6 +88,19 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			user
 		});

+		// update organization membership statuses that are
+		// invited to completed with user attached
+		const membershipsToUpdate = await MembershipOrg.find({
+			inviteEmail: email,
+			status: INVITED
+		});
+		
+		membershipsToUpdate.forEach(async (membership) => {
+			await updateSubscriptionOrgQuantity({
+				organizationId: membership.organization.toString()
+			});
+		});
+
 		// update organization membership statuses that are
 		// invited to completed with user attached
 		await MembershipOrg.updateMany(
@ -108,8 +122,8 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 		token = tokens.token;

 		// sending a welcome email to new users
-		if (getLoopsApiKey()) {
-			await request.post("https://app.loops.so/api/v1/events/send", {
+		if (await getLoopsApiKey()) {
+			await standardRequest.post("https://app.loops.so/api/v1/events/send", {
 				"email": email,
 				"eventName": "Sign Up",
 				"firstName": firstName,
@ -117,7 +131,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			}, {
 				headers: {
 					"Accept": "application/json",
-					"Authorization": "Bearer " + getLoopsApiKey()
+					"Authorization": "Bearer " + (await getLoopsApiKey())
 				},
 			});
 		}
@ -127,7 +141,7 @@ export const completeAccountSignup = async (req: Request, res: Response) => {
 			httpOnly: true,
 			path: '/',
 			sameSite: 'strict',
-			secure: getHttpsEnabled()
+			secure: await getHttpsEnabled()
 		});
 	} catch (err) {
 		Sentry.setUser(null);
@ -206,9 +220,20 @@ export const completeAccountInvite = async (req: Request, res: Response) => {

 		if (!user)
 			throw new Error('Failed to complete account for non-existent user');
-
+		
 		// update organization membership statuses that are
 		// invited to completed with user attached
+		const membershipsToUpdate = await MembershipOrg.find({
+			inviteEmail: email,
+			status: INVITED
+		});
+		
+		membershipsToUpdate.forEach(async (membership) => {
+			await updateSubscriptionOrgQuantity({
+				organizationId: membership.organization.toString()
+			});
+		});
+
 		await MembershipOrg.updateMany(
 			{
 				inviteEmail: email,
@ -232,7 +257,7 @@ export const completeAccountInvite = async (req: Request, res: Response) => {
 			httpOnly: true,
 			path: '/',
 			sameSite: 'strict',
-			secure: getHttpsEnabled()
+			secure: await getHttpsEnabled()
 		});
 	} catch (err) {
 		Sentry.setUser(null);
--- a/backend/src/controllers/v2/workspaceController.ts
+++ b/backend/src/controllers/v2/workspaceController.ts
@ -48,7 +48,7 @@ interface V2PushSecret {
 export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
 	// upload (encrypted) secrets to workspace with id [workspaceId]
 	try {
-		const postHogClient = TelemetryService.getPostHogClient();
+		const postHogClient = await TelemetryService.getPostHogClient();
 		let { secrets }: { secrets: V2PushSecret[] } = req.body;
 		const { keys, environment, channel } = req.body;
 		const { workspaceId } = req.params;
@ -95,7 +95,8 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
 		// trigger event - push secrets
 		EventService.handleEvent({
 			event: eventPushSecrets({
-				workspaceId
+				workspaceId: new Types.ObjectId(workspaceId),
+				environment
 			})
 		});

@ -122,7 +123,7 @@ export const pushWorkspaceSecrets = async (req: Request, res: Response) => {
 export const pullSecrets = async (req: Request, res: Response) => {
 	let secrets;
 	try {
-		const postHogClient = TelemetryService.getPostHogClient();
+		const postHogClient = await TelemetryService.getPostHogClient();
 		const environment: string = req.query.environment as string;
 		const channel: string = req.query.channel as string;
 		const { workspaceId } = req.params;
@ -131,7 +132,7 @@ export const pullSecrets = async (req: Request, res: Response) => {
 		if (req.user) {
 			userId = req.user._id.toString();
 		} else if (req.serviceTokenData) {
-			userId = req.serviceTokenData.user._id
+			userId = req.serviceTokenData.user.toString();
 		}
 		// validate environment
 		const workspaceEnvs = req.membership.workspace.environments;
--- a/backend/src/controllers/v3/index.ts
+++ b/backend/src/controllers/v3/index.ts
@ -0,0 +1,7 @@
+import * as secretsController from './secretsController';
+import * as workspacesController from './workspacesController';
+
+export {
+    secretsController,
+    workspacesController
+}
--- a/backend/src/controllers/v3/secretsController.ts
+++ b/backend/src/controllers/v3/secretsController.ts
@ -0,0 +1,183 @@
+import { Request, Response } from 'express';
+import { Types } from 'mongoose';
+import { 
+    SecretService, 
+    TelemetryService,
+    EventService
+} from '../../services';
+import { eventPushSecrets } from '../../events';
+import { getAuthDataPayloadIdObj } from '../../utils/auth';
+import { BadRequestError } from '../../utils/errors';
+
+/**
+ * Get secrets for workspace with id [workspaceId] and environment
+ * [environment]
+ * @param req 
+ * @param res 
+ */
+export const getSecrets = async (req: Request, res: Response) => {
+    const workspaceId = req.query.workspaceId as string;
+    const environment = req.query.environment as string;
+
+    const secrets = await SecretService.getSecrets({
+        workspaceId: new Types.ObjectId(workspaceId),
+        environment,
+        authData: req.authData
+    });
+
+    return res.status(200).send({
+        secrets
+    });
+}
+
+/**
+ * Get secret with name [secretName]
+ * @param req 
+ * @param res 
+ */
+export const getSecretByName = async (req: Request, res: Response) => {
+    const { secretName } = req.params;
+    const workspaceId = req.query.workspaceId as string;
+    const environment = req.query.environment as string;
+    const type = req.query.type as 'shared' | 'personal' | undefined;
+
+    const secret = await SecretService.getSecret({
+        secretName,
+        workspaceId: new Types.ObjectId(workspaceId),
+        environment,
+        type,
+        authData: req.authData
+    });
+    
+    return res.status(200).send({
+        secret
+    });
+}
+
+/**
+ * Create secret with name [secretName]
+ * @param req 
+ * @param res 
+ */
+export const createSecret = async (req: Request, res: Response) => {
+    const { secretName } = req.params;
+    const { 
+        workspaceId,
+        environment,
+        type,
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        secretCommentCiphertext,
+        secretCommentIV,
+        secretCommentTag
+    } = req.body;
+    
+    const secret = await SecretService.createSecret({
+        secretName,
+        workspaceId: new Types.ObjectId(workspaceId),
+        environment,
+        type,
+        authData: req.authData,
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        ...((secretCommentCiphertext && secretCommentIV && secretCommentTag) ? {
+            secretCommentCiphertext,
+            secretCommentIV,
+            secretCommentTag
+        } : {})
+    });
+
+    await EventService.handleEvent({
+        event: eventPushSecrets({
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment
+        })
+    });
+
+    const secretWithoutBlindIndex = secret.toObject();
+    delete secretWithoutBlindIndex.secretBlindIndex;
+    
+    return res.status(200).send({
+        secret: secretWithoutBlindIndex
+    });
+}
+
+/**
+ * Update secret with name [secretName]
+ * @param req
+ * @param res 
+ */
+export const updateSecretByName = async (req: Request, res: Response) => {
+    const { secretName } = req.params;
+    const {
+        workspaceId,
+        environment,
+        type,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag
+    } = req.body;
+
+    const secret = await SecretService.updateSecret({
+        secretName,
+        workspaceId,
+        environment,
+        type,
+        authData: req.authData,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag
+    });
+    
+    await EventService.handleEvent({
+        event: eventPushSecrets({
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment
+        })
+    });
+
+    return res.status(200).send({
+        secret
+    });
+}
+
+/**
+ * Delete secret with name [secretName]
+ * @param req 
+ * @param res 
+ */
+export const deleteSecretByName = async (req: Request, res: Response) => {
+    const { secretName } = req.params;
+    const {
+        workspaceId,
+        environment,
+        type
+    } = req.body;
+    
+    const { secret, secrets } = await SecretService.deleteSecret({
+        secretName,
+        workspaceId,
+        environment,
+        type,
+        authData: req.authData
+    });
+
+    await EventService.handleEvent({
+        event: eventPushSecrets({
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment
+        })
+    });
+
+    return res.status(200).send({
+        secret
+    });
+}
--- a/backend/src/controllers/v3/workspacesController.ts
+++ b/backend/src/controllers/v3/workspacesController.ts
@ -0,0 +1,90 @@
+import { Request, Response } from 'express';
+import { Types } from 'mongoose';
+import { Secret } from '../../models';
+import { SecretService } from'../../services';
+
+/**
+ * Return whether or not all secrets in workspace with id [workspaceId]
+ * are blind-indexed
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getWorkspaceBlindIndexStatus = async (req: Request, res: Response) => {
+    const { workspaceId } = req.params;
+
+    const secretsWithoutBlindIndex = await Secret.countDocuments({
+        workspace: new Types.ObjectId(workspaceId),
+        secretBlindIndex: {
+            $exists: false
+        }
+    });
+
+    return res.status(200).send(secretsWithoutBlindIndex === 0);
+}
+
+/**
+ * Get all secrets for workspace with id [workspaceId]
+ */
+export const getWorkspaceSecrets = async (req: Request, res: Response) => {
+    const { workspaceId } = req.params;
+
+    const secrets = await Secret.find({
+        workspace: new Types.ObjectId (workspaceId)
+    });
+    
+    return res.status(200).send({
+        secrets
+    });
+}
+
+/**
+ * Update blind indices for secrets in workspace with id [workspaceId]
+ * @param req 
+ * @param res 
+ */
+export const nameWorkspaceSecrets = async (req: Request, res: Response) => {
+    interface SecretToUpdate {
+        secretName: string;
+        _id: string;
+    }
+
+    const { workspaceId } = req.params;
+    const { 
+        secretsToUpdate 
+    }: {
+        secretsToUpdate: SecretToUpdate[];
+    } = req.body;
+
+    // get secret blind index salt
+    const salt = await SecretService.getSecretBlindIndexSalt({
+        workspaceId: new Types.ObjectId(workspaceId)
+    });
+
+    // update secret blind indices
+    const operations = await Promise.all(
+        secretsToUpdate.map(async (secretToUpdate: SecretToUpdate) => {
+            const secretBlindIndex = await SecretService.generateSecretBlindIndexWithSalt({
+                secretName: secretToUpdate.secretName,
+                salt
+            });
+    
+            return ({
+                updateOne: {
+                    filter: {
+                        _id: new Types.ObjectId(secretToUpdate._id)
+                    },
+                    update: {
+                        secretBlindIndex
+                    }
+                }
+            });
+        })
+    );
+
+    await Secret.bulkWrite(operations);
+
+    return res.status(200).send({
+        message: 'Successfully named workspace secrets'
+    });
+}
--- a/backend/src/ee/controllers/v1/cloudProductsController.ts
+++ b/backend/src/ee/controllers/v1/cloudProductsController.ts
@ -0,0 +1,34 @@
+import * as Sentry from '@sentry/node';
+import { Request, Response } from 'express';
+import { EELicenseService } from '../../services';
+import { getLicenseServerUrl } from '../../../config';
+import { licenseServerKeyRequest } from '../../../config/request';
+
+/**
+ * Return available cloud product information.
+ * Note: Nicely formatted to easily construct a table from
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const getCloudProducts = async (req: Request, res: Response) => {
+    try {
+        const billingCycle = req.query['billing-cycle'] as string;
+
+        if (EELicenseService.instanceType === 'cloud') {
+            const { data } = await licenseServerKeyRequest.get(
+                `${await getLicenseServerUrl()}/api/license-server/v1/cloud-products?billing-cycle=${billingCycle}`
+            ); 
+
+            return res.status(200).send(data);
+        }
+    } catch (err) {
+        Sentry.setUser({ email: req.user.email });
+        Sentry.captureException(err);
+    }
+    
+    return res.status(200).send({
+        head: [],
+        rows: []
+    });
+}
--- a/backend/src/ee/controllers/v1/index.ts
+++ b/backend/src/ee/controllers/v1/index.ts
@ -1,15 +1,19 @@
 import * as stripeController from './stripeController';
 import * as secretController from './secretController';
 import * as secretSnapshotController from './secretSnapshotController';
+import * as organizationsController from './organizationsController';
 import * as workspaceController from './workspaceController';
 import * as actionController from './actionController';
 import * as membershipController from './membershipController';
+import * as cloudProductsController from './cloudProductsController';

 export {
    stripeController,
    secretController,
    secretSnapshotController,
+    organizationsController,
    workspaceController,
    actionController,
-    membershipController
+    membershipController,
+    cloudProductsController
 }
--- a/backend/src/ee/controllers/v1/organizationsController.ts
+++ b/backend/src/ee/controllers/v1/organizationsController.ts
@ -0,0 +1,83 @@
+import { Request, Response } from 'express';
+import { getLicenseServerUrl } from '../../../config';
+import { licenseServerKeyRequest } from '../../../config/request';
+import { EELicenseService } from '../../services';
+
+/**
+ * Return the organization's current plan and allowed feature set
+ */
+export const getOrganizationPlan = async (req: Request, res: Response) => {
+    const { organizationId } = req.params;
+
+    const plan = await EELicenseService.getOrganizationPlan(organizationId);
+
+    return res.status(200).send({
+        plan,
+    });
+}
+
+/**
+ * Update the organization plan to product with id [productId]
+ * @param req 
+ * @param res 
+ * @returns 
+ */
+export const updateOrganizationPlan = async (req: Request, res: Response) => {
+    const {
+        productId
+    } = req.body;
+
+    const { data  } = await licenseServerKeyRequest.patch(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/cloud-plan`,
+        {
+            productId
+        }
+    ); 
+    
+    return res.status(200).send(data);
+}
+
+/**
+ * Return the organization's payment methods on file
+ */
+export const getOrganizationPmtMethods = async (req: Request, res: Response) => {
+    const { data: { pmtMethods } } = await licenseServerKeyRequest.get(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods`
+    );
+
+    return res.status(200).send({
+        pmtMethods
+    }); 
+}
+
+/**
+ * Return a Stripe session URL to add payment method for organization
+ */
+export const addOrganizationPmtMethod = async (req: Request, res: Response) => {
+    const {
+        success_url,
+        cancel_url
+    } = req.body;
+    
+    const { data: { url } } = await licenseServerKeyRequest.post(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods`,
+        {
+            success_url,
+            cancel_url
+        }
+    );
+    
+    return res.status(200).send({
+        url
+    }); 
+}
+
+export const deleteOrganizationPmtMethod = async (req: Request, res: Response) => {
+    const { pmtMethodId } = req.params;
+
+    const { data } = await licenseServerKeyRequest.delete(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${req.organization.customerId}/billing-details/payment-methods/${pmtMethodId}`,
+    );
+        
+    return res.status(200).send(data);
+}
--- a/backend/src/ee/controllers/v1/secretController.ts
+++ b/backend/src/ee/controllers/v1/secretController.ts
@ -146,7 +146,7 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
 		const oldSecretVersion = await SecretVersion.findOne({
 			secret: secretId,
 			version
-		});
+		}).select('+secretBlindIndex')
 		
 		if (!oldSecretVersion) throw new Error('Failed to find secret version');
 		
@ -155,12 +155,15 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
 			type,
 			user,
 			environment,
+			secretBlindIndex,
 			secretKeyCiphertext,
 			secretKeyIV,
 			secretKeyTag,
 			secretValueCiphertext,
 			secretValueIV,
 			secretValueTag,
+			algorithm,
+			keyEncoding
 		} = oldSecretVersion;
 		
 		// update secret
@ -174,12 +177,15 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
 				type,
 				user,
 				environment,
+				...(secretBlindIndex ? { secretBlindIndex } : {}),
 				secretKeyCiphertext,
 				secretKeyIV,
 				secretKeyTag,
 				secretValueCiphertext,
 				secretValueIV,
 				secretValueTag,
+				algorithm,
+				keyEncoding
 			},
 			{
 				new: true
@ -197,17 +203,20 @@ export const rollbackSecretVersion = async (req: Request, res: Response) => {
 			user,
 			environment,
 			isDeleted: false,
+			...(secretBlindIndex ? { secretBlindIndex } : {}),
 			secretKeyCiphertext,
 			secretKeyIV,
 			secretKeyTag,
 			secretValueCiphertext,
 			secretValueIV,
-			secretValueTag
+			secretValueTag,
+			algorithm,
+			keyEncoding
 		}).save();
 		
 		// take secret snapshot
 		await EESecretService.takeSecretSnapshot({
-			workspaceId: secret.workspace.toString()
+			workspaceId: secret.workspace
 		});
 		
 	} catch (err) {
--- a/backend/src/ee/controllers/v1/secretSnapshotController.ts
+++ b/backend/src/ee/controllers/v1/secretSnapshotController.ts
@ -15,16 +15,10 @@ export const getSecretSnapshot = async (req: Request, res: Response) => {

        secretSnapshot = await SecretSnapshot
            .findById(secretSnapshotId)
-            .populate({
-                path: 'secretVersions',
-                populate: {
-                    path: 'tags',
-                    model: 'Tag',
-                }
-            });
+            .populate('secretVersions');
        
        if (!secretSnapshot) throw new Error('Failed to find secret snapshot');
-        
+
    } catch (err) {
        Sentry.setUser({ email: req.user.email });
 		Sentry.captureException(err);
--- a/backend/src/ee/controllers/v1/stripeController.ts
+++ b/backend/src/ee/controllers/v1/stripeController.ts
@ -12,7 +12,7 @@ import { getStripeSecretKey, getStripeWebhookSecret } from '../../../config';
 export const handleWebhook = async (req: Request, res: Response) => {
 	let event;
 	try {
-		const stripe = new Stripe(getStripeSecretKey(), {
+		const stripe = new Stripe(await getStripeSecretKey(), {
 			apiVersion: '2022-08-01'
 		});

@ -21,7 +21,7 @@ export const handleWebhook = async (req: Request, res: Response) => {
 		event = stripe.webhooks.constructEvent(
 			req.body,
 			sig,
-			getStripeWebhookSecret()
+			await getStripeWebhookSecret()
 		);
 	} catch (err) {
 		Sentry.setUser({ email: req.user.email });
--- a/backend/src/ee/controllers/v1/workspaceController.ts
+++ b/backend/src/ee/controllers/v1/workspaceController.ts
@ -173,6 +173,7 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
        }
    }   
    */
+	
 	let secrets;
    try {	
        const { workspaceId } = req.params;
@ -182,7 +183,10 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
 		const secretSnapshot = await SecretSnapshot.findOne({
 			workspace: workspaceId,
 			version
-		}).populate<{ secretVersions: ISecretVersion[]}>('secretVersions');
+		}).populate<{ secretVersions: ISecretVersion[]}>({
+			path: 'secretVersions',
+			select: '+secretBlindIndex'
+		});
        
        if (!secretSnapshot) throw new Error('Failed to find secret snapshot');

@ -222,6 +226,7 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
 					type,
 					user,
 					environment,
+					secretBlindIndex,
 					secretKeyCiphertext,
 					secretKeyIV,
 					secretKeyTag,
@ -240,6 +245,7 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
 					type,
 					user,
 					environment,
+					secretBlindIndex: secretBlindIndex ?? undefined,
 					secretKeyCiphertext,
 					secretKeyIV,
 					secretKeyTag,
@ -257,7 +263,7 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
 		);
 		
 		// add secret versions
-		await SecretVersion.insertMany(
+		const secretV = await SecretVersion.insertMany(
 			secrets.map(({
 				_id,
 				version,
@ -265,6 +271,7 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
 				type,
 				user,
 				environment,
+				secretBlindIndex,
 				secretKeyCiphertext,
 				secretKeyIV,
 				secretKeyTag,
@ -282,6 +289,7 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
 				user,
 				environment,
 				isDeleted: false,
+				secretBlindIndex: secretBlindIndex ?? undefined,
 				secretKeyCiphertext,
 				secretKeyIV,
 				secretKeyTag,
@ -304,7 +312,7 @@ export const rollbackWorkspaceSecretSnapshot = async (req: Request, res: Respons
 		
        // take secret snapshot
 		await EESecretService.takeSecretSnapshot({
-			workspaceId
+			workspaceId: new Types.ObjectId(workspaceId)
 		});
    } catch (err) {
        Sentry.setUser({ email: req.user.email });
--- a/backend/src/ee/helpers/action.ts
+++ b/backend/src/ee/helpers/action.ts
@ -1,4 +1,3 @@
-import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
 import { Action } from '../models';
 import { 
@ -36,33 +35,25 @@ const createActionUpdateSecret = async ({
    workspaceId: Types.ObjectId;
    secretIds: Types.ObjectId[];
 }) => {
-    let action;
-    try {
-        const latestSecretVersions = (await getLatestNSecretSecretVersionIds({
-                secretIds,
-                n: 2
-            }))
-            .map((s) => ({
-                oldSecretVersion: s.versions[0]._id,
-                newSecretVersion: s.versions[1]._id
-            }));
-        
-        action = await new Action({
-            name,
-            user: userId,
-            serviceAccount: serviceAccountId,
-            serviceTokenData: serviceTokenDataId,
-            workspace: workspaceId,
-            payload: {
-                secretVersions: latestSecretVersions
-            }
-        }).save();
-
-    } catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to create update secret action');
-    }
+    const latestSecretVersions = (await getLatestNSecretSecretVersionIds({
+            secretIds,
+            n: 2
+        }))
+        .map((s) => ({
+            oldSecretVersion: s.versions[0]._id,
+            newSecretVersion: s.versions[1]._id
+        }));
+    
+    const action = await new Action({
+        name,
+        user: userId,
+        serviceAccount: serviceAccountId,
+        serviceTokenData: serviceTokenDataId,
+        workspace: workspaceId,
+        payload: {
+            secretVersions: latestSecretVersions
+        }
+    }).save();
    
    return action;
 }
@ -90,33 +81,25 @@ const createActionSecret = async ({
    workspaceId: Types.ObjectId;
    secretIds: Types.ObjectId[];
 }) => {
-    let action;
-    try {
-        // case: action is adding, deleting, or reading secrets
-        // -> add new secret versions
-        const latestSecretVersions = (await getLatestSecretVersionIds({
-            secretIds
-        }))
-        .map((s) => ({
-            newSecretVersion: s.versionId
-        }));
-        
-       action = await new Action({
-            name,
-            user: userId,
-            serviceAccount: serviceAccountId,
-            serviceTokenData: serviceTokenDataId,
-            workspace: workspaceId,
-            payload: {
-                secretVersions: latestSecretVersions
-            }
-        }).save(); 
-
-    } catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to create action create/read/delete secret action');
-    }
+    // case: action is adding, deleting, or reading secrets
+    // -> add new secret versions
+    const latestSecretVersions = (await getLatestSecretVersionIds({
+        secretIds
+    }))
+    .map((s) => ({
+        newSecretVersion: s.versionId
+    }));
+    
+   const action = await new Action({
+        name,
+        user: userId,
+        serviceAccount: serviceAccountId,
+        serviceTokenData: serviceTokenDataId,
+        workspace: workspaceId,
+        payload: {
+            secretVersions: latestSecretVersions
+        }
+    }).save(); 
    
    return action;
 }
@ -140,19 +123,12 @@ const createActionClient = ({
    serviceAccountId?: Types.ObjectId;
    serviceTokenDataId?: Types.ObjectId;
 }) => {
-    let action;
-    try {
-        action = new Action({
-            name,
-            user: userId,
-            serviceAccount: serviceAccountId,
-            serviceTokenData: serviceTokenDataId
-        }).save();
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error('Failed to create client action');
-    }
+    const action = new Action({
+        name,
+        user: userId,
+        serviceAccount: serviceAccountId,
+        serviceTokenData: serviceTokenDataId
+    }).save();

    return action; 
 }
@ -181,40 +157,34 @@ const createActionHelper = async ({
    secretIds?: Types.ObjectId[];
 }) => {
    let action;
-    try {
-        switch (name) {
-            case ACTION_LOGIN:
-            case ACTION_LOGOUT:
-                action = await createActionClient({
-                    name,
-                    userId
-                });
-                break;
-            case ACTION_ADD_SECRETS:
-            case ACTION_READ_SECRETS:
-            case ACTION_DELETE_SECRETS:
-                if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
-                action = await createActionSecret({
-                    name,
-                    userId,
-                    workspaceId,
-                    secretIds
-                });
-                break;
-            case ACTION_UPDATE_SECRETS:
-                if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
-                action = await createActionUpdateSecret({
-                    name,
-                    userId,
-                    workspaceId,
-                    secretIds
-                });
-                break;
-        }
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to create action');
+    switch (name) {
+        case ACTION_LOGIN:
+        case ACTION_LOGOUT:
+            action = await createActionClient({
+                name,
+                userId
+            });
+            break;
+        case ACTION_ADD_SECRETS:
+        case ACTION_READ_SECRETS:
+        case ACTION_DELETE_SECRETS:
+            if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
+            action = await createActionSecret({
+                name,
+                userId,
+                workspaceId,
+                secretIds
+            });
+            break;
+        case ACTION_UPDATE_SECRETS:
+            if (!workspaceId || !secretIds) throw new Error('Missing required params workspace id or secret ids to create action secret');
+            action = await createActionUpdateSecret({
+                name,
+                userId,
+                workspaceId,
+                secretIds
+            });
+            break;
    }
    
    return action;
@ -222,4 +192,4 @@ const createActionHelper = async ({

 export { 
    createActionHelper
-};
+};
--- a/backend/src/ee/helpers/log.ts
+++ b/backend/src/ee/helpers/log.ts
@ -1,9 +1,9 @@
-import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
 import { 
    Log,
    IAction
 } from '../models';
+
 /**
 * Create an (audit) log
 * @param {Object} obj
@ -31,27 +31,20 @@ const createLogHelper = async ({
    channel: string;
    ipAddress: string;
 }) => {
-    let log;
-    try {
-        log = await new Log({
-            user: userId,
-            serviceAccount: serviceAccountId,
-            serviceTokenData: serviceTokenDataId,
-            workspace: workspaceId ?? undefined,
-            actionNames: actions.map((a) => a.name),
-            actions,
-            channel,
-            ipAddress
-        }).save();
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to create log');
-    }
+    const log = await new Log({
+        user: userId,
+        serviceAccount: serviceAccountId,
+        serviceTokenData: serviceTokenDataId,
+        workspace: workspaceId ?? undefined,
+        actionNames: actions.map((a) => a.name),
+        actions,
+        channel,
+        ipAddress
+    }).save();

    return log;
 }

 export {
    createLogHelper
-}
+}
--- a/backend/src/ee/helpers/secret.ts
+++ b/backend/src/ee/helpers/secret.ts
@ -1,14 +1,6 @@
-import { Types } from 'mongoose';
-import * as Sentry from '@sentry/node';
-import {
-	Secret,
-	ISecret
-} from '../../models';
-import {
-	SecretSnapshot,
-	SecretVersion,
-	ISecretVersion
-} from '../models';
+import { Types } from "mongoose";
+import { Secret, ISecret } from "../../models";
+import { SecretSnapshot, SecretVersion, ISecretVersion } from "../models";

 /**
 * Save a secret snapshot that is a copy of the current state of secrets in workspace with id
@ -19,56 +11,53 @@ import {
 * @returns {SecretSnapshot} secretSnapshot - new secret snapshot
 */
 const takeSecretSnapshotHelper = async ({
-	workspaceId
+  workspaceId,
 }: {
-	workspaceId: string;
+  workspaceId: Types.ObjectId;
 }) => {
+  const secretIds = (
+    await Secret.find(
+      {
+        workspace: workspaceId,
+      },
+      "_id"
+    )
+  ).map((s) => s._id);

-	let secretSnapshot;
-	try {
-		const secretIds = (await Secret.find({
-			workspace: workspaceId
-		}, '_id')).map((s) => s._id);
+  const latestSecretVersions = (
+    await SecretVersion.aggregate([
+      {
+        $match: {
+          secret: {
+            $in: secretIds,
+          },
+        },
+      },
+      {
+        $group: {
+          _id: "$secret",
+          version: { $max: "$version" },
+          versionId: { $max: "$_id" }, // secret version id
+        },
+      },
+      {
+        $sort: { version: -1 },
+      },
+    ]).exec()
+  ).map((s) => s.versionId);

-		const latestSecretVersions = (await SecretVersion.aggregate([
-			{
-				$match: {
-					secret: {
-						$in: secretIds
-					}
-				}
-			},
-			{
-				$group: {
-					_id: '$secret',
-					version: { $max: '$version' },
-					versionId: { $max: '$_id' } // secret version id
-				}
-			},
-			{
-				$sort: { version: -1 }
-			}
-		])
-			.exec())
-			.map((s) => s.versionId);
+  const latestSecretSnapshot = await SecretSnapshot.findOne({
+    workspace: workspaceId,
+  }).sort({ version: -1 });

