Merge remote-tracking branch 'origin' into dependabot/npm_and_yarn/frontend/babel/traverse-and-babel/traverse-and-storybook/addon-essentials-and-storybook/csf-tools-and-storybook-7.23.2

7 months ago · d1a26766ca
parent a2c1a17222 32882848ba
commit d1a26766ca
137 changed files with 6973 additions and 3397 deletions
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
--- a/backend/package.json
+++ b/backend/package.json
@ -6,11 +6,12 @@
    "@godaddy/terminus": "^4.12.0",
    "@node-saml/passport-saml": "^4.0.4",
    "@octokit/rest": "^19.0.5",
-    "@sentry/node": "^7.49.0",
+    "@sentry/node": "^7.77.0",
    "@sentry/tracing": "^7.48.0",
    "@types/crypto-js": "^4.1.1",
    "@types/libsodium-wrappers": "^0.7.10",
    "@ucast/mongo2js": "^1.3.4",
+    "ajv": "^8.12.0",
    "argon2": "^0.30.3",
    "aws-sdk": "^2.1364.0",
    "axios": "^1.3.5",
@ -29,12 +30,14 @@
    "helmet": "^5.1.1",
    "infisical-node": "^1.2.1",
    "ioredis": "^5.3.2",
+    "jmespath": "^0.16.0",
    "js-yaml": "^4.1.0",
    "jsonwebtoken": "^9.0.0",
    "jsrp": "^0.2.4",
    "libsodium-wrappers": "^0.7.10",
    "lodash": "^4.17.21",
    "mongoose": "^7.4.1",
+    "mysql2": "^3.6.2",
    "nanoid": "^3.3.6",
    "node-cache": "^5.1.2",
    "nodemailer": "^6.8.0",
@ -42,6 +45,9 @@
    "passport-github": "^1.1.0",
    "passport-gitlab2": "^5.0.0",
    "passport-google-oauth20": "^2.0.0",
+    "pino": "^8.16.1",
+    "pino-http": "^8.5.1",
+    "pg": "^8.11.3",
    "posthog-node": "^2.6.0",
    "probot": "^12.3.1",
    "query-string": "^7.1.3",
@ -52,8 +58,6 @@
    "tweetnacl-util": "^0.15.1",
    "typescript": "^4.9.3",
    "utility-types": "^3.10.0",
-    "winston": "^3.8.2",
-    "winston-loki": "^6.0.6",
    "zod": "^3.22.3"
  },
  "overrides": {
@ -66,7 +70,7 @@
  "main": "src/index.js",
  "scripts": {
    "start": "node build/index.js",
-    "dev": "nodemon",
+    "dev": "nodemon index.js | pino-pretty --colorize",
    "swagger-autogen": "node ./swagger/index.ts",
    "build": "rimraf ./build && tsc && cp -R ./src/templates ./build && cp -R ./src/data ./build",
    "lint": "eslint . --ext .ts",
@ -98,12 +102,15 @@
    "@types/cors": "^2.8.12",
    "@types/express": "^4.17.14",
    "@types/jest": "^29.5.0",
+    "@types/jmespath": "^0.15.1",
    "@types/jsonwebtoken": "^8.5.9",
    "@types/lodash": "^4.14.191",
    "@types/node": "^18.11.3",
    "@types/nodemailer": "^6.4.6",
    "@types/passport": "^1.0.12",
+    "@types/pg": "^8.10.7",
    "@types/picomatch": "^2.3.0",
+    "@types/pino": "^7.0.5",
    "@types/supertest": "^2.0.12",
    "@types/swagger-jsdoc": "^6.0.1",
    "@types/swagger-ui-express": "^4.1.3",
@ -117,6 +124,7 @@
    "jest-junit": "^15.0.0",
    "nodemon": "^2.0.19",
    "npm": "^8.19.3",
+    "pino-pretty": "^10.2.3",
    "smee-client": "^1.2.3",
    "supertest": "^6.3.3",
    "swagger-autogen": "^2.23.5",
--- a/backend/src/config/index.ts
+++ b/backend/src/config/index.ts
@ -24,7 +24,6 @@ export const getJwtRefreshLifetime = async () => (await client.getSecret("JWT_RE
 export const getJwtServiceSecret = async () => (await client.getSecret("JWT_SERVICE_SECRET")).secretValue; // TODO: deprecate (related to ST V1)
 export const getJwtSignupLifetime = async () => (await client.getSecret("JWT_SIGNUP_LIFETIME")).secretValue || "15m";
 export const getJwtProviderAuthLifetime = async () => (await client.getSecret("JWT_PROVIDER_AUTH_LIFETIME")).secretValue || "15m";
-export const getJwtServiceTokenSecret = async () => (await client.getSecret("JWT_SERVICE_TOKEN_SECRET")).secretValue;
 export const getMongoURL = async () => (await client.getSecret("MONGO_URL")).secretValue;
 export const getNodeEnv = async () => (await client.getSecret("NODE_ENV")).secretValue || "production";
 export const getVerboseErrorOutput = async () => (await client.getSecret("VERBOSE_ERROR_OUTPUT")).secretValue === "true" && true;
--- a/backend/src/controllers/v1/authController.ts
+++ b/backend/src/controllers/v1/authController.ts
@ -24,10 +24,18 @@ import { validateRequest } from "../../helpers/validation";
 import * as reqValidator from "../../validation/auth";

 declare module "jsonwebtoken" {
+  export interface AuthnJwtPayload extends jwt.JwtPayload {
+    authTokenType: AuthTokenType;
+  }
  export interface UserIDJwtPayload extends jwt.JwtPayload {
    userId: string;
    refreshVersion?: number;
  }
+  export interface ServiceRefreshTokenJwtPayload extends jwt.JwtPayload {
+    serviceTokenDataId: string;
+    authTokenType: string;
+    tokenVersion: number;
+  }
 }

 /**
--- a/backend/src/controllers/v1/integrationAuthController.ts
+++ b/backend/src/controllers/v1/integrationAuthController.ts
@ -10,6 +10,7 @@ import {
  ALGORITHM_AES_256_GCM,
  ENCODING_SCHEME_UTF8,
  INTEGRATION_BITBUCKET_API_URL,
+  INTEGRATION_CHECKLY_API_URL,
  INTEGRATION_GCP_SECRET_MANAGER,
  INTEGRATION_NORTHFLANK_API_URL,
  INTEGRATION_QOVERY_API_URL,
@ -344,6 +345,59 @@ export const getIntegrationAuthVercelBranches = async (req: Request, res: Respon
  });
 };

+/**
+ * Return list of Checkly groups for a specific user
+ * @param req
+ * @param res
+ */
+export const getIntegrationAuthChecklyGroups = async (req: Request, res: Response) => {
+  const {
+    params: { integrationAuthId },
+    query: { accountId }
+  } = await validateRequest(reqValidator.GetIntegrationAuthChecklyGroupsV1, req);
+  
+  const { integrationAuth, accessToken } = await getIntegrationAuthAccessHelper({
+    integrationAuthId: new Types.ObjectId(integrationAuthId)
+  });
+
+  const { permission } = await getUserProjectPermissions(
+    req.user._id,
+    integrationAuth.workspace.toString()
+  );
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Read,
+    ProjectPermissionSub.Integrations
+  );
+
+  interface ChecklyGroup {
+    id: number;
+    name: string;
+  }
+  
+  if (accountId && accountId !== "") {
+    const { data }: { data: ChecklyGroup[] } = (
+      await standardRequest.get(`${INTEGRATION_CHECKLY_API_URL}/v1/check-groups`, {
+          headers: {
+              Authorization: `Bearer ${accessToken}`,
+              Accept: "application/json",
+              "X-Checkly-Account": accountId
+          }
+      })
+    );
+    
+    return res.status(200).send({
+      groups: data.map((g: ChecklyGroup) => ({
+        name: g.name,
+        groupId: g.id,
+      }))
+    });
+  }
+
+  return res.status(200).send({
+    groups: []
+  });
+}
+
 /**
 * Return list of Qovery Orgs for a specific user
 * @param req
--- a/backend/src/controllers/v3/secretsController.ts
+++ b/backend/src/controllers/v3/secretsController.ts
@ -140,7 +140,7 @@ export const getSecretsRaw = async (req: Request, res: Response) => {
    query: { secretPath, environment, workspaceId }
  } = validatedData;
  const {
-    query: { folderId, include_imports: includeImports }
+    query: { include_imports: includeImports }
  } = validatedData;

  // if the service token has single scope, it will get all secrets for that scope by default
@ -156,13 +156,6 @@ export const getSecretsRaw = async (req: Request, res: Response) => {
    workspaceId = serviceTokenDetails.workspace.toString();
  }

-  if (folderId && folderId !== "root") {
-    const folder = await Folder.findOne({ workspace: workspaceId, environment });
-    if (!folder) throw BadRequestError({ message: "Folder not found" });
-
-    secretPath = getFolderWithPathFromId(folder.nodes, folderId).folderPath;
-  }
-
  if (!environment || !workspaceId)
    throw BadRequestError({ message: "Missing environment or workspace id" });

@ -177,7 +170,6 @@ export const getSecretsRaw = async (req: Request, res: Response) => {
  const secrets = await SecretService.getSecrets({
    workspaceId: new Types.ObjectId(workspaceId),
    environment,
-    folderId,
    secretPath,
    authData: req.authData
  });
@ -467,20 +459,13 @@ export const deleteSecretByNameRaw = async (req: Request, res: Response) => {
 export const getSecrets = async (req: Request, res: Response) => {
  const validatedData = await validateRequest(reqValidator.GetSecretsV3, req);
  const {
-    query: { environment, workspaceId, include_imports: includeImports, folderId }
+    query: { environment, workspaceId, include_imports: includeImports }
  } = validatedData;

  let {
    query: { secretPath }
  } = validatedData;

-  if (folderId && folderId !== "root") {
-    const folder = await Folder.findOne({ workspace: workspaceId, environment });
-    if (!folder) return res.send({ secrets: [] });
-
-    secretPath = getFolderWithPathFromId(folder.nodes, folderId).folderPath;
-  }
-
  const { authVerifier: permissionCheckFn } = await checkSecretsPermission({
    authData: req.authData,
    workspaceId,
@ -492,7 +477,6 @@ export const getSecrets = async (req: Request, res: Response) => {
  const secrets = await SecretService.getSecrets({
    workspaceId: new Types.ObjectId(workspaceId),
    environment,
-    folderId,
    secretPath,
    authData: req.authData
  });
@ -875,6 +859,14 @@ export const createSecretByNameBatch = async (req: Request, res: Response) => {
    authData: req.authData
  });

+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+      secretPath
+    })
+  });
+
  return res.status(200).send({
    secrets: createdSecrets
  });
@ -919,6 +911,14 @@ export const updateSecretByNameBatch = async (req: Request, res: Response) => {
    authData: req.authData
  });