-		const latestSecretSnapshot = await SecretSnapshot.findOne({
-			workspace: workspaceId
-		}).sort({ version: -1 });
+  const secretSnapshot = await new SecretSnapshot({
+    workspace: workspaceId,
+    version: latestSecretSnapshot ? latestSecretSnapshot.version + 1 : 1,
+    secretVersions: latestSecretVersions,
+  }).save();

-		secretSnapshot = await new SecretSnapshot({
-			workspace: workspaceId,
-			version: latestSecretSnapshot ? latestSecretSnapshot.version + 1 : 1,
-			secretVersions: latestSecretVersions
-		}).save();
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to take a secret snapshot');
-	}
-
-	return secretSnapshot;
-}
+  return secretSnapshot;
+};

 /**
 * Add secret versions [secretVersions] to the SecretVersion collection.
@ -77,93 +66,35 @@ const takeSecretSnapshotHelper = async ({
 * @returns {SecretVersion[]} newSecretVersions - new secret versions
 */
 const addSecretVersionsHelper = async ({
-	secretVersions
+  secretVersions,
 }: {
-	secretVersions: ISecretVersion[]
+  secretVersions: ISecretVersion[];
 }) => {
-	let newSecretVersions;
-	try {
-		newSecretVersions = await SecretVersion.insertMany(secretVersions);
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error(`Failed to add secret versions [err=${err}]`);
-	}
+  const newSecretVersions = await SecretVersion.insertMany(secretVersions);

-	return newSecretVersions;
-}
+  return newSecretVersions;
+};

 const markDeletedSecretVersionsHelper = async ({
-	secretIds
+  secretIds,
 }: {
-	secretIds: Types.ObjectId[];
+  secretIds: Types.ObjectId[];
 }) => {
-	try {
-		await SecretVersion.updateMany({
-			secret: { $in: secretIds }
-		}, {
-			isDeleted: true
-		}, {
-			new: true
-		});
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to mark secret versions as deleted');
-	}
-}
-
-/**
- * Initialize secret versioning by setting previously unversioned
- * secrets to version 1 and begin populating secret versions.
- */
-const initSecretVersioningHelper = async () => {
-	try {
-
-		await Secret.updateMany(
-			{ version: { $exists: false } },
-			{ $set: { version: 1 } }
-		);
-
-		const unversionedSecrets: ISecret[] = await Secret.aggregate([
-			{
-				$lookup: {
-					from: 'secretversions',
-					localField: '_id',
-					foreignField: 'secret',
-					as: 'versions',
-				},
-			},
-			{
-				$match: {
-					versions: { $size: 0 },
-				},
-			},
-		]);
-
-		if (unversionedSecrets.length > 0) {
-			await addSecretVersionsHelper({
-				secretVersions: unversionedSecrets.map((s, idx) => ({
-					...s,
-					secret: s._id,
-					version: s.version ? s.version : 1,
-					isDeleted: false,
-					workspace: s.workspace,
-					environment: s.environment
-				}))
-			});
-		}
-
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to ensure that secrets are versioned');
-	}
-}
+  await SecretVersion.updateMany(
+    {
+      secret: { $in: secretIds },
+    },
+    {
+      isDeleted: true,
+    },
+    {
+      new: true,
+    }
+  );
+};

 export {
-	takeSecretSnapshotHelper,
-	addSecretVersionsHelper,
-	markDeletedSecretVersionsHelper,
-	initSecretVersioningHelper
-}
+  takeSecretSnapshotHelper,
+  addSecretVersionsHelper,
+  markDeletedSecretVersionsHelper
+};
--- a/backend/src/ee/helpers/secretVersion.ts
+++ b/backend/src/ee/helpers/secretVersion.ts
@ -1,4 +1,3 @@
-import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
 import { SecretVersion } from '../models';

@ -13,41 +12,32 @@ const getLatestSecretVersionIds = async ({
 }: {
    secretIds: Types.ObjectId[];
 }) => {
-    
    interface LatestSecretVersionId {
        _id: Types.ObjectId;
        version: number;
        versionId: Types.ObjectId;
    }
    
-    let latestSecretVersionIds: LatestSecretVersionId[];
-    try {
-        latestSecretVersionIds = (await SecretVersion.aggregate([
-            {
-                $match: { 
-                    secret: { 
-                        $in: secretIds 
-                    } 
-                }
-            },
-            {
-                $group: {
-                    _id: '$secret',
-                    version: { $max: '$version' },
-                    versionId: { $max: '$_id' } // id of latest secret version
-                }
-            },
-            {
-                $sort: { version: -1 }
+    const latestSecretVersionIds = (await SecretVersion.aggregate([
+        {
+            $match: { 
+                secret: { 
+                    $in: secretIds 
+                } 
            }
-            ])
-            .exec());
-            
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to get latest secret versions');
-    }
+        },
+        {
+            $group: {
+                _id: '$secret',
+                version: { $max: '$version' },
+                versionId: { $max: '$_id' } // id of latest secret version
+            }
+        },
+        {
+            $sort: { version: -1 }
+        }
+        ])
+        .exec());
    
    return latestSecretVersionIds;
 }
@ -66,40 +56,32 @@ const getLatestNSecretSecretVersionIds = async ({
    secretIds: Types.ObjectId[];
    n: number;
 }) => {
-    
    // TODO: optimize query
-    let latestNSecretVersions;
-    try {
-        latestNSecretVersions = (await SecretVersion.aggregate([
-            {
-                $match: {
-                secret: {
-                    $in: secretIds,
-                },
-                },
+    const latestNSecretVersions = (await SecretVersion.aggregate([
+        {
+            $match: {
+            secret: {
+                $in: secretIds,
            },
-            {
-                $sort: { version: -1 },
            },
-            {
-                $group: {
-                _id: "$secret",
-                versions: { $push: "$$ROOT" },
-                },
+        },
+        {
+            $sort: { version: -1 },
+        },
+        {
+            $group: {
+            _id: "$secret",
+            versions: { $push: "$$ROOT" },
            },
-            {
-                $project: {
-                _id: 0,
-                secret: "$_id",
-                versions: { $slice: ["$versions", n] },
-                },
-            }
-        ]));
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-        throw new Error('Failed to get latest n secret versions');
-    }
+        },
+        {
+            $project: {
+            _id: 0,
+            secret: "$_id",
+            versions: { $slice: ["$versions", n] },
+            },
+        }
+    ]));
    
    return latestNSecretVersions;
 }
--- a/backend/src/ee/models/secretVersion.ts
+++ b/backend/src/ee/models/secretVersion.ts
@ -2,9 +2,13 @@ import { Schema, model, Types } from 'mongoose';
 import {
 	SECRET_SHARED,
 	SECRET_PERSONAL,
+	ALGORITHM_AES_256_GCM,
+	ENCODING_SCHEME_UTF8,
+	ENCODING_SCHEME_BASE64
 } from '../../variables';

 export interface ISecretVersion {
+	_id: Types.ObjectId;
 	secret: Types.ObjectId;
 	version: number;
 	workspace: Types.ObjectId; // new
@ -12,13 +16,15 @@ export interface ISecretVersion {
 	user?: Types.ObjectId; // new
 	environment: string; // new
 	isDeleted: boolean;
+	secretBlindIndex?: string;
 	secretKeyCiphertext: string;
 	secretKeyIV: string;
 	secretKeyTag: string;
 	secretValueCiphertext: string;
 	secretValueIV: string;
 	secretValueTag: string;
-	tags?: string[];
+	algorithm: 'aes-256-gcm';
+	keyEncoding: 'utf8' | 'base64';
 }

 const secretVersionSchema = new Schema<ISecretVersion>(
@ -57,6 +63,10 @@ const secretVersionSchema = new Schema<ISecretVersion>(
 			default: false,
 			required: true
 		},
+		secretBlindIndex: {
+			type: String,
+			select: false
+		},
 		secretKeyCiphertext: {
 			type: String,
 			required: true
@ -81,10 +91,18 @@ const secretVersionSchema = new Schema<ISecretVersion>(
 			type: String, // symmetric
 			required: true
 		},
-		tags: {
-			ref: 'Tag',
-			type: [Schema.Types.ObjectId],
-			default: []
+		algorithm: { // the encryption algorithm used
+			type: String,
+			enum: [ALGORITHM_AES_256_GCM],
+			required: true
+		},
+		keyEncoding: {
+			type: String,
+			enum: [
+				ENCODING_SCHEME_UTF8,
+				ENCODING_SCHEME_BASE64
+			],
+			required: true
 		},
 	},
 	{
--- a/backend/src/ee/routes/v1/cloudProducts.ts
+++ b/backend/src/ee/routes/v1/cloudProducts.ts
@ -0,0 +1,20 @@
+import express from 'express';
+const router = express.Router();
+import {
+    requireAuth,
+    validateRequest
+} from '../../../middleware';
+import { query } from 'express-validator';
+import { cloudProductsController } from '../../controllers/v1';
+
+router.get(
+    '/',
+    requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+    query('billing-cycle').exists().isIn(['monthly', 'yearly']),
+    validateRequest,
+    cloudProductsController.getCloudProducts 
+);
+
+export default router;
--- a/backend/src/ee/routes/v1/index.ts
+++ b/backend/src/ee/routes/v1/index.ts
@ -1,11 +1,15 @@
 import secret from './secret';
 import secretSnapshot from './secretSnapshot';
+import organizations from './organizations';
 import workspace from './workspace';
 import action from './action';
+import cloudProducts from './cloudProducts';

 export {
    secret,
    secretSnapshot,
+    organizations,
    workspace,
-    action
+    action,
+    cloudProducts
 }
--- a/backend/src/ee/routes/v1/organizations.ts
+++ b/backend/src/ee/routes/v1/organizations.ts
@ -0,0 +1,87 @@
+import express from 'express';
+const router = express.Router();
+import {
+    requireAuth,
+    requireOrganizationAuth,
+    validateRequest
+} from '../../../middleware';
+import { param, body } from 'express-validator';
+import { organizationsController } from '../../controllers/v1';
+import {
+    OWNER, ADMIN, MEMBER, ACCEPTED
+} from '../../../variables';
+
+router.get(
+    '/:organizationId/plan',
+    requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED]
+    }),
+    param('organizationId').exists().trim(),
+    validateRequest,
+    organizationsController.getOrganizationPlan
+);
+
+router.patch(
+    '/:organizationId/plan',
+    requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED]
+    }),
+    param('organizationId').exists().trim(),
+    body('productId').exists().isString(),
+    validateRequest,
+    organizationsController.updateOrganizationPlan
+);
+
+router.get(
+    '/:organizationId/billing-details/payment-methods',
+    requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED]
+    }),
+    param('organizationId').exists().trim(),
+    validateRequest,
+    organizationsController.getOrganizationPmtMethods
+);
+
+router.post(
+    '/:organizationId/billing-details/payment-methods',
+    requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED]
+    }),
+    param('organizationId').exists().trim(),
+    body('success_url').exists().isString(),
+    body('cancel_url').exists().isString(),
+    validateRequest,
+    organizationsController.addOrganizationPmtMethod
+);
+
+router.delete(
+    '/:organizationId/billing-details/payment-methods/:pmtMethodId',
+    requireAuth({
+		acceptedAuthModes: ['jwt', 'apiKey']
+	}),
+    requireOrganizationAuth({
+        acceptedRoles: [OWNER, ADMIN, MEMBER],
+        acceptedStatuses: [ACCEPTED]
+    }),
+    param('organizationId').exists().trim(),
+    validateRequest,
+    organizationsController.deleteOrganizationPmtMethod
+);
+
+export default router;
--- a/backend/src/ee/routes/v1/secretSnapshot.ts
+++ b/backend/src/ee/routes/v1/secretSnapshot.ts
@ -7,7 +7,7 @@ import {
    requireAuth,
    validateRequest
 } from '../../../middleware';
-import { param, body } from 'express-validator';
+import { param } from 'express-validator';
 import { ADMIN, MEMBER } from '../../../variables';
 import { secretSnapshotController } from '../../controllers/v1';

--- a/backend/src/ee/services/EELicenseService.ts
+++ b/backend/src/ee/services/EELicenseService.ts
@ -1,12 +1,133 @@
+import NodeCache from 'node-cache';
+import * as Sentry from '@sentry/node';
+import { 
+    getLicenseKey,
+    getLicenseServerKey,
+    getLicenseServerUrl
+} from '../../config';
+import { 
+    licenseKeyRequest,
+    licenseServerKeyRequest,
+    refreshLicenseServerKeyToken,
+    refreshLicenseKeyToken
+} from '../../config/request';
+import { Organization } from '../../models';
+import { OrganizationNotFoundError } from '../../utils/errors';
+
+interface FeatureSet {
+    _id: string | null;
+    slug: 'starter' | 'team' | 'pro' | 'enterprise' | null;
+    tier: number;
+    workspaceLimit: number | null;
+    workspacesUsed: number;
+    memberLimit: number | null;
+    membersUsed: number;
+    secretVersioning: boolean;
+    pitRecovery: boolean;
+    rbac: boolean;
+    customRateLimits: boolean;
+    customAlerts: boolean;
+    auditLogs: boolean;
+}
+
 /**
- * Class to handle Enterprise Edition license actions
+ * Class to handle license/plan configurations:
+ * - Infisical Cloud: Fetch and cache customer plans in [localFeatureSet]
+ * - Self-hosted regular: Use default global feature set
+ * - Self-hosted enterprise: Fetch and update global feature set
 */
 class EELicenseService {
    
-    private readonly _isLicenseValid: boolean;
+    private readonly _isLicenseValid: boolean; // TODO: deprecate
+
+    public instanceType: 'self-hosted' | 'enterprise-self-hosted' | 'cloud' = 'self-hosted';
+
+    public globalFeatureSet: FeatureSet = {
+        _id: null,
+        slug: null,
+        tier: -1,
+        workspaceLimit: null,
+        workspacesUsed: 0,
+        memberLimit: null,
+        membersUsed: 0,
+        secretVersioning: true,
+        pitRecovery: true,
+        rbac: true,
+        customRateLimits: true,
+        customAlerts: true,
+        auditLogs: false
+    }
+
+    public localFeatureSet: NodeCache;
    
-    constructor(licenseKey: string) {
+    constructor() {
        this._isLicenseValid = true;
+        this.localFeatureSet = new NodeCache({
+            stdTTL: 300
+        });
+    }
+    
+    public async getOrganizationPlan(organizationId: string): Promise<FeatureSet> {
+        try {
+            if (this.instanceType === 'cloud') {
+                const cachedPlan = this.localFeatureSet.get<FeatureSet>(organizationId);
+                if (cachedPlan) {
+                    return cachedPlan;
+                }
+
+                const organization = await Organization.findById(organizationId);
+                if (!organization) throw OrganizationNotFoundError();
+
+                const { data: { currentPlan } } = await licenseServerKeyRequest.get(
+                    `${await getLicenseServerUrl()}/api/license-server/v1/customers/${organization.customerId}/cloud-plan`
+                );
+
+                // cache fetched plan for organization
+                this.localFeatureSet.set(organizationId, currentPlan);
+
+                return currentPlan;
+            }
+        } catch (err) {
+            return this.globalFeatureSet;
+        }
+
+        return this.globalFeatureSet;
+    }
+
+    public async initGlobalFeatureSet() {
+        const licenseServerKey = await getLicenseServerKey();
+        const licenseKey = await getLicenseKey();
+
+        try {
+            if (licenseServerKey) {
+                // license server key is present -> validate it
+                const token = await refreshLicenseServerKeyToken()
+                    
+                if (token) {
+                    this.instanceType = 'cloud';
+                }
+                
+                return;
+            }
+            
+            if (licenseKey) {
+                // license key is present -> validate it
+                const token = await refreshLicenseKeyToken();
+                    
+                if (token) {
+                    const { data: { currentPlan } } = await licenseKeyRequest.get(
+                        `${await getLicenseServerUrl()}/api/license/v1/plan`
+                    );
+                    
+                    this.globalFeatureSet = currentPlan;
+                    this.instanceType = 'enterprise-self-hosted';
+                }
+            }
+        } catch (err) {
+            // case: self-hosted free
+            Sentry.setUser(null);
+            Sentry.captureException(err);
+        }
    }

    public get isLicenseValid(): boolean {
@ -14,4 +135,4 @@ class EELicenseService {
    }
 }

-export default new EELicenseService('N/A');
+export default new EELicenseService();
--- a/backend/src/ee/services/EESecretService.ts
+++ b/backend/src/ee/services/EESecretService.ts
@ -3,8 +3,7 @@ import { ISecretVersion } from '../models';
 import { 
    takeSecretSnapshotHelper,
    addSecretVersionsHelper,
-    markDeletedSecretVersionsHelper,
-    initSecretVersioningHelper
+    markDeletedSecretVersionsHelper
 } from '../helpers/secret';
 import EELicenseService from './EELicenseService';

@ -25,7 +24,7 @@ class EESecretService {
    static async takeSecretSnapshot({
        workspaceId
    }: {
-        workspaceId: string;
+        workspaceId: Types.ObjectId;
    }) {
        if (!EELicenseService.isLicenseValid) return;
        return await takeSecretSnapshotHelper({ workspaceId });
@ -64,15 +63,6 @@ class EESecretService {
            secretIds
        });
    }
-    
-    /**
-     * Initialize secret versioning by setting previously unversioned
-     * secrets to version 1 and begin populating secret versions.
-     */
-    static async initSecretVersioning() {
-        if (!EELicenseService.isLicenseValid) return; 
-        await initSecretVersioningHelper();
-    }
 }

 export default EESecretService;
--- a/backend/src/events/secret.ts
+++ b/backend/src/events/secret.ts
@ -1,3 +1,4 @@
+import { Types } from 'mongoose';
 import { 
    EVENT_PUSH_SECRETS, 
    EVENT_PULL_SECRETS 
@ -22,13 +23,16 @@ interface PushSecret {
 * @returns 
 */
 const eventPushSecrets = ({
-    workspaceId
+    workspaceId,
+    environment
 }: {
-    workspaceId: string;
+    workspaceId: Types.ObjectId;
+    environment?: string;
 }) => {
    return ({
        name: EVENT_PUSH_SECRETS,
        workspaceId,
+        environment,
        payload: {

        }
--- a/backend/src/helpers/auth.ts
+++ b/backend/src/helpers/auth.ts
@ -1,4 +1,3 @@
-import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
 import jwt from 'jsonwebtoken';
 import bcrypt from 'bcrypt';
@ -42,10 +41,9 @@ const validateAuthMode = ({
 	headers: { [key: string]: string | string[] | undefined },
 	acceptedAuthModes: string[]
 }) => {
-	// TODO: refactor middleware
 	const apiKey = headers['x-api-key'];
 	const authHeader = headers['authorization'];
-
+	
 	let authMode, authTokenValue;
 	if (apiKey === undefined && authHeader === undefined) {
 		// case: no auth or X-API-KEY header present
@ -104,7 +102,7 @@ const getAuthUserPayload = async ({
 	authTokenValue: string;
 }) => {
 	const decodedToken = <jwt.UserIDJwtPayload>(
-		jwt.verify(authTokenValue, getJwtAuthSecret())
+		jwt.verify(authTokenValue, await getJwtAuthSecret())
 	);

 	const user = await User.findOne({
@ -157,7 +155,7 @@ const getAuthSTDPayload = async ({
 		}, {
 			new: true
 		})
-		.select('+encryptedKey +iv +tag').populate('user serviceAccount');
+		.select('+encryptedKey +iv +tag');

 	if (!serviceTokenData) throw ServiceTokenDataNotFoundError({ message: 'Failed to find service token data' });

@ -263,16 +261,16 @@ const issueAuthTokens = async ({ userId }: { userId: string }) => {
 		payload: {
 			userId
 		},
-		expiresIn: getJwtAuthLifetime(),
-		secret: getJwtAuthSecret()
+		expiresIn: await getJwtAuthLifetime(),
+		secret: await getJwtAuthSecret()
 	});

 	const refreshToken = createToken({
 		payload: {
 			userId
 		},
-		expiresIn: getJwtRefreshLifetime(),
-		secret: getJwtRefreshSecret()
+		expiresIn: await getJwtRefreshLifetime(),
+		secret: await getJwtRefreshSecret()
 	});

 	return {
--- a/backend/src/helpers/bot.ts
+++ b/backend/src/helpers/bot.ts
@ -1,144 +1,90 @@
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
+import { Types } from "mongoose";
 import {
-    Bot,
-    BotKey,
-    Secret,
-    ISecret,
-    IUser,
-    User,
-    IServiceAccount,
-    ServiceAccount,
-    IServiceTokenData,
-    ServiceTokenData
-} from '../models';
-import { 
-    generateKeyPair, 
-    encryptSymmetric,
-    decryptSymmetric,
-    decryptAsymmetric
+  Bot,
+  BotKey,
+  Secret,
+  ISecret,
+  IUser
+} from "../models";
+import {
+  generateKeyPair,
+  encryptSymmetric128BitHexKeyUTF8,
+  decryptSymmetric128BitHexKeyUTF8,
+  decryptAsymmetric
 } from '../utils/crypto';
 import {
-    SECRET_SHARED,
-    AUTH_MODE_JWT,
-    AUTH_MODE_SERVICE_ACCOUNT,
-    AUTH_MODE_SERVICE_TOKEN,
-    AUTH_MODE_API_KEY
-} from '../variables';
-import { getEncryptionKey } from '../config';
-import { BotNotFoundError, UnauthorizedRequestError } from '../utils/errors';
-import {
-    validateMembership
-} from '../helpers/membership';
-import {
-    validateUserClientForWorkspace
-} from '../helpers/user';
-import {
-    validateServiceAccountClientForWorkspace
-} from '../helpers/serviceAccount';
-
-/**
- * Validate authenticated clients for bot with id [botId] based
- * on any known permissions.
- * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId} obj.botId - id of bot to validate against
- * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspace roles
- */
-const validateClientForBot = async ({
-    authData,
-    botId,
-    acceptedRoles
-}: {
-    authData: {
-		authMode: string;
-		authPayload: IUser | IServiceAccount | IServiceTokenData;
-	};
-    botId: Types.ObjectId;
-    acceptedRoles: Array<'admin' | 'member'>;
-}) => {
-    const bot = await Bot.findById(botId);
-    
-    if (!bot) throw BotNotFoundError();
-    
-    if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
-        await validateUserClientForWorkspace({
-            user: authData.authPayload,
-            workspaceId: bot.workspace,
-            acceptedRoles
-        });
-        
-        return bot;
-    }
-
-    if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
-        await validateServiceAccountClientForWorkspace({
-            serviceAccount: authData.authPayload,
-            workspaceId: bot.workspace
-        });
-
-        return bot;
-    }
-
-    if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
-        throw UnauthorizedRequestError({
-            message: 'Failed service token authorization for bot'
-        });
-    }
-
-    if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
-        await validateUserClientForWorkspace({
-            user: authData.authPayload,
-            workspaceId: bot.workspace,
-            acceptedRoles
-        });
-        
-        return bot;
-    }
-    
-    throw BotNotFoundError({
-        message: 'Failed client authorization for bot'
-    });
-}
+  SECRET_SHARED,
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_UTF8,
+  ENCODING_SCHEME_BASE64
+} from "../variables";
+import { 
+  getEncryptionKey, 
+  getRootEncryptionKey,
+  client
+} from "../config";
+import { InternalServerError } from "../utils/errors";

 /**
 * Create an inactive bot with name [name] for workspace with id [workspaceId]
- * @param {Object} obj 
+ * @param {Object} obj
 * @param {String} obj.name - name of bot
 * @param {String} obj.workspaceId - id of workspace that bot belongs to
 */
 const createBot = async ({
-    name,
-    workspaceId,
+  name,
+  workspaceId,
 }: {
-    name: string;
-    workspaceId: string;
+  name: string;
+  workspaceId: Types.ObjectId;
 }) => {
-    let bot;
-    try {
-        const { publicKey, privateKey } = generateKeyPair();
-        const { ciphertext, iv, tag } = encryptSymmetric({
-            plaintext: privateKey,
-            key: getEncryptionKey()
-        });
+  const encryptionKey = await getEncryptionKey();
+  const rootEncryptionKey = await getRootEncryptionKey();
+  
+  const { publicKey, privateKey } = generateKeyPair();
+  
+  if (rootEncryptionKey) {
+    const { 
+      ciphertext, 
+      iv, 
+      tag 
+    } = client.encryptSymmetric(privateKey, rootEncryptionKey);

-        bot = await new Bot({
-            name,
-            workspace: workspaceId,
-            isActive: false,
-            publicKey,
-            encryptedPrivateKey: ciphertext,
-            iv,
-            tag
-        }).save();
-    } catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to create bot');
-    }
-    
-    return bot;
-}
+    return await new Bot({
+      name,
+      workspace: workspaceId,
+      isActive: false,
+      publicKey,
+      encryptedPrivateKey: ciphertext,
+      iv,
+      tag,
+      algorithm: ALGORITHM_AES_256_GCM,
+      keyEncoding: ENCODING_SCHEME_BASE64
+    }).save();
+  
+  } else if (encryptionKey) {
+    const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8({
+      plaintext: privateKey,
+      key: await getEncryptionKey(),
+    });
+
+    return await new Bot({
+      name,
+      workspace: workspaceId,
+      isActive: false,
+      publicKey,
+      encryptedPrivateKey: ciphertext,
+      iv,
+      tag,
+      algorithm: ALGORITHM_AES_256_GCM,
+      keyEncoding: ENCODING_SCHEME_UTF8
+    }).save();
+  }
+
+  throw InternalServerError({
+    message: 'Failed to create new bot due to missing encryption key'
+  });
+};

 /**
 * Return decrypted secrets for workspace with id [workspaceId]
@ -148,125 +94,125 @@ const createBot = async ({
 * @param {String} obj.environment - environment
 */
 const getSecretsHelper = async ({
-    workspaceId,
-    environment
+  workspaceId,
+  environment,
 }: {
-    workspaceId: string;
-    environment: string;
+  workspaceId: Types.ObjectId;
+  environment: string;
 }) => {
-    const content = {} as any;
-    try {
-        const key = await getKey({ workspaceId });
-        const secrets = await Secret.find({
-            workspace: workspaceId,
-            environment,
-            type: SECRET_SHARED
-        });
-        
-        secrets.forEach((secret: ISecret) => {
-            const secretKey = decryptSymmetric({
-                ciphertext: secret.secretKeyCiphertext,
-                iv: secret.secretKeyIV,
-                tag: secret.secretKeyTag,
-                key
-            });
+  const content = {} as any;
+  const key = await getKey({ workspaceId: workspaceId.toString() });
+  const secrets = await Secret.find({
+    workspace: workspaceId,
+    environment,
+    type: SECRET_SHARED,
+  });

-            const secretValue = decryptSymmetric({
-                ciphertext: secret.secretValueCiphertext,
-                iv: secret.secretValueIV,
-                tag: secret.secretValueTag,
-                key
-            });
+  secrets.forEach((secret: ISecret) => {
+    const secretKey = decryptSymmetric128BitHexKeyUTF8({
+      ciphertext: secret.secretKeyCiphertext,
+      iv: secret.secretKeyIV,
+      tag: secret.secretKeyTag,
+      key,
+    });

-            content[secretKey] = secretValue;
-        });
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error('Failed to get secrets');
-    }
+    const secretValue = decryptSymmetric128BitHexKeyUTF8({
+      ciphertext: secret.secretValueCiphertext,
+      iv: secret.secretValueIV,
+      tag: secret.secretValueTag,
+      key,
+    });

-    return content;
-}
+    content[secretKey] = secretValue;
+  });
+
+  return content;
+};

 /**
- * Return bot's copy of the workspace key for workspace 
+ * Return bot's copy of the workspace key for workspace
 * with id [workspaceId]
 * @param {Object} obj
 * @param {String} obj.workspaceId - id of workspace
 * @returns {String} key - decrypted workspace key
 */
 const getKey = async ({ workspaceId }: { workspaceId: string }) => {
-    let key;
-    try {
-        const botKey = await BotKey.findOne({
-            workspace: workspaceId
-        }).populate<{ sender: IUser }>('sender', 'publicKey');
-        
-        if (!botKey) throw new Error('Failed to find bot key');
-        
-        const bot = await Bot.findOne({
-            workspace: workspaceId
-        }).select('+encryptedPrivateKey +iv +tag');
-        
-        if (!bot) throw new Error('Failed to find bot');
-        if (!bot.isActive) throw new Error('Bot is not active');
-        
-        const privateKeyBot = decryptSymmetric({
-            ciphertext: bot.encryptedPrivateKey,
-            iv: bot.iv,
-            tag: bot.tag,
-            key: getEncryptionKey()
-        });
-        
-        key = decryptAsymmetric({
-            ciphertext: botKey.encryptedKey,
-            nonce: botKey.nonce,
-            publicKey: botKey.sender.publicKey as string,
-            privateKey: privateKeyBot
-        });
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to get workspace key');
-    }
+  const encryptionKey = await getEncryptionKey();
+  const rootEncryptionKey = await getRootEncryptionKey();
+
+  const botKey = await BotKey.findOne({
+    workspace: workspaceId,
+  })
+  .populate<{ sender: IUser }>("sender", "publicKey");
+
+  if (!botKey) throw new Error("Failed to find bot key");
+
+  const bot = await Bot.findOne({
+    workspace: workspaceId,
+  }).select("+encryptedPrivateKey +iv +tag +algorithm +keyEncoding");
+
+  if (!bot) throw new Error("Failed to find bot");
+  if (!bot.isActive) throw new Error("Bot is not active");
+
+  if (rootEncryptionKey && bot.keyEncoding === ENCODING_SCHEME_BASE64) {
+    // case: encoding scheme is base64
+    const privateKeyBot = client.decryptSymmetric(bot.encryptedPrivateKey, rootEncryptionKey, bot.iv, bot.tag);
+
+    return decryptAsymmetric({
+      ciphertext: botKey.encryptedKey,
+      nonce: botKey.nonce,
+      publicKey: botKey.sender.publicKey as string,
+      privateKey: privateKeyBot,
+    });
+  } else if (encryptionKey && bot.keyEncoding === ENCODING_SCHEME_UTF8) {
    
-    return key;
-}
+    // case: encoding scheme is utf8
+    const privateKeyBot = decryptSymmetric128BitHexKeyUTF8({
+      ciphertext: bot.encryptedPrivateKey,
+      iv: bot.iv,
+      tag: bot.tag,
+      key: encryptionKey
+    });
+    
+    return decryptAsymmetric({
+      ciphertext: botKey.encryptedKey,
+      nonce: botKey.nonce,
+      publicKey: botKey.sender.publicKey as string,
+      privateKey: privateKeyBot,
+    });
+  }
+
+  throw InternalServerError({
+    message: "Failed to obtain bot's copy of workspace key needed for bot operations"
+  });
+};

 /**
 * Return symmetrically encrypted [plaintext] using the
- * key for workspace with id [workspaceId] 
+ * key for workspace with id [workspaceId]
 * @param {Object} obj1
 * @param {String} obj1.workspaceId - id of workspace
 * @param {String} obj1.plaintext - plaintext to encrypt
 */
 const encryptSymmetricHelper = async ({
-    workspaceId,
-    plaintext
+  workspaceId,
+  plaintext,
 }: {
-    workspaceId: string;
-    plaintext: string;
+  workspaceId: Types.ObjectId;
+  plaintext: string;
 }) => {
-    
-    try {
-        const key = await getKey({ workspaceId });
-        const { ciphertext, iv, tag } = encryptSymmetric({
-            plaintext,
-            key
-        });
-        
-        return ({
-            ciphertext,
-            iv,
-            tag
-        });
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to perform symmetric encryption with bot');
-    }
-}
+  const key = await getKey({ workspaceId: workspaceId.toString() });
+  const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8({
+    plaintext,
+    key,
+  });
+
+  return {
+    ciphertext,
+    iv,
+    tag,
+  };
+};
 /**
 * Return symmetrically decrypted [ciphertext] using the
 * key for workspace with id [workspaceId]
@ -277,40 +223,30 @@ const encryptSymmetricHelper = async ({
 * @param {String} obj.tag - tag
 */
 const decryptSymmetricHelper = async ({
-    workspaceId,
+  workspaceId,
+  ciphertext,
+  iv,
+  tag,
+}: {
+  workspaceId: Types.ObjectId;
+  ciphertext: string;
+  iv: string;
+  tag: string;
+}) => {
+  const key = await getKey({ workspaceId: workspaceId.toString() });
+  const plaintext = decryptSymmetric128BitHexKeyUTF8({
    ciphertext,
    iv,
-    tag
-}: {
-    workspaceId: string;
-    ciphertext: string;
-    iv: string;
-    tag: string;
-}) => {
-    let plaintext;
-    try {
-        const key = await getKey({ workspaceId });
-        const plaintext = decryptSymmetric({
-            ciphertext,
-            iv,
-            tag,
-            key
-        });
-        
-        return plaintext;
-    } catch (err) {
-        Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to perform symmetric decryption with bot');
-    }
-    
-    return plaintext;
-}
+    tag,
+    key,
+  });
+
+  return plaintext;
+};

 export {
-    validateClientForBot,
-    createBot,
-    getSecretsHelper,
-    encryptSymmetricHelper,
-    decryptSymmetricHelper
-}
+  createBot,
+  getSecretsHelper,
+  encryptSymmetricHelper,
+  decryptSymmetricHelper
+};
--- a/backend/src/helpers/database.ts
+++ b/backend/src/helpers/database.ts
@ -1,5 +1,4 @@
 import mongoose from 'mongoose';
-import { EESecretService } from '../ee/services';
 import { getLogger } from '../utils/logger';

 /**
@ -19,11 +18,10 @@ const initDatabaseHelper = async ({
        // allow empty strings to pass the required validator
        mongoose.Schema.Types.String.checkRequired(v => typeof v === 'string');

-        getLogger("database").info("Database connection established");
-        
-        await EESecretService.initSecretVersioning();
+        (await getLogger("database")).info("Database connection established");
+
    } catch (err) {
-        getLogger("database").error(`Unable to establish Database connection due to the error.\n${err}`);
+        (await getLogger("database")).error(`Unable to establish Database connection due to the error.\n${err}`);
    }

    return mongoose.connection;
--- a/backend/src/helpers/event.ts
+++ b/backend/src/helpers/event.ts
@ -1,12 +1,13 @@
-import { Bot, IBot } from '../models';
-import * as Sentry from '@sentry/node';
-import { EVENT_PUSH_SECRETS } from '../variables';
-import { IntegrationService } from '../services';
+import { Types } from "mongoose";
+import { Bot, IBot } from "../models";
+import { EVENT_PUSH_SECRETS } from "../variables";
+import { IntegrationService } from "../services";

 interface Event {
-    name: string;
-    workspaceId: string;
-    payload: any;
+  name: string;
+  workspaceId: Types.ObjectId;
+  environment?: string;
+  payload: any;
 }

 /**
@ -17,35 +18,25 @@ interface Event {
 * @param {String} obj.event.workspaceId - id of workspace that event is part of
 * @param {Object} obj.event.payload - payload of event (depends on event)
 */
-const handleEventHelper = async ({
-    event
-}: {
-    event: Event;
-}) => {
-    const { workspaceId } = event;
-    
-    // TODO: moduralize bot check into separate function
-    const bot = await Bot.findOne({
-        workspace: workspaceId,
-        isActive: true
-    });
-    
-    if (!bot) return;
-    
-    try {
-        switch (event.name) {
-            case EVENT_PUSH_SECRETS:
-                IntegrationService.syncIntegrations({
-                    workspaceId
-                });
-                break;
-        }
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-    }
-}
+const handleEventHelper = async ({ event }: { event: Event }) => {
+  const { workspaceId, environment } = event;

-export {
-    handleEventHelper
-}
+  // TODO: moduralize bot check into separate function
+  const bot = await Bot.findOne({
+    workspace: workspaceId,
+    isActive: true,
+  });
+
+  if (!bot) return;
+
+  switch (event.name) {
+    case EVENT_PUSH_SECRETS:
+      IntegrationService.syncIntegrations({
+        workspaceId,
+        environment,
+      });
+      break;
+  }
+};
+
+export { handleEventHelper };
--- a/backend/src/helpers/integration.ts
+++ b/backend/src/helpers/integration.ts
@ -3,40 +3,20 @@ import { Types } from 'mongoose';
 import {
    Bot,
    Integration,
-    IntegrationAuth,
-    IUser,
-    User,
-    IServiceAccount,
-    ServiceAccount,
-    IServiceTokenData,
-    ServiceTokenData
+    IntegrationAuth
 } from '../models';
 import { exchangeCode, exchangeRefresh, syncSecrets } from '../integrations';
 import { BotService } from '../services';
 import {
-    AUTH_MODE_JWT,
-	AUTH_MODE_SERVICE_ACCOUNT,
-	AUTH_MODE_SERVICE_TOKEN,
-	AUTH_MODE_API_KEY,
    INTEGRATION_VERCEL,
-    INTEGRATION_NETLIFY
+    INTEGRATION_NETLIFY,
+    ALGORITHM_AES_256_GCM,
+    ENCODING_SCHEME_UTF8
 } from '../variables';
 import { 
    UnauthorizedRequestError,
-    IntegrationAuthNotFoundError,
-    IntegrationNotFoundError
 } from '../utils/errors';
 import RequestError from '../utils/requestError';
-import {
-    validateClientForIntegrationAuth 
-} from '../helpers/integrationAuth';
-import {
-    validateUserClientForWorkspace
-} from '../helpers/user';
-import {
-    validateServiceAccountClientForWorkspace
-} from '../helpers/serviceAccount';
-import { IntegrationService } from '../services';

 interface Update {
    workspace: string;
@ -45,84 +25,6 @@ interface Update {
    accountId?: string;
 }

-/**
- * Validate authenticated clients for integration with id [integrationId] based
- * on any known permissions.
- * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId} obj.integrationId - id of integration to validate against
- * @param {String} obj.environment - (optional) environment in workspace to validate against
- * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspace roles
- * @param {String[]} obj.requiredPermissions - required permissions as part of the endpoint
- */
- const validateClientForIntegration = async ({
-    authData,
-    integrationId,
-    acceptedRoles
-}: {
-    authData: {
-		authMode: string;
-		authPayload: IUser | IServiceAccount | IServiceTokenData;
-	};
-    integrationId: Types.ObjectId;
-    acceptedRoles: Array<'admin' | 'member'>;
-}) => {
-    
-    const integration = await Integration.findById(integrationId);
-    if (!integration) throw IntegrationNotFoundError();
-
-    const integrationAuth = await IntegrationAuth
-        .findById(integration.integrationAuth)
-        .select(
-			'+refreshCiphertext +refreshIV +refreshTag +accessCiphertext +accessIV +accessTag +accessExpiresAt'
-        );
-    
-    if (!integrationAuth) throw IntegrationAuthNotFoundError();
-
-    const accessToken = (await IntegrationService.getIntegrationAuthAccess({
-        integrationAuthId: integrationAuth._id
-    })).accessToken;
-
-    if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
-        await validateUserClientForWorkspace({
-            user: authData.authPayload,
-            workspaceId: integration.workspace,
-            acceptedRoles
-        });
-        
-        return ({ integration, accessToken });
-    }
-    
-    if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
-        await validateServiceAccountClientForWorkspace({
-            serviceAccount: authData.authPayload,
-            workspaceId: integration.workspace
-        });
-        
-        return ({ integration, accessToken });
-    }
-
-    if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
-        throw UnauthorizedRequestError({
-            message: 'Failed service token authorization for integration'
-        });
-    }
-
-    if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
-        await validateUserClientForWorkspace({
-            user: authData.authPayload,
-            workspaceId: integration.workspace,
-            acceptedRoles
-        });
-        
-        return ({ integration, accessToken });
-    }
-    
-    throw UnauthorizedRequestError({
-        message: 'Failed client authorization for integration'
-    });
-}
-
 /**
 * Perform OAuth2 code-token exchange for workspace with id [workspaceId] and integration
 * named [integration]
@ -217,14 +119,19 @@ const handleOAuthExchangeHelper = async ({
 * @param {Object} obj.workspaceId - id of workspace
 */
 const syncIntegrationsHelper = async ({
-    workspaceId
+    workspaceId,
+    environment
 }: {
-    workspaceId: string;
+    workspaceId: Types.ObjectId;
+    environment?: string;
 }) => {
    let integrations;
    try {
        integrations = await Integration.find({
            workspace: workspaceId,
+            ...(environment ? {
+                environment
+            } : {}),
            isActive: true,
            app: { $ne: null }
        });
@ -234,7 +141,7 @@ const syncIntegrationsHelper = async ({
        for await (const integration of integrations) {
            // get workspace, environment (shared) secrets
            const secrets = await BotService.getSecrets({ // issue here?
-                workspaceId: integration.workspace.toString(),
+                workspaceId: integration.workspace,
                environment: integration.environment
            });

@ -251,7 +158,7 @@ const syncIntegrationsHelper = async ({
                integration,
                integrationAuth,
                secrets,
-                accessId: access.accessId,
+                accessId: access.accessId === undefined ? null : access.accessId,
                accessToken: access.accessToken
            });
        }
@ -281,7 +188,7 @@ const syncIntegrationsHelper = async ({
        if (!integrationAuth) throw UnauthorizedRequestError({message: 'Failed to locate Integration Authentication credentials'});

        refreshToken = await BotService.decryptSymmetric({
-            workspaceId: integrationAuth.workspace.toString(),
+            workspaceId: integrationAuth.workspace,
            ciphertext: integrationAuth.refreshCiphertext as string,
            iv: integrationAuth.refreshIV as string,
            tag: integrationAuth.refreshTag as string
@ -318,7 +225,7 @@ const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrati
        if (!integrationAuth) throw UnauthorizedRequestError({message: 'Failed to locate Integration Authentication credentials'});

        accessToken = await BotService.decryptSymmetric({
-            workspaceId: integrationAuth.workspace.toString(),
+            workspaceId: integrationAuth.workspace,
            ciphertext: integrationAuth.accessCiphertext as string,
            iv: integrationAuth.accessIV as string,
            tag: integrationAuth.accessTag as string
@ -340,7 +247,7 @@ const getIntegrationAuthAccessHelper = async ({ integrationAuthId }: { integrati
        
        if (integrationAuth?.accessIdCiphertext && integrationAuth?.accessIdIV && integrationAuth?.accessIdTag) {
            accessId = await BotService.decryptSymmetric({
-                workspaceId: integrationAuth.workspace.toString(),
+                workspaceId: integrationAuth.workspace,
                ciphertext: integrationAuth.accessIdCiphertext as string,
                iv: integrationAuth.accessIdIV as string,
                tag: integrationAuth.accessIdTag as string
@ -386,7 +293,7 @@ const setIntegrationAuthRefreshHelper = async ({
        if (!integrationAuth) throw new Error('Failed to find integration auth');
        
        const obj = await BotService.encryptSymmetric({
-            workspaceId: integrationAuth.workspace.toString(),
+            workspaceId: integrationAuth.workspace,
            plaintext: refreshToken
        });
        
@ -395,7 +302,9 @@ const setIntegrationAuthRefreshHelper = async ({
        }, {
            refreshCiphertext: obj.ciphertext,
            refreshIV: obj.iv,
-            refreshTag: obj.tag
+            refreshTag: obj.tag,
+            algorithm: ALGORITHM_AES_256_GCM,
+            keyEncoding: ENCODING_SCHEME_UTF8
        }, {
            new: true
        });
@ -435,14 +344,14 @@ const setIntegrationAuthAccessHelper = async ({
        if (!integrationAuth) throw new Error('Failed to find integration auth');
        
        const encryptedAccessTokenObj = await BotService.encryptSymmetric({
-            workspaceId: integrationAuth.workspace.toString(),
+            workspaceId: integrationAuth.workspace,
            plaintext: accessToken
        });
        
        let encryptedAccessIdObj;
        if (accessId) {
            encryptedAccessIdObj = await BotService.encryptSymmetric({
-                workspaceId: integrationAuth.workspace.toString(),
+                workspaceId: integrationAuth.workspace,
                plaintext: accessId
            }); 
        }
@ -456,7 +365,9 @@ const setIntegrationAuthAccessHelper = async ({
            accessCiphertext: encryptedAccessTokenObj.ciphertext,
            accessIV: encryptedAccessTokenObj.iv,
            accessTag: encryptedAccessTokenObj.tag,
-            accessExpiresAt
+            accessExpiresAt,
+            algorithm: ALGORITHM_AES_256_GCM,
+            keyEncoding: ENCODING_SCHEME_UTF8
        }, {
            new: true
        });
@ -470,11 +381,10 @@ const setIntegrationAuthAccessHelper = async ({
 }

 export {
-    validateClientForIntegration,
    handleOAuthExchangeHelper,
    syncIntegrationsHelper,
    getIntegrationAuthRefreshHelper,
    getIntegrationAuthAccessHelper,
    setIntegrationAuthRefreshHelper,
    setIntegrationAuthAccessHelper
-}
+}
--- a/backend/src/helpers/key.ts
+++ b/backend/src/helpers/key.ts
@ -1,4 +1,3 @@
-import * as Sentry from '@sentry/node';
 import { Key, IKey } from '../models';

 interface Key {
@ -27,36 +26,30 @@ const pushKeys = async ({
 	workspaceId: string;
 	keys: Key[];
 }): Promise<void> => {
-	try {
-		// filter out already-inserted keys
-		const keysSet = new Set(
-			(
-				await Key.find(
-					{
-						workspace: workspaceId
-					},
-					'receiver'
-				)
-			).map((k: IKey) => k.receiver.toString())
-		);
+  // filter out already-inserted keys
+  const keysSet = new Set(
+    (
+      await Key.find(
+        {
+          workspace: workspaceId
+        },
+        'receiver'
+      )
+    ).map((k: IKey) => k.receiver.toString())
+  );

-		keys = keys.filter((key) => !keysSet.has(key.userId));
+  keys = keys.filter((key) => !keysSet.has(key.userId));

-		// add new shared keys only
-		await Key.insertMany(
-			keys.map((k) => ({
-				encryptedKey: k.encryptedKey,
-				nonce: k.nonce,
-				sender: userId,
-				receiver: k.userId,
-				workspace: workspaceId
-			}))
-		);
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to push access keys');
-	}
+  // add new shared keys only
+  await Key.insertMany(
+    keys.map((k) => ({
+      encryptedKey: k.encryptedKey,
+      nonce: k.nonce,
+      sender: userId,
+      receiver: k.userId,
+      workspace: workspaceId
+    }))
+  );
 };

 export { pushKeys };
--- a/backend/src/helpers/membership.ts
+++ b/backend/src/helpers/membership.ts
@ -2,105 +2,12 @@ import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
 import { 
 	Membership, 
-	Key,
-	IUser,
-	User,
-	IServiceAccount,
-	ServiceAccount,
-	IServiceTokenData,
-	ServiceTokenData
+	Key
 } from '../models';
 import {
 	MembershipNotFoundError,
-	BadRequestError,
-	UnauthorizedRequestError
+	BadRequestError
 } from '../utils/errors';
-import {
-	AUTH_MODE_JWT,
-	AUTH_MODE_SERVICE_ACCOUNT,
-	AUTH_MODE_SERVICE_TOKEN,
-	AUTH_MODE_API_KEY
-} from '../variables';
-import {
-	validateUserClientForWorkspace
-} from '../helpers/user';
-import {
-	validateServiceAccountClientForWorkspace
-} from '../helpers/serviceAccount';
-import {
-	validateServiceTokenDataClientForWorkspace
-} from '../helpers/serviceTokenData';
-
-/**
- * Validate authenticated clients for membership with id [membershipId] based
- * on any known permissions.
- * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId} obj.membershipId - id of membership to validate against
- * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspaceRoles
- * @returns {Membership} - validated membership
- */
-const validateClientForMembership = async ({
-	authData,
-	membershipId,
-	acceptedRoles
-}: {
-	authData: {
-		authMode: string;
-		authPayload: IUser | IServiceAccount | IServiceTokenData;
-	};
-	membershipId: Types.ObjectId;
-    acceptedRoles: Array<'admin' | 'member'>;
-}) => {
-	
-	const membership = await Membership.findById(membershipId);
-	
-	if (!membership) throw MembershipNotFoundError({
-		message: 'Failed to find membership'
-	});
-
-	if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
-		await validateUserClientForWorkspace({
-			user: authData.authPayload,
-			workspaceId: membership.workspace,
-			acceptedRoles
-		});
-		
-		return membership;
-	}
-	
-	if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
-		await validateServiceAccountClientForWorkspace({
-			serviceAccount: authData.authPayload,
-			workspaceId: membership.workspace
-		});
-
-		return membership;
-	}
-	
-	if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
-		await validateServiceTokenDataClientForWorkspace({
-			serviceTokenData: authData.authPayload,
-			workspaceId: new Types.ObjectId(membership.workspace)
-		});
-		
-		return membership;
-	}
-
-	if (authData.authMode == AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
-		await validateUserClientForWorkspace({
-			user: authData.authPayload,
-			workspaceId: membership.workspace,
-			acceptedRoles 
-		});
-		
-		return membership;
-	}
-	
-	throw UnauthorizedRequestError({
-		message: 'Failed client authorization for membership'
-	});
-}

 /**
 * Validate that user with id [userId] is a member of workspace with id [workspaceId]
@ -230,7 +137,6 @@ const deleteMembership = async ({ membershipId }: { membershipId: string }) => {
 };

 export { 
-	validateClientForMembership,
 	validateMembership,
 	addMemberships, 
 	findMembership, 
--- a/backend/src/helpers/membershipOrg.ts
+++ b/backend/src/helpers/membershipOrg.ts
@ -1,98 +1,14 @@
-import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
 import { 
 	MembershipOrg, 
 	Workspace, 
 	Membership, 
-	Key,
-	IUser,
-	User,
-	IServiceAccount,
-	ServiceAccount,
-	IServiceTokenData,
-	ServiceTokenData
+	Key
 } from '../models';
 import {
 	MembershipOrgNotFoundError,
-	BadRequestError,
 	UnauthorizedRequestError
 } from '../utils/errors';
-import {
-	AUTH_MODE_JWT,
-	AUTH_MODE_SERVICE_ACCOUNT,
-	AUTH_MODE_SERVICE_TOKEN,
-	AUTH_MODE_API_KEY
-} from '../variables';
-
-/**
- * Validate authenticated clients for organization membership with id [membershipOrgId] based
- * on any known permissions.
- * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId} obj.membershipOrgId - id of organization membership to validate against
- * @param {Array<'owner' | 'admin' | 'member'>} obj.acceptedRoles - accepted organization roles
- * @param {MembershipOrg} - validated organization membership
- */
-const validateClientForMembershipOrg = async ({
-	authData,
-	membershipOrgId,
-	acceptedRoles,
-	acceptedStatuses
-}: {
-	authData: {
-		authMode: string;
-		authPayload: IUser | IServiceAccount | IServiceTokenData;
-	};
-	membershipOrgId: Types.ObjectId;
-    acceptedRoles: Array<'owner' | 'admin' | 'member'>;
-    acceptedStatuses: Array<'invited' | 'accepted'>;
-}) => {
-	const membershipOrg = await MembershipOrg.findById(membershipOrgId);
-
-	if (!membershipOrg) throw MembershipOrgNotFoundError({
-		message: 'Failed to find organization membership '
-	});
-
-	if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
-		await validateMembershipOrg({
-			userId: authData.authPayload._id,
-			organizationId: membershipOrg.organization,
-			acceptedRoles,
-			acceptedStatuses
-		});
-		
-		return membershipOrg;
-	}
-
-	if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
-		if (!authData.authPayload.organization.equals(membershipOrg.organization)) throw UnauthorizedRequestError({
-			message: 'Failed service account client authorization for organization membership'
-		});
-		
-		return membershipOrg;
-	}
-
-	if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
-		throw UnauthorizedRequestError({
-			message: 'Failed service account client authorization for organization membership'
-		});
-	}
-	
-	if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
-		await validateMembershipOrg({
-			userId: authData.authPayload._id,
-			organizationId: membershipOrg.organization,
-			acceptedRoles,
-			acceptedStatuses
-		});
-		
-		return membershipOrg;
-	}
-	
-	throw UnauthorizedRequestError({
-		message: 'Failed client authorization for organization membership'
-	});
-}

 /**
 * Validate that user with id [userId] is a member of organization with id [organizationId]
@ -144,15 +60,7 @@ const validateMembershipOrg = async ({
 * @return {Object} membershipOrg - membership
 */
 const findMembershipOrg = (queryObj: any) => {
-	let membershipOrg;
-	try {
-		membershipOrg = MembershipOrg.findOne(queryObj);
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to find organization membership');
-	}
-
+	const membershipOrg = MembershipOrg.findOne(queryObj);
 	return membershipOrg;
 };

@ -175,33 +83,27 @@ const addMembershipsOrg = async ({
 	roles: string[];
 	statuses: string[];
 }) => {
-	try {
-		const operations = userIds.map((userId, idx) => {
-			return {
-				updateOne: {
-					filter: {
-						user: userId,
-						organization: organizationId,
-						role: roles[idx],
-						status: statuses[idx]
-					},
-					update: {
-						user: userId,
-						organization: organizationId,
-						role: roles[idx],
-						status: statuses[idx]
-					},
-					upsert: true
-				}
-			};
-		});
+  const operations = userIds.map((userId, idx) => {
+    return {
+      updateOne: {
+        filter: {
+          user: userId,
+          organization: organizationId,
+          role: roles[idx],
+          status: statuses[idx]
+        },
+        update: {
+          user: userId,
+          organization: organizationId,
+          role: roles[idx],
+          status: statuses[idx]
+        },
+        upsert: true
+      }
+    };
+  });

-		await MembershipOrg.bulkWrite(operations as any);
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to add users to organization');
-	}
+  await MembershipOrg.bulkWrite(operations as any);
 };

 /**
@ -214,49 +116,41 @@ const deleteMembershipOrg = async ({
 }: {
 	membershipOrgId: string;
 }) => {
-	let deletedMembershipOrg;
-	try {
-		deletedMembershipOrg = await MembershipOrg.findOneAndDelete({
-			_id: membershipOrgId
-		});
+  const deletedMembershipOrg = await MembershipOrg.findOneAndDelete({
+    _id: membershipOrgId
+  });

-		if (!deletedMembershipOrg) throw new Error('Failed to delete organization membership');
+  if (!deletedMembershipOrg) throw new Error('Failed to delete organization membership');

-		// delete keys associated with organization membership
-		if (deletedMembershipOrg?.user) {
-			// case: organization membership had a registered user
+  // delete keys associated with organization membership
+  if (deletedMembershipOrg?.user) {
+    // case: organization membership had a registered user

-			const workspaces = (
-				await Workspace.find({
-					organization: deletedMembershipOrg.organization
-				})
-			).map((w) => w._id.toString());
+    const workspaces = (
+      await Workspace.find({
+        organization: deletedMembershipOrg.organization
+      })
+    ).map((w) => w._id.toString());

-			await Membership.deleteMany({
-				user: deletedMembershipOrg.user,
-				workspace: {
-					$in: workspaces
-				}
-			});
+    await Membership.deleteMany({
+      user: deletedMembershipOrg.user,
+      workspace: {
+        $in: workspaces
+      }
+    });