+  await EventService.handleEvent({
+    event: eventPushSecrets({
+      workspaceId: new Types.ObjectId(workspaceId),
+      environment,
+      secretPath
+    })
+  });
+
  return res.status(200).send({
    secrets: updatedSecrets
  });
--- a/backend/src/ee/controllers/v1/index.ts
+++ b/backend/src/ee/controllers/v1/index.ts
@ -10,6 +10,8 @@ import * as cloudProductsController from "./cloudProductsController";
 import * as roleController from "./roleController";
 import * as secretApprovalPolicyController from "./secretApprovalPolicyController";
 import * as secretApprovalRequestController from "./secretApprovalRequestsController";
+import * as secretRotationProviderController from "./secretRotationProviderController";
+import * as secretRotationController from "./secretRotationController";

 export {
  secretController,
@ -23,5 +25,7 @@ export {
  cloudProductsController,
  roleController,
  secretApprovalPolicyController,
-  secretApprovalRequestController
+  secretApprovalRequestController,
+  secretRotationProviderController,
+  secretRotationController
 };
--- a/backend/src/ee/controllers/v1/roleController.ts
+++ b/backend/src/ee/controllers/v1/roleController.ts
@ -212,12 +212,13 @@ export const getUserPermissions = async (req: Request, res: Response) => {
  const {
    params: { orgId }
  } = await validateRequest(GetUserPermission, req);
-  
-  const { permission } = await getUserOrgPermissions(req.user._id, orgId);
+
+  const { permission, membership } = await getUserOrgPermissions(req.user._id, orgId);

  res.status(200).json({
    data: {
-      permissions: packRules(permission.rules)
+      permissions: packRules(permission.rules),
+      membership
    }
  });
 };
@ -226,11 +227,12 @@ export const getUserWorkspacePermissions = async (req: Request, res: Response) =
  const {
    params: { workspaceId }
  } = await validateRequest(GetUserProjectPermission, req);
-  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  const { permission, membership } = await getUserProjectPermissions(req.user._id, workspaceId);

  res.status(200).json({
    data: {
-      permissions: packRules(permission.rules)
+      permissions: packRules(permission.rules),
+      membership
    }
  });
 };
--- a/backend/src/ee/controllers/v1/secretRotationController.ts
+++ b/backend/src/ee/controllers/v1/secretRotationController.ts
@ -0,0 +1,91 @@
+import { Request, Response } from "express";
+import { validateRequest } from "../../../helpers/validation";
+import * as reqValidator from "../../validation/secretRotation";
+import * as secretRotationService from "../../secretRotation/service";
+import {
+  getUserProjectPermissions,
+  ProjectPermissionActions,
+  ProjectPermissionSub
+} from "../../services/ProjectRoleService";
+import { ForbiddenError } from "@casl/ability";
+
+export const createSecretRotation = async (req: Request, res: Response) => {
+  const {
+    body: {
+      provider,
+      customProvider,
+      interval,
+      outputs,
+      secretPath,
+      environment,
+      workspaceId,
+      inputs
+    }
+  } = await validateRequest(reqValidator.createSecretRotationV1, req);
+
+  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Create,
+    ProjectPermissionSub.SecretRotation
+  );
+
+  const secretRotation = await secretRotationService.createSecretRotation({
+    workspaceId,
+    inputs,
+    environment,
+    secretPath,
+    outputs,
+    interval,
+    customProvider,
+    provider
+  });
+
+  return res.send({ secretRotation });
+};
+
+export const restartSecretRotations = async (req: Request, res: Response) => {
+  const {
+    body: { id }
+  } = await validateRequest(reqValidator.restartSecretRotationV1, req);
+
+  const doc = await secretRotationService.getSecretRotationById({ id });
+  const { permission } = await getUserProjectPermissions(req.user._id, doc.workspace.toString());
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Edit,
+    ProjectPermissionSub.SecretRotation
+  );
+
+  const secretRotation = await secretRotationService.restartSecretRotation({ id });
+  return res.send({ secretRotation });
+};
+
+export const deleteSecretRotations = async (req: Request, res: Response) => {
+  const {
+    params: { id }
+  } = await validateRequest(reqValidator.removeSecretRotationV1, req);
+
+  const doc = await secretRotationService.getSecretRotationById({ id });
+  const { permission } = await getUserProjectPermissions(req.user._id, doc.workspace.toString());
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Delete,
+    ProjectPermissionSub.SecretRotation
+  );
+
+  const secretRotations = await secretRotationService.deleteSecretRotation({ id });
+  return res.send({ secretRotations });
+};
+
+export const getSecretRotations = async (req: Request, res: Response) => {
+  const {
+    query: { workspaceId }
+  } = await validateRequest(reqValidator.getSecretRotationV1, req);
+
+  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Read,
+    ProjectPermissionSub.SecretRotation
+  );
+
+  const secretRotations = await secretRotationService.getSecretRotationOfWorkspace(workspaceId);
+  return res.send({ secretRotations });
+};
--- a/backend/src/ee/controllers/v1/secretRotationProviderController.ts
+++ b/backend/src/ee/controllers/v1/secretRotationProviderController.ts
@ -0,0 +1,28 @@
+import { Request, Response } from "express";
+import { validateRequest } from "../../../helpers/validation";
+import * as reqValidator from "../../validation/secretRotationProvider";
+import * as secretRotationProviderService from "../../secretRotation/service";
+import {
+  getUserProjectPermissions,
+  ProjectPermissionActions,
+  ProjectPermissionSub
+} from "../../services/ProjectRoleService";
+import { ForbiddenError } from "@casl/ability";
+
+export const getProviderTemplates = async (req: Request, res: Response) => {
+  const {
+    params: { workspaceId }
+  } = await validateRequest(reqValidator.getSecretRotationProvidersV1, req);
+
+  const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
+  ForbiddenError.from(permission).throwUnlessCan(
+    ProjectPermissionActions.Read,
+    ProjectPermissionSub.SecretRotation
+  );
+
+  const rotationProviderList = await secretRotationProviderService.getProviderTemplate({
+    workspaceId
+  });
+
+  return res.send(rotationProviderList);
+};
--- a/backend/src/ee/controllers/v3/serviceTokenDataController.ts
+++ b/backend/src/ee/controllers/v3/serviceTokenDataController.ts
@ -1,3 +1,4 @@
+import jwt from "jsonwebtoken";
 import { Request, Response } from "express";
 import { Types } from "mongoose";
 import { 
@ -24,10 +25,11 @@ import {
  getUserProjectPermissions
 } from "../../services/ProjectRoleService";
 import { ForbiddenError } from "@casl/ability"; 
-import { BadRequestError, ResourceNotFoundError } from "../../../utils/errors";
+import { BadRequestError, ResourceNotFoundError, UnauthorizedRequestError } from "../../../utils/errors";
 import { extractIPDetails, isValidIpOrCidr } from "../../../utils/ip";
 import { EEAuditLogService, EELicenseService } from "../../services";
-import { getJwtServiceTokenSecret } from "../../../config";
+import { getAuthSecret } from "../../../config";
+import { AuthTokenType } from "../../../variables";

 /**
 * Return project key for service token V3
@ -56,6 +58,99 @@ export const getServiceTokenDataKey = async (req: Request, res: Response) => {
    });
 }

+/**
+ * Return access and refresh token as per refresh operation
+ * @param req 
+ * @param res 
+ */
+ export const refreshToken = async (req: Request, res: Response) => {
+    const {
+        body: {
+            refresh_token
+        }
+    } = await validateRequest(reqValidator.RefreshTokenV3, req);
+
+    const decodedToken = <jwt.ServiceRefreshTokenJwtPayload>(
+		jwt.verify(refresh_token, await getAuthSecret())
+	);
+    
+    if (decodedToken.authTokenType !== AuthTokenType.SERVICE_REFRESH_TOKEN) throw UnauthorizedRequestError();
+    
+    let serviceTokenData = await ServiceTokenDataV3.findOne({
+        _id: new Types.ObjectId(decodedToken.serviceTokenDataId),
+        isActive: true
+    });
+    
+    if (!serviceTokenData) throw UnauthorizedRequestError();
+
+    if (decodedToken.tokenVersion !== serviceTokenData.tokenVersion) {
+        // raise alarm
+        throw UnauthorizedRequestError();
+    }
+    
+    const response: {
+        refresh_token?: string;
+        access_token: string;
+        expires_in: number;
+        token_type: string;
+    } = {
+        refresh_token,
+        access_token: "",
+        expires_in: 0,
+        token_type: "Bearer"
+    };
+
+    if (serviceTokenData.isRefreshTokenRotationEnabled) {
+        serviceTokenData = await ServiceTokenDataV3.findByIdAndUpdate(
+            serviceTokenData._id,
+            {
+                $inc: {
+                    tokenVersion: 1
+                }
+            },
+            {
+                new: true
+            }
+        );
+        
+        if (!serviceTokenData) throw BadRequestError();
+        
+        response.refresh_token = createToken({
+            payload: {
+                serviceTokenDataId: serviceTokenData._id.toString(),
+                authTokenType: AuthTokenType.SERVICE_REFRESH_TOKEN,
+                tokenVersion: serviceTokenData.tokenVersion
+            },
+            secret: await getAuthSecret()
+        });
+    }
+
+    response.access_token = createToken({
+        payload: {
+            serviceTokenDataId: serviceTokenData._id.toString(),
+            authTokenType: AuthTokenType.SERVICE_ACCESS_TOKEN,
+            tokenVersion: serviceTokenData.tokenVersion
+        },
+        expiresIn: serviceTokenData.accessTokenTTL,
+        secret: await getAuthSecret()
+    });
+
+    response.expires_in = serviceTokenData.accessTokenTTL;
+
+    await ServiceTokenDataV3.findByIdAndUpdate(
+        serviceTokenData._id,
+        {
+            refreshTokenLastUsed: new Date(),
+            $inc: { refreshTokenUsageCount: 1 }
+        },
+        {
+            new: true
+        }
+    );
+    
+    return res.status(200).send(response);
+}
+
 /**
 * Create service token data V3
 * @param req 
@ -71,8 +166,10 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
            scopes,
            trustedIps,
            expiresIn, 
+            accessTokenTTL,
+            isRefreshTokenRotationEnabled,
            encryptedKey, // for ServiceTokenDataV3Key
-            nonce // for ServiceTokenDataV3Key
+            nonce, // for ServiceTokenDataV3Key
        }
    } = await validateRequest(reqValidator.CreateServiceTokenV3, req);
    const { permission } = await getUserProjectPermissions(req.user._id, workspaceId);
@ -118,11 +215,15 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
        user,
        workspace: new Types.ObjectId(workspaceId),
        publicKey,
-        usageCount: 0,
+        refreshTokenUsageCount: 0,
+        accessTokenUsageCount: 0,
+        tokenVersion: 1,
        trustedIps: reformattedTrustedIps,
        scopes,
        isActive,
-        expiresAt
+        expiresAt,
+        accessTokenTTL,
+        isRefreshTokenRotationEnabled
    }).save();
    
    await new ServiceTokenDataV3Key({
@ -133,18 +234,19 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
        workspace: new Types.ObjectId(workspaceId)
    }).save();
    