-			await Key.deleteMany({
-				receiver: deletedMembershipOrg.user,
-				workspace: {
-					$in: workspaces
-				}
-			});
-		}
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to delete organization membership');
-	}
+    await Key.deleteMany({
+      receiver: deletedMembershipOrg.user,
+      workspace: {
+        $in: workspaces
+      }
+    });
+  }

 	return deletedMembershipOrg;
 };

 export {
-	validateClientForMembershipOrg,
 	validateMembershipOrg,
 	findMembershipOrg,
 	addMembershipsOrg, 
--- a/backend/src/helpers/nodemailer.ts
+++ b/backend/src/helpers/nodemailer.ts
@ -25,7 +25,7 @@ const sendMail = async ({
  recipients: string[];
  substitutions: any;
 }) => {
-  if (getSmtpConfigured()) {
+  if (await getSmtpConfigured()) {
    try {
      const html = fs.readFileSync(
        path.resolve(__dirname, '../templates/' + template),
@ -35,7 +35,7 @@ const sendMail = async ({
      const htmlToSend = temp(substitutions);

      await smtpTransporter.sendMail({
-        from: `"${getSmtpFromName()}" <${getSmtpFromAddress()}>`,
+        from: `"${await getSmtpFromName()}" <${await getSmtpFromAddress()}>`,
        to: recipients.join(', '),
        subject: subjectLine,
        html: htmlToSend
--- a/backend/src/helpers/organization.ts
+++ b/backend/src/helpers/organization.ts
@ -1,110 +1,25 @@
-import * as Sentry from '@sentry/node';
-import Stripe from 'stripe';
-import { Types } from 'mongoose';
+import Stripe from "stripe";
+import { Types } from "mongoose";
+import { Organization, MembershipOrg } from "../models";
 import {
-	IUser,
-	User,
-	IServiceAccount,
-	ServiceAccount,
-	IServiceTokenData,
-	ServiceTokenData
-} from '../models';
-import { Organization, MembershipOrg } from '../models';
-import { 
-	ACCEPTED,
-	AUTH_MODE_JWT,
-	AUTH_MODE_SERVICE_ACCOUNT,
-	AUTH_MODE_SERVICE_TOKEN,
-	AUTH_MODE_API_KEY,
-	OWNER
-} from '../variables';
-import { 
-	getStripeSecretKey,
-	getStripeProductPro,
-	getStripeProductTeam,
-	getStripeProductStarter
+  ACCEPTED
+} from "../variables";
+import {
+  getStripeSecretKey,
+  getStripeProductPro,
+  getStripeProductTeam,
+  getStripeProductStarter,
+} from "../config";
+import {
+  EELicenseService
+} from '../ee/services';
+import {
+  getLicenseServerUrl
 } from '../config';
 import {
-	UnauthorizedRequestError,
-	OrganizationNotFoundError
-} from '../utils/errors';
-import {
-	validateUserClientForOrganization
-} from '../helpers/user';
-import {
-	validateServiceAccountClientForOrganization
-} from '../helpers/serviceAccount';
-
-/**
- * Validate accepted clients for organization with id [organizationId]
- * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId} obj.organizationId - id of organization to validate against
- */
-const validateClientForOrganization = async ({
-	authData,
-	organizationId,
-	acceptedRoles,
-	acceptedStatuses
-}: {
-	authData: {
-		authMode: string;
-		authPayload: IUser | IServiceAccount | IServiceTokenData;
-	},
-	organizationId: Types.ObjectId;
-	acceptedRoles: Array<'owner' | 'admin' | 'member'>;
-	acceptedStatuses: Array<'invited' | 'accepted'>;
-}) => {
-	
-	const organization = await Organization.findById(organizationId);
-	
-	if (!organization) {
-		throw OrganizationNotFoundError({
-			message: 'Failed to find organization'
-		});
-	}
-	
-	if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
-		const membershipOrg = await validateUserClientForOrganization({
-			user: authData.authPayload,
-			organization,
-			acceptedRoles,
-			acceptedStatuses
-		});
-		
-		return ({ organization, membershipOrg });
-	}
-
-	if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
-		await validateServiceAccountClientForOrganization({
-			serviceAccount: authData.authPayload,
-			organization
-		});
-		
-		return ({ organization });
-	}
-
-	if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
-		throw UnauthorizedRequestError({
-			message: 'Failed service token authorization for organization'
-		});
-	}
-
-	if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
-		const membershipOrg = await validateUserClientForOrganization({
-			user: authData.authPayload,
-			organization,
-			acceptedRoles,
-			acceptedStatuses
-		});
-		
-		return ({ organization, membershipOrg });
-	}
-	
-	throw UnauthorizedRequestError({
-		message: 'Failed client authorization for organization'
-	});
-}
+  licenseServerKeyRequest,
+  licenseKeyRequest
+} from '../config/request';

 /**
 * Create an organization with name [name]
@ -114,43 +29,37 @@ const validateClientForOrganization = async ({
 * @param {Object} organization - new organization
 */
 const createOrganization = async ({
-	name,
-	email
+  name,
+  email,
 }: {
-	name: string;
-	email: string;
+  name: string;
+  email: string;
 }) => {
-	let organization;
-	try {
-		// register stripe account
-		const stripe = new Stripe(getStripeSecretKey(), {
-			apiVersion: '2022-08-01'
-		});
+  let organization;
+  // register stripe account
+  const stripe = new Stripe(await getStripeSecretKey(), {
+    apiVersion: "2022-08-01",
+  });

-		if (getStripeSecretKey()) {
-			const customer = await stripe.customers.create({
-				email,
-				description: name
-			});
+  if (await getStripeSecretKey()) {
+    const customer = await stripe.customers.create({
+      email,
+      description: name,
+    });

-			organization = await new Organization({
-				name,
-				customerId: customer.id
-			}).save();
-		} else {
-			organization = await new Organization({
-				name
-			}).save();
-		}
+    organization = await new Organization({
+      name,
+      customerId: customer.id,
+    }).save();
+  } else {
+    organization = await new Organization({
+      name,
+    }).save();
+  }

-		await initSubscriptionOrg({ organizationId: organization._id });
-	} catch (err) {
-		Sentry.setUser({ email });
-		Sentry.captureException(err);
-		throw new Error(`Failed to create organization [err=${err}]`);
-	}
+  await initSubscriptionOrg({ organizationId: organization._id });

-	return organization;
+  return organization;
 };

 /**
@ -162,57 +71,52 @@ const createOrganization = async ({
 * @return {Subscription} obj.subscription - new subscription
 */
 const initSubscriptionOrg = async ({
-	organizationId
+  organizationId,
 }: {
-	organizationId: Types.ObjectId;
+  organizationId: Types.ObjectId;
 }) => {
-	let stripeSubscription;
-	let subscription;
-	try {
-		// find organization
-		const organization = await Organization.findOne({
-			_id: organizationId
-		});
+  let stripeSubscription;
+  let subscription;

-		if (organization) {
-			if (organization.customerId) {
-				// initialize starter subscription with quantity of 0
-				const stripe = new Stripe(getStripeSecretKey(), {
-					apiVersion: '2022-08-01'
-				});
+  // find organization
+  const organization = await Organization.findOne({
+    _id: organizationId,
+  });

-				const productToPriceMap = {
-					starter: getStripeProductStarter(),
-					team: getStripeProductTeam(),
-					pro: getStripeProductPro()
-				};
+  if (organization) {
+    if (organization.customerId) {
+      // initialize starter subscription with quantity of 0
+      const stripe = new Stripe(await getStripeSecretKey(), {
+        apiVersion: "2022-08-01",
+      });

-				stripeSubscription = await stripe.subscriptions.create({
-					customer: organization.customerId,
-					items: [
-						{
-							price: productToPriceMap['starter'],
-							quantity: 1
-						}
-					],
-					payment_behavior: 'default_incomplete',
-					proration_behavior: 'none',
-					expand: ['latest_invoice.payment_intent']
-				});
-			}
-		} else {
-			throw new Error('Failed to initialize free organization subscription');
-		}
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to initialize free organization subscription');
-	}
+      const productToPriceMap = {
+        starter: await getStripeProductStarter(),
+        team: await getStripeProductTeam(),
+        pro: await getStripeProductPro(),
+      };

-	return {
-		stripeSubscription,
-		subscription
-	};
+      stripeSubscription = await stripe.subscriptions.create({
+        customer: organization.customerId,
+        items: [
+          {
+            price: productToPriceMap["starter"],
+            quantity: 1,
+          },
+        ],
+        payment_behavior: "default_incomplete",
+        proration_behavior: "none",
+        expand: ["latest_invoice.payment_intent"],
+      });
+    }
+  } else {
+    throw new Error("Failed to initialize free organization subscription");
+  }
+
+  return {
+    stripeSubscription,
+    subscription,
+  };
 };

 /**
@ -222,54 +126,55 @@ const initSubscriptionOrg = async ({
 * @param {Number} obj.organizationId - id of subscription's organization
 */
 const updateSubscriptionOrgQuantity = async ({
-	organizationId
+  organizationId,
 }: {
-	organizationId: string;
+  organizationId: string;
 }) => {
-	let stripeSubscription;
-	try {
-		// find organization
-		const organization = await Organization.findOne({
-			_id: organizationId
-		});
+  let stripeSubscription;
+  // find organization
+  const organization = await Organization.findOne({
+    _id: organizationId,
+  });

-		if (organization && organization.customerId) {
-			const quantity = await MembershipOrg.countDocuments({
-				organization: organizationId,
-				status: ACCEPTED
-			});
+  if (organization && organization.customerId) {
+    if (EELicenseService.instanceType === 'cloud') {
+      // instance of Infisical is a cloud instance
+      const quantity = await MembershipOrg.countDocuments({
+        organization: new Types.ObjectId(organizationId),
+        status: ACCEPTED,
+      });
+      
+      await licenseServerKeyRequest.patch(
+        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${organization.customerId}/cloud-plan`,
+        {
+          quantity
+        }
+      );

-			const stripe = new Stripe(getStripeSecretKey(), {
-				apiVersion: '2022-08-01'
-			});
+      EELicenseService.localFeatureSet.del(organizationId);
+    }
+    
+    if (EELicenseService.instanceType === 'enterprise-self-hosted') {
+      // instance of Infisical is an enterprise self-hosted instance
+      
+      const usedSeats = await MembershipOrg.countDocuments({
+        status: ACCEPTED
+      });

-			const subscription = (
-				await stripe.subscriptions.list({
-					customer: organization.customerId
-				})
-			).data[0];
+      await licenseKeyRequest.patch(
+        `${await getLicenseServerUrl()}/api/license/v1/license`,
+        {
+          usedSeats
+        }
+      );
+    }
+  }

-			stripeSubscription = await stripe.subscriptions.update(subscription.id, {
-				items: [
-					{
-						id: subscription.items.data[0].id,
-						price: subscription.items.data[0].price.id,
-						quantity
-					}
-				]
-			});
-		}
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-	}
-
-	return stripeSubscription;
+  return stripeSubscription;
 };

 export {
-	validateClientForOrganization,
-	createOrganization,
-	initSubscriptionOrg,
-	updateSubscriptionOrgQuantity
-};
+  createOrganization,
+  initSubscriptionOrg,
+  updateSubscriptionOrgQuantity
+};
--- a/backend/src/helpers/secret.ts
+++ b/backend/src/helpers/secret.ts
--- a/backend/src/helpers/secrets.ts
+++ b/backend/src/helpers/secrets.ts
@ -1,198 +1,769 @@
 import { Types } from 'mongoose';
 import {
-    User,
-    IUser,
-    ServiceAccount,
-    IServiceAccount,
-    ServiceTokenData,
-    IServiceTokenData,
+    CreateSecretParams,
+    GetSecretsParams,
+    GetSecretParams,
+    UpdateSecretParams,
+    DeleteSecretParams
+} from '../interfaces/services/SecretService';
+import {
    Secret,
-    ISecret
+    ISecret,
+    SecretBlindIndexData,
 } from '../models';
-import {
-    validateMembership
-} from '../helpers/membership';
-import {
-    validateUserClientForSecret,
-    validateUserClientForSecrets
-} from '../helpers/user';
-import {
-    validateServiceTokenDataClientForSecrets, validateServiceTokenDataClientForWorkspace
-} from '../helpers/serviceTokenData';
-import {
-    validateServiceAccountClientForSecrets,
-    validateServiceAccountClientForWorkspace
-} from '../helpers/serviceAccount';
+import { SecretVersion } from '../ee/models';
 import { 
    BadRequestError, 
-    UnauthorizedRequestError,
-    SecretNotFoundError
+    SecretNotFoundError,
+    SecretBlindIndexDataNotFoundError,
+    InternalServerError
 } from '../utils/errors';
 import {
-    AUTH_MODE_JWT,
-    AUTH_MODE_SERVICE_ACCOUNT,
-    AUTH_MODE_SERVICE_TOKEN,
-    AUTH_MODE_API_KEY
+    SECRET_PERSONAL,
+    SECRET_SHARED,
+    ACTION_ADD_SECRETS,
+    ACTION_READ_SECRETS,
+    ACTION_UPDATE_SECRETS,
+    ACTION_DELETE_SECRETS,
+    ALGORITHM_AES_256_GCM,
+    ENCODING_SCHEME_UTF8,
+    ENCODING_SCHEME_BASE64
 } from '../variables';
+import crypto from 'crypto';
+import * as argon2 from 'argon2';
+import {
+    encryptSymmetric128BitHexKeyUTF8,
+    decryptSymmetric128BitHexKeyUTF8
+} from '../utils/crypto';
+import { getEncryptionKey, client, getRootEncryptionKey } from '../config';
+import { TelemetryService } from '../services';
+import {
+    EESecretService,
+    EELogService
+} from '../ee/services';
+import {
+    getAuthDataPayloadIdObj,
+    getAuthDataPayloadUserObj
+} from '../utils/auth';

 /**
- * Validate authenticated clients for secrets with id [secretId] based
- * on any known permissions.
+ * Create secret blind index data containing encrypted blind index [salt]
+ * for workspace with id [workspaceId]
 * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId} obj.secretId - id of secret to validate against
- * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspace roles
- * @param {String[]} obj.requiredPermissions - required permissions as part of the endpoint
+ * @param {Types.ObjectId} obj.workspaceId
 */
-const validateClientForSecret = async ({
-    authData,
-    secretId,
-    acceptedRoles,
-    requiredPermissions
+const createSecretBlindIndexDataHelper = async ({
+    workspaceId
 }: {
-    authData: {
-		authMode: string;
-		authPayload: IUser | IServiceAccount | IServiceTokenData;
-	},
-    secretId: Types.ObjectId;
-    acceptedRoles: Array<'admin' | 'member'>;
-    requiredPermissions: string[];
+    workspaceId: Types.ObjectId;
 }) => {
-    const secret = await Secret.findById(secretId);

-    if (!secret) throw SecretNotFoundError({
-        message: 'Failed to find secret'
-    });
+    // initialize random blind index salt for workspace
+    const salt = crypto.randomBytes(16).toString('base64');

-    if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
-        await validateUserClientForSecret({
-            user: authData.authPayload,
-            secret,
-            acceptedRoles,
-            requiredPermissions
-        });
+    const encryptionKey = await getEncryptionKey();
+    const rootEncryptionKey = await getRootEncryptionKey();

-        return secret;
-    }
-
-    if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
-        await validateServiceAccountClientForWorkspace({
-            serviceAccount: authData.authPayload,
-            workspaceId: secret.workspace,
-            environment: secret.environment,
-            requiredPermissions
+    if (rootEncryptionKey) {
+        const { 
+            ciphertext: encryptedSaltCiphertext,
+            iv: saltIV,
+            tag: saltTag
+        } = client.encryptSymmetric(salt, rootEncryptionKey);
+        
+        return await new SecretBlindIndexData({
+            workspace: workspaceId,
+            encryptedSaltCiphertext,
+            saltIV,
+            saltTag,
+            algorithm: ALGORITHM_AES_256_GCM,
+            keyEncoding: ENCODING_SCHEME_BASE64
+        }).save();
+    } else {
+        const { 
+            ciphertext: encryptedSaltCiphertext,
+            iv: saltIV,
+            tag: saltTag
+        } = encryptSymmetric128BitHexKeyUTF8({
+            plaintext: salt,
+            key: encryptionKey
        });
        
-        return secret;
+        return await new SecretBlindIndexData({
+            workspace: workspaceId,
+            encryptedSaltCiphertext,
+            saltIV,
+            saltTag,
+            algorithm: ALGORITHM_AES_256_GCM,
+            keyEncoding: ENCODING_SCHEME_UTF8
+        }).save();
+    }
+}
+
+/**
+ * Get secret blind index salt for workspace with id [workspaceId]
+ * @param {Object} obj
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace to get salt for
+ * @returns 
+ */
+const getSecretBlindIndexSaltHelper = async ({
+    workspaceId
+}: {
+    workspaceId: Types.ObjectId;
+}) => {
+    
+    const encryptionKey = await getEncryptionKey();
+    const rootEncryptionKey = await getRootEncryptionKey();
+
+    const secretBlindIndexData = await SecretBlindIndexData.findOne({
+        workspace: workspaceId
+    }).select('+algorithm +keyEncoding');
+    
+    if (!secretBlindIndexData) throw SecretBlindIndexDataNotFoundError();
+
+    if (rootEncryptionKey && secretBlindIndexData.keyEncoding === ENCODING_SCHEME_BASE64) {
+        return client.decryptSymmetric(
+            secretBlindIndexData.encryptedSaltCiphertext, 
+            rootEncryptionKey, 
+            secretBlindIndexData.saltIV, 
+            secretBlindIndexData.saltTag
+        );
+    } else if (encryptionKey && secretBlindIndexData.keyEncoding === ENCODING_SCHEME_UTF8) {
+        // decrypt workspace salt
+        return decryptSymmetric128BitHexKeyUTF8({
+            ciphertext: secretBlindIndexData.encryptedSaltCiphertext,
+            iv: secretBlindIndexData.saltIV,
+            tag: secretBlindIndexData.saltTag,
+            key: encryptionKey
+        });
    }

-    if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
-        await validateServiceTokenDataClientForWorkspace({
-            serviceTokenData: authData.authPayload,
-            workspaceId: secret.workspace,
-            environment: secret.environment
-        });
-    
-        return secret;
-    }
-    
-    if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
-        await validateUserClientForSecret({
-            user: authData.authPayload,
-            secret,
-            acceptedRoles,
-            requiredPermissions
-        });
-
-        return secret;
-    }
-    
-    throw UnauthorizedRequestError({
-        message: 'Failed client authorization for secret'
+    throw InternalServerError({
+        message: 'Failed to obtain workspace salt needed for secret blind indexing'
    });
 }

 /**
- * Validate authenticated clients for secrets with ids [secretIds] based
- * on any known permissions.
+ * Generate blind index for secret with name [secretName]
+ * and salt [salt]
 * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId[]} obj.secretIds - id of workspace to validate against
- * @param {String} obj.environment - (optional) environment in workspace to validate against
- * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspace roles
- * @param {String[]} obj.requiredPermissions - required permissions as part of the endpoint
+ * @param {String} obj.secretName - name of secret to generate blind index for
+ * @param {String} obj.salt - base64-salt
 */
-const validateClientForSecrets = async ({
-    authData,
-    secretIds,
-    requiredPermissions
+ const generateSecretBlindIndexWithSaltHelper = async ({
+    secretName,
+    salt
 }: {
-    authData: {
-		authMode: string;
-		authPayload: IUser | IServiceAccount | IServiceTokenData;
-	},
-    secretIds: Types.ObjectId[];
-    requiredPermissions: string[];
+    secretName: string;
+    salt: string;
 }) => {

-    let secrets: ISecret[] = [];
+    // generate secret blind index
+    const secretBlindIndex = (await argon2.hash(secretName, {
+        type: argon2.argon2id,
+        salt: Buffer.from(salt, 'base64'),
+        saltLength: 16, // default 16 bytes
+        memoryCost: 65536, // default pool of 64 MiB per thread.
+        hashLength: 32,
+        parallelism: 1,
+        raw: true
+    })).toString('base64');
+
+    return secretBlindIndex;
+}
+
+/**
+ * Generate blind index for secret with name [secretName] 
+ * for workspace with id [workspaceId]
+ * @param {Object} obj
+ * @param {Stringj} obj.secretName - name of secret to generate blind index for
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
+ */
+const generateSecretBlindIndexHelper = async ({
+    secretName,
+    workspaceId
+}: {
+    secretName: string;
+    workspaceId: Types.ObjectId;
+}) => {
+
+    // check if workspace blind index data exists
+    const secretBlindIndexData = await SecretBlindIndexData.findOne({
+        workspace: workspaceId
+    });
    
-    secrets = await Secret.find({
-        _id: {
-            $in: secretIds
-        }
+    if (!secretBlindIndexData) throw SecretBlindIndexDataNotFoundError();
+    
+    // decrypt workspace salt
+    const salt = decryptSymmetric128BitHexKeyUTF8({
+        ciphertext: secretBlindIndexData.encryptedSaltCiphertext,
+        iv: secretBlindIndexData.saltIV,
+        tag: secretBlindIndexData.saltTag,
+        key: await getEncryptionKey()
    });

-    if (secrets.length != secretIds.length) {
-        throw BadRequestError({ message: 'Failed to validate non-existent secrets' })
-    }
+    const secretBlindIndex = await generateSecretBlindIndexWithSaltHelper({
+        secretName,
+        salt
+    });

-    if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
-        await validateUserClientForSecrets({
-            user: authData.authPayload,
-            secrets,
-            requiredPermissions
+    return secretBlindIndex;
+}
+
+/**
+ * Create secret with name [secretName]
+ * @param {Object} obj
+ * @param {String} obj.secretName - name of secret to create
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace to create secret for
+ * @param {String} obj.environment - environment in workspace to create secret for
+ * @param {'shared' | 'personal'} obj.type - type of secret
+ * @param {AuthData} obj.authData - authentication data on request
+ * @returns 
+ */
+const createSecretHelper = async ({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData,
+    secretKeyCiphertext,
+    secretKeyIV,
+    secretKeyTag,
+    secretValueCiphertext,
+    secretValueIV,
+    secretValueTag,
+    secretCommentCiphertext,
+    secretCommentIV,
+    secretCommentTag
+}: CreateSecretParams) => {
+    const secretBlindIndex = await generateSecretBlindIndexHelper({
+        secretName,
+        workspaceId: new Types.ObjectId(workspaceId)
+    });
+
+    const exists = await Secret.exists({
+        secretBlindIndex,
+        workspace: new Types.ObjectId(workspaceId),
+        type,
+        ...(type === SECRET_PERSONAL ? getAuthDataPayloadUserObj(authData) : {})
+    });
+    
+    if (exists) throw BadRequestError({
+        message: 'Failed to create secret that already exists'
+    });
+    
+    if (type === SECRET_PERSONAL) {
+        // case: secret type is personal -> check if a corresponding shared secret 
+        // with the same blind index [secretBlindIndex] exists
+
+        const exists = await Secret.exists({
+            secretBlindIndex,
+            workspace: new Types.ObjectId(workspaceId),
+            type: SECRET_SHARED
        });
        
-        return secrets;
+        if (!exists) throw BadRequestError({
+            message: 'Failed to create personal secret override for no corresponding shared secret'
+        });
    }
    
-    if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
-        await validateServiceAccountClientForSecrets({
-            serviceAccount: authData.authPayload,
-            secrets,
-            requiredPermissions
+    // create secret
+    const secret = await new Secret({
+        version: 1,
+        workspace: new Types.ObjectId(workspaceId),
+        environment,
+        type,
+        ...(type === SECRET_PERSONAL ? getAuthDataPayloadUserObj(authData) : {}),
+        secretBlindIndex,
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        secretCommentCiphertext,
+        secretCommentIV,
+        secretCommentTag,
+        algorithm: ALGORITHM_AES_256_GCM,
+        keyEncoding: ENCODING_SCHEME_UTF8
+    }).save();
+    
+    const secretVersion = new SecretVersion({
+        secret: secret._id,
+        version: secret.version,
+        workspace: secret.workspace,
+        type,
+        ...(type === SECRET_PERSONAL ? getAuthDataPayloadUserObj(authData) : {}),
+        environment: secret.environment,
+        isDeleted: false,
+        secretBlindIndex,
+        secretKeyCiphertext,
+        secretKeyIV,
+        secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        algorithm: ALGORITHM_AES_256_GCM,
+        keyEncoding: ENCODING_SCHEME_UTF8
+    });
+
+    // // (EE) add version for new secret
+    await EESecretService.addSecretVersions({
+        secretVersions: [secretVersion]
+    });
+
+    // (EE) create (audit) log
+    const action = await EELogService.createAction({
+        name: ACTION_ADD_SECRETS,
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        secretIds: [secret._id]
+    });
+    
+    action && await EELogService.createLog({
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        actions: [action],
+        channel: authData.authChannel,
+        ipAddress: authData.authIP
+    });
+    
+    // (EE) take a secret snapshot
+    await EESecretService.takeSecretSnapshot({
+        workspaceId
+    });
+
+    const postHogClient = await TelemetryService.getPostHogClient();
+
+    if (postHogClient) {
+        postHogClient.capture({
+            event: 'secrets added',
+            distinctId: await TelemetryService.getDistinctId({
+                authData
+            }),
+            properties: {
+                numberOfSecrets: 1,
+                environment,
+                workspaceId,
+                channel: authData.authChannel,
+                userAgent: authData.authUserAgent
+            }
        });
-        
-        return secrets;
    }
-        
-    if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
-        await validateServiceTokenDataClientForSecrets({
-            serviceTokenData: authData.authPayload,
-            secrets,
-            requiredPermissions
+    
+    return secret;
+}
+
+/**
+ * Get secrets for workspace with id [workspaceId] and environment [environment]
+ * @param {Object} obj
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace
+ * @param {String} obj.environment - environment in workspace
+ * @param {AuthData} obj.authData - authentication data on request
+ * @returns 
+ */
+const getSecretsHelper = async ({
+    workspaceId,
+    environment,
+    authData
+}: GetSecretsParams) => {
+    let secrets: ISecret[] = [];
+
+    // get personal secrets first
+    secrets = await Secret.find({
+        workspace: new Types.ObjectId(workspaceId),
+        environment,
+        type: SECRET_PERSONAL,
+        ...getAuthDataPayloadUserObj(authData)
+    });
+
+    // concat with shared secrets
+    secrets = secrets.concat(await Secret.find({
+        workspace: new Types.ObjectId(workspaceId),
+        environment,
+        type: SECRET_SHARED,
+        secretBlindIndex: {
+            $nin: secrets.map((secret) => secret.secretBlindIndex)
+        }
+    }));
+
+    // (EE) create (audit) log
+    const action = await EELogService.createAction({
+        name: ACTION_READ_SECRETS,
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        secretIds: secrets.map((secret) => secret._id)
+    });
+    
+    action && await EELogService.createLog({
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        actions: [action],
+        channel: authData.authChannel,
+        ipAddress: authData.authIP
+    });
+
+    const postHogClient = await TelemetryService.getPostHogClient();
+
+    if (postHogClient) {
+        postHogClient.capture({
+            event: 'secrets pulled',
+            distinctId: await TelemetryService.getDistinctId({
+                authData
+            }),
+            properties: {
+                numberOfSecrets: secrets.length,
+                environment,
+                workspaceId,
+                channel: authData.authChannel,
+                userAgent: authData.authUserAgent
+            }
        });
-        
-        return secrets;
    }

-    if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
-        await validateUserClientForSecrets({
-            user: authData.authPayload,
-            secrets,
-            requiredPermissions
+    return secrets;
+}
+
+/**
+ * Get secret with name [secretName]
+ * @param {Object} obj
+ * @param {String} obj.secretName - name of secret to get
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
+ * @param {String} obj.environment - environment in workspace that secret belongs to
+ * @param {'shared' | 'personal'} obj.type - type of secret
+ * @param {AuthData} obj.authData - authentication data on request
+ * @returns 
+ */
+const getSecretHelper = async ({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData
+}: GetSecretParams) => {
+    const secretBlindIndex = await generateSecretBlindIndexHelper({
+        secretName,
+        workspaceId: new Types.ObjectId(workspaceId)
+    });
+    let secret: ISecret | null = null;
+    
+    // try getting personal secret first (if exists)
+    secret = await Secret.findOne({
+        secretBlindIndex,
+        workspace: new Types.ObjectId(workspaceId),
+        environment,
+        type: type ?? SECRET_PERSONAL,
+        ...(type === SECRET_PERSONAL ? getAuthDataPayloadUserObj(authData) : {})
+    });
+
+    if (!secret) {
+        // case: failed to find personal secret matching criteria
+        // -> find shared secret matching criteria
+        secret = await Secret.findOne({
+            secretBlindIndex,
+            workspace: new Types.ObjectId(workspaceId),
+            environment,
+            type: SECRET_SHARED
+        });
+    }
+    
+    if (!secret) throw SecretNotFoundError();
+    
+    // (EE) create (audit) log
+    const action = await EELogService.createAction({
+        name: ACTION_READ_SECRETS,
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        secretIds: [secret._id]
+    });
+    
+    action && await EELogService.createLog({
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        actions: [action],
+        channel: authData.authChannel,
+        ipAddress: authData.authIP
+    });
+
+    const postHogClient = await TelemetryService.getPostHogClient();
+
+    if (postHogClient) {
+        postHogClient.capture({
+            event: 'secrets pull',
+            distinctId: await TelemetryService.getDistinctId({
+                authData
+            }),
+            properties: {
+                numberOfSecrets: 1,
+                environment,
+                workspaceId,
+                channel: authData.authChannel,
+                userAgent: authData.authUserAgent
+            }
        });
-        
-        return secrets;
    }

-    throw UnauthorizedRequestError({
-        message: 'Failed client authorization for secrets resource'
+    return secret;
+}
+
+/**
+ * Update secret with name [secretName]
+ * @param {Object} obj
+ * @param {String} obj.secretName - name of secret to update
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
+ * @param {String} obj.environment - environment in workspace that secret belongs to
+ * @param {'shared' | 'personal'} obj.type - type of secret
+ * @param {String} obj.secretValueCiphertext - ciphertext of secret value
+ * @param {String} obj.secretValueIV - IV of secret value
+ * @param {String} obj.secretValueTag - tag of secret value
+ * @param {AuthData} obj.authData - authentication data on request
+ * @returns 
+ */
+const updateSecretHelper = async ({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData,
+    secretValueCiphertext,
+    secretValueIV,
+    secretValueTag
+}: UpdateSecretParams) => {
+    const secretBlindIndex = await generateSecretBlindIndexHelper({
+        secretName,
+        workspaceId: new Types.ObjectId(workspaceId)
+    });
+
+    let secret: ISecret | null = null;
+    
+    if (type === SECRET_SHARED) {
+        // case: update shared secret
+        secret = await Secret.findOneAndUpdate(
+            {
+                secretBlindIndex,
+                workspace: new Types.ObjectId(workspaceId),
+                environment,
+                type
+            },
+            {
+                secretValueCiphertext,
+                secretValueIV,
+                secretValueTag,
+                $inc: { version: 1 }
+            },
+            {
+                new: true
+            }
+        );
+    } else {
+        // case: update personal secret
+        
+        secret = await Secret.findOneAndUpdate(
+            {
+                secretBlindIndex,
+                workspace: new Types.ObjectId(workspaceId),
+                environment,
+                type,
+                ...getAuthDataPayloadUserObj(authData)
+            },
+            {
+                secretValueCiphertext,
+                secretValueIV,
+                secretValueTag,
+                $inc: { version: 1 }
+            },
+            {
+                new: true
+            }
+        );
+    }
+
+    if (!secret) throw SecretNotFoundError();
+
+    const secretVersion = new SecretVersion({
+        secret: secret._id,
+        version: secret.version,
+        workspace: secret.workspace,
+        type,
+        ...(type === SECRET_PERSONAL ? getAuthDataPayloadUserObj(authData) : {}),
+        environment: secret.environment,
+        isDeleted: false,
+        secretBlindIndex,
+        secretKeyCiphertext: secret.secretKeyCiphertext,
+        secretKeyIV: secret.secretKeyIV,
+        secretKeyTag: secret.secretKeyTag,
+        secretValueCiphertext,
+        secretValueIV,
+        secretValueTag,
+        algorithm: ALGORITHM_AES_256_GCM,
+        keyEncoding: ENCODING_SCHEME_UTF8
+    });
+
+    // (EE) add version for new secret
+    await EESecretService.addSecretVersions({
+        secretVersions: [secretVersion]
+    });
+
+    // (EE) create (audit) log
+    const action = await EELogService.createAction({
+        name: ACTION_UPDATE_SECRETS,
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        secretIds: [secret._id]
+    });
+    
+    action && await EELogService.createLog({
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        actions: [action],
+        channel: authData.authChannel,
+        ipAddress: authData.authIP
+    });
+    
+    // (EE) take a secret snapshot
+    await EESecretService.takeSecretSnapshot({
+        workspaceId
+    });
+
+    const postHogClient = await TelemetryService.getPostHogClient();
+
+    if (postHogClient) {
+        postHogClient.capture({
+            event: 'secrets modified',
+            distinctId: await TelemetryService.getDistinctId({
+                authData
+            }),
+            properties: {
+                numberOfSecrets: 1,
+                environment,
+                workspaceId,
+                channel: authData.authChannel,
+                userAgent: authData.authUserAgent
+            }
+        });
+    }
+
+    return secret;
+}
+
+/**
+ * Delete secret with name [secretName]
+ * @param {Object} obj
+ * @param {String} obj.secretName - name of secret to delete
+ * @param {Types.ObjectId} obj.workspaceId - id of workspace that secret belongs to
+ * @param {String} obj.environment - environment in workspace that secret belongs to
+ * @param {'shared' | 'personal'} obj.type - type of secret
+ * @param {AuthData} obj.authData - authentication data on request
+ * @returns 
+ */
+const deleteSecretHelper = async ({
+    secretName,
+    workspaceId,
+    environment,
+    type,
+    authData
+}: DeleteSecretParams) => {
+    const secretBlindIndex = await generateSecretBlindIndexHelper({
+        secretName,
+        workspaceId: new Types.ObjectId(workspaceId)
+    });
+
+    let secrets: ISecret[] = [];
+    let secret: ISecret | null = null;
+    
+    if (type === SECRET_SHARED) {
+        secrets = await Secret.find({
+            secretBlindIndex,
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment
+        });
+        
+        secret = await Secret.findOneAndDelete({
+            secretBlindIndex,
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment,
+            type
+        });
+        
+        await Secret.deleteMany({
+            secretBlindIndex,
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment
+        });
+    } else {
+        secret = await Secret.findOneAndDelete({
+            secretBlindIndex,
+            workspaceId: new Types.ObjectId(workspaceId),
+            environment,
+            type,
+            ...getAuthDataPayloadUserObj(authData)
+        });
+        
+        if (secret) {
+            secrets = [secret];
+        }
+    }
+    
+    if (!secret) throw SecretNotFoundError();
+    
+    await EESecretService.markDeletedSecretVersions({
+        secretIds: secrets.map((secret) => secret._id)
+    });
+
+    // (EE) create (audit) log
+    const action = await EELogService.createAction({
+        name: ACTION_DELETE_SECRETS,
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        secretIds: secrets.map((secret) => secret._id)
+    });
+
+    // (EE) take a secret snapshot
+    action && await EELogService.createLog({
+        ...getAuthDataPayloadIdObj(authData),
+        workspaceId,
+        actions: [action],
+        channel: authData.authChannel,
+        ipAddress: authData.authIP
+    });
+
+    // (EE) take a secret snapshot
+    await EESecretService.takeSecretSnapshot({
+        workspaceId
+    });
+
+    const postHogClient = await TelemetryService.getPostHogClient();
+
+    if (postHogClient) {
+        postHogClient.capture({
+            event: 'secrets deleted',
+            distinctId: await TelemetryService.getDistinctId({
+                authData
+            }),
+            properties: {
+                numberOfSecrets: secrets.length,
+                environment,
+                workspaceId,
+                channel: authData.authChannel,
+                userAgent: authData.authUserAgent
+            }
+        });
+    }
+    
+    return ({
+        secrets,
+        secret
    });
 }

 export {
-    validateClientForSecret,
-    validateClientForSecrets
+    createSecretBlindIndexDataHelper,
+    getSecretBlindIndexSaltHelper,
+    generateSecretBlindIndexWithSaltHelper,
+    generateSecretBlindIndexHelper,
+    createSecretHelper,
+    getSecretsHelper,
+    getSecretHelper,
+    updateSecretHelper,
+    deleteSecretHelper
 }
--- a/backend/src/helpers/token.ts
+++ b/backend/src/helpers/token.ts
@ -1,16 +1,15 @@
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
-import { TokenData } from '../models';
-import crypto from 'crypto';
-import bcrypt from 'bcrypt';
+import { Types } from "mongoose";
+import { TokenData } from "../models";
+import crypto from "crypto";
+import bcrypt from "bcrypt";
 import {
-    TOKEN_EMAIL_CONFIRMATION,
-    TOKEN_EMAIL_MFA,
-    TOKEN_EMAIL_ORG_INVITATION,
-    TOKEN_EMAIL_PASSWORD_RESET
-} from '../variables';
-import { UnauthorizedRequestError } from '../utils/errors';
-import { getSaltRounds } from '../config';
+  TOKEN_EMAIL_CONFIRMATION,
+  TOKEN_EMAIL_MFA,
+  TOKEN_EMAIL_ORG_INVITATION,
+  TOKEN_EMAIL_PASSWORD_RESET,
+} from "../variables";
+import { UnauthorizedRequestError } from "../utils/errors";
+import { getSaltRounds } from "../config";

 /**
 * Create and store a token in the database for purpose [type]
@ -22,194 +21,197 @@ import { getSaltRounds } from '../config';
 * @returns {String} token - the created token
 */
 const createTokenHelper = async ({
-    type,
-    email,
-    phoneNumber,
-    organizationId
+  type,
+  email,
+  phoneNumber,
+  organizationId,
 }: {
-    type: 'emailConfirmation' | 'emailMfa' | 'organizationInvitation' | 'passwordReset';
+  type:
+    | "emailConfirmation"
+    | "emailMfa"
+    | "organizationInvitation"
+    | "passwordReset";
+  email?: string;
+  phoneNumber?: string;
+  organizationId?: Types.ObjectId;
+}) => {
+  let token, expiresAt, triesLeft;
+  // generate random token based on specified token use-case
+  // type [type]
+  switch (type) {
+    case TOKEN_EMAIL_CONFIRMATION:
+      // generate random 6-digit code
+      token = String(crypto.randomInt(Math.pow(10, 5), Math.pow(10, 6) - 1));
+      expiresAt = new Date(new Date().getTime() + 86400000);
+      break;
+    case TOKEN_EMAIL_MFA:
+      // generate random 6-digit code
+      token = String(crypto.randomInt(Math.pow(10, 5), Math.pow(10, 6) - 1));
+      triesLeft = 5;
+      expiresAt = new Date(new Date().getTime() + 300000);
+      break;
+    case TOKEN_EMAIL_ORG_INVITATION:
+      // generate random hex
+      token = crypto.randomBytes(16).toString("hex");
+      expiresAt = new Date(new Date().getTime() + 259200000);
+      break;
+    case TOKEN_EMAIL_PASSWORD_RESET:
+      // generate random hex
+      token = crypto.randomBytes(16).toString("hex");
+      expiresAt = new Date(new Date().getTime() + 86400000);
+      break;
+    default:
+      token = crypto.randomBytes(16).toString("hex");
+      expiresAt = new Date();
+      break;
+  }
+
+  interface TokenDataQuery {
+    type: string;
    email?: string;
    phoneNumber?: string;
-    organizationId?: Types.ObjectId
-}) => {
-    let token, expiresAt, triesLeft;
-    try {
-        // generate random token based on specified token use-case
-        // type [type]
-        switch (type) {
-            case TOKEN_EMAIL_CONFIRMATION:
-                // generate random 6-digit code
-                token = String(crypto.randomInt(Math.pow(10, 5), Math.pow(10, 6) - 1));
-                expiresAt = new Date((new Date()).getTime() + 86400000);
-                break;
-            case TOKEN_EMAIL_MFA:
-                // generate random 6-digit code
-                token = String(crypto.randomInt(Math.pow(10, 5), Math.pow(10, 6) - 1));
-                triesLeft = 5;
-                expiresAt = new Date((new Date()).getTime() + 300000);
-                break;
-            case TOKEN_EMAIL_ORG_INVITATION:
-                // generate random hex
-                token = crypto.randomBytes(16).toString('hex');
-                expiresAt = new Date((new Date()).getTime() + 259200000);
-                break;
-            case TOKEN_EMAIL_PASSWORD_RESET:
-                // generate random hex
-                token = crypto.randomBytes(16).toString('hex');
-                expiresAt = new Date((new Date()).getTime() + 86400000); 
-                break;
-            default:
-                token = crypto.randomBytes(16).toString('hex');
-                expiresAt = new Date();
-                break;
-        }
-        
-       interface TokenDataQuery {
-            type: string;
-            email?: string;
-            phoneNumber?: string;
-            organization?: Types.ObjectId;
-        }
-        
-        interface TokenDataUpdate {
-            type: string;
-            email?: string;
-            phoneNumber?: string;
-            organization?: Types.ObjectId;
-            tokenHash: string;
-            triesLeft?: number;
-            expiresAt: Date;
-        }
+    organization?: Types.ObjectId;
+  }

-        const query: TokenDataQuery = { type };
-        const update: TokenDataUpdate = {
-            type,
-            tokenHash: await bcrypt.hash(token, getSaltRounds()),
-            expiresAt
-        }
+  interface TokenDataUpdate {
+    type: string;
+    email?: string;
+    phoneNumber?: string;
+    organization?: Types.ObjectId;
+    tokenHash: string;
+    triesLeft?: number;
+    expiresAt: Date;
+  }

-        if (email) {
-            query.email = email; 
-            update.email = email; 
-        }
-        if (phoneNumber) { 
-            query.phoneNumber = phoneNumber; 
-            update.phoneNumber = phoneNumber; 
-        }
-        if (organizationId) { 
-            query.organization = organizationId 
-            update.organization = organizationId 
-        } 
-        
-        if (triesLeft) {
-            update.triesLeft = triesLeft;
-        }
-       
-        await TokenData.findOneAndUpdate(
-            query,
-            update,
-            {
-                new: true,
-                upsert: true
-            }
-        );
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error(
-            "Failed to create token"
-        ); 
-    }
-    
-    return token;
-}
+  const query: TokenDataQuery = { type };
+  const update: TokenDataUpdate = {
+    type,
+    tokenHash: await bcrypt.hash(token, await getSaltRounds()),
+    expiresAt,
+  };
+
+  if (email) {
+    query.email = email;
+    update.email = email;
+  }
+  if (phoneNumber) {
+    query.phoneNumber = phoneNumber;
+    update.phoneNumber = phoneNumber;
+  }
+  if (organizationId) {
+    query.organization = organizationId;
+    update.organization = organizationId;
+  }
+
+  if (triesLeft) {
+    update.triesLeft = triesLeft;
+  }
+
+  await TokenData.findOneAndUpdate(query, update, {
+    new: true,
+    upsert: true,
+  });
+
+  return token;
+};

 /**
- * 
+ *
 * @param {Object} obj
 * @param {String} obj.email - email associated with the token
 * @param {String} obj.token - value of the token
 */
 const validateTokenHelper = async ({
-    type,
-    email,
-    phoneNumber,
-    organizationId,
-    token
+  type,
+  email,
+  phoneNumber,
+  organizationId,
+  token,
 }: {
-    type: 'emailConfirmation' | 'emailMfa' | 'organizationInvitation' | 'passwordReset';
+  type:
+    | "emailConfirmation"
+    | "emailMfa"
+    | "organizationInvitation"
+    | "passwordReset";
+  email?: string;
+  phoneNumber?: string;
+  organizationId?: Types.ObjectId;
+  token: string;
+}) => {
+  interface Query {
+    type: string;
    email?: string;
    phoneNumber?: string;
-    organizationId?: Types.ObjectId;
-    token: string;
-}) => {
-    interface Query {
-        type: string;
-        email?: string;
-        phoneNumber?: string;
-        organization?: Types.ObjectId;
-    }
+    organization?: Types.ObjectId;
+  }

-    const query: Query = { type };
+  const query: Query = { type };

-    if (email) { query.email = email; }
-    if (phoneNumber) { query.phoneNumber = phoneNumber; }
-    if (organizationId) { query.organization = organizationId; }
+  if (email) {
+    query.email = email;
+  }
+  if (phoneNumber) {
+    query.phoneNumber = phoneNumber;
+  }
+  if (organizationId) {
+    query.organization = organizationId;
+  }

-    const tokenData = await TokenData.findOne(query).select('+tokenHash');
-    
-    if (!tokenData) throw new Error('Failed to find token to validate');
-    
-    if (tokenData.expiresAt < new Date()) {
-        // case: token expired
-        await TokenData.findByIdAndDelete(tokenData._id);
-        throw UnauthorizedRequestError({
-            message: 'MFA session expired. Please log in again',
-            context: {
-                code: 'mfa_expired'
-            }
-        });
-    }
+  const tokenData = await TokenData.findOne(query).select("+tokenHash");

-    const isValid = await bcrypt.compare(token, tokenData.tokenHash);
-    if (!isValid) {
-        // case: token is not valid
-        if (tokenData?.triesLeft !== undefined) {
-            // case: token has a try-limit
-            if (tokenData.triesLeft === 1) {
-                // case: token is out of tries
-                await TokenData.findByIdAndDelete(tokenData._id);
-            } else {
-                // case: token has more than 1 try left
-                await TokenData.findByIdAndUpdate(tokenData._id, {
-                    triesLeft: tokenData.triesLeft - 1
-                }, {
-                    new: true
-                });
-            }
+  if (!tokenData) throw new Error("Failed to find token to validate");

-            throw UnauthorizedRequestError({
-                message: 'MFA code is invalid',
-                context: {
-                    code: 'mfa_invalid',
-                    triesLeft: tokenData.triesLeft - 1
-                }
-            });
-        }
-
-        throw UnauthorizedRequestError({
-            message: 'MFA code is invalid',
-            context: {
-                code: 'mfa_invalid'
-            }
-        });
-    }
-
-    // case: token is valid
+  if (tokenData.expiresAt < new Date()) {
+    // case: token expired
    await TokenData.findByIdAndDelete(tokenData._id);
-}
+    throw UnauthorizedRequestError({
+      message: "MFA session expired. Please log in again",
+      context: {
+        code: "mfa_expired",
+      },
+    });
+  }

-export {
-    createTokenHelper,
-    validateTokenHelper
-}
+  const isValid = await bcrypt.compare(token, tokenData.tokenHash);
+  if (!isValid) {
+    // case: token is not valid
+    if (tokenData?.triesLeft !== undefined) {
+      // case: token has a try-limit
+      if (tokenData.triesLeft === 1) {
+        // case: token is out of tries
+        await TokenData.findByIdAndDelete(tokenData._id);
+      } else {
+        // case: token has more than 1 try left
+        await TokenData.findByIdAndUpdate(
+          tokenData._id,
+          {
+            triesLeft: tokenData.triesLeft - 1,
+          },
+          {
+            new: true,
+          }
+        );
+      }
+
+      throw UnauthorizedRequestError({
+        message: "MFA code is invalid",
+        context: {
+          code: "mfa_invalid",
+          triesLeft: tokenData.triesLeft - 1,
+        },
+      });
+    }
+
+    throw UnauthorizedRequestError({
+      message: "MFA code is invalid",
+      context: {
+        code: "mfa_invalid",
+      },
+    });
+  }
+
+  // case: token is valid
+  await TokenData.findByIdAndDelete(tokenData._id);
+};
+
+export { createTokenHelper, validateTokenHelper };
--- a/backend/src/helpers/user.ts
+++ b/backend/src/helpers/user.ts
@ -1,25 +1,8 @@
-import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
 import {
 	IUser, 
-	ISecret,
-	IServiceAccount,
 	User,
-	Membership,
-	IOrganization,
-	Organization,
 } from '../models';
 import { sendMail } from './nodemailer';
-import { validateMembership } from './membership';
-import _ from 'lodash';
-import { BadRequestError, UnauthorizedRequestError } from '../utils/errors';
-import {
-	validateMembershipOrg
-} from '../helpers/membershipOrg';
-import {
-	PERMISSION_READ_SECRETS,
-	PERMISSION_WRITE_SECRETS
-} from '../variables';

 /**
 * Initialize a user under email [email]
@ -27,17 +10,10 @@ import {
 * @param {String} obj.email - email of user to initialize
 * @returns {Object} user - the initialized user
 */
-const setupAccount = async ({ email }: { email: string }) => {
-	let user;
-	try {
-		user = await new User({
-			email
-		}).save();
-	} catch (err) {
-		Sentry.setUser({ email });
-		Sentry.captureException(err);
-		throw new Error('Failed to set up account');
-	}
+export const setupAccount = async ({ email }: { email: string }) => {
+  const user = await new User({
+    email
+  }).save();

 	return user;
 };
@ -60,7 +36,7 @@ const setupAccount = async ({ email }: { email: string }) => {
 * @param {String} obj.verifier - verifier for auth SRP
 * @returns {Object} user - the completed user
 */
-const completeAccount = async ({
+export const completeAccount = async ({
 	userId,
 	firstName,
 	lastName,
@ -89,34 +65,27 @@ const completeAccount = async ({
 	salt: string;
 	verifier: string;
 }) => {
-	let user;
-	try {
-		const options = {
-			new: true
-		};
-		user = await User.findByIdAndUpdate(
-			userId,
-			{
-				firstName,
-				lastName,
-				encryptionVersion,
-				protectedKey,
-				protectedKeyIV,
-				protectedKeyTag,
-				publicKey,
-				encryptedPrivateKey,
-				iv: encryptedPrivateKeyIV,
-				tag: encryptedPrivateKeyTag,
-				salt,
-				verifier
-			},
-			options
-		);
-	} catch (err) {
-		Sentry.setUser(null);
-		Sentry.captureException(err);
-		throw new Error('Failed to complete account set up');
-	}
+  const options = {
+    new: true
+  };
+  const user = await User.findByIdAndUpdate(
+    userId,
+    {
+      firstName,
+      lastName,
+      encryptionVersion,
+      protectedKey,
+      protectedKeyIV,
+      protectedKeyTag,
+      publicKey,
+      encryptedPrivateKey,
+      iv: encryptedPrivateKeyIV,
+      tag: encryptedPrivateKeyTag,
+      salt,
+      verifier
+    },
+    options
+  );

 	return user;
 };
@ -128,7 +97,7 @@ const completeAccount = async ({
 * @param {String} obj.ip - login ip address
 * @param {String} obj.userAgent - login user-agent
 */
-const checkUserDevice = async ({
+export const checkUserDevice = async ({
 	user,
 	ip,
 	userAgent
@ -163,206 +132,4 @@ const checkUserDevice = async ({
 			}
 		}); 
 	}
-}
-
-/**
- * Validate that user (client) can access workspace
- * with id [workspaceId] and its environment [environment] with required permissions
- * [requiredPermissions]
- * @param {Object} obj
- * @param {User} obj.user - user client
- * @param {Types.ObjectId} obj.workspaceId - id of workspace to validate against
- * @param {String} environment - (optional) environment in workspace to validate against
- * @param {String[]} requiredPermissions - required permissions as part of the endpoint
- */
-const validateUserClientForWorkspace = async ({
-	user,
-	workspaceId,
-	environment,
-	acceptedRoles,
-	requiredPermissions
-}: {
-	user: IUser;
-	workspaceId: Types.ObjectId;
-	environment?: string;
-	acceptedRoles: Array<'admin' | 'member'>;
-	requiredPermissions?: string[];
-}) => {
-	
-	// validate user membership in workspace
-	const membership = await validateMembership({
-        userId: user._id,
-        workspaceId,
-		acceptedRoles
-    });
-	
-	let runningIsDisallowed = false;
-	requiredPermissions?.forEach((requiredPermission: string) => {
-		switch (requiredPermission) {
-			case PERMISSION_READ_SECRETS:
-				runningIsDisallowed = _.some(membership.deniedPermissions, { environmentSlug: environment, ability: PERMISSION_READ_SECRETS });
-				break;
-			case PERMISSION_WRITE_SECRETS:
-				runningIsDisallowed = _.some(membership.deniedPermissions, { environmentSlug: environment, ability: PERMISSION_WRITE_SECRETS });
-				break;
-			default:
-				break;
-		}
-		
-		if (runningIsDisallowed) {
-			throw UnauthorizedRequestError({
-				message: `Failed permissions authorization for workspace environment action : ${requiredPermission}`
-			});	
-		}
-	});
-	
-	return membership;
-}
-
-/**
- * Validate that user (client) can access secret [secret]
- * with required permissions [requiredPermissions]
- * @param {Object} obj
- * @param {User} obj.user - user client
- * @param {Secret[]} obj.secrets - secrets to validate against
- * @param {String[]} requiredPermissions - required permissions as part of the endpoint
- */
-const validateUserClientForSecret = async ({
-	user,
-	secret,
-	acceptedRoles,
-	requiredPermissions
-}: {
-	user: IUser;
-	secret: ISecret;
-	acceptedRoles?: Array<'admin' | 'member'>;
-	requiredPermissions?: string[];
-}) => {
-	const membership = await validateMembership({
-		userId: user._id,
-		workspaceId: secret.workspace,
-		acceptedRoles
-	});
-	
-	if (requiredPermissions?.includes(PERMISSION_WRITE_SECRETS)) {
-		const isDisallowed = _.some(membership.deniedPermissions, { environmentSlug: secret.environment, ability: PERMISSION_WRITE_SECRETS });
-
-		if (isDisallowed) {
-			throw UnauthorizedRequestError({
-				message: 'You do not have the required permissions to perform this action' 
-			});
-		}
-	}
-}
-
-/**
- * Validate that user (client) can access secrets [secrets]
- * with required permissions [requiredPermissions]
- * @param {Object} obj
- * @param {User} obj.user - user client
- * @param {Secret[]} obj.secrets - secrets to validate against
- * @param {String[]} requiredPermissions - required permissions as part of the endpoint
- */
- const validateUserClientForSecrets = async ({
-	user,
-	secrets,
-	requiredPermissions
-}: {
-	user: IUser;
-	secrets: ISecret[];
-	requiredPermissions?: string[];
-}) => {
-	
-	// TODO: add acceptedRoles?
-
-	const userMemberships = await Membership.find({ user: user._id })
-	const userMembershipById = _.keyBy(userMemberships, 'workspace');
-	const workspaceIdsSet = new Set(userMemberships.map((m) => m.workspace.toString()));
-
-	// for each secret check if the secret belongs to a workspace the user is a member of
-	secrets.forEach((secret: ISecret) => {
-		if (!workspaceIdsSet.has(secret.workspace.toString())) {
-			throw BadRequestError({
-				message: 'Failed authorization for the secret'
-			});
-		}
-
-		if (requiredPermissions?.includes(PERMISSION_WRITE_SECRETS)) {
-			const deniedMembershipPermissions = userMembershipById[secret.workspace.toString()].deniedPermissions;
-			const isDisallowed = _.some(deniedMembershipPermissions, { environmentSlug: secret.environment, ability: PERMISSION_WRITE_SECRETS });
-
-			if (isDisallowed) {
-				throw UnauthorizedRequestError({
-					message: 'You do not have the required permissions to perform this action' 
-				});
-			}
-		}
-	});
-}
-
-/**
- * Validate that user (client) can access service account [serviceAccount]
- * with required permissions [requiredPermissions]
- * @param {Object} obj
- * @param {User} obj.user - user client
- * @param {ServiceAccount} obj.serviceAccount - service account to validate against
- * @param {String[]} requiredPermissions - required permissions as part of the endpoint
- */
-const validateUserClientForServiceAccount = async ({
-	user,
-	serviceAccount,
-	requiredPermissions
-}: {
-	user: IUser;
-	serviceAccount: IServiceAccount;
-	requiredPermissions?: string[];
-}) => {
-	if (!serviceAccount.user.equals(user._id)) {
-		// case: user who created service account is not the
-		// same user that is on the request
-		await validateMembershipOrg({
-			userId: user._id,
-			organizationId: serviceAccount.organization,
-			acceptedRoles: [],
-			acceptedStatuses: []
-		});
-	}
-}
-
-/**
- * Validate that user (client) can access organization [organization]
- * @param {Object} obj
- * @param {User} obj.user - user client
- * @param {Organization} obj.organization - organization to validate against
- */
- const validateUserClientForOrganization = async ({
-	user,
-	organization,
-	acceptedRoles,
-	acceptedStatuses
-}: {
-	user: IUser;
-	organization: IOrganization;
-	acceptedRoles: Array<'owner' | 'admin' | 'member'>;
-	acceptedStatuses: Array<'invited' | 'accepted'>;
-}) => {
-	const membershipOrg = await validateMembershipOrg({
-		userId: user._id,
-		organizationId: organization._id,
-		acceptedRoles,
-		acceptedStatuses
-	});
-	
-	return membershipOrg;
-}
-
-export { 
-	setupAccount, 
-	completeAccount, 
-	checkUserDevice,
-	validateUserClientForWorkspace,
-	validateUserClientForSecrets,
-	validateUserClientForServiceAccount,
-	validateUserClientForOrganization,
-	validateUserClientForSecret
-};
+}
--- a/backend/src/helpers/workspace.ts
+++ b/backend/src/helpers/workspace.ts
@ -1,115 +1,13 @@
 import * as Sentry from '@sentry/node';
-import { Types } from 'mongoose';
 import {
 	Workspace,
 	Bot,
 	Membership,
 	Key,
-	Secret,
-	User,
-	IUser,
-	ServiceAccountWorkspacePermission,
-	ServiceAccount,
-	IServiceAccount,
-	ServiceTokenData,
-	IServiceTokenData,
+	Secret
 } from '../models';
 import { createBot } from '../helpers/bot';
-import { validateUserClientForWorkspace } from '../helpers/user';
-import { validateServiceAccountClientForWorkspace } from '../helpers/serviceAccount';
-import { validateServiceTokenDataClientForWorkspace } from '../helpers/serviceTokenData';
-import { validateMembership } from '../helpers/membership';
-import { UnauthorizedRequestError, WorkspaceNotFoundError } from '../utils/errors';
-import {
-	AUTH_MODE_JWT,
-	AUTH_MODE_SERVICE_ACCOUNT,
-	AUTH_MODE_SERVICE_TOKEN,
-	AUTH_MODE_API_KEY
-} from '../variables';
-
-/**
- * Validate authenticated clients for workspace with id [workspaceId] based
- * on any known permissions.
- * @param {Object} obj
- * @param {Object} obj.authData - authenticated client details
- * @param {Types.ObjectId} obj.workspaceId - id of workspace to validate against
- * @param {String} obj.environment - (optional) environment in workspace to validate against
- * @param {Array<'admin' | 'member'>} obj.acceptedRoles - accepted workspace roles
- * @param {String[]} obj.requiredPermissions - required permissions as part of the endpoint
- */
-const validateClientForWorkspace = async ({
-	authData,
-	workspaceId,
-	environment,
-	acceptedRoles,
-	requiredPermissions
-}: {
-	authData: {
-		authMode: string;
-		authPayload: IUser | IServiceAccount | IServiceTokenData;
-	};
-	workspaceId: Types.ObjectId;
-	environment?: string;
-	acceptedRoles: Array<'admin' | 'member'>;
-	requiredPermissions?: string[];
-}) => {
-	
-	const workspace = await Workspace.findById(workspaceId);
-
-	if (!workspace) throw WorkspaceNotFoundError({
-		message: 'Failed to find workspace'
-	});
-
-	if (authData.authMode === AUTH_MODE_JWT && authData.authPayload instanceof User) {
-		const membership = await validateUserClientForWorkspace({
-			user: authData.authPayload,
-			workspaceId,
-			environment,
-			acceptedRoles,
-			requiredPermissions
-		});
-		
-		return ({ membership });
-	}
-
-	if (authData.authMode === AUTH_MODE_SERVICE_ACCOUNT && authData.authPayload instanceof ServiceAccount) {
-		await validateServiceAccountClientForWorkspace({
-			serviceAccount: authData.authPayload,
-			workspaceId,
-			environment,
-			requiredPermissions
-		});
-		
-		return {};
-	}
-	
-	if (authData.authMode === AUTH_MODE_SERVICE_TOKEN && authData.authPayload instanceof ServiceTokenData) {
-		await validateServiceTokenDataClientForWorkspace({
-			serviceTokenData: authData.authPayload,
-			workspaceId,
-			environment,
-			requiredPermissions
-		});
-
-		return {};
-	}
-
-	if (authData.authMode === AUTH_MODE_API_KEY && authData.authPayload instanceof User) {
-		const membership = await validateUserClientForWorkspace({
-			user: authData.authPayload,
-			workspaceId,
-			environment,
-			acceptedRoles,
-			requiredPermissions
-		});
-		
-		return ({ membership });
-	}
-	
-	throw UnauthorizedRequestError({
-		message: 'Failed client authorization for workspace'
-	});
-}
+import { SecretService } from '../services';