-    const token = createToken({
+    const refreshToken = createToken({
        payload: {
-            _id: serviceTokenData._id.toString()
+            serviceTokenDataId: serviceTokenData._id.toString(),
+            authTokenType: AuthTokenType.SERVICE_REFRESH_TOKEN,
+            tokenVersion: serviceTokenData.tokenVersion
        },
-        expiresIn,
-        secret: await getJwtServiceTokenSecret()
+        secret: await getAuthSecret()
    });
    
    await EEAuditLogService.createAuditLog(
        req.authData,
        {
-            type: EventType.CREATE_SERVICE_TOKEN_V3,
+            type: EventType.CREATE_SERVICE_TOKEN_V3, // TODO: update
            metadata: {
                name,
                isActive,
@ -160,7 +262,7 @@ export const createServiceTokenData = async (req: Request, res: Response) => {
    
    return res.status(200).send({
        serviceTokenData,
-        serviceToken: `stv3.${token}`
+        refreshToken
    });
 }

@ -178,7 +280,9 @@ export const updateServiceTokenData = async (req: Request, res: Response) => {
            isActive,
            scopes,
            trustedIps,
-            expiresIn
+            expiresIn,
+            accessTokenTTL,
+            isRefreshTokenRotationEnabled
        }
    } = await validateRequest(reqValidator.UpdateServiceTokenV3, req);

@ -233,13 +337,15 @@ export const updateServiceTokenData = async (req: Request, res: Response) => {
            isActive,
            scopes,
            trustedIps: reformattedTrustedIps,
-            expiresAt
+            expiresAt,
+            accessTokenTTL,
+            isRefreshTokenRotationEnabled
        },
        {
            new: true
        }
    );
-    
+
    if (!serviceTokenData) throw BadRequestError({
        message: "Failed to update service token"
    });
--- a/backend/src/ee/models/auditLog/enums.ts
+++ b/backend/src/ee/models/auditLog/enums.ts
@ -1,7 +1,8 @@
 export enum ActorType {
-    USER = "user",
-    SERVICE = "service",
-    SERVICE_V3 = "service-v3"
+  USER = "user",
+  SERVICE = "service",
+  SERVICE_V3 = "service-v3",
+  Machine = "machine"
 }

 export enum UserAgentType {
--- a/backend/src/ee/models/auditLog/types.ts
+++ b/backend/src/ee/models/auditLog/types.ts
@ -1,11 +1,5 @@
-import {
-    ActorType,
-    EventType
-} from "./enums";
-import {
-  IServiceTokenV3Scope,
-  IServiceTokenV3TrustedIp
-} from "../../../models/serviceTokenDataV3";
+import { ActorType, EventType } from "./enums";
+import { IServiceTokenV3Scope, IServiceTokenV3TrustedIp } from "../../../models/serviceTokenDataV3";

 interface UserActorMetadata {
  userId: string;
@ -28,14 +22,15 @@ export interface ServiceActor {
 }

 export interface ServiceActorV3 {
-    type: ActorType.SERVICE_V3;
-    metadata: ServiceActorMetadata;
+  type: ActorType.SERVICE_V3;
+  metadata: ServiceActorMetadata;
+}
+
+export interface MachineActor {
+  type: ActorType.Machine;
 }

-export type Actor = 
-    | UserActor
-    | ServiceActor
-    | ServiceActorV3;
+export type Actor = UserActor | ServiceActor | ServiceActorV3 | MachineActor;

 interface GetSecretsEvent {
  type: EventType.GET_SECRETS;
@ -226,36 +221,36 @@ interface DeleteServiceTokenEvent {
 }

 interface CreateServiceTokenV3Event {
-    type: EventType.CREATE_SERVICE_TOKEN_V3;
-    metadata: {
-        name: string;
-        isActive: boolean;
-        scopes: Array<IServiceTokenV3Scope>;
-        trustedIps: Array<IServiceTokenV3TrustedIp>;
-        expiresAt?: Date;
-    }
+  type: EventType.CREATE_SERVICE_TOKEN_V3;
+  metadata: {
+    name: string;
+    isActive: boolean;
+    scopes: Array<IServiceTokenV3Scope>;
+    trustedIps: Array<IServiceTokenV3TrustedIp>;
+    expiresAt?: Date;
+  };
 }

 interface UpdateServiceTokenV3Event {
-    type: EventType.UPDATE_SERVICE_TOKEN_V3;
-    metadata: {
-        name?: string;
-        isActive?: boolean;
-        scopes?: Array<IServiceTokenV3Scope>;
-        trustedIps?: Array<IServiceTokenV3TrustedIp>;
-        expiresAt?: Date;
-    }
+  type: EventType.UPDATE_SERVICE_TOKEN_V3;
+  metadata: {
+    name?: string;
+    isActive?: boolean;
+    scopes?: Array<IServiceTokenV3Scope>;
+    trustedIps?: Array<IServiceTokenV3TrustedIp>;
+    expiresAt?: Date;
+  };
 }

 interface DeleteServiceTokenV3Event {
-    type: EventType.DELETE_SERVICE_TOKEN_V3;
-    metadata: {
-        name: string;
-        isActive: boolean;
-        scopes: Array<IServiceTokenV3Scope>;
-        expiresAt?: Date;
-        trustedIps: Array<IServiceTokenV3TrustedIp>;
-    }
+  type: EventType.DELETE_SERVICE_TOKEN_V3;
+  metadata: {
+    name: string;
+    isActive: boolean;
+    scopes: Array<IServiceTokenV3Scope>;
+    expiresAt?: Date;
+    trustedIps: Array<IServiceTokenV3TrustedIp>;
+  };
 }

 interface CreateEnvironmentEvent {
@ -427,15 +422,15 @@ interface UpdateUserRole {
 }

 interface UpdateUserDeniedPermissions {
-    type: EventType.UPDATE_USER_WORKSPACE_DENIED_PERMISSIONS,
-    metadata: {
-        userId: string;
-        email: string;
-        deniedPermissions: {
-            environmentSlug: string;
-            ability: string;
-        }[]
-    }
+  type: EventType.UPDATE_USER_WORKSPACE_DENIED_PERMISSIONS;
+  metadata: {
+    userId: string;
+    email: string;
+    deniedPermissions: {
+      environmentSlug: string;
+      ability: string;
+    }[];
+  };
 }
 interface SecretApprovalMerge {
  type: EventType.SECRET_APPROVAL_MERGED;
--- a/backend/src/ee/routes/v1/index.ts
+++ b/backend/src/ee/routes/v1/index.ts
@ -10,6 +10,8 @@ import secretScanning from "./secretScanning";
 import roles from "./role";
 import secretApprovalPolicy from "./secretApprovalPolicy";
 import secretApprovalRequest from "./secretApprovalRequest";
+import secretRotationProvider from "./secretRotationProvider";
+import secretRotation from "./secretRotation";

 export {
  secret,
@ -23,5 +25,7 @@ export {
  secretScanning,
  roles,
  secretApprovalPolicy,
-  secretApprovalRequest
+  secretApprovalRequest,
+  secretRotationProvider,
+  secretRotation
 };
--- a/backend/src/ee/routes/v1/secretRotation.ts
+++ b/backend/src/ee/routes/v1/secretRotation.ts
@ -0,0 +1,41 @@
+import express from "express";
+
+import { AuthMode } from "../../../variables";
+import { requireAuth } from "../../../middleware";
+import { secretRotationController } from "../../controllers/v1";
+
+const router = express.Router();
+
+router.post(
+  "/",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretRotationController.createSecretRotation
+);
+
+router.post(
+  "/restart",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretRotationController.restartSecretRotations
+);
+
+router.get(
+  "/",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretRotationController.getSecretRotations
+);
+
+router.delete(
+  "/:id",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretRotationController.deleteSecretRotations
+);
+
+export default router;
--- a/backend/src/ee/routes/v1/secretRotationProvider.ts
+++ b/backend/src/ee/routes/v1/secretRotationProvider.ts
@ -0,0 +1,17 @@
+import express from "express";
+
+import { AuthMode } from "../../../variables";
+import { requireAuth } from "../../../middleware";
+import { secretRotationProviderController } from "../../controllers/v1";
+
+const router = express.Router();
+
+router.get(
+  "/:workspaceId",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  secretRotationProviderController.getProviderTemplates
+);
+
+export default router;
--- a/backend/src/ee/routes/v3/serviceTokenData.ts
+++ b/backend/src/ee/routes/v3/serviceTokenData.ts
@ -7,11 +7,16 @@ import { serviceTokenDataController } from "../../controllers/v3";
 router.get(
  "/me/key",
  requireAuth({
-    acceptedAuthModes: [AuthMode.SERVICE_TOKEN_V3]
+    acceptedAuthModes: [AuthMode.SERVICE_ACCESS_TOKEN]
  }),
  serviceTokenDataController.getServiceTokenDataKey
 );