 /**
 * Create a workspace with name [name] in organization with id [organizationId]
@ -130,13 +28,21 @@ const createWorkspace = async ({
 		// create workspace
 		workspace = await new Workspace({
 			name,
-			organization: organizationId
+			organization: organizationId,
+			autoCapitalization: true
 		}).save();
 		
-		const bot = await createBot({
+		// initialize bot for workspace
+		await createBot({
 			name: 'Infisical Bot',
-			workspaceId: workspace._id.toString()
+			workspaceId: workspace._id
 		});
+		
+		// initialize blind index salt for workspace
+		await SecretService.createSecretBlindIndexData({
+			workspaceId: workspace._id
+		});
+
 	} catch (err) {
 		Sentry.setUser(null);
 		Sentry.captureException(err);
@ -175,7 +81,6 @@ const deleteWorkspace = async ({ id }: { id: string }) => {
 };

 export {
-	validateClientForWorkspace,
 	createWorkspace, 
 	deleteWorkspace 
 };
--- a/backend/src/index.ts
+++ b/backend/src/index.ts
@ -1,20 +1,13 @@
-import mongoose from 'mongoose';
 import dotenv from 'dotenv';
 dotenv.config();
-import infisical from 'infisical-node';
 import express from 'express';
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+require('express-async-errors');
 import helmet from 'helmet';
 import cors from 'cors';
-import * as Sentry from '@sentry/node';
 import { DatabaseService } from './services';
+import { EELicenseService } from './ee/services';
 import { setUpHealthEndpoint } from './services/health';
-import { initSmtp } from './services/smtp';
-import { TelemetryService } from './services';
-import { setTransporter } from './helpers/nodemailer';
-import { createTestUserForDevelopment } from './utils/addDevelopmentUser';
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const { patchRouterParam } = require('./utils/patchAsyncRoutes');
-
 import cookieParser from 'cookie-parser';
 import swaggerUi = require('swagger-ui-express');
 // eslint-disable-next-line @typescript-eslint/no-var-requires
@ -26,7 +19,9 @@ import {
    workspace as eeWorkspaceRouter,
    secret as eeSecretRouter,
    secretSnapshot as eeSecretSnapshotRouter,
-    action as eeActionRouter
+    action as eeActionRouter,
+    organizations as eeOrganizationsRouter,
+    cloudProducts as eeCloudProductsRouter
 } from './ee/routes/v1';
 import {
    signup as v1SignupRouter,
@ -45,7 +40,8 @@ import {
    password as v1PasswordRouter,
    stripe as v1StripeRouter,
    integration as v1IntegrationRouter,
-    integrationAuth as v1IntegrationAuthRouter
+    integrationAuth as v1IntegrationAuthRouter,
+    secretsFolder as v1SecretsFolder
 } from './routes/v1';
 import {
    signup as v2SignupRouter,
@ -61,40 +57,26 @@ import {
    environment as v2EnvironmentRouter,
    tags as v2TagsRouter,
 } from './routes/v2';
+import {
+    secrets as v3SecretsRouter,
+    workspaces as v3WorkspacesRouter
+} from './routes/v3';
 import { healthCheck } from './routes/status';
 import { getLogger } from './utils/logger';
 import { RouteNotFoundError } from './utils/errors';
 import { requestErrorHandler } from './middleware/requestErrorHandler';
 import {
-    getMongoURL,
    getNodeEnv,
    getPort,
-    getSentryDSN,
-    getSiteURL,
-    getSmtpHost
+    getSiteURL
 } from './config';
+import { setup } from './utils/setup';

 const main = async () => {
-    if (process.env.INFISICAL_TOKEN != "" || process.env.INFISICAL_TOKEN != undefined) {
-        await infisical.connect({
-            token: process.env.INFISICAL_TOKEN!
-        });
-    }
+    await setup();

-    TelemetryService.logTelemetryMessage();
-    setTransporter(initSmtp());
+    await EELicenseService.initGlobalFeatureSet();

-    await DatabaseService.initDatabase(getMongoURL());
-    if (getNodeEnv() !== 'test') {
-        Sentry.init({
-            dsn: getSentryDSN(),
-            tracesSampleRate: 1.0,
-            debug: getNodeEnv() === 'production' ? false : true,
-            environment: getNodeEnv()
-        });
-    }
-
-    patchRouterParam();
    const app = express();
    app.enable('trust proxy');
    app.use(express.json());
@ -102,13 +84,13 @@ const main = async () => {
    app.use(
        cors({
            credentials: true,
-            origin: getSiteURL()
+            origin: await getSiteURL()
        })
    );

    app.use(requestIp.mw());

-    if (getNodeEnv() === 'production') {
+    if ((await getNodeEnv()) === 'production') {
        // enable app-wide rate-limiting + helmet security
        // in production
        app.disable('x-powered-by');
@ -121,8 +103,10 @@ const main = async () => {
    app.use('/api/v1/secret-snapshot', eeSecretSnapshotRouter);
    app.use('/api/v1/workspace', eeWorkspaceRouter);
    app.use('/api/v1/action', eeActionRouter);
+    app.use('/api/v1/organizations', eeOrganizationsRouter);
+    app.use('/api/v1/cloud-products', eeCloudProductsRouter);

-    // v1 routes
+    // v1 routes (default)
    app.use('/api/v1/signup', v1SignupRouter);
    app.use('/api/v1/auth', v1AuthRouter);
    app.use('/api/v1/bot', v1BotRouter);
@ -134,14 +118,15 @@ const main = async () => {
    app.use('/api/v1/membership', v1MembershipRouter);
    app.use('/api/v1/key', v1KeyRouter);
    app.use('/api/v1/invite-org', v1InviteOrgRouter);
-    app.use('/api/v1/secret', v1SecretRouter);
-    app.use('/api/v1/service-token', v1ServiceTokenRouter); // deprecated
+    app.use('/api/v1/secret', v1SecretRouter); // deprecate
+    app.use('/api/v1/service-token', v1ServiceTokenRouter); // deprecate
    app.use('/api/v1/password', v1PasswordRouter);
    app.use('/api/v1/stripe', v1StripeRouter);
    app.use('/api/v1/integration', v1IntegrationRouter);
    app.use('/api/v1/integration-auth', v1IntegrationAuthRouter);
+    app.use('/api/v1/folder', v1SecretsFolder)

-    // v2 routes
+    // v2 routes (improvements)
    app.use('/api/v2/signup', v2SignupRouter);
    app.use('/api/v2/auth', v2AuthRouter);
    app.use('/api/v2/users', v2UsersRouter);
@ -149,16 +134,20 @@ const main = async () => {
    app.use('/api/v2/workspace', v2EnvironmentRouter);
    app.use('/api/v2/workspace', v2TagsRouter);
    app.use('/api/v2/workspace', v2WorkspaceRouter);
-    app.use('/api/v2/secret', v2SecretRouter); // deprecated
-    app.use('/api/v2/secrets', v2SecretsRouter);
-    app.use('/api/v2/service-token', v2ServiceTokenDataRouter); // TODO: turn into plural route
+    app.use('/api/v2/secret', v2SecretRouter); // deprecate
+    app.use('/api/v2/secrets', v2SecretsRouter); // note: in the process of moving to v3/secrets
+    app.use('/api/v2/service-token', v2ServiceTokenDataRouter);
    app.use('/api/v2/service-accounts', v2ServiceAccountsRouter); // new
    app.use('/api/v2/api-key', v2APIKeyDataRouter);

+    // v3 routes (experimental)
+    app.use('/api/v3/secrets', v3SecretsRouter);
+    app.use('/api/v3/workspaces', v3WorkspacesRouter);
+
    // api docs 
    app.use('/api-docs', swaggerUi.serve, swaggerUi.setup(swaggerFile))

-    // Server status
+    // server status
    app.use('/api', healthCheck)

    //* Handle unrouted requests and respond with proper error message as well as status code
@ -169,11 +158,11 @@ const main = async () => {

    app.use(requestErrorHandler)

-    const server = app.listen(getPort(), () => {
-        getLogger("backend-main").info(`Server started listening at port ${getPort()}`)
+    const server = app.listen(await getPort(), async () => {
+        (await getLogger("backend-main")).info(`Server started listening at port ${await getPort()}`)
    });

-    await createTestUserForDevelopment();
+    // await createTestUserForDevelopment();
    setUpHealthEndpoint(server);

    server.on('close', async () => {
--- a/backend/src/integrations/apps.ts
+++ b/backend/src/integrations/apps.ts
@ -1,7 +1,6 @@
-import * as Sentry from "@sentry/node";
 import { Octokit } from "@octokit/rest";
 import { IIntegrationAuth } from "../models";
-import request from '../config/request';
+import { standardRequest } from "../config/request";
 import {
  INTEGRATION_AZURE_KEY_VAULT,
  INTEGRATION_AWS_PARAMETER_STORE,
@ -26,7 +25,7 @@ import {
  INTEGRATION_FLYIO_API_URL,
  INTEGRATION_CIRCLECI_API_URL,
  INTEGRATION_TRAVISCI_API_URL,
-  INTEGRATION_SUPABASE_API_URL
+  INTEGRATION_SUPABASE_API_URL,
 } from "../variables";

 interface App {
@ -47,87 +46,80 @@ interface App {
 const getApps = async ({
  integrationAuth,
  accessToken,
-  teamId
+  teamId,
 }: {
  integrationAuth: IIntegrationAuth;
  accessToken: string;
  teamId?: string;
 }) => {
-
  let apps: App[] = [];
-  try {
-    switch (integrationAuth.integration) {
-      case INTEGRATION_AZURE_KEY_VAULT:
-        apps = [];
-        break;
-      case INTEGRATION_AWS_PARAMETER_STORE:
-        apps = [];
-        break;
-      case INTEGRATION_AWS_SECRET_MANAGER:
-        apps = [];
-        break;
-      case INTEGRATION_HEROKU:
-        apps = await getAppsHeroku({
-          accessToken,
-        });
-        break;
-      case INTEGRATION_VERCEL:
-        apps = await getAppsVercel({
-          integrationAuth,
-          accessToken,
-        });
-        break;
-      case INTEGRATION_NETLIFY:
-        apps = await getAppsNetlify({
-          accessToken,
-        });
-        break;
-      case INTEGRATION_GITHUB:
-        apps = await getAppsGithub({
-          accessToken,
-        });
-        break;
-      case INTEGRATION_GITLAB:
-        apps = await getAppsGitlab({
-          accessToken,
-          teamId
-        });
-        break;
-      case INTEGRATION_RENDER:
-        apps = await getAppsRender({
-          accessToken,
-        });
-        break;
-      case INTEGRATION_RAILWAY:
-        apps = await getAppsRailway({
-          accessToken 
-        });
-        break;
-      case INTEGRATION_FLYIO:
-        apps = await getAppsFlyio({
-          accessToken,
-        });
-        break;
-      case INTEGRATION_CIRCLECI:
-        apps = await getAppsCircleCI({
-          accessToken,
-        });
-        break;
-      case INTEGRATION_TRAVISCI:
-        apps = await getAppsTravisCI({
-          accessToken,
-        })
-        break;
-      case INTEGRATION_SUPABASE:
-        apps = await getAppsSupabase({
-            accessToken
-        });
-        break;
-    }
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error("Failed to get integration apps");
+  switch (integrationAuth.integration) {
+    case INTEGRATION_AZURE_KEY_VAULT:
+      apps = [];
+      break;
+    case INTEGRATION_AWS_PARAMETER_STORE:
+      apps = [];
+      break;
+    case INTEGRATION_AWS_SECRET_MANAGER:
+      apps = [];
+      break;
+    case INTEGRATION_HEROKU:
+      apps = await getAppsHeroku({
+        accessToken,
+      });
+      break;
+    case INTEGRATION_VERCEL:
+      apps = await getAppsVercel({
+        integrationAuth,
+        accessToken,
+      });
+      break;
+    case INTEGRATION_NETLIFY:
+      apps = await getAppsNetlify({
+        accessToken,
+      });
+      break;
+    case INTEGRATION_GITHUB:
+      apps = await getAppsGithub({
+        accessToken,
+      });
+      break;
+    case INTEGRATION_GITLAB:
+      apps = await getAppsGitlab({
+        accessToken,
+        teamId,
+      });
+      break;
+    case INTEGRATION_RENDER:
+      apps = await getAppsRender({
+        accessToken,
+      });
+      break;
+    case INTEGRATION_RAILWAY:
+      apps = await getAppsRailway({
+        accessToken,
+      });
+      break;
+    case INTEGRATION_FLYIO:
+      apps = await getAppsFlyio({
+        accessToken,
+      });
+      break;
+    case INTEGRATION_CIRCLECI:
+      apps = await getAppsCircleCI({
+        accessToken,
+      });
+      break;
+    case INTEGRATION_TRAVISCI:
+      apps = await getAppsTravisCI({
+        accessToken,
+      });
+      break;
+    case INTEGRATION_SUPABASE:
+      apps = await getAppsSupabase({
+        accessToken,
+      });
+      break;
  }

  return apps;
@ -141,25 +133,18 @@ const getApps = async ({
 * @returns {String} apps.name - name of Heroku app
 */
 const getAppsHeroku = async ({ accessToken }: { accessToken: string }) => {
-  let apps;
-  try {
-    const res = (
-      await request.get(`${INTEGRATION_HEROKU_API_URL}/apps`, {
-        headers: {
-          Accept: "application/vnd.heroku+json; version=3",
-          Authorization: `Bearer ${accessToken}`,
-        },
-      })
-    ).data;
+  const res = (
+    await standardRequest.get(`${INTEGRATION_HEROKU_API_URL}/apps`, {
+      headers: {
+        Accept: "application/vnd.heroku+json; version=3",
+        Authorization: `Bearer ${accessToken}`,
+      },
+    })
+  ).data;

-    apps = res.map((a: any) => ({
-      name: a.name,
-    }));
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error("Failed to get Heroku integration apps");
-  }
+  const apps = res.map((a: any) => ({
+    name: a.name,
+  }));

  return apps;
 };
@ -178,33 +163,26 @@ const getAppsVercel = async ({
  integrationAuth: IIntegrationAuth;
  accessToken: string;
 }) => {
-  let apps;
-  try {
-    const res = (
-      await request.get(`${INTEGRATION_VERCEL_API_URL}/v9/projects`, {
-        headers: {
-          Authorization: `Bearer ${accessToken}`,
-          'Accept-Encoding': 'application/json'
-        },
-        ...(integrationAuth?.teamId
-          ? {
-              params: {
-                teamId: integrationAuth.teamId,
-              },
-            }
-          : {}),
-      })
-    ).data;
+  const res = (
+    await standardRequest.get(`${INTEGRATION_VERCEL_API_URL}/v9/projects`, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Accept-Encoding": "application/json",
+      },
+      ...(integrationAuth?.teamId
+        ? {
+            params: {
+              teamId: integrationAuth.teamId,
+            },
+          }
+        : {}),
+    })
+  ).data;

-    apps = res.projects.map((a: any) => ({
-      name: a.name,
-      appId: a.id
-    }));
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error("Failed to get Vercel integration apps");
-  }
+  const apps = res.projects.map((a: any) => ({
+    name: a.name,
+    appId: a.id,
+  }));

  return apps;
 };
@ -218,43 +196,41 @@ const getAppsVercel = async ({
 */
 const getAppsNetlify = async ({ accessToken }: { accessToken: string }) => {
  const apps: any = [];
-  try {
-    let page = 1;
-    const perPage = 10;
-    let hasMorePages = true;
-    
-    // paginate through all sites
-    while (hasMorePages) {
-      const params = new URLSearchParams({
-        page: String(page),
-        per_page: String(perPage)
-      });
+  let page = 1;
+  const perPage = 10;
+  let hasMorePages = true;

-      const { data } = await request.get(`${INTEGRATION_NETLIFY_API_URL}/api/v1/sites`, {
+  // paginate through all sites
+  while (hasMorePages) {
+    const params = new URLSearchParams({
+      page: String(page),
+      per_page: String(perPage),
+      filter: 'all'
+    });
+
+    const { data } = await standardRequest.get(
+      `${INTEGRATION_NETLIFY_API_URL}/api/v1/sites`,
+      {
        params,
        headers: {
          Authorization: `Bearer ${accessToken}`,
-          'Accept-Encoding': 'application/json'
-        }
-      });
-      
-      data.map((a: any) => {
-        apps.push({
-          name: a.name,
-          appId: a.site_id
-        });
-      });
-      
-      if (data.length < perPage) {
-        hasMorePages = false;
+          "Accept-Encoding": "application/json",
+        },
      }
+    );

-      page++;
+    data.map((a: any) => {
+      apps.push({
+        name: a.name,
+        appId: a.site_id,
+      });
+    });
+
+    if (data.length < perPage) {
+      hasMorePages = false;
    }
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error("Failed to get Netlify integration apps");
+
+    page++;
  }

  return apps;
@ -268,35 +244,58 @@ const getAppsNetlify = async ({ accessToken }: { accessToken: string }) => {
 * @returns {String} apps.name - name of Github site
 */
 const getAppsGithub = async ({ accessToken }: { accessToken: string }) => {
-  let apps;
-  try {
-    const octokit = new Octokit({
-      auth: accessToken,
-    });
+  interface GitHubApp {
+    id: string;
+    name: string;
+    permissions: {
+      admin: boolean;
+    };
+    owner: {
+      login: string;
+    };
+  }

-    const repos = (
-      await octokit.request(
+  const octokit = new Octokit({
+    auth: accessToken,
+  });
+
+  const getAllRepos = async () => {
+    let repos: GitHubApp[] = [];
+    let page = 1;
+    const per_page = 100;
+    let hasMore = true;
+
+    while (hasMore) {
+      const response = await octokit.request(
        "GET /user/repos{?visibility,affiliation,type,sort,direction,per_page,page,since,before}",
        {
-          per_page: 100,
+          per_page,
+          page,
        }
-      )
-    ).data;
+      );

-    apps = repos
-      .filter((a: any) => a.permissions.admin === true)
-      .map((a: any) => {
-        return ({
-          appId: a.id,
-          name: a.name,
-          owner: a.owner.login,
-        });
-      });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error("Failed to get Github repos");
-  }
+      if (response.data.length > 0) {
+        repos = repos.concat(response.data);
+        page++;
+      } else {
+        hasMore = false;
+      }
+    }
+
+    return repos;
+  };
+
+  const repos = await getAllRepos();
+
+  const apps = repos
+    .filter((a: GitHubApp) => a.permissions.admin === true)
+    .map((a: GitHubApp) => {
+      return {
+        appId: a.id,
+        name: a.name,
+        owner: a.owner.login,
+      };
+    });

  return apps;
 };
@ -310,29 +309,20 @@ const getAppsGithub = async ({ accessToken }: { accessToken: string }) => {
 * @returns {String} apps.appId - id of Render service
 */
 const getAppsRender = async ({ accessToken }: { accessToken: string }) => {
-  let apps: any;
-  try {
-    const res = (
-      await request.get(`${INTEGRATION_RENDER_API_URL}/v1/services`, {
-        headers: {
-          Authorization: `Bearer ${accessToken}`,
-          Accept: 'application/json',
-          'Accept-Encoding': 'application/json',
-        },
-      })
-    ).data;
-    
-    apps = res
-      .map((a: any) => ({
-        name: a.service.name,
-        appId: a.service.id
-      })); 
-    
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error("Failed to get Render services");
-  }
+  const res = (
+    await standardRequest.get(`${INTEGRATION_RENDER_API_URL}/v1/services`, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        Accept: "application/json",
+        "Accept-Encoding": "application/json",
+      },
+    })
+  ).data;
+
+  const apps = res.map((a: any) => ({
+    name: a.service.name,
+    appId: a.service.id,
+  }));

  return apps;
 };
@ -345,49 +335,51 @@ const getAppsRender = async ({ accessToken }: { accessToken: string }) => {
 * @returns {String} apps.name - name of Railway project
 * @returns {String} apps.appId - id of Railway project
 *
-*/
+ */
 const getAppsRailway = async ({ accessToken }: { accessToken: string }) => {
-  let apps: any[] = [];
-  try {
-    const query = `
-      query GetProjects($userId: String, $teamId: String) {
-        projects(userId: $userId, teamId: $teamId) {
-          edges {
-            node {
-              id
-              name
-            }
+  const query = `
+    query GetProjects($userId: String, $teamId: String) {
+      projects(userId: $userId, teamId: $teamId) {
+        edges {
+          node {
+            id
+            name
          }
        }
      }
-    `;
+    }
+  `;

-    const variables = {};
+  const variables = {};

-    const { data: { data: { projects: { edges }}} } = await request.post(INTEGRATION_RAILWAY_API_URL, {
+  const {
+    data: {
+      data: {
+        projects: { edges },
+      },
+    },
+  } = await standardRequest.post(
+    INTEGRATION_RAILWAY_API_URL,
+    {
      query,
      variables,
-    }, {
+    },
+    {
      headers: {
-        'Authorization': `Bearer ${accessToken}`,
-        'Content-Type': 'application/json',
-        'Accept-Encoding': 'application/json'
+        Authorization: `Bearer ${accessToken}`,
+        "Content-Type": "application/json",
+        "Accept-Encoding": "application/json",
      },
-    });
-    
-    apps = edges.map((e: any) => ({
-      name: e.node.name,
-      appId: e.node.id
-    }));
+    }
+  );
+
+  const apps = edges.map((e: any) => ({
+    name: e.node.name,
+    appId: e.node.id,
+  }));

-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error("Failed to get Railway services");
-  }
-  
  return apps;
-}
+};

 /**
 * Return list of apps for Fly.io integration
@ -397,41 +389,40 @@ const getAppsRailway = async ({ accessToken }: { accessToken: string }) => {
 * @returns {String} apps.name - name of Fly.io apps
 */
 const getAppsFlyio = async ({ accessToken }: { accessToken: string }) => {
-  let apps;
-  try {
-    const query = `
-      query($role: String) {
-        apps(type: "container", first: 400, role: $role) {
-          nodes {
-            id
-            name
-            hostname
-          }
+  const query = `
+    query($role: String) {
+      apps(type: "container", first: 400, role: $role) {
+        nodes {
+          id
+          name
+          hostname
        }
      }
-    `;
+    }
+  `;

-    const res = (await request.post(INTEGRATION_FLYIO_API_URL, {
-      query,
-      variables: {
-        role: null,
+  const res = (
+    await standardRequest.post(
+      INTEGRATION_FLYIO_API_URL,
+      {
+        query,
+        variables: {
+          role: null,
+        },
      },
-    }, {
-      headers: {
-        Authorization: "Bearer " + accessToken,
-        'Accept': 'application/json',
-        'Accept-Encoding': 'application/json',
-      },
-    })).data.data.apps.nodes;
+      {
+        headers: {
+          Authorization: "Bearer " + accessToken,
+          Accept: "application/json",
+          "Accept-Encoding": "application/json",
+        },
+      }
+    )
+  ).data.data.apps.nodes;

-    apps = res.map((a: any) => ({
-      name: a.name,
-    }));
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error("Failed to get Fly.io apps");
-  }
+  const apps = res.map((a: any) => ({
+    name: a.name,
+  }));

  return apps;
 };
@ -444,63 +435,43 @@ const getAppsFlyio = async ({ accessToken }: { accessToken: string }) => {
 * @returns {String} apps.name - name of CircleCI apps
 */
 const getAppsCircleCI = async ({ accessToken }: { accessToken: string }) => {
-  let apps: any;
-  try {    
-    const res = (
-      await request.get(
-        `${INTEGRATION_CIRCLECI_API_URL}/v1.1/projects`,
-        {
-          headers: {
-            "Circle-Token": accessToken,
-            "Accept-Encoding": "application/json",
-          },
-        }
-      )
-    ).data
+  const res = (
+    await standardRequest.get(`${INTEGRATION_CIRCLECI_API_URL}/v1.1/projects`, {
+      headers: {
+        "Circle-Token": accessToken,
+        "Accept-Encoding": "application/json",
+      },
+    })
+  ).data;
+
+  const apps = res?.map((a: any) => {
+    return {
+      name: a?.reponame,
+    };
+  });

-    apps = res?.map((a: any) => {
-      return {
-        name: a?.reponame
-      }
-    });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error("Failed to get CircleCI projects");
-  }
-  
  return apps;
 };

 const getAppsTravisCI = async ({ accessToken }: { accessToken: string }) => {
-  let apps: any;
-  try {
-    const res = (
-      await request.get(
-        `${INTEGRATION_TRAVISCI_API_URL}/repos`,
-        {
-          headers: {
-            "Authorization": `token ${accessToken}`,
-            "Accept-Encoding": "application/json",
-          },
-        }
-      )
-    ).data;
+  const res = (
+    await standardRequest.get(`${INTEGRATION_TRAVISCI_API_URL}/repos`, {
+      headers: {
+        Authorization: `token ${accessToken}`,
+        "Accept-Encoding": "application/json",
+      },
+    })
+  ).data;
+
+  const apps = res?.map((a: any) => {
+    return {
+      name: a?.slug?.split("/")[1],
+      appId: a?.id,
+    };
+  });

-    apps = res?.map((a: any) => {
-      return {
-        name: a?.slug?.split("/")[1],
-        appId: a?.id,
-      }
-    });
-  }catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error("Failed to get TravisCI projects");
-  }
-  
  return apps;
-}
+};

 /**
 * Return list of repositories for GitLab integration
@ -509,112 +480,98 @@ const getAppsTravisCI = async ({ accessToken }: { accessToken: string }) => {
 * @returns {Object[]} apps - names of GitLab sites
 * @returns {String} apps.name - name of GitLab site
 */
-const getAppsGitlab = async ({ 
+const getAppsGitlab = async ({
  accessToken,
-  teamId
+  teamId,
 }: {
  accessToken: string;
  teamId?: string;
 }) => {
  const apps: App[] = [];
-  
+
  let page = 1;
  const perPage = 10;
  let hasMorePages = true;
-  try {

-    if (teamId) {
-      // case: fetch projects for group with id [teamId] in GitLab
-      
-      while (hasMorePages) {
-        const params = new URLSearchParams({
-          page: String(page),
-          per_page: String(perPage)
-        });
+  if (teamId) {
+    // case: fetch projects for group with id [teamId] in GitLab

-        const { data } = (
-          await request.get(
-            `${INTEGRATION_GITLAB_API_URL}/v4/groups/${teamId}/projects`,
-            {
-              params,
-              headers: {
-                "Authorization": `Bearer ${accessToken}`,
-                "Accept-Encoding": "application/json",
-              },
-            }
-          )
-        );
+    while (hasMorePages) {
+      const params = new URLSearchParams({
+        page: String(page),
+        per_page: String(perPage),
+      });

-        data.map((a: any) => {
-          apps.push({
-            name: a.name,
-            appId: a.id
-          });
-        });
-        
-        if (data.length < perPage) {
-          hasMorePages = false;
+      const { data } = await standardRequest.get(
+        `${INTEGRATION_GITLAB_API_URL}/v4/groups/${teamId}/projects`,
+        {
+          params,
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+            "Accept-Encoding": "application/json",
+          },
        }
-        
-        page++;
-      }
-    } else {
-      // case: fetch projects for individual in GitLab
-      
-      const { id } = (
-        await request.get(
-          `${INTEGRATION_GITLAB_API_URL}/v4/user`,
-          {
-            headers: {
-              "Authorization": `Bearer ${accessToken}`,
-              "Accept-Encoding": "application/json",
-            },
-          }
-        )
-      ).data;
-      
-      while (hasMorePages) {
-        const params = new URLSearchParams({
-          page: String(page),
-          per_page: String(perPage)
+      );
+
+      data.map((a: any) => {
+        apps.push({
+          name: a.name,
+          appId: a.id,
        });
+      });

-        const { data } = (
-          await request.get(
-            `${INTEGRATION_GITLAB_API_URL}/v4/users/${id}/projects`,
-            {
-              params,
-              headers: {
-                "Authorization": `Bearer ${accessToken}`,
-                "Accept-Encoding": "application/json",
-              },
-            }
-          )
-        );
-
-        data.map((a: any) => {
-          apps.push({
-            name: a.name,
-            appId: a.id
-          });
-        });
-
-        if (data.length < perPage) {
-          hasMorePages = false;
-        }
-        
-        page++;
+      if (data.length < perPage) {
+        hasMorePages = false;
      }
+
+      page++;
    }
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error("Failed to get GitLab projects");
-  }
-  
-  return apps;
-}
+  } else {
+    // case: fetch projects for individual in GitLab

+    const { id } = (
+      await standardRequest.get(`${INTEGRATION_GITLAB_API_URL}/v4/user`, {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          "Accept-Encoding": "application/json",
+        },
+      })
+    ).data;
+
+    while (hasMorePages) {
+      const params = new URLSearchParams({
+        page: String(page),
+        per_page: String(perPage),
+      });
+
+      const { data } = await standardRequest.get(
+        `${INTEGRATION_GITLAB_API_URL}/v4/users/${id}/projects`,
+        {
+          params,
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+            "Accept-Encoding": "application/json",
+          },
+        }
+      );
+
+      data.map((a: any) => {
+        apps.push({
+          name: a.name,
+          appId: a.id,
+        });
+      });
+
+      if (data.length < perPage) {
+        hasMorePages = false;
+      }
+
+      page++;
+    }
+  }
+
+  return apps;
+};

 /**
 * Return list of projects for Supabase integration
@ -624,30 +581,23 @@ const getAppsGitlab = async ({
 * @returns {String} apps.name - name of Supabase app
 */
 const getAppsSupabase = async ({ accessToken }: { accessToken: string }) => {
-  let apps: any;
-  try {
-      const { data } = await request.get(
-        `${INTEGRATION_SUPABASE_API_URL}/v1/projects`,
-        {
-          headers: {
-          Authorization: `Bearer ${accessToken}`,
-          'Accept-Encoding': 'application/json'
-          }
-        }
-      );
+  const { data } = await standardRequest.get(
+    `${INTEGRATION_SUPABASE_API_URL}/v1/projects`,
+    {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        "Accept-Encoding": "application/json",
+      },
+    }
+  );
+
+  const apps = data.map((a: any) => {
+    return {
+      name: a.name,
+      appId: a.id,
+    };
+  });

-      apps = data.map((a: any) => {
-        return {
-            name: a.name,
-            appId: a.id
-        };
-    });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed to get Supabase projects');
-  }
-  
  return apps;
 };

--- a/backend/src/integrations/exchange.ts
+++ b/backend/src/integrations/exchange.ts
@ -1,5 +1,4 @@
-import * as Sentry from '@sentry/node';
-import request from '../config/request';
+import { standardRequest } from "../config/request";
 import {
  INTEGRATION_AZURE_KEY_VAULT,
  INTEGRATION_HEROKU,
@ -12,8 +11,8 @@ import {
  INTEGRATION_VERCEL_TOKEN_URL,
  INTEGRATION_NETLIFY_TOKEN_URL,
  INTEGRATION_GITHUB_TOKEN_URL,
-  INTEGRATION_GITLAB_TOKEN_URL
-} from '../variables';
+  INTEGRATION_GITLAB_TOKEN_URL,
+} from "../variables";
 import {
  getSiteURL,
  getClientIdAzure,
@ -26,8 +25,8 @@ import {
  getClientIdGitHub,
  getClientSecretGitHub,
  getClientIdGitLab,
-  getClientSecretGitLab
-} from '../config';
+  getClientSecretGitLab,
+} from "../config";

 interface ExchangeCodeAzureResponse {
  token_type: string;
@ -93,49 +92,43 @@ interface ExchangeCodeGitlabResponse {
 */
 const exchangeCode = async ({
  integration,
-  code
+  code,
 }: {
  integration: string;
  code: string;
 }) => {
  let obj = {} as any;

-  try {
-    switch (integration) {
-      case INTEGRATION_AZURE_KEY_VAULT:
-        obj = await exchangeCodeAzure({
-          code
-        });
-        break;
-      case INTEGRATION_HEROKU:
-        obj = await exchangeCodeHeroku({
-          code
-        });
-        break;
-      case INTEGRATION_VERCEL:
-        obj = await exchangeCodeVercel({
-          code
-        });
-        break;
-      case INTEGRATION_NETLIFY:
-        obj = await exchangeCodeNetlify({
-          code
-        });
-        break;
-      case INTEGRATION_GITHUB:
-        obj = await exchangeCodeGithub({
-          code
-        });
-        break;
-      case INTEGRATION_GITLAB:
-        obj = await exchangeCodeGitlab({
-          code
-        });
-    }
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed OAuth2 code-token exchange');
+  switch (integration) {
+    case INTEGRATION_AZURE_KEY_VAULT:
+      obj = await exchangeCodeAzure({
+        code,
+      });
+      break;
+    case INTEGRATION_HEROKU:
+      obj = await exchangeCodeHeroku({
+        code,
+      });
+      break;
+    case INTEGRATION_VERCEL:
+      obj = await exchangeCodeVercel({
+        code,
+      });
+      break;
+    case INTEGRATION_NETLIFY:
+      obj = await exchangeCodeNetlify({
+        code,
+      });
+      break;
+    case INTEGRATION_GITHUB:
+      obj = await exchangeCodeGithub({
+        code,
+      });
+      break;
+    case INTEGRATION_GITLAB:
+      obj = await exchangeCodeGitlab({
+        code,
+      });
  }

  return obj;
@ -143,43 +136,33 @@ const exchangeCode = async ({

 /**
 * Return [accessToken] for Azure OAuth2 code-token exchange
- * @param param0 
+ * @param param0
 */
-const exchangeCodeAzure = async ({
-  code
-}: {
-  code: string;
-}) => {
+const exchangeCodeAzure = async ({ code }: { code: string }) => {
  const accessExpiresAt = new Date();
-  let res: ExchangeCodeAzureResponse;
-  try {
-    res = (await request.post(
+
+  const res: ExchangeCodeAzureResponse = (
+    await standardRequest.post(
      INTEGRATION_AZURE_TOKEN_URL,
      new URLSearchParams({
-        grant_type: 'authorization_code',
+        grant_type: "authorization_code",
        code: code,
-        scope: 'https://vault.azure.net/.default openid offline_access',
-        client_id: getClientIdAzure(),
-        client_secret: getClientSecretAzure(),
-        redirect_uri: `${getSiteURL()}/integrations/azure-key-vault/oauth2/callback`
+        scope: "https://vault.azure.net/.default openid offline_access",
+        client_id: await getClientIdAzure(),
+        client_secret: await getClientSecretAzure(),
+        redirect_uri: `${await getSiteURL()}/integrations/azure-key-vault/oauth2/callback`,
      } as any)
-    )).data;
+    )
+  ).data;

-    accessExpiresAt.setSeconds(
-      accessExpiresAt.getSeconds() + res.expires_in
-    );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed OAuth2 code-token exchange with Azure');
-  }
+  accessExpiresAt.setSeconds(accessExpiresAt.getSeconds() + res.expires_in);

-  return ({
+  return {
    accessToken: res.access_token,
    refreshToken: res.refresh_token,
-    accessExpiresAt
-  });
-}
+    accessExpiresAt,
+  };
+};

 /**
 * Return [accessToken], [accessExpiresAt], and [refreshToken] for Heroku
@ -191,38 +174,28 @@ const exchangeCodeAzure = async ({
 * @returns {String} obj2.refreshToken - refresh token for Heroku API
 * @returns {Date} obj2.accessExpiresAt - date of expiration for access token
 */
-const exchangeCodeHeroku = async ({
-  code
-}: {
-  code: string;
-}) => {
-  let res: ExchangeCodeHerokuResponse;
+const exchangeCodeHeroku = async ({ code }: { code: string }) => {
  const accessExpiresAt = new Date();
-  try {
-    res = (await request.post(
+
+  const res: ExchangeCodeHerokuResponse = (
+    await standardRequest.post(
      INTEGRATION_HEROKU_TOKEN_URL,
      new URLSearchParams({
-        grant_type: 'authorization_code',
+        grant_type: "authorization_code",
        code: code,
-        client_secret: getClientSecretHeroku()
+        client_secret: await getClientSecretHeroku(),
      } as any)
-    )).data;
+    )
+  ).data;

-    accessExpiresAt.setSeconds(
-      accessExpiresAt.getSeconds() + res.expires_in
-    );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed OAuth2 code-token exchange with Heroku');
-  }
+  accessExpiresAt.setSeconds(accessExpiresAt.getSeconds() + res.expires_in);

-  return ({
+  return {
    accessToken: res.access_token,
    refreshToken: res.refresh_token,
-    accessExpiresAt
-  });
-}
+    accessExpiresAt,
+  };
+};

 /**
 * Return [accessToken], [accessExpiresAt], and [refreshToken] for Vercel
@ -235,30 +208,23 @@ const exchangeCodeHeroku = async ({
 * @returns {Date} obj2.accessExpiresAt - date of expiration for access token
 */
 const exchangeCodeVercel = async ({ code }: { code: string }) => {
-  let res: ExchangeCodeVercelResponse;
-  try {
-    res = (
-      await request.post(
-        INTEGRATION_VERCEL_TOKEN_URL,
-        new URLSearchParams({
-          code: code,
-          client_id: getClientIdVercel(),
-          client_secret: getClientSecretVercel(),
-          redirect_uri: `${getSiteURL()}/integrations/vercel/oauth2/callback`
-        } as any)
-      )
-    ).data;
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error(`Failed OAuth2 code-token exchange with Vercel [err=${err}]`);
-  }
+  const res: ExchangeCodeVercelResponse = (
+    await standardRequest.post(
+      INTEGRATION_VERCEL_TOKEN_URL,
+      new URLSearchParams({
+        code: code,
+        client_id: await getClientIdVercel(),
+        client_secret: await getClientSecretVercel(),
+        redirect_uri: `${await getSiteURL()}/integrations/vercel/oauth2/callback`,
+      } as any)
+    )
+  ).data;

  return {
    accessToken: res.access_token,
    refreshToken: null,
    accessExpiresAt: null,
-    teamId: res.team_id
+    teamId: res.team_id,
  };
 };

@ -273,47 +239,39 @@ const exchangeCodeVercel = async ({ code }: { code: string }) => {
 * @returns {Date} obj2.accessExpiresAt - date of expiration for access token
 */
 const exchangeCodeNetlify = async ({ code }: { code: string }) => {
-  let res: ExchangeCodeNetlifyResponse;
-  let accountId;
-  try {
-    res = (
-      await request.post(
-        INTEGRATION_NETLIFY_TOKEN_URL,
-        new URLSearchParams({
-          grant_type: 'authorization_code',
-          code: code,
-          client_id: getClientIdNetlify(),
-          client_secret: getClientSecretNetlify(),
-          redirect_uri: `${getSiteURL()}/integrations/netlify/oauth2/callback`
-        } as any)
-      )
-    ).data;
+  const res: ExchangeCodeNetlifyResponse = (
+    await standardRequest.post(
+      INTEGRATION_NETLIFY_TOKEN_URL,
+      new URLSearchParams({
+        grant_type: "authorization_code",
+        code: code,
+        client_id: await getClientIdNetlify(),
+        client_secret: await getClientSecretNetlify(),
+        redirect_uri: `${await getSiteURL()}/integrations/netlify/oauth2/callback`,
+      } as any)
+    )
+  ).data;

-    const res2 = await request.get('https://api.netlify.com/api/v1/sites', {
+  const res2 = await standardRequest.get("https://api.netlify.com/api/v1/sites", {
+    headers: {
+      Authorization: `Bearer ${res.access_token}`,
+    },
+  });
+
+  const res3 = (
+    await standardRequest.get("https://api.netlify.com/api/v1/accounts", {
      headers: {
-        Authorization: `Bearer ${res.access_token}`
-      }
-    });
+        Authorization: `Bearer ${res.access_token}`,
+      },
+    })
+  ).data;

-    const res3 = (
-      await request.get('https://api.netlify.com/api/v1/accounts', {
-        headers: {
-          Authorization: `Bearer ${res.access_token}`
-        }
-      })
-    ).data;
-
-    accountId = res3[0].id;
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed OAuth2 code-token exchange with Netlify');
-  }
+  const accountId = res3[0].id;

  return {
    accessToken: res.access_token,
    refreshToken: res.refresh_token,
-    accountId
+    accountId,
  };
 };

@ -328,33 +286,25 @@ const exchangeCodeNetlify = async ({ code }: { code: string }) => {
 * @returns {Date} obj2.accessExpiresAt - date of expiration for access token
 */
 const exchangeCodeGithub = async ({ code }: { code: string }) => {
-  let res: ExchangeCodeGithubResponse;
-  try {
-    res = (
-      await request.get(INTEGRATION_GITHUB_TOKEN_URL, {
-        params: {
-          client_id: getClientIdGitHub(),
-          client_secret: getClientSecretGitHub(),
-          code: code,
-          redirect_uri: `${getSiteURL()}/integrations/github/oauth2/callback`
-        },
-        headers: {
-          'Accept': 'application/json',
-          'Accept-Encoding': 'application/json'
-        }
-      })
-    ).data;
-
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed OAuth2 code-token exchange with Github');
-  }
+  const res: ExchangeCodeGithubResponse = (
+    await standardRequest.get(INTEGRATION_GITHUB_TOKEN_URL, {
+      params: {
+        client_id: await getClientIdGitHub(),
+        client_secret: await getClientSecretGitHub(),
+        code: code,
+        redirect_uri: `${await getSiteURL()}/integrations/github/oauth2/callback`,
+      },
+      headers: {
+        Accept: "application/json",
+        "Accept-Encoding": "application/json",
+      },
+    })
+  ).data;

  return {
    accessToken: res.access_token,
    refreshToken: null,
-    accessExpiresAt: null
+    accessExpiresAt: null,
  };
 };

@ -369,42 +319,32 @@ const exchangeCodeGithub = async ({ code }: { code: string }) => {
 * @returns {Date} obj2.accessExpiresAt - date of expiration for access token
 */
 const exchangeCodeGitlab = async ({ code }: { code: string }) => {
-  let res: ExchangeCodeGitlabResponse; 
  const accessExpiresAt = new Date();
-  
-  try {
-    res = (
-      await request.post(
-        INTEGRATION_GITLAB_TOKEN_URL,
-        new URLSearchParams({
-          grant_type: 'authorization_code',
-          code: code,
-          client_id: getClientIdGitLab(),
-          client_secret: getClientSecretGitLab(),
-          redirect_uri: `${getSiteURL()}/integrations/gitlab/oauth2/callback`
-        } as any),
-        {
-          headers: {
-            "Accept-Encoding": "application/json",
-          }
-        }
-      )
-    ).data;
-    
-    accessExpiresAt.setSeconds(
-      accessExpiresAt.getSeconds() + res.expires_in
-    );
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed OAuth2 code-token exchange with Gitlab');
-  }
+  const res: ExchangeCodeGitlabResponse = (
+    await standardRequest.post(
+      INTEGRATION_GITLAB_TOKEN_URL,
+      new URLSearchParams({
+        grant_type: "authorization_code",
+        code: code,
+        client_id: await getClientIdGitLab(),
+        client_secret: await getClientSecretGitLab(),
+        redirect_uri: `${await getSiteURL()}/integrations/gitlab/oauth2/callback`,
+      } as any),
+      {
+        headers: {
+          "Accept-Encoding": "application/json",
+        },
+      }
+    )
+  ).data;
+
+  accessExpiresAt.setSeconds(accessExpiresAt.getSeconds() + res.expires_in);

  return {
    accessToken: res.access_token,
    refreshToken: res.refresh_token,
-    accessExpiresAt
+    accessExpiresAt,
  };
-}
+};

 export { exchangeCode };
--- a/backend/src/integrations/refresh.ts
+++ b/backend/src/integrations/refresh.ts
@ -1,29 +1,24 @@
-import * as Sentry from '@sentry/node';
-import request from '../config/request';
+import { standardRequest } from "../config/request";
+import { IIntegrationAuth } from "../models";
 import {
-  IIntegrationAuth
-} from '../models';
-import {
-  INTEGRATION_AZURE_KEY_VAULT, 
+  INTEGRATION_AZURE_KEY_VAULT,
  INTEGRATION_HEROKU,
  INTEGRATION_GITLAB,
-} from '../variables';
+} from "../variables";
 import {
  INTEGRATION_AZURE_TOKEN_URL,
  INTEGRATION_HEROKU_TOKEN_URL,
-  INTEGRATION_GITLAB_TOKEN_URL
-} from '../variables';
-import {
-  IntegrationService
-} from '../services';
+  INTEGRATION_GITLAB_TOKEN_URL,
+} from "../variables";
+import { IntegrationService } from "../services";
 import {
  getSiteURL,
  getClientIdAzure,
  getClientSecretAzure,
  getClientSecretHeroku,
  getClientIdGitLab,
-  getClientSecretGitLab
-} from '../config';
+  getClientSecretGitLab,
+} from "../config";

 interface RefreshTokenAzureResponse {
  token_type: string;
@ -60,60 +55,57 @@ interface RefreshTokenGitLabResponse {
 */
 const exchangeRefresh = async ({
  integrationAuth,
-  refreshToken
+  refreshToken,
 }: {
  integrationAuth: IIntegrationAuth;
  refreshToken: string;
 }) => {
-  
  interface TokenDetails {
    accessToken: string;
    refreshToken: string;
    accessExpiresAt: Date;
  }
-  
+
  let tokenDetails: TokenDetails;
-  try {
-    switch (integrationAuth.integration) {
-      case INTEGRATION_AZURE_KEY_VAULT:
-        tokenDetails = await exchangeRefreshAzure({
-          refreshToken
-        });
-        break;
-      case INTEGRATION_HEROKU:
-        tokenDetails = await exchangeRefreshHeroku({
-          refreshToken
-        });
-        break;
-      case INTEGRATION_GITLAB:
-        tokenDetails = await exchangeRefreshGitLab({
-          refreshToken
-        });
-        break;
-      default:
-        throw new Error('Failed to exchange token for incompatible integration');
-    }
-
-    if (tokenDetails?.accessToken && tokenDetails?.refreshToken && tokenDetails?.accessExpiresAt) {
-      await IntegrationService.setIntegrationAuthAccess({
-        integrationAuthId: integrationAuth._id.toString(),
-        accessId: null,
-        accessToken: tokenDetails.accessToken,
-        accessExpiresAt: tokenDetails.accessExpiresAt
+  switch (integrationAuth.integration) {
+    case INTEGRATION_AZURE_KEY_VAULT:
+      tokenDetails = await exchangeRefreshAzure({
+        refreshToken,
      });
-
-      await IntegrationService.setIntegrationAuthRefresh({
-        integrationAuthId: integrationAuth._id.toString(),
-        refreshToken: tokenDetails.refreshToken
+      break;
+    case INTEGRATION_HEROKU:
+      tokenDetails = await exchangeRefreshHeroku({
+        refreshToken,
      });
-    }
-
-    return tokenDetails.accessToken;
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed to get new OAuth2 access token');
+      break;
+    case INTEGRATION_GITLAB:
+      tokenDetails = await exchangeRefreshGitLab({
+        refreshToken,
+      });
+      break;
+    default:
+      throw new Error("Failed to exchange token for incompatible integration");
  }
+
+  if (
+    tokenDetails?.accessToken &&
+    tokenDetails?.refreshToken &&
+    tokenDetails?.accessExpiresAt
+  ) {
+    await IntegrationService.setIntegrationAuthAccess({
+      integrationAuthId: integrationAuth._id.toString(),
+      accessId: null,
+      accessToken: tokenDetails.accessToken,
+      accessExpiresAt: tokenDetails.accessExpiresAt,
+    });
+
+    await IntegrationService.setIntegrationAuthRefresh({
+      integrationAuthId: integrationAuth._id.toString(),
+      refreshToken: tokenDetails.refreshToken,
+    });
+  }
+
+  return tokenDetails.accessToken;
 };

 /**
@ -124,38 +116,30 @@ const exchangeRefresh = async ({
 * @returns
 */
 const exchangeRefreshAzure = async ({
-  refreshToken
+  refreshToken,
 }: {
  refreshToken: string;
 }) => {
-  try {
-    const accessExpiresAt = new Date();
-    const { data }: { data: RefreshTokenAzureResponse } = await request.post(
-      INTEGRATION_AZURE_TOKEN_URL,
-       new URLSearchParams({
-        client_id: getClientIdAzure(),
-        scope: 'openid offline_access',
-        refresh_token: refreshToken,
-        grant_type: 'refresh_token',
-        client_secret: getClientSecretAzure()
-      } as any)
-    );
-    
-    accessExpiresAt.setSeconds(
-      accessExpiresAt.getSeconds() + data.expires_in
-    );
+  const accessExpiresAt = new Date();
+  const { data }: { data: RefreshTokenAzureResponse } = await standardRequest.post(
+    INTEGRATION_AZURE_TOKEN_URL,
+    new URLSearchParams({
+      client_id: await getClientIdAzure(),
+      scope: "openid offline_access",
+      refresh_token: refreshToken,
+      grant_type: "refresh_token",
+      client_secret: await getClientSecretAzure(),
+    } as any)
+  );

-    return ({
-      accessToken: data.access_token,
-      refreshToken: data.refresh_token,
-      accessExpiresAt
-    });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed to get refresh OAuth2 access token for Azure'); 
-  }
-}
+  accessExpiresAt.setSeconds(accessExpiresAt.getSeconds() + data.expires_in);
+
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    accessExpiresAt,
+  };
+};

 /**
 * Return new access token by exchanging refresh token [refreshToken] for the
@ -165,39 +149,31 @@ const exchangeRefreshAzure = async ({
 * @returns
 */
 const exchangeRefreshHeroku = async ({
-  refreshToken
+  refreshToken,
 }: {
  refreshToken: string;
 }) => {
-  try {
-    const accessExpiresAt = new Date();
-    const { 
-      data 
-    }: { 
-      data: RefreshTokenHerokuResponse 
-    } = await request.post(
-        INTEGRATION_HEROKU_TOKEN_URL,
-        new URLSearchParams({
-            grant_type: 'refresh_token',
-            refresh_token: refreshToken,
-            client_secret: getClientSecretHeroku()
-        } as any)
-    );
+  const accessExpiresAt = new Date();
+  const {
+    data,
+  }: {
+    data: RefreshTokenHerokuResponse;
+  } = await standardRequest.post(
+    INTEGRATION_HEROKU_TOKEN_URL,
+    new URLSearchParams({
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+      client_secret: await getClientSecretHeroku(),
+    } as any)
+  );

-    accessExpiresAt.setSeconds(
-      accessExpiresAt.getSeconds() + data.expires_in
-    );
+  accessExpiresAt.setSeconds(accessExpiresAt.getSeconds() + data.expires_in);

-    return ({
-      accessToken: data.access_token,
-      refreshToken: data.refresh_token,
-      accessExpiresAt
-    });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed to refresh OAuth2 access token for Heroku');
-  }
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    accessExpiresAt,
+  };
 };

 /**
@ -208,45 +184,38 @@ const exchangeRefreshHeroku = async ({
 * @returns
 */
 const exchangeRefreshGitLab = async ({
-  refreshToken
+  refreshToken,
 }: {
  refreshToken: string;
 }) => {
-  try {
-    const accessExpiresAt = new Date();
-    const { 
-      data
-    }: { 
-      data: RefreshTokenGitLabResponse 
-    } = await request.post(
-      INTEGRATION_GITLAB_TOKEN_URL,
-      new URLSearchParams({
-        grant_type: 'refresh_token',
-        refresh_token: refreshToken,
-        client_id: getClientIdGitLab,
-        client_secret: getClientSecretGitLab(),
-        redirect_uri: `${getSiteURL()}/integrations/gitlab/oauth2/callback`
-      } as any),
-      {
-        headers: {
-          "Accept-Encoding": "application/json",
-        }
-      });
+  const accessExpiresAt = new Date();
+  const {
+    data,
+  }: {
+    data: RefreshTokenGitLabResponse;
+  } = await standardRequest.post(
+    INTEGRATION_GITLAB_TOKEN_URL,
+    new URLSearchParams({
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+      client_id: await getClientIdGitLab(),
+      client_secret: await getClientSecretGitLab(),
+      redirect_uri: `${await getSiteURL()}/integrations/gitlab/oauth2/callback`,
+    } as any),
+    {
+      headers: {
+        "Accept-Encoding": "application/json",
+      },
+    }
+  );

-    accessExpiresAt.setSeconds(
-      accessExpiresAt.getSeconds() + data.expires_in
-    );
+  accessExpiresAt.setSeconds(accessExpiresAt.getSeconds() + data.expires_in);

-    return ({
-      accessToken: data.access_token,
-      refreshToken: data.refresh_token,
-      accessExpiresAt
-    });
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed to refresh OAuth2 access token for GitLab');
-  }
+  return {
+    accessToken: data.access_token,
+    refreshToken: data.refresh_token,
+    accessExpiresAt,
+  };
 };

 export { exchangeRefresh };
--- a/backend/src/integrations/revoke.ts
+++ b/backend/src/integrations/revoke.ts
@ -1,4 +1,3 @@
-import * as Sentry from '@sentry/node';
 import { 
  IIntegrationAuth, 
  IntegrationAuth, 
@ -22,34 +21,28 @@ const revokeAccess = async ({
  accessToken: string;
 }) => {
  let deletedIntegrationAuth;
-  try {
-    // add any integration-specific revocation logic
-    switch (integrationAuth.integration) {
-      case INTEGRATION_HEROKU:
-        break;
-      case INTEGRATION_VERCEL:
-        break;
-      case INTEGRATION_NETLIFY:
-        break;
-      case INTEGRATION_GITHUB:
-        break;
-      case INTEGRATION_GITLAB:
-        break;
-    }
+  // add any integration-specific revocation logic
+  switch (integrationAuth.integration) {
+    case INTEGRATION_HEROKU:
+      break;
+    case INTEGRATION_VERCEL:
+      break;
+    case INTEGRATION_NETLIFY:
+      break;
+    case INTEGRATION_GITHUB:
+      break;
+    case INTEGRATION_GITLAB:
+      break;
+  }

-    deletedIntegrationAuth = await IntegrationAuth.findOneAndDelete({
-      _id: integrationAuth._id
+  deletedIntegrationAuth = await IntegrationAuth.findOneAndDelete({
+    _id: integrationAuth._id
+  });
+
+  if (deletedIntegrationAuth) {
+    await Integration.deleteMany({
+      integrationAuth: deletedIntegrationAuth._id
    });
-
-    if (deletedIntegrationAuth) {
-      await Integration.deleteMany({
-        integrationAuth: deletedIntegrationAuth._id
-      });
-    }
-  } catch (err) {
-    Sentry.setUser(null);
-    Sentry.captureException(err);
-    throw new Error('Failed to delete integration authorization');
  }
  
  return deletedIntegrationAuth;
--- a/backend/src/integrations/sync.ts
+++ b/backend/src/integrations/sync.ts
@ -37,8 +37,7 @@ import {
  INTEGRATION_TRAVISCI_API_URL,
  INTEGRATION_SUPABASE_API_URL
 } from "../variables";
-import request from '../config/request';
-import axios from "axios";
+import { standardRequest} from '../config/request';

 /**
 * Sync/push [secrets] to [app] in integration named [integration]
@ -215,7 +214,7 @@ const syncSecretsAzureKeyVault = async ({
      let result: GetAzureKeyVaultSecret[] = [];
      try {
        while (url) {
-          const res = await request.get(url, {
+          const res = await standardRequest.get(url, {
            headers: {
              Authorization: `Bearer ${accessToken}`
            }
@ -242,7 +241,7 @@ const syncSecretsAzureKeyVault = async ({
        lastSlashIndex = getAzureKeyVaultSecret.id.lastIndexOf('/');
      }
      