+router.post(
+  "/me/token",
+  serviceTokenDataController.refreshToken
+);
+
 router.post(
    "/",
    requireAuth({
--- a/backend/src/ee/secretRotation/db.ts
+++ b/backend/src/ee/secretRotation/db.ts
--- a/backend/src/ee/secretRotation/models.ts
+++ b/backend/src/ee/secretRotation/models.ts
@ -0,0 +1,91 @@
+import { Schema, model } from "mongoose";
+import {
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_BASE64,
+  ENCODING_SCHEME_UTF8
+} from "../../variables";
+import { ISecretRotation } from "./types";
+
+const secretRotationSchema = new Schema(
+  {
+    workspace: {
+      type: Schema.Types.ObjectId,
+      ref: "Workspace"
+    },
+    provider: {
+      type: String,
+      required: true
+    },
+    customProvider: {
+      type: Schema.Types.ObjectId,
+      ref: "SecretRotationProvider"
+    },
+    environment: {
+      type: String,
+      required: true
+    },
+    secretPath: {
+      type: String,
+      required: true
+    },
+    interval: {
+      type: Number,
+      required: true
+    },
+    lastRotatedAt: {
+      type: String
+    },
+    status: {
+      type: String,
+      enum: ["success", "failed"]
+    },
+    statusMessage: {
+      type: String
+    },
+    // encrypted data on input keys and secrets got
+    encryptedData: {
+      type: String,
+      select: false
+    },
+    encryptedDataIV: {
+      type: String,
+      select: false
+    },
+    encryptedDataTag: {
+      type: String,
+      select: false
+    },
+    algorithm: {
+      // the encryption algorithm used
+      type: String,
+      enum: [ALGORITHM_AES_256_GCM],
+      required: true,
+      select: false,
+      default: ALGORITHM_AES_256_GCM
+    },
+    keyEncoding: {
+      type: String,
+      enum: [ENCODING_SCHEME_UTF8, ENCODING_SCHEME_BASE64],
+      required: true,
+      select: false,
+      default: ENCODING_SCHEME_UTF8
+    },
+    outputs: [
+      {
+        key: {
+          type: String,
+          required: true
+        },
+        secret: {
+          type: Schema.Types.ObjectId,
+          ref: "Secret"
+        }
+      }
+    ]
+  },
+  {
+    timestamps: true
+  }
+);
+
+export const SecretRotation = model<ISecretRotation>("SecretRotation", secretRotationSchema);
--- a/backend/src/ee/secretRotation/queue/queue.ts
+++ b/backend/src/ee/secretRotation/queue/queue.ts
@ -0,0 +1,288 @@
+import Queue, { Job } from "bull";
+import { client, getEncryptionKey, getRootEncryptionKey } from "../../../config";
+import { BotService, EventService, TelemetryService } from "../../../services";
+import { SecretRotation } from "../models";
+import { rotationTemplates } from "../templates";
+import {
+  ISecretRotationData,
+  ISecretRotationEncData,
+  ISecretRotationProviderTemplate,
+  TProviderFunctionTypes
+} from "../types";
+import {
+  decryptSymmetric128BitHexKeyUTF8,
+  encryptSymmetric128BitHexKeyUTF8
+} from "../../../utils/crypto";
+import { ISecret, Secret } from "../../../models";
+import { ENCODING_SCHEME_BASE64, ENCODING_SCHEME_UTF8, SECRET_SHARED } from "../../../variables";
+import { EESecretService } from "../../services";
+import { SecretVersion } from "../../models";
+import { eventPushSecrets } from "../../../events";
+import { logger } from "../../../utils/logging";
+
+import {
+  secretRotationPreSetFn,
+  secretRotationRemoveFn,
+  secretRotationSetFn,
+  secretRotationTestFn
+} from "./queue.utils";
+
+const secretRotationQueue = new Queue("secret-rotation-service", process.env.REDIS_URL as string);
+
+secretRotationQueue.process(async (job: Job) => {
+  logger.info(`secretRotationQueue.process: [rotationDocument=${job.data.rotationDocId}]`);
+  const rotationStratDocId = job.data.rotationDocId;
+  const secretRotation = await SecretRotation.findById(rotationStratDocId)
+    .select("+encryptedData +encryptedDataTag +encryptedDataIV +keyEncoding")
+    .populate<{
+      outputs: [
+        {
+          key: string;
+          secret: ISecret;
+        }
+      ];
+    }>("outputs.secret");
+
+  const infisicalRotationProvider = rotationTemplates.find(
+    ({ name }) => name === secretRotation?.provider
+  );
+
+  try {
+    if (!infisicalRotationProvider || !secretRotation)
+      throw new Error("Failed to find rotation strategy");
+
+    if (secretRotation.outputs.some(({ secret }) => !secret))
+      throw new Error("Secrets not found in dashboard");
+
+    const workspaceId = secretRotation.workspace;
+
+    // deep copy
+    const provider = JSON.parse(
+      JSON.stringify(infisicalRotationProvider)
+    ) as ISecretRotationProviderTemplate;
+
+    // decrypt user  provided inputs for secret rotation
+    const encryptionKey = await getEncryptionKey();
+    const rootEncryptionKey = await getRootEncryptionKey();
+    let decryptedData = "";
+    if (rootEncryptionKey && secretRotation.keyEncoding === ENCODING_SCHEME_BASE64) {
+      // case: encoding scheme is base64
+      decryptedData = client.decryptSymmetric(
+        secretRotation.encryptedData,
+        rootEncryptionKey,
+        secretRotation.encryptedDataIV,
+        secretRotation.encryptedDataTag
+      );
+    } else if (encryptionKey && secretRotation.keyEncoding === ENCODING_SCHEME_UTF8) {
+      // case: encoding scheme is utf8
+      decryptedData = decryptSymmetric128BitHexKeyUTF8({
+        ciphertext: secretRotation.encryptedData,
+        iv: secretRotation.encryptedDataIV,
+        tag: secretRotation.encryptedDataTag,
+        key: encryptionKey
+      });
+    }
+
+    const variables = JSON.parse(decryptedData) as ISecretRotationEncData;
+
+    // rotation set cycle
+    const newCredential: ISecretRotationData = {
+      inputs: variables.inputs,
+      outputs: {},
+      internal: {}
+    };
+    // special glue code for database
+    if (provider.template.functions.set.type === TProviderFunctionTypes.DB) {
+      const lastCred = variables.creds.at(-1);
+      if (lastCred && variables.creds.length === 1) {
+        newCredential.internal.username =
+          lastCred.internal.username === variables.inputs.username1
+            ? variables.inputs.username2
+            : variables.inputs.username1;
+      } else {
+        newCredential.internal.username = lastCred
+          ? lastCred.internal.username
+          : variables.inputs.username1;
+      }
+    }
+    if (provider.template.functions.set?.pre) {
+      secretRotationPreSetFn(provider.template.functions.set.pre, newCredential);
+    }
+    await secretRotationSetFn(provider.template.functions.set, newCredential);
+    await secretRotationTestFn(provider.template.functions.test, newCredential);
+
+    if (variables.creds.length === 2) {
+      const deleteCycleCred = variables.creds.pop();
+      if (deleteCycleCred && provider.template.functions.remove) {
+        const deleteCycleVar = { inputs: variables.inputs, ...deleteCycleCred };
+        await secretRotationRemoveFn(provider.template.functions.remove, deleteCycleVar);
+      }
+    }
+    variables.creds.unshift({ outputs: newCredential.outputs, internal: newCredential.internal });
+    const { ciphertext, iv, tag } = client.encryptSymmetric(
+      JSON.stringify(variables),
+      rootEncryptionKey
+    );
+
+    // save the rotation state
+    await SecretRotation.findByIdAndUpdate(rotationStratDocId, {
+      encryptedData: ciphertext,
+      encryptedDataIV: iv,
+      encryptedDataTag: tag,
+      status: "success",
+      statusMessage: "Rotated successfully",
+      lastRotatedAt: new Date().toUTCString()
+    });
+
+    const key = await BotService.getWorkspaceKeyWithBot({
+      workspaceId: secretRotation.workspace
+    });
+
+    const encryptedSecrets = secretRotation.outputs.map(({ key: outputKey, secret }) => ({
+      secret,
+      value: encryptSymmetric128BitHexKeyUTF8({
+        plaintext:
+          typeof newCredential.outputs[outputKey] === "object"
+            ? JSON.stringify(newCredential.outputs[outputKey])
+            : String(newCredential.outputs[outputKey]),
+        key
+      })
+    }));
+
+    // now save the secret do a bulk update
+    // can't use the updateSecret function due to various parameter required issue
+    // REFACTOR(akhilmhdh): secret module should be lot more flexible. Ability to update bulk or individually by blindIndex, by id etc
+    await Secret.bulkWrite(
+      encryptedSecrets.map(({ secret, value }) => ({
+        updateOne: {
+          filter: {
+            workspace: workspaceId,
+            environment: secretRotation.environment,
+            _id: secret._id,
+            type: SECRET_SHARED
+          },
+          update: {
+            $inc: {
+              version: 1
+            },
+            secretValueCiphertext: value.ciphertext,
+            secretValueIV: value.iv,
+            secretValueTag: value.tag
+          }
+        }
+      }))
+    );
+
+    await EESecretService.addSecretVersions({
+      secretVersions: encryptedSecrets.map(({ secret, value }) => {
+        const {
+          _id,
+          version,
+          workspace,
+          type,
+          folder,
+          secretBlindIndex,
+          secretKeyIV,
+          secretKeyTag,
+          secretKeyCiphertext,
+          skipMultilineEncoding,
+          environment,
+          algorithm,
+          keyEncoding
+        } = secret;
+
+        return new SecretVersion({
+          secret: _id,
+          version: version + 1,
+          workspace: workspace,
+          type,
+          folder,
+          environment,
+          isDeleted: false,
+          secretBlindIndex: secretBlindIndex,
+          secretKeyCiphertext: secretKeyCiphertext,
+          secretKeyIV: secretKeyIV,
+          secretKeyTag: secretKeyTag,
+          secretValueCiphertext: value.ciphertext,
+          secretValueIV: value.iv,
+          secretValueTag: value.tag,
+          algorithm,
+          keyEncoding,
+          skipMultilineEncoding
+        });
+      })
+    });
+
+    // akhilmhdh: @tony need to do something about this as its depend on authData which is not possibile in here
+    // await EEAuditLogService.createAuditLog(
+    //   {actor:ActorType.Machine},
+    //   {
+    //     type: EventType.UPDATE_SECRETS,
+    //     metadata: {
+    //       environment,
+    //       secretPath,
+    //       secrets: secretsToBeUpdated.map(({ _id, version, secretBlindIndex }) => ({
+    //         secretId: _id.toString(),
+    //         secretKey: secretBlindIndexToKey[secretBlindIndex || ""],
+    //         secretVersion: version + 1
+    //       }))
+    //     }
+    //   },
+    //   {
+    //     workspaceId
+    //   }
+    // );
+
+    const folderId = encryptedSecrets?.[0]?.secret?.folder;
+    // (EE) take a secret snapshot
+    await EESecretService.takeSecretSnapshot({
+      workspaceId,
+      environment: secretRotation.environment,
+      folderId
+    });
+
+    await EventService.handleEvent({
+      event: eventPushSecrets({
+        workspaceId: secretRotation.workspace,
+        environment: secretRotation.environment,
+        secretPath: secretRotation.secretPath
+      })
+    });
+
+    const postHogClient = await TelemetryService.getPostHogClient();
+    if (postHogClient) {
+      postHogClient.capture({
+        event: "secrets rotated",
+        properties: {
+          numberOfSecrets: encryptedSecrets.length,
+          environment: secretRotation.environment,
+          workspaceId,
+          folderId
+        }
+      });
+    }
+  } catch (err) {
+    logger.error(err);
+    await SecretRotation.findByIdAndUpdate(rotationStratDocId, {
+      status: "failed",
+      statusMessage: (err as Error).message,
+      lastRotatedAt: new Date().toUTCString()
+    });
+  }
+
+  return Promise.resolve();
+});
+
+const daysToMillisecond = (days: number) => days * 24 * 60 * 60 * 1000;
+export const startSecretRotationQueue = async (rotationDocId: string, interval: number) => {
+  // when migration to bull mq just use the option immedite to trigger repeatable immediately
+  secretRotationQueue.add({ rotationDocId }, { jobId: rotationDocId, removeOnComplete: true });
+  return secretRotationQueue.add(
+    { rotationDocId },
+    { repeat: { every: daysToMillisecond(interval) }, jobId: rotationDocId }
+  );
+};
+
+export const removeSecretRotationQueue = async (rotationDocId: string, interval: number) => {
+  return secretRotationQueue.removeRepeatable({ every: interval * 1000, jobId: rotationDocId });
+};
--- a/backend/src/ee/secretRotation/queue/queue.utils.ts
+++ b/backend/src/ee/secretRotation/queue/queue.utils.ts
@ -0,0 +1,179 @@
+import axios from "axios";
+import jmespath from "jmespath";
+import { customAlphabet } from "nanoid";
+import { Client as PgClient } from "pg";
+import mysql from "mysql2";
+import {
+  ISecretRotationData,
+  TAssignOp,
+  TDbProviderClients,
+  TDbProviderFunction,
+  TDirectAssignOp,
+  THttpProviderFunction,
+  TProviderFunction,
+  TProviderFunctionTypes
+} from "../types";
+const REGEX = /\${([^}]+)}/g;
+const SLUG_ALPHABETS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+const nanoId = customAlphabet(SLUG_ALPHABETS, 10);
+
+export const interpolate = (data: any, getValue: (key: string) => unknown) => {
+  if (!data) return;
+
+  if (typeof data === "number") return data;
+
+  if (typeof data === "string") {
+    return data.replace(REGEX, (_a, b) => getValue(b) as string);
+  }
+
+  if (typeof data === "object" && Array.isArray(data)) {
+    data.forEach((el, index) => {
+      data[index] = interpolate(el, getValue);
+    });
+  }
+
+  if (typeof data === "object") {
+    if ((data as { ref: string })?.ref) return getValue((data as { ref: string }).ref);
+    const temp = data as Record<string, unknown>; // for converting ts object to record type
+    Object.keys(temp).forEach((key) => {
+      temp[key as keyof typeof temp] = interpolate(data[key as keyof typeof temp], getValue);
+    });
+  }
+  return data;
+};
+
+const getInterpolationValue = (variables: ISecretRotationData) => (key: string) => {
+  if (key.includes("|")) {
+    const [keyword, ...arg] = key.split("|").map((el) => el.trim());
+    switch (keyword) {
+      case "random": {
+        return nanoId(parseInt(arg[0], 10));
+      }
+      default: {
+        throw Error(`Interpolation key not found - ${key}`);
+      }
+    }
+  }
+  const [type, keyName] = key.split(".").map((el) => el.trim());
+  return variables[type as keyof ISecretRotationData][keyName];
+};
+
+export const secretRotationHttpFn = async (
+  func: THttpProviderFunction,
+  variables: ISecretRotationData
+) => {
+  // string interpolation
+  const headers = interpolate(func.header, getInterpolationValue(variables));
+  const url = interpolate(func.url, getInterpolationValue(variables));
+  const body = interpolate(func.body, getInterpolationValue(variables));
+  // axios will automatically throw error if req status is not between 2xx range
+  return axios({ method: func.method, url, headers, data: body });
+};
+
+export const secretRotationDbFn = async (
+  func: TDbProviderFunction,
+  variables: ISecretRotationData
+) => {
+  const { type, client, pre, ...dbConnection } = func;
+  const { username, password, host, database, port, query, ca } = interpolate(
+    dbConnection,
+    getInterpolationValue(variables)
+  );
+  const ssl = ca ? { rejectUnauthorized: false, ca } : undefined;
+  if (host === "localhost" || host === "127.0.0.1") throw new Error("Invalid db host");
+  if (client === TDbProviderClients.Pg) {
+    const pgClient = new PgClient({ user: username, password, host, database, port, ssl });
+    await pgClient.connect();
+    const res = await pgClient.query(query);
+    await pgClient.end();
+    return res.rows[0];
+  } else if (client === TDbProviderClients.Sql) {
+    const sqlClient = mysql.createPool({
+      user: username,
+      password,
+      host,
+      database,
+      port,
+      connectionLimit: 1,
+      ssl
+    });
+    const res = await new Promise((resolve, reject) => {
+      sqlClient.query(query, (err, data) => {
+        if (err) return reject(err);
+        resolve(data);
+      });
+    });
+    await new Promise((resolve, reject) => {
+      sqlClient.end(function (err) {
+        if (err) return reject(err);
+        return resolve({});
+      });
+    });
+    return (res as any)?.[0];
+  }
+};
+
+export const secretRotationPreSetFn = (
+  op: Record<string, TDirectAssignOp>,
+  variables: ISecretRotationData
+) => {
+  const getValFn = getInterpolationValue(variables);
+  Object.entries(op || {}).forEach(([key, assignFn]) => {
+    const [type, keyName] = key.split(".") as [keyof ISecretRotationData, string];
+    variables[type][keyName] = interpolate(assignFn.value, getValFn);
+  });
+};
+
+export const secretRotationSetFn = async (
+  func: TProviderFunction,
+  variables: ISecretRotationData
+) => {
+  const getValFn = getInterpolationValue(variables);
+  // http setter
+  if (func.type === TProviderFunctionTypes.HTTP) {
+    const res = await secretRotationHttpFn(func, variables);
+    Object.entries(func.setter || {}).forEach(([key, assignFn]) => {
+      const [type, keyName] = key.split(".") as [keyof ISecretRotationData, string];
+      if (assignFn.assign === TAssignOp.JmesPath) {
+        variables[type][keyName] = jmespath.search(res.data, assignFn.path);
+      } else if (assignFn.value) {
+        variables[type][keyName] = interpolate(assignFn.value, getValFn);
+      }
+    });
+    // db setter
+  } else if (func.type === TProviderFunctionTypes.DB) {
+    const data = await secretRotationDbFn(func, variables);
+    Object.entries(func.setter || {}).forEach(([key, assignFn]) => {
+      const [type, keyName] = key.split(".") as [keyof ISecretRotationData, string];
+      if (assignFn.assign === TAssignOp.JmesPath) {
+        if (typeof data === "object") {
+          variables[type][keyName] = jmespath.search(data, assignFn.path);
+        }
+      } else if (assignFn.value) {
+        variables[type][keyName] = interpolate(assignFn.value, getValFn);
+      }
+    });
+  }
+};
+
+export const secretRotationTestFn = async (
+  func: TProviderFunction,
+  variables: ISecretRotationData
+) => {
+  if (func.type === TProviderFunctionTypes.HTTP) {
+    await secretRotationHttpFn(func, variables);
+  } else if (func.type === TProviderFunctionTypes.DB) {
+    await secretRotationDbFn(func, variables);
+  }
+};
+
+export const secretRotationRemoveFn = async (
+  func: TProviderFunction,
+  variables: ISecretRotationData
+) => {
+  if (!func) return;
+  if (func.type === TProviderFunctionTypes.HTTP) {
+    // string interpolation
+    return await secretRotationHttpFn(func, variables);
+  }
+};
--- a/backend/src/ee/secretRotation/service.ts
+++ b/backend/src/ee/secretRotation/service.ts
@ -0,0 +1,130 @@
+import { ISecretRotationEncData, TCreateSecretRotation, TGetProviderTemplates } from "./types";
+import { rotationTemplates } from "./templates";
+import { SecretRotation } from "./models";
+import { client, getEncryptionKey, getRootEncryptionKey } from "../../config";
+import { BadRequestError } from "../../utils/errors";
+import Ajv from "ajv";
+import { removeSecretRotationQueue, startSecretRotationQueue } from "./queue/queue";
+import {
+  ALGORITHM_AES_256_GCM,
+  ENCODING_SCHEME_BASE64,
+  ENCODING_SCHEME_UTF8
+} from "../../variables";
+import { encryptSymmetric128BitHexKeyUTF8 } from "../../utils/crypto";
+
+const ajv = new Ajv({ strict: false });
+
+export const getProviderTemplate = async ({ workspaceId }: TGetProviderTemplates) => {
+  return {
+    custom: [],
+    providers: rotationTemplates
+  };
+};
+
+export const createSecretRotation = async ({
+  workspaceId,
+  secretPath,
+  environment,
+  provider,
+  interval,
+  inputs,
+  outputs
+}: TCreateSecretRotation) => {
+  const rotationTemplate = rotationTemplates.find(({ name }) => name === provider);
+  if (!rotationTemplate) throw BadRequestError({ message: "Provider not found" });
+
+  const formattedInputs: Record<string, unknown> = {};
+  Object.entries(inputs).forEach(([key, value]) => {
+    const type = rotationTemplate.template.inputs.properties[key].type;
+    if (type === "string") {
+      formattedInputs[key] = value;
+      return;
+    }
+    if (type === "integer") {
+      formattedInputs[key] = parseInt(value as string, 10);
+      return;
+    }
+    formattedInputs[key] = JSON.parse(value as string);
+  });
+  // ensure input one follows the correct schema
+  const valid = ajv.validate(rotationTemplate.template.inputs, formattedInputs);
+  if (!valid) {
+    throw BadRequestError({ message: ajv.errors?.[0].message });
+  }
+
+  const encData: Partial<ISecretRotationEncData> = {
+    inputs: formattedInputs,
+    creds: []
+  };
+
+  const secretRotation = new SecretRotation({
+    workspace: workspaceId,
+    provider,
+    environment,
+    secretPath,
+    interval,
+    outputs: Object.entries(outputs).map(([key, secret]) => ({ key, secret }))
+  });
+
+  const encryptionKey = await getEncryptionKey();
+  const rootEncryptionKey = await getRootEncryptionKey();
+
+  if (rootEncryptionKey) {
+    const { ciphertext, iv, tag } = client.encryptSymmetric(
+      JSON.stringify(encData),
+      rootEncryptionKey
+    );
+    secretRotation.encryptedDataIV = iv;
+    secretRotation.encryptedDataTag = tag;
+    secretRotation.encryptedData = ciphertext;
+    secretRotation.algorithm = ALGORITHM_AES_256_GCM;
+    secretRotation.keyEncoding = ENCODING_SCHEME_BASE64;
+  } else if (encryptionKey) {
+    const { ciphertext, iv, tag } = encryptSymmetric128BitHexKeyUTF8({
+      plaintext: JSON.stringify(encData),
+      key: encryptionKey
+    });
+    secretRotation.encryptedDataIV = iv;
+    secretRotation.encryptedDataTag = tag;
+    secretRotation.encryptedData = ciphertext;
+    secretRotation.algorithm = ALGORITHM_AES_256_GCM;
+    secretRotation.keyEncoding = ENCODING_SCHEME_UTF8;
+  }
+
+  await secretRotation.save();
+  await startSecretRotationQueue(secretRotation._id.toString(), interval);
+
+  return secretRotation;
+};
+
+export const deleteSecretRotation = async ({ id }: { id: string }) => {
+  const doc = await SecretRotation.findByIdAndRemove(id);
+  if (!doc) throw BadRequestError({ message: "Rotation not found" });
+
+  await removeSecretRotationQueue(doc._id.toString(), doc.interval);
+  return doc;
+};
+
+export const restartSecretRotation = async ({ id }: { id: string }) => {
+  const secretRotation = await SecretRotation.findById(id);
+  if (!secretRotation) throw BadRequestError({ message: "Rotation not found" });
+
+  await removeSecretRotationQueue(secretRotation._id.toString(), secretRotation.interval);
+  await startSecretRotationQueue(secretRotation._id.toString(), secretRotation.interval);
+
+  return secretRotation;
+};
+
+export const getSecretRotationById = async ({ id }: { id: string }) => {
+  const doc = await SecretRotation.findById(id);
+  if (!doc) throw BadRequestError({ message: "Rotation not found" });
+  return doc;
+};
+
+export const getSecretRotationOfWorkspace = async (workspaceId: string) => {
+  const secretRotations = await SecretRotation.find({
+    workspace: workspaceId
+  }).populate("outputs.secret");
+
+  return secretRotations;
+};
--- a/backend/src/ee/secretRotation/templates/index.ts
+++ b/backend/src/ee/secretRotation/templates/index.ts
@ -0,0 +1,28 @@
+import { ISecretRotationProviderTemplate } from "../types";
+import { MYSQL_TEMPLATE } from "./mysql";
+import { POSTGRES_TEMPLATE } from "./postgres";
+import { SENDGRID_TEMPLATE } from "./sendgrid";
+
+export const rotationTemplates: ISecretRotationProviderTemplate[] = [
+  {
+    name: "sendgrid",
+    title: "Twilio Sendgrid",
+    image: "sendgrid.png",
+    description: "Rotate Twilio Sendgrid API keys",
+    template: SENDGRID_TEMPLATE
+  },
+  {
+    name: "postgres",
+    title: "PostgreSQL",
+    image: "postgres.png",
+    description: "Rotate PostgreSQL/CockroachDB user credentials",
+    template: POSTGRES_TEMPLATE
+  },
+  {
+    name: "mysql",
+    title: "MySQL",
+    image: "mysql.png",
+    description: "Rotate MySQL@7/MariaDB user credentials",
+    template: MYSQL_TEMPLATE
+  }
+];
--- a/backend/src/ee/secretRotation/templates/mysql.ts
+++ b/backend/src/ee/secretRotation/templates/mysql.ts
@ -0,0 +1,83 @@
+import { TAssignOp, TDbProviderClients, TProviderFunctionTypes } from "../types";
+
+export const MYSQL_TEMPLATE = {
+  inputs: {
+    type: "object" as const,
+    properties: {
+      admin_username: { type: "string" as const },
+      admin_password: { type: "string" as const },
+      host: { type: "string" as const },
+      database: { type: "string" as const },
+      port: { type: "integer" as const, default: "3306" },
+      username1: {
+        type: "string",
+        default: "infisical-sql-user1",
+        desc: "This user must be created in your database"
+      },
+      username2: {
+        type: "string",
+        default: "infisical-sql-user2",
+        desc: "This user must be created in your database"
+      },
+      ca: { type: "string", desc: "SSL certificate for db auth(string)" }
+    },
+    required: [
+      "admin_username",
+      "admin_password",
+      "host",
+      "database",
+      "username1",
+      "username2",
+      "port"
+    ],
+    additionalProperties: false
+  },
+  outputs: {
+    db_username: { type: "string" },
+    db_password: { type: "string" }
+  },
+  internal: {
+    rotated_password: { type: "string" },
+    username: { type: "string" }
+  },
+  functions: {
+    set: {
+      type: TProviderFunctionTypes.DB as const,
+      client: TDbProviderClients.Sql,
+      username: "${inputs.admin_username}",
+      password: "${inputs.admin_password}",
+      host: "${inputs.host}",
+      database: "${inputs.database}",
+      port: "${inputs.port}",
+      ca: "${inputs.ca}",
+      query: "ALTER USER ${internal.username} IDENTIFIED BY '${internal.rotated_password}'",
+      setter: {
+        "outputs.db_username": {
+          assign: TAssignOp.Direct as const,
+          value: "${internal.username}"
+        },
+        "outputs.db_password": {
+          assign: TAssignOp.Direct as const,
+          value: "${internal.rotated_password}"
+        }
+      },
+      pre: {
+        "internal.rotated_password": {
+          assign: TAssignOp.Direct as const,
+          value: "${random | 32}"
+        }
+      }
+    },
+    test: {
+      type: TProviderFunctionTypes.DB as const,
+      client: TDbProviderClients.Sql,
+      username: "${internal.username}",
+      password: "${internal.rotated_password}",
+      host: "${inputs.host}",
+      database: "${inputs.database}",
+      port: "${inputs.port}",
+      ca: "${inputs.ca}",
+      query: "SELECT NOW()"
+    }
+  }
+};
--- a/backend/src/ee/secretRotation/templates/postgres.ts
+++ b/backend/src/ee/secretRotation/templates/postgres.ts
@ -0,0 +1,83 @@
+import { TAssignOp, TDbProviderClients, TProviderFunctionTypes } from "../types";
+
+export const POSTGRES_TEMPLATE = {
+  inputs: {
+    type: "object" as const,
+    properties: {
+      admin_username: { type: "string" as const },
+      admin_password: { type: "string" as const },
+      host: { type: "string" as const },
+      database: { type: "string" as const },
+      port: { type: "integer" as const, default: "5432" },
+      username1: {
+        type: "string",
+        default: "infisical-pg-user1",
+        desc: "This user must be created in your database"
+      },
+      username2: {
+        type: "string",
+        default: "infisical-pg-user2",
+        desc: "This user must be created in your database"
+      },
+      ca: { type: "string", desc: "SSL certificate for db auth(string)" }
+    },
+    required: [
+      "admin_username",
+      "admin_password",
+      "host",
+      "database",
+      "username1",
+      "username2",
+      "port"
+    ],
+    additionalProperties: false
+  },
+  outputs: {
+    db_username: { type: "string" },
+    db_password: { type: "string" }
+  },
+  internal: {
+    rotated_password: { type: "string" },
+    username: { type: "string" }
+  },
+  functions: {
+    set: {
+      type: TProviderFunctionTypes.DB as const,
+      client: TDbProviderClients.Pg,
+      username: "${inputs.admin_username}",
+      password: "${inputs.admin_password}",
+      host: "${inputs.host}",
+      database: "${inputs.database}",
+      port: "${inputs.port}",
+      ca: "${inputs.ca}",
+      query: "ALTER USER ${internal.username} WITH PASSWORD '${internal.rotated_password}'",
+      setter: {
+        "outputs.db_username": {
+          assign: TAssignOp.Direct as const,
+          value: "${internal.username}"
+        },
+        "outputs.db_password": {
+          assign: TAssignOp.Direct as const,
+          value: "${internal.rotated_password}"
+        }
+      },
+      pre: {
+        "internal.rotated_password": {
+          assign: TAssignOp.Direct as const,
+          value: "${random | 32}"
+        }
+      }
+    },
+    test: {
+      type: TProviderFunctionTypes.DB as const,
+      client: TDbProviderClients.Pg,
+      username: "${internal.username}",
+      password: "${internal.rotated_password}",
+      host: "${inputs.host}",
+      database: "${inputs.database}",
+      port: "${inputs.port}",
+      ca: "${inputs.ca}",
+      query: "SELECT NOW()"
+    }
+  }
+};
--- a/backend/src/ee/secretRotation/templates/sendgrid.ts
+++ b/backend/src/ee/secretRotation/templates/sendgrid.ts
@ -0,0 +1,63 @@
+import { TAssignOp, TProviderFunctionTypes } from "../types";
+
+export const SENDGRID_TEMPLATE = {
+  inputs: {
+    type: "object" as const,
+    properties: {
+      admin_api_key: { type: "string" as const, desc: "Sendgrid admin api key to create new keys" },
+      api_key_scopes: {
+        type: "array",
+        items: { type: "string" as const },
+        desc: "Scopes for created tokens by rotation(Array)"
+      }
+    },
+    required: ["admin_api_key", "api_key_scopes"],
+    additionalProperties: false
+  },
+  outputs: {
+    api_key: { type: "string" }
+  },
+  internal: {
+    api_key_id: { type: "string" }
+  },
+  functions: {
+    set: {
+      type: TProviderFunctionTypes.HTTP as const,
+      url: "https://api.sendgrid.com/v3/api_keys",
+      method: "POST",
+      header: {
+        Authorization: "Bearer ${inputs.admin_api_key}"
+      },
+      body: {
+        name: "infisical-${random | 16}",
+        scopes: { ref: "inputs.api_key_scopes" }
+      },
+      setter: {
+        "outputs.api_key": {
+          assign: TAssignOp.JmesPath as const,
+          path: "api_key"
+        },
+        "internal.api_key_id": {
+          assign: TAssignOp.JmesPath as const,
+          path: "api_key_id"
+        }
+      }
+    },
+    remove: {
+      type: TProviderFunctionTypes.HTTP as const,
+      url: "https://api.sendgrid.com/v3/api_keys/${internal.api_key_id}",
+      header: {
+        Authorization: "Bearer ${inputs.admin_api_key}"
+      },
+      method: "DELETE"
+    },
+    test: {
+      type: TProviderFunctionTypes.HTTP as const,
+      url: "https://api.sendgrid.com/v3/api_keys/${internal.api_key_id}",
+      header: {
+        Authorization: "Bearer ${inputs.admin_api_key}"
+      },
+      method: "GET"
+    }
+  }
+};
--- a/backend/src/ee/secretRotation/types.ts
+++ b/backend/src/ee/secretRotation/types.ts
@ -0,0 +1,131 @@
+import { Document, Types } from "mongoose";
+
+export interface ISecretRotation extends Document {
+  _id: Types.ObjectId;
+  name: string;
+  interval: number;
+  provider: string;
+  customProvider: Types.ObjectId;
+  workspace: Types.ObjectId;
+  environment: string;
+  secretPath: string;
+  outputs: Array<{
+    key: string;
+    secret: Types.ObjectId;
+  }>;
+  status?: "success" | "failed";
+  lastRotatedAt?: string;
+  statusMessage?: string;
+  encryptedData: string;
+  encryptedDataIV: string;
+  encryptedDataTag: string;
+  algorithm: string;
+  keyEncoding: string;
+}
+
+export type ISecretRotationEncData = {
+  inputs: Record<string, unknown>;
+  creds: Array<{
+    outputs: Record<string, unknown>;
+    internal: Record<string, unknown>;
+  }>;
+};
+
+export type ISecretRotationData = {
+  inputs: Record<string, unknown>;
+  outputs: Record<string, unknown>;
+  internal: Record<string, unknown>;
+};
+
+export type ISecretRotationProviderTemplate = {
+  name: string;
+  title: string;
+  image?: string;
+  description?: string;
+  template: TProviderTemplate;
+};
+
+export enum TProviderFunctionTypes {
+  HTTP = "http",
+  DB = "database"
+}
+
+export enum TDbProviderClients {
+  // postgres, cockroack db, amazon red shift
+  Pg = "pg",
+  // mysql and maria db
+  Sql = "sql"
+}
+
+export enum TAssignOp {
+  Direct = "direct",
+  JmesPath = "jmesopath"
+}
+
+export type TJmesPathAssignOp = {
+  assign: TAssignOp.JmesPath;
+  path: string;
+};
+
+export type TDirectAssignOp = {
+  assign: TAssignOp.Direct;
+  value: string;
+};
+
+export type TAssignFunction = TJmesPathAssignOp | TDirectAssignOp;
+
+export type THttpProviderFunction = {
+  type: TProviderFunctionTypes.HTTP;
+  url: string;
+  method: string;
+  header?: Record<string, string>;
+  query?: Record<string, string>;
+  body?: Record<string, unknown>;
+  setter?: Record<string, TAssignFunction>;
+  pre?: Record<string, TDirectAssignOp>;
+};
+
+export type TDbProviderFunction = {
+  type: TProviderFunctionTypes.DB;
+  client: TDbProviderClients;
+  username: string;
+  password: string;
+  host: string;
+  database: string;
+  port: string;
+  query: string;
+  setter?: Record<string, TAssignFunction>;
+  pre?: Record<string, TDirectAssignOp>;
+};
+
+export type TProviderFunction = THttpProviderFunction | TDbProviderFunction;
+
+export type TProviderTemplate = {
+  inputs: {
+    type: "object";
+    properties: Record<string, { type: string; [x: string]: unknown; desc?: string }>;
+    required?: string[];
+  };
+  outputs: Record<string, unknown>;
+  functions: {
+    set: TProviderFunction;
+    remove?: TProviderFunction;
+    test: TProviderFunction;
+  };
+};
+
+// function type args
+export type TGetProviderTemplates = {
+  workspaceId: string;
+};
+
+export type TCreateSecretRotation = {
+  provider: string;
+  customProvider?: string;
+  workspaceId: string;
+  secretPath: string;
+  environment: string;
+  interval: number;
+  inputs: Record<string, unknown>;
+  outputs: Record<string, string>;
+};
--- a/backend/src/ee/services/EELicenseService.ts
+++ b/backend/src/ee/services/EELicenseService.ts
@ -38,6 +38,7 @@ interface FeatureSet {
    trial_end: number | null;
    has_used_trial: boolean;
    secretApproval: boolean;
+    secretRotation: boolean;
 }

 /**
@ -74,7 +75,8 @@ class EELicenseService {
        status: null,
        trial_end: null,
        has_used_trial: true,
-        secretApproval: false
+        secretApproval: false,
+        secretRotation: true,
    }

    public localFeatureSet: NodeCache;
--- a/backend/src/ee/services/ProjectRoleService.ts
+++ b/backend/src/ee/services/ProjectRoleService.ts
@ -50,7 +50,8 @@ export enum ProjectPermissionSub {
  Workspace = "workspace",
  Secrets = "secrets",
  SecretRollback = "secret-rollback",
-  SecretApproval = "secret-approval"
+  SecretApproval = "secret-approval",
+  SecretRotation = "secret-rotation"
 }

 type SubjectFields = {
@ -74,6 +75,7 @@ export type ProjectPermissionSet =
  | [ProjectPermissionActions, ProjectPermissionSub.Settings]
  | [ProjectPermissionActions, ProjectPermissionSub.ServiceTokens]
  | [ProjectPermissionActions, ProjectPermissionSub.SecretApproval]
+  | [ProjectPermissionActions, ProjectPermissionSub.SecretRotation]
  | [ProjectPermissionActions.Delete, ProjectPermissionSub.Workspace]
  | [ProjectPermissionActions.Edit, ProjectPermissionSub.Workspace]
  | [ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback]
@ -92,6 +94,11 @@ const buildAdminPermission = () => {
  can(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretApproval);
  can(ProjectPermissionActions.Delete, ProjectPermissionSub.SecretApproval);

+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
+  can(ProjectPermissionActions.Create, ProjectPermissionSub.SecretRotation);
+  can(ProjectPermissionActions.Edit, ProjectPermissionSub.SecretRotation);
+  can(ProjectPermissionActions.Delete, ProjectPermissionSub.SecretRotation);
+
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
  can(ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback);

@ -162,6 +169,7 @@ const buildMemberPermission = () => {
  can(ProjectPermissionActions.Delete, ProjectPermissionSub.Secrets);

  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);

  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
  can(ProjectPermissionActions.Create, ProjectPermissionSub.SecretRollback);
@ -214,6 +222,7 @@ const buildViewerPermission = () => {
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Secrets);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretApproval);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback);
+  can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretRotation);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Member);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Role);
  can(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
--- a/backend/src/ee/validation/secretRotation.ts
+++ b/backend/src/ee/validation/secretRotation.ts
@ -0,0 +1,32 @@
+import { z } from "zod";
+
+export const createSecretRotationV1 = z.object({
+  body: z.object({
+    workspaceId: z.string().trim(),
+    secretPath: z.string().trim(),
+    environment: z.string().trim(),
+    interval: z.number().min(1),
+    provider: z.string().trim(),
+    customProvider: z.string().trim().optional(),
+    inputs: z.record(z.unknown()),
+    outputs: z.record(z.string())
+  })
+});
+
+export const restartSecretRotationV1 = z.object({
+  body: z.object({
+    id: z.string().trim()
+  })
+});
+
+export const getSecretRotationV1 = z.object({
+  query: z.object({
+    workspaceId: z.string().trim()
+  })
+});
+
+export const removeSecretRotationV1 = z.object({
+  params: z.object({
+    id: z.string().trim()
+  })
+});
--- a/backend/src/ee/validation/secretRotationProvider.ts
+++ b/backend/src/ee/validation/secretRotationProvider.ts
@ -0,0 +1,7 @@
+import { z } from "zod";
+
+export const getSecretRotationProvidersV1 = z.object({
+  params: z.object({
+    workspaceId: z.string()
+  })
+});
--- a/backend/src/helpers/auth.ts
+++ b/backend/src/helpers/auth.ts
@ -1,381 +1,13 @@
-import { Request } from "express";
 import { Types } from "mongoose";
 import jwt from "jsonwebtoken";
-import bcrypt from "bcrypt";
-import {
-	APIKeyData,
-	APIKeyDataV2,
-	ITokenVersion,
-	IUser,
-	ServiceTokenData,
-	ServiceTokenDataV3,
-	TokenVersion,
-	User,
-} from "../models";
-import {
-	APIKeyDataNotFoundError,
-	AccountNotFoundError,
-	BadRequestError,
-	ServiceTokenDataNotFoundError,
-	UnauthorizedRequestError,
-} from "../utils/errors";
+import { ITokenVersion, TokenVersion } from "../models";
+import { UnauthorizedRequestError } from "../utils/errors";
 import {
 	getAuthSecret,
 	getJwtAuthLifetime,
-	getJwtRefreshLifetime,
-	getJwtServiceTokenSecret
+	getJwtRefreshLifetime
 } from "../config";
-import {
-	AuthMode,
-	AuthTokenType
-} from "../variables";
-import {
-	ServiceTokenAuthData,
-	ServiceTokenV3AuthData,
-	UserAuthData
-} from "../interfaces/middleware";
-
-import { ActorType } from "../ee/models";
-import { getUserAgentType } from "../utils/posthog";
-
-/**
- * 
- * @param {Object} obj
- * @param {Object} obj.headers - HTTP request headers object
- */
-export const validateAuthMode = ({
-	headers,
-	acceptedAuthModes,
-}: {
-	headers: { [key: string]: string | string[] | undefined },
-	acceptedAuthModes: AuthMode[]
-}) => {
-	
-	const apiKey = headers["x-api-key"];
-	const authHeader = headers["authorization"];
-
-	let authMode, authTokenValue;
-	if (apiKey === undefined && authHeader === undefined) {
-		// case: no auth or X-API-KEY header present
-		throw BadRequestError({ message: "Missing Authorization or X-API-KEY in request header." });
-	}
-
-	if (typeof apiKey === "string") {
-		// case: treat request authentication type as via X-API-KEY (i.e. API Key)
-		authMode = AuthMode.API_KEY;
-		authTokenValue = apiKey;
-	}
-
-	if (typeof authHeader === "string") {
-		// case: treat request authentication type as via Authorization header (i.e. either JWT or service token)
-		const [tokenType, tokenValue] = <[string, string]>authHeader.split(" ", 2) ?? [null, null]
-
-		if (tokenType === null)
-			throw BadRequestError({ message: "Missing Authorization Header in the request header." });
-		if (tokenType.toLowerCase() !== "bearer")
-			throw BadRequestError({ message: `The provided authentication type '${tokenType}' is not supported.` });
-		if (tokenValue === null)
-			throw BadRequestError({ message: "Missing Authorization Body in the request header." });
-
-		const parts = tokenValue.split(".");
-		
-		switch (parts[0]) {
-			case "st":
-				authMode = AuthMode.SERVICE_TOKEN;
-				authTokenValue = tokenValue;
-				break;
-			case "stv3":
-				authMode = AuthMode.SERVICE_TOKEN_V3;
-				authTokenValue = parts.slice(1).join(".");
-				break;
-			default:
-				authMode = AuthMode.JWT;
-				authTokenValue = tokenValue;
-		}
-	}
-
-	if (!authMode || !authTokenValue) throw BadRequestError({ message: "Missing valid Authorization or X-API-KEY in request header." });
-
-	if (!acceptedAuthModes.includes(authMode)) throw BadRequestError({ message: "The provided authentication type is not supported." });
-
-	return ({
-		authMode,
-		authTokenValue,
-	});
-}
-
-/**
- * Return user payload corresponding to JWT token [authTokenValue]
- * that is either for browser / CLI or API Key
- * @param {Object} obj
- * @param {String} obj.authTokenValue - JWT token value
- * @returns {User} user - user corresponding to JWT token
- */
-export const getAuthUserPayload = async ({
-	req,
-	authTokenValue,
-}: {
-	req: Request,
-	authTokenValue: string;
-}): Promise<UserAuthData> => {
-	const decodedToken = <jwt.UserIDJwtPayload>(
-		jwt.verify(authTokenValue, await getAuthSecret())
-	);
-
-	if (
-		decodedToken.authTokenType !== AuthTokenType.ACCESS_TOKEN &&
-		decodedToken.authTokenType !== AuthTokenType.API_KEY
-	) {
-		throw UnauthorizedRequestError();
-	}
-	
-	if (decodedToken.authTokenType === AuthTokenType.ACCESS_TOKEN) {
-		const tokenVersion = await TokenVersion.findOneAndUpdate({
-			_id: new Types.ObjectId(decodedToken.tokenVersionId),
-			user: decodedToken.userId
-		}, {
-			lastUsed: new Date(),
-		});
-	
-		if (!tokenVersion) throw UnauthorizedRequestError();
-	
-		if (decodedToken.accessVersion !== tokenVersion.accessVersion) throw UnauthorizedRequestError();
-	} else if (decodedToken.authTokenType === AuthTokenType.API_KEY) {
-		const apiKeyData = await APIKeyDataV2.findOneAndUpdate(
-			{
-				_id: new Types.ObjectId(decodedToken.apiKeyDataId),
-				user: new Types.ObjectId(decodedToken.userId)
-			},
-			{
-				lastUsed: new Date(),
-				$inc: { usageCount: 1 }
-			},
-			{
-				new: true
-			}
-		);
-		
-		if (!apiKeyData) throw UnauthorizedRequestError();
-	}
-
-	const user = await User.findOne({
-		_id: new Types.ObjectId(decodedToken.userId),
-	}).select("+publicKey +accessVersion");
-
-	if (!user) throw AccountNotFoundError({ message: "Failed to find user" });
-
-	if (!user?.publicKey) throw UnauthorizedRequestError({ message: "Failed to authenticate user with partially set up account" });
-
-	return {
-		actor: {
-			type: ActorType.USER,
-			metadata: {
-				userId: user._id.toString(),
-				email: user.email
-			}
-		},
-		authPayload: user,
-		ipAddress: req.realIP,
-		userAgent: req.headers["user-agent"] ?? "",
-		userAgentType: getUserAgentType(req.headers["user-agent"])
-	}
-}
-
-/**
- * Return service token data payload corresponding to service token [authTokenValue]
- * @param {Object} obj
- * @param {String} obj.authTokenValue - service token value
- * @returns {ServiceTokenData} serviceTokenData - service token data
- */
-export const getAuthSTDPayload = async ({
-	req,
-	authTokenValue,
-}: {
-	req: Request,
-	authTokenValue: string;
-}): Promise<ServiceTokenAuthData> => {
-	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split(".", 3);
-
-	const serviceTokenData = await ServiceTokenData
-		.findById(TOKEN_IDENTIFIER, "+secretHash +expiresAt")
-
-	if (!serviceTokenData) {
-		throw ServiceTokenDataNotFoundError({ message: "Failed to find service token data" });
-	} else if (serviceTokenData?.expiresAt && new Date(serviceTokenData.expiresAt) < new Date()) {
-		// case: service token expired
-		await ServiceTokenData.findByIdAndDelete(serviceTokenData._id);
-		throw UnauthorizedRequestError({
-			message: "Failed to authenticate expired service token",
-		});
-	}
-
-	const isMatch = await bcrypt.compare(TOKEN_SECRET, serviceTokenData.secretHash);
-	if (!isMatch) throw UnauthorizedRequestError({
-		message: "Failed to authenticate service token",
-	});
-
-	const serviceTokenDataToReturn = await ServiceTokenData
-		.findOneAndUpdate({
-			_id: new Types.ObjectId(TOKEN_IDENTIFIER),
-		}, {
-			lastUsed: new Date(),
-		}, {
-			new: true,
-		})
-		.select("+encryptedKey +iv +tag")
-
-	if (!serviceTokenDataToReturn) throw ServiceTokenDataNotFoundError({ message: "Failed to find service token data" });
-
-	return {
-		actor: {
-			type: ActorType.SERVICE,
-			metadata: {
-				serviceId: serviceTokenDataToReturn._id.toString(),
-				name: serviceTokenDataToReturn.name
-			}
-		},
-		authPayload: serviceTokenDataToReturn,
-		ipAddress: req.realIP,
-		userAgent: req.headers["user-agent"] ?? "",
-		userAgentType: getUserAgentType(req.headers["user-agent"])
-	}
-}
-
-/**
- * Return service token data V3 payload corresponding to service token [authTokenValue]
- * @param {Object} obj
- * @param {String} obj.authTokenValue - service token value
- * @returns {ServiceTokenData} serviceTokenData - service token data
- */
- export const getAuthSTDV3Payload = async ({
-	req,
-	authTokenValue,
-}: {
-	req: Request,
-	authTokenValue: string;
-}): Promise<ServiceTokenV3AuthData> => {
-	const decodedToken = <jwt.UserIDJwtPayload>(
-		jwt.verify(authTokenValue, await getJwtServiceTokenSecret())
-	);
-	
-	const serviceTokenData = await ServiceTokenDataV3.findOneAndUpdate(
-		{
-			_id: new Types.ObjectId(decodedToken._id),
-			isActive: true
-		},
-		{
-			lastUsed: new Date(),
-			$inc: { usageCount: 1 }
-		},
-		{
-			new: true
-		}
-	);
-	
-	if (!serviceTokenData) {
-		throw UnauthorizedRequestError({ 
-			message: "Failed to authenticate"
-		});
-	} else if (serviceTokenData?.expiresAt && new Date(serviceTokenData.expiresAt) < new Date()) {
-		// case: service token expired
-		await ServiceTokenDataV3.findByIdAndUpdate(
-			serviceTokenData._id,
-			{
-				isActive: false
-			},
-			{
-				new: true
-			}
-		);
-		
-		throw UnauthorizedRequestError({
-			message: "Failed to authenticate",
-		});
-	}
-
-	return {
-		actor: {
-			type: ActorType.SERVICE_V3,
-			metadata: {
-				serviceId: serviceTokenData._id.toString(),
-				name: serviceTokenData.name
-			}
-		},
-		authPayload: serviceTokenData,
-		ipAddress: req.realIP,
-		userAgent: req.headers["user-agent"] ?? "",
-		userAgentType: getUserAgentType(req.headers["user-agent"])
-	}
-}
-
-/**
- * Return API key data payload corresponding to API key [authTokenValue]
- * @param {Object} obj
- * @param {String} obj.authTokenValue - API key value
- * @returns {APIKeyData} apiKeyData - API key data
- */
-export const getAuthAPIKeyPayload = async ({
-	req,
-	authTokenValue,
-}: {
-	req: Request,
-	authTokenValue: string;
-}): Promise<UserAuthData> => {
-	const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split(".", 3);
-
-	let apiKeyData = await APIKeyData
-		.findById(TOKEN_IDENTIFIER, "+secretHash +expiresAt")
-		.populate<{ user: IUser }>("user", "+publicKey");
-
-	if (!apiKeyData) {
-		throw APIKeyDataNotFoundError({ message: "Failed to find API key data" });
-	} else if (apiKeyData?.expiresAt && new Date(apiKeyData.expiresAt) < new Date()) {
-		// case: API key expired
-		await APIKeyData.findByIdAndDelete(apiKeyData._id);
-		throw UnauthorizedRequestError({
-			message: "Failed to authenticate expired API key",
-		});
-	}
-
-	const isMatch = await bcrypt.compare(TOKEN_SECRET, apiKeyData.secretHash);
-	if (!isMatch) throw UnauthorizedRequestError({
-		message: "Failed to authenticate API key",
-	});
-
-	apiKeyData = await APIKeyData.findOneAndUpdate({
-		_id: new Types.ObjectId(TOKEN_IDENTIFIER),
-	}, {
-		lastUsed: new Date(),
-	}, {
-		new: true,
-	});
-
-	if (!apiKeyData) {
-		throw APIKeyDataNotFoundError({ message: "Failed to find API key data" });
-	}
-
-	const user = await User.findById(apiKeyData.user).select("+publicKey");
-
-	if (!user) {
-		throw AccountNotFoundError({
-			message: "Failed to find user",
-		});
-	}
-
-	return {
-		actor: {
-			type: ActorType.USER,
-			metadata: {
-				userId: user._id.toString(),
-				email: user.email
-			}
-		},
-		authPayload: user,
-		ipAddress: req.realIP,
-		userAgent: req.headers["user-agent"] ?? "",
-		userAgentType: getUserAgentType(req.headers["user-agent"])
-	}
-}
+import { AuthTokenType } from "../variables";

 /**
 * Return newly issued (JWT) auth and refresh tokens to user with id [userId]
--- a/backend/src/helpers/database.ts
+++ b/backend/src/helpers/database.ts
@ -1,5 +1,5 @@
 import mongoose from "mongoose";
-import { getLogger } from "../utils/logger";
+import { logger } from "../utils/logging";

 /**
 * Initialize database connection
@ -18,10 +18,10 @@ export const initDatabaseHelper = async ({
        // allow empty strings to pass the required validator
        mongoose.Schema.Types.String.checkRequired(v => typeof v === "string");

-        (await getLogger("database")).info("Database connection established");
+        logger.info("Database connection established");

    } catch (err) {
-        (await getLogger("database")).error(`Unable to establish Database connection due to the error.\n${err}`);
+        logger.error(err, "Unable to establish database connection");
    }

    return mongoose.connection;
--- a/backend/src/helpers/organization.ts
+++ b/backend/src/helpers/organization.ts
@ -1,4 +1,4 @@
-import mongoose, { Types, mongo } from "mongoose";
+import { Types } from "mongoose";
 import { 
  Bot, 
  BotKey,
@ -55,7 +55,7 @@ import {
 import {
  createBotOrg
 } from "./botOrg";
-import { InternalServerError, ResourceNotFoundError } from "../utils/errors";
+import { ResourceNotFoundError } from "../utils/errors";

 /**
 * Create an organization with name [name]
@ -111,311 +111,215 @@ export const createOrganization = async ({
 * @returns 
 */
 export const deleteOrganization = async ({
-  organizationId,
-  existingSession
+  organizationId
 }: {
  organizationId: Types.ObjectId;
-  existingSession?: mongo.ClientSession;
 }) => {

-  let session;
-  
-  if (existingSession) {
-    session = existingSession;
-  } else {
-    session = await mongoose.startSession(); 
-    session.startTransaction();
-  }
+  const organization = await Organization.findByIdAndDelete(
+    organizationId
+  );

-  try {
-    const organization = await Organization.findByIdAndDelete(
-      organizationId,
-      {
-        session
-      }
-    );
+  if (!organization) throw ResourceNotFoundError();
  
-    if (!organization) throw ResourceNotFoundError();
-    
-    await MembershipOrg.deleteMany({
-      organization: organization._id
-    }, {
-      session
-    });
-    
-    await BotOrg.deleteMany({
-      organization: organization._id
-    }, {
-      session
-    });
-    
-    await SSOConfig.deleteMany({
-      organization: organization._id
-    }, {
-      session
-    });
-    
-    await Role.deleteMany({
-      organization: organization._id
-    }, {
-      session
-    });
-
-    await IncidentContactOrg.deleteMany({
-      organization: organization._id
-    }, {
-      session
-    });
-    
-    await GitRisks.deleteMany({
-      organization: organization._id
-    }, {
-      session
-    });
-    
-    await GitAppInstallationSession.deleteMany({
-      organization: organization._id
-    }, {
-      session
-    });
-    
-    await GitAppOrganizationInstallation.deleteMany({
-      organization: organization._id
-    }, {
-      session
-    });
-
-    const workspaceIds = await Workspace.distinct("_id", {
-      organization: organization._id
-    });
-    
-    await Workspace.deleteMany({
-      organization: organization._id
-    }, {
-      session
-    });
-    
-    await Membership.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
+  await MembershipOrg.deleteMany({
+    organization: organization._id
+  });
+  
+  await BotOrg.deleteMany({
+    organization: organization._id
+  });
+  
+  await SSOConfig.deleteMany({
+    organization: organization._id
+  });
+  
+  await Role.deleteMany({
+    organization: organization._id
+  });

-    await Key.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-    
-    await Bot.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-    
-    await BotKey.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
+  await IncidentContactOrg.deleteMany({
+    organization: organization._id
+  });
+  
+  await GitRisks.deleteMany({
+    organization: organization._id
+  });
+  
+  await GitAppInstallationSession.deleteMany({
+    organization: organization._id
+  });
+  
+  await GitAppOrganizationInstallation.deleteMany({
+    organization: organization._id
+  });

-    await SecretBlindIndexData.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-    
-    await Secret.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-    
-    await SecretVersion.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
+  const workspaceIds = await Workspace.distinct("_id", {
+    organization: organization._id
+  });
+  
+  await Workspace.deleteMany({
+    organization: organization._id
+  });
+  
+  await Membership.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });

-    await SecretSnapshot.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-    
-    await SecretImport.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
+  await Key.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+  
+  await Bot.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+  
+  await BotKey.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });

-    await Folder.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
+  await SecretBlindIndexData.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+  
+  await Secret.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+  
+  await SecretVersion.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });

-    await FolderVersion.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
+  await SecretSnapshot.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+  
+  await SecretImport.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });

-    await Webhook.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
+  await Folder.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });

-    await TrustedIP.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-    
-    await Tag.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
+  await FolderVersion.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });

-    await IntegrationAuth.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
+  await Webhook.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });

-    await Integration.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
+  await TrustedIP.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+  
+  await Tag.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });

-    await ServiceToken.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
+  await IntegrationAuth.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });

-