-      const azureKeyVaultSecret = await request.get(`${getAzureKeyVaultSecret.id}?api-version=7.3`, {
+      const azureKeyVaultSecret = await standardRequest.get(`${getAzureKeyVaultSecret.id}?api-version=7.3`, {
        headers: {
          'Authorization': `Bearer ${accessToken}`
        }
@ -308,7 +307,7 @@ const syncSecretsAzureKeyVault = async ({
      while (!isSecretSet && maxTries > 0) {
        // try to set secret
        try {
-          await request.put(
+          await standardRequest.put(
            `${integration.app}/secrets/${key}?api-version=7.3`,
            {
              value
@ -325,7 +324,7 @@ const syncSecretsAzureKeyVault = async ({
        } catch (err) {
          const error: any = err;
          if (error?.response?.data?.error?.innererror?.code === 'ObjectIsDeletedButRecoverable') {
-            await request.post(
+            await standardRequest.post(
              `${integration.app}/deletedsecrets/${key}/recover?api-version=7.3`, {},
              {
                headers: {
@ -355,7 +354,7 @@ const syncSecretsAzureKeyVault = async ({
    
    for await (const deleteSecret of deleteSecrets) {
      const { key } = deleteSecret;
-      await request.delete(`${integration.app}/secrets/${key}?api-version=7.3`, {
+      await standardRequest.delete(`${integration.app}/secrets/${key}?api-version=7.3`, {
        headers: {
          'Authorization': `Bearer ${accessToken}`
        }
@ -568,7 +567,7 @@ const syncSecretsHeroku = async ({
 }) => {
  try {
    const herokuSecrets = (
-      await request.get(
+      await standardRequest.get(
        `${INTEGRATION_HEROKU_API_URL}/apps/${integration.app}/config-vars`,
        {
          headers: {
@ -586,7 +585,7 @@ const syncSecretsHeroku = async ({
      }
    });

-    await request.patch(
+    await standardRequest.patch(
      `${INTEGRATION_HEROKU_API_URL}/apps/${integration.app}/config-vars`,
      secrets,
      {
@ -642,7 +641,7 @@ const syncSecretsVercel = async ({
        : {}),
    };
      
-    const vercelSecrets: VercelSecret[] = (await request.get(
+    const vercelSecrets: VercelSecret[] = (await standardRequest.get(
      `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env`,
      {
        params,
@ -675,7 +674,7 @@ const syncSecretsVercel = async ({
    for await (const vercelSecret of vercelSecrets) {
      if (vercelSecret.type === 'encrypted') {
        // case: secret is encrypted -> need to decrypt
-        const decryptedSecret = (await request.get(
+        const decryptedSecret = (await standardRequest.get(
            `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${vercelSecret.id}`,
            {
              params,
@ -747,7 +746,7 @@ const syncSecretsVercel = async ({

    // Sync/push new secrets
    if (newSecrets.length > 0) {
-      await request.post(
+      await standardRequest.post(
        `${INTEGRATION_VERCEL_API_URL}/v10/projects/${integration.app}/env`,
        newSecrets,
        {
@ -763,7 +762,7 @@ const syncSecretsVercel = async ({
    for await (const secret of updateSecrets) {
      if (secret.type !== 'sensitive') {
        const { id, ...updatedSecret } = secret;
-        await request.patch(
+        await standardRequest.patch(
          `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`,
          updatedSecret,
          {
@ -778,7 +777,7 @@ const syncSecretsVercel = async ({
    }

    for await (const secret of deleteSecrets) {
-      await request.delete(
+      await standardRequest.delete(
        `${INTEGRATION_VERCEL_API_URL}/v9/projects/${integration.app}/env/${secret.id}`,
        {
          params,
@ -837,7 +836,7 @@ const syncSecretsNetlify = async ({
    });

    const res = (
-      await request.get(
+      await standardRequest.get(
        `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env`,
        {
          params: getParams,
@ -951,7 +950,7 @@ const syncSecretsNetlify = async ({
    });

    if (newSecrets.length > 0) {
-      await request.post(
+      await standardRequest.post(
        `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env`,
        newSecrets,
        {
@ -966,7 +965,7 @@ const syncSecretsNetlify = async ({

    if (updateSecrets.length > 0) {
      updateSecrets.forEach(async (secret: NetlifySecret) => {
-        await request.patch(
+        await standardRequest.patch(
          `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env/${secret.key}`,
          {
            context: secret.values[0].context,
@ -985,7 +984,7 @@ const syncSecretsNetlify = async ({

    if (deleteSecrets.length > 0) {
      deleteSecrets.forEach(async (key: string) => {
-        await request.delete(
+        await standardRequest.delete(
          `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env/${key}`,
          {
            params: syncParams,
@ -1000,7 +999,7 @@ const syncSecretsNetlify = async ({

    if (deleteSecretValues.length > 0) {
      deleteSecretValues.forEach(async (secret: NetlifySecret) => {
-        await request.delete(
+        await standardRequest.delete(
          `${INTEGRATION_NETLIFY_API_URL}/api/v1/accounts/${integrationAuth.accountId}/env/${secret.key}/value/${secret.values[0].id}`,
          {
            params: syncParams,
@ -1151,7 +1150,7 @@ const syncSecretsRender = async ({
  accessToken: string;
 }) => {
  try {
-    await request.put(
+    await standardRequest.put(
      `${INTEGRATION_RENDER_API_URL}/v1/services/${integration.appId}/env-vars`,
      Object.keys(secrets).map((key) => ({
        key,
@ -1203,7 +1202,7 @@ const syncSecretsRailway = async ({
      variables: secrets
    };

-    await request.post(INTEGRATION_RAILWAY_API_URL, {
+    await standardRequest.post(INTEGRATION_RAILWAY_API_URL, {
      query,
      variables: {
        input,
@ -1261,7 +1260,7 @@ const syncSecretsFlyio = async ({
      }
    `;

-    await request.post(INTEGRATION_FLYIO_API_URL, {
+    await standardRequest.post(INTEGRATION_FLYIO_API_URL, {
      query: SetSecrets,
      variables: {
        input: {
@ -1296,7 +1295,7 @@ const syncSecretsFlyio = async ({
        }
    }`;

-    const getSecretsRes = (await request.post(INTEGRATION_FLYIO_API_URL, {
+    const getSecretsRes = (await standardRequest.post(INTEGRATION_FLYIO_API_URL, {
      query: GetSecrets,
      variables: {
        appName: integration.app,
@ -1332,7 +1331,7 @@ const syncSecretsFlyio = async ({
        }
    }`;

-    await request.post(INTEGRATION_FLYIO_API_URL, {
+    await standardRequest.post(INTEGRATION_FLYIO_API_URL, {
      query: DeleteSecrets,
      variables: {
        input: {
@ -1373,7 +1372,7 @@ const syncSecretsCircleCI = async ({
 }) => {  
  try {
    const circleciOrganizationDetail = (
-      await request.get(`${INTEGRATION_CIRCLECI_API_URL}/v2/me/collaborations`, {
+      await standardRequest.get(`${INTEGRATION_CIRCLECI_API_URL}/v2/me/collaborations`, {
        headers: {
          "Circle-Token": accessToken,
          "Accept-Encoding": "application/json",
@ -1386,7 +1385,7 @@ const syncSecretsCircleCI = async ({
    // sync secrets to CircleCI
    Object.keys(secrets).forEach(
      async (key) =>
-        await request.post(
+        await standardRequest.post(
          `${INTEGRATION_CIRCLECI_API_URL}/v2/project/${slug}/${integration.app}/envvar`,
          {
            name: key,
@ -1403,7 +1402,7 @@ const syncSecretsCircleCI = async ({

    // get secrets from CircleCI
    const getSecretsRes = (
-      await request.get(
+      await standardRequest.get(
        `${INTEGRATION_CIRCLECI_API_URL}/v2/project/${slug}/${integration.app}/envvar`,
        {
          headers: {
@ -1417,7 +1416,7 @@ const syncSecretsCircleCI = async ({
    // delete secrets from CircleCI
    getSecretsRes.forEach(async (sec: any) => {
      if (!(sec.name in secrets)) {
-        await request.delete(
+        await standardRequest.delete(
          `${INTEGRATION_CIRCLECI_API_URL}/v2/project/${slug}/${integration.app}/envvar/${sec.name}`,
          {
            headers: {
@ -1454,7 +1453,7 @@ const syncSecretsTravisCI = async ({
  try {
    // get secrets from travis-ci  
    const getSecretsRes = (
-      await request.get(
+      await standardRequest.get(
        `${INTEGRATION_TRAVISCI_API_URL}/settings/env_vars?repository_id=${integration.appId}`,
        {
          headers: {
@ -1476,7 +1475,7 @@ const syncSecretsTravisCI = async ({
      if (!(key in getSecretsRes)) {
        // case: secret does not exist in travis ci
        // -> add secret
-        await request.post(
+        await standardRequest.post(
          `${INTEGRATION_TRAVISCI_API_URL}/settings/env_vars?repository_id=${integration.appId}`,
          {
            env_var: {
@ -1495,7 +1494,7 @@ const syncSecretsTravisCI = async ({
      } else {
        // case: secret exists in travis ci
        // -> update/set secret
-        await request.patch(
+        await standardRequest.patch(
          `${INTEGRATION_TRAVISCI_API_URL}/settings/env_vars/${getSecretsRes[key].id}?repository_id=${getSecretsRes[key].repository_id}`,
          {
            env_var: {
@ -1517,7 +1516,7 @@ const syncSecretsTravisCI = async ({
    for await (const key of Object.keys(getSecretsRes)) {
      if (!(key in secrets)){
        // delete secret
-        await request.delete(
+        await standardRequest.delete(
          `${INTEGRATION_TRAVISCI_API_URL}/settings/env_vars/${getSecretsRes[key].id}?repository_id=${getSecretsRes[key].repository_id}`,
          {
            headers: {
@ -1554,23 +1553,48 @@ const syncSecretsGitLab = async ({
  accessToken: string;
 }) => {
  try {
-    // get secrets from gitlab
-    const getSecretsRes = (
-      await request.get(
-        `${INTEGRATION_GITLAB_API_URL}/v4/projects/${integration?.appId}/variables`,
-        { 
-          headers: {
-            "Authorization": `Bearer ${accessToken}`,
-            "Accept-Encoding": "application/json",
-          },
+    interface GitLabSecret {
+      key: string;
+      value: string;
+      environment_scope: string;
+    }
+
+    const getAllEnvVariables = async (integrationAppId: string, accessToken: string) => {
+      const gitLabApiUrl = `${INTEGRATION_GITLAB_API_URL}/v4/projects/${integrationAppId}/variables`;
+      const headers = {
+        "Authorization": `Bearer ${accessToken}`,
+        "Accept-Encoding": "application/json",
+      };
+    
+      let allEnvVariables: GitLabSecret[] = [];
+      let url: string | null = `${gitLabApiUrl}?per_page=100`;
+    
+      while (url) {
+        const response: any = await standardRequest.get(url, { headers });
+        allEnvVariables = [...allEnvVariables, ...response.data];
+    
+        const linkHeader = response.headers.link;
+        const nextLink = linkHeader?.split(',').find((part: string) => part.includes('rel="next"'));
+    
+        if (nextLink) {
+          url = nextLink.trim().split(';')[0].slice(1, -1);
+        } else {
+          url = null;
        }
-      )
-    ).data;
+      }
+    
+      return allEnvVariables;
+    };
+
+    const allEnvVariables = await getAllEnvVariables(integration?.appId, accessToken);
+    const getSecretsRes: GitLabSecret[] = allEnvVariables.filter((secret: GitLabSecret) => 
+      secret.environment_scope === integration.targetEnvironment
+    );

    for await (const key of Object.keys(secrets)) {
      const existingSecret = getSecretsRes.find((s: any) => s.key == key);
      if (!existingSecret) {
-        await request.post(
+        await standardRequest.post(
          `${INTEGRATION_GITLAB_API_URL}/v4/projects/${integration?.appId}/variables`,
          {
            key: key,
@ -1578,7 +1602,7 @@ const syncSecretsGitLab = async ({
            protected: false,
            masked: false,
            raw: false,
-            environment_scope:'*'
+            environment_scope: integration.targetEnvironment
          },
          {
            headers: {
@ -1589,29 +1613,31 @@ const syncSecretsGitLab = async ({
          }
        )
      } else {
-        // udpate secret 
-        await request.put(
-          `${INTEGRATION_GITLAB_API_URL}/v4/projects/${integration?.appId}/variables/${existingSecret.key}`,
-          {
-            ...existingSecret,
-            value: secrets[existingSecret.key]
-          },
-          {
-            headers: {
-              "Authorization": `Bearer ${accessToken}`,
-              "Content-Type": "application/json",
-              "Accept-Encoding": "application/json",
+        // update secret 
+        if (secrets[key] !== existingSecret.value) {
+          await standardRequest.put(
+            `${INTEGRATION_GITLAB_API_URL}/v4/projects/${integration?.appId}/variables/${existingSecret.key}?filter[environment_scope]=${integration.targetEnvironment}`,
+            {
+              ...existingSecret,
+              value: secrets[existingSecret.key]
            },
-          }
-        )
+            {
+              headers: {
+                "Authorization": `Bearer ${accessToken}`,
+                "Content-Type": "application/json",
+                "Accept-Encoding": "application/json",
+              },
+            }
+          );
+        }
      }
    }

    // delete secrets 
    for await (const sec of getSecretsRes) {
      if (!(sec.key in secrets)) {
-        await request.delete(
-          `${INTEGRATION_GITLAB_API_URL}/v4/projects/${integration?.appId}/variables/${sec.key}`,
+        await standardRequest.delete(
+          `${INTEGRATION_GITLAB_API_URL}/v4/projects/${integration?.appId}/variables/${sec.key}?filter[environment_scope]=${integration.targetEnvironment}`,
          {
            headers: {
              "Authorization": `Bearer ${accessToken}`,
@ -1620,7 +1646,8 @@ const syncSecretsGitLab = async ({
        );
      }
    }
-  }catch (err) {
+
+  } catch (err) {
    Sentry.setUser(null);
    Sentry.captureException(err);
    throw new Error("Failed to sync secrets to GitLab");
@ -1645,7 +1672,7 @@ const syncSecretsSupabase = async ({
  accessToken: string;
 }) => {
  try {
-    const { data: getSecretsRes } = await request.get(
+    const { data: getSecretsRes } = await standardRequest.get(
      `${INTEGRATION_SUPABASE_API_URL}/v1/projects/${integration.appId}/secrets`,
      {
        headers: {
@ -1665,7 +1692,7 @@ const syncSecretsSupabase = async ({
      }
    );

-    await request.post(
+    await standardRequest.post(
      `${INTEGRATION_SUPABASE_API_URL}/v1/projects/${integration.appId}/secrets`,
      modifiedFormatForSecretInjection,
      {
@ -1683,7 +1710,7 @@ const syncSecretsSupabase = async ({
      }
    });

-    await request.delete(
+    await standardRequest.delete(
      `${INTEGRATION_SUPABASE_API_URL}/v1/projects/${integration.appId}/secrets`,
      {
        headers: {
--- a/backend/src/integrations/teams.ts
+++ b/backend/src/integrations/teams.ts
@ -1,4 +1,3 @@
-import * as Sentry from "@sentry/node";
 import {
    IIntegrationAuth
 } from '../models';
@ -6,7 +5,7 @@ import {
    INTEGRATION_GITLAB,
    INTEGRATION_GITLAB_API_URL
 } from '../variables';
-import request from '../config/request';
+import { standardRequest } from '../config/request';

 interface Team {
    name: string;
@ -31,21 +30,15 @@ const getTeams = async ({
 }) => {
    
    let teams: Team[] = [];
-    try {
-        switch (integrationAuth.integration) {
-            case INTEGRATION_GITLAB:
-                teams = await getTeamsGitLab({
-                    accessToken
-                });
-                break;
-        }
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error('Failed to get integration teams');
+
+    switch (integrationAuth.integration) {
+        case INTEGRATION_GITLAB:
+            teams = await getTeamsGitLab({
+                accessToken
+            });
+            break;
    }
    
-    
    return teams;
 }

@ -63,30 +56,24 @@ const getTeamsGitLab = async ({
    accessToken: string;
 }) => {
    let teams: Team[] = [];
-    try {
-        const res = (await request.get(
-            `${INTEGRATION_GITLAB_API_URL}/v4/groups`,
-            {
-                headers: {
-                Authorization: `Bearer ${accessToken}`,
-                "Accept-Encoding": "application/json"
-                }
+    const res = (await standardRequest.get(
+        `${INTEGRATION_GITLAB_API_URL}/v4/groups`,
+        {
+            headers: {
+            Authorization: `Bearer ${accessToken}`,
+            "Accept-Encoding": "application/json"
            }
-        )).data; 
-    
-      teams = res.map((t: any) => ({
-        name: t.name,
-        teamId: t.id
-      }));
-    } catch (err) {
-        Sentry.setUser(null);
-        Sentry.captureException(err);
-        throw new Error("Failed to get GitLab integration teams");
-    }
+        }
+    )).data; 
+
+    teams = res.map((t: any) => ({
+      name: t.name,
+      teamId: t.id
+    }));
    
    return teams;
 }

 export {
    getTeams
-}
+}
--- a/backend/src/interfaces/middleware/index.ts
+++ b/backend/src/interfaces/middleware/index.ts
@ -0,0 +1,13 @@
+import {
+    IUser,
+    IServiceAccount,
+    IServiceTokenData
+} from '../../models';
+
+export interface AuthData {
+    authMode: string;
+    authPayload: IUser | IServiceAccount | IServiceTokenData;
+    authChannel: string;
+    authIP: string;
+    authUserAgent: string;
+}
--- a/backend/src/interfaces/services/SecretService/index.ts
+++ b/backend/src/interfaces/services/SecretService/index.ts
@ -0,0 +1,52 @@
+import { Types } from 'mongoose';
+import { AuthData } from '../../middleware';
+
+export interface CreateSecretParams {
+    secretName: string;
+    workspaceId: Types.ObjectId;
+    environment: string;
+    type: 'shared' | 'personal';
+    authData: AuthData;
+    secretKeyCiphertext: string;
+    secretKeyIV: string;
+    secretKeyTag: string;
+    secretValueCiphertext: string;
+    secretValueIV: string;
+    secretValueTag: string;
+    secretCommentCiphertext?: string;
+    secretCommentIV?: string;
+    secretCommentTag?: string;
+}
+
+export interface GetSecretsParams {
+    workspaceId: Types.ObjectId;
+    environment: string;
+    authData: AuthData;
+}
+
+export interface GetSecretParams {
+    secretName: string;
+    workspaceId: Types.ObjectId;
+    environment: string;
+    type?: 'shared' | 'personal';
+    authData: AuthData;
+}
+
+export interface UpdateSecretParams {
+    secretName: string;
+    workspaceId: Types.ObjectId;
+    environment: string;
+    type: 'shared' | 'personal',
+    authData: AuthData
+    secretValueCiphertext: string;
+    secretValueIV: string;
+    secretValueTag: string;
+}
+
+export interface DeleteSecretParams {
+    secretName: string;
+    workspaceId: Types.ObjectId;
+    environment: string;
+    type: 'shared' | 'personal';
+    authData: AuthData;
+}
--- a/backend/src/interfaces/utils/crypto.ts
+++ b/backend/src/interfaces/utils/crypto.ts
@ -0,0 +1,41 @@
+export interface IGenerateKeyPairOutput {
+    publicKey: string;
+    privateKey: string
+}
+
+export interface IEncryptAsymmetricInput {
+    plaintext: string;
+    publicKey: string;
+    privateKey: string;
+}
+
+export interface IEncryptAsymmetricOutput {
+    ciphertext: string;
+    nonce: string;
+}
+
+export interface IDecryptAsymmetricInput {
+    ciphertext: string;
+    nonce: string;
+    publicKey: string;
+    privateKey: string;
+}
+
+export interface IEncryptSymmetricInput {
+    plaintext: string;
+    key: string;
+}
+
+export interface IEncryptSymmetricOutput {
+    ciphertext: string;
+    iv: string;
+    tag: string;
+}
+
+export interface IDecryptSymmetricInput {
+    ciphertext: string;
+    iv: string;
+    tag: string;
+    key: string;
+}
+
--- a/backend/src/interfaces/utils/index.ts
+++ b/backend/src/interfaces/utils/index.ts
@ -0,0 +1 @@
+export * from './crypto';
--- a/backend/src/middleware/requestErrorHandler.ts
+++ b/backend/src/middleware/requestErrorHandler.ts
@ -5,18 +5,13 @@ import { getLogger } from "../utils/logger";
 import RequestError, { LogLevel } from "../utils/requestError";
 import { getNodeEnv } from '../config';

-export const requestErrorHandler: ErrorRequestHandler = (error: RequestError | Error, req, res, next) => {
+export const requestErrorHandler: ErrorRequestHandler = async (error: RequestError | Error, req, res, next) => {
    if (res.headersSent) return next();
-    if (getNodeEnv() !== "production") {
-        /* eslint-disable no-console */
-        console.log(error)
-        /* eslint-enable no-console */
-    }

    //TODO: Find better way to type check for error. In current setting you need to cast type to get the functions and variables from RequestError
    if (!(error instanceof RequestError)) {
-        error = InternalServerError({ context: { exception: error.message }, stack: error.stack })
-        getLogger('backend-main').log((<RequestError>error).levelName.toLowerCase(), (<RequestError>error).message)
+        error = InternalServerError({ context: { exception: error.message }, stack: error.stack });
+        (await getLogger('backend-main')).log((<RequestError>error).levelName.toLowerCase(), (<RequestError>error).message)
    }

    //* Set Sentry user identification if req.user is populated
--- a/backend/src/middleware/requireAuth.ts
+++ b/backend/src/middleware/requireAuth.ts
@ -7,9 +7,6 @@ import {
 	getAuthAPIKeyPayload,
 	getAuthSAAKPayload
 } from '../helpers/auth';
-import { 
-	UnauthorizedRequestError
-} from '../utils/errors';
 import {
 	IUser,
 	IServiceAccount,
@ -21,6 +18,7 @@ import {
 	AUTH_MODE_SERVICE_TOKEN,
 	AUTH_MODE_API_KEY
 } from '../variables';
+import { getChannelFromUserAgent } from '../utils/posthog';

 declare module 'jsonwebtoken' {
 	export interface UserIDJwtPayload extends jwt.JwtPayload {
@ -47,6 +45,7 @@ const requireAuth = ({
 		
 		// validate auth token against accepted auth modes [acceptedAuthModes]
 		// and return token type [authTokenType] and value [authTokenValue]
+		
 		const { authMode, authTokenValue } = validateAuthMode({
 			headers: req.headers,
 			acceptedAuthModes
@ -88,7 +87,10 @@ const requireAuth = ({
 		
 		req.authData = {
 			authMode,
-			authPayload // User, ServiceAccount, ServiceTokenData
+			authPayload, // User, ServiceAccount, ServiceTokenData
+			authChannel: getChannelFromUserAgent(req.headers['user-agent']),
+			authIP: req.ip,
+			authUserAgent: req.headers['user-agent'] ?? 'other'
 		}
 		
 		return next();
--- a/backend/src/middleware/requireBotAuth.ts
+++ b/backend/src/middleware/requireBotAuth.ts
@ -1,9 +1,6 @@
 import { Request, Response, NextFunction } from 'express';
 import { Types } from 'mongoose';
-import { Bot } from '../models';
-import { validateMembership } from '../helpers/membership';
-import { validateClientForBot } from '../helpers/bot';
-import { AccountNotFoundError } from '../utils/errors';
+import { validateClientForBot } from '../validation';

 type req = 'params' | 'body' | 'query';

--- a/backend/src/middleware/requireIntegrationAuth.ts
+++ b/backend/src/middleware/requireIntegrationAuth.ts
@ -1,10 +1,6 @@
 import { Request, Response, NextFunction } from 'express';
 import { Types } from 'mongoose';
-import { Integration, IntegrationAuth } from '../models';
-import { IntegrationService } from '../services';
-import { validateMembership } from '../helpers/membership';
-import { validateClientForIntegration } from '../helpers/integration';
-import { IntegrationNotFoundError, UnauthorizedRequestError } from '../utils/errors';
+import { validateClientForIntegration } from '../validation';

 /**
 * Validate if user on request is a member of workspace with proper roles associated
--- a/backend/src/middleware/requireIntegrationAuthorizationAuth.ts
+++ b/backend/src/middleware/requireIntegrationAuthorizationAuth.ts
@ -1,11 +1,6 @@
-import * as Sentry from '@sentry/node';
 import { Types } from 'mongoose';
 import { Request, Response, NextFunction } from 'express';
-import { IntegrationAuth, IWorkspace } from '../models';
-import { IntegrationService } from '../services';
-import { validateClientForIntegrationAuth } from '../helpers/integrationAuth';
-import { validateMembership } from '../helpers/membership';
-import { UnauthorizedRequestError } from '../utils/errors';
+import { validateClientForIntegrationAuth } from '../validation';

 type req = 'params' | 'body' | 'query';

--- a/backend/src/middleware/requireMembershipAuth.ts
+++ b/backend/src/middleware/requireMembershipAuth.ts
@ -1,13 +1,6 @@
 import { Types } from 'mongoose';
 import { Request, Response, NextFunction } from 'express';
-import { UnauthorizedRequestError } from '../utils/errors';
-import {
-    Membership,
-} from '../models';
-import {
-    validateClientForMembership,
-    validateMembership
-} from '../helpers/membership';
+import { validateClientForMembership } from '../validation';

 type req = 'params' | 'body' | 'query';

--- a/backend/src/middleware/requireMembershipOrgAuth.ts
+++ b/backend/src/middleware/requireMembershipOrgAuth.ts
@ -1,16 +1,6 @@
 import { Types } from 'mongoose';
 import { Request, Response, NextFunction } from 'express';
-import { UnauthorizedRequestError } from '../utils/errors';
-import {
-    MembershipOrg
-} from '../models';
-import { 
-    validateClientForMembershipOrg,
-    validateMembershipOrg
-} from '../helpers/membershipOrg';
-
-
-// TODO: transform
+import { validateClientForMembershipOrg } from '../validation';

 type req = 'params' | 'body' | 'query';

--- a/backend/src/middleware/requireMfaAuth.ts
+++ b/backend/src/middleware/requireMfaAuth.ts
@ -26,7 +26,7 @@ const requireMfaAuth = async (
 	if(AUTH_TOKEN_VALUE === null) return next(BadRequestError({message: 'Missing Authorization Body in the request header'}))
 	
 	const decodedToken = <jwt.UserIDJwtPayload>(
-		jwt.verify(AUTH_TOKEN_VALUE, getJwtMfaSecret())
+		jwt.verify(AUTH_TOKEN_VALUE, await getJwtMfaSecret())
 	);

 	const user = await User.findOne({
--- a/backend/src/middleware/requireOrganizationAuth.ts
+++ b/backend/src/middleware/requireOrganizationAuth.ts
@ -1,9 +1,6 @@
 import { Request, Response, NextFunction } from 'express';
 import { Types } from 'mongoose';
-import { IOrganization, MembershipOrg } from '../models';
-import { UnauthorizedRequestError, ValidationError } from '../utils/errors';
-import { validateMembershipOrg } from '../helpers/membershipOrg';
-import { validateClientForOrganization } from '../helpers/organization';
+import { validateClientForOrganization } from '../validation';

 type req = 'params' | 'body' | 'query';

--- a/backend/src/middleware/requireSecretAuth.ts
+++ b/backend/src/middleware/requireSecretAuth.ts
@ -1,13 +1,6 @@
 import { Request, Response, NextFunction } from 'express';
 import { Types } from 'mongoose';
-import { UnauthorizedRequestError, SecretNotFoundError } from '../utils/errors';
-import { Secret } from '../models';
-import {
-    validateMembership
-} from '../helpers/membership';
-import {
-    validateClientForSecret
-} from '../helpers/secrets';
+import { validateClientForSecret } from '../validation';

 // note: used for old /v1/secret and /v2/secret routes.
 // newer /v2/secrets routes use [requireSecretsAuth] middleware with the exception
--- a/backend/src/middleware/requireSecretsAuth.ts
+++ b/backend/src/middleware/requireSecretsAuth.ts
@ -1,8 +1,6 @@
 import { Request, Response, NextFunction } from 'express';
 import { Types } from 'mongoose';
-import { UnauthorizedRequestError } from '../utils/errors';
-import { Secret, Membership } from '../models';
-import { validateClientForSecrets } from '../helpers/secrets';
+import { validateClientForSecrets } from '../validation';

 const requireSecretsAuth = ({
    acceptedRoles,
--- a/Show More
+++ b/Show More
				`@ -0,0 +1 @@`
				`.github/resources/docker-compose.be-test.yml:generic-api-key:16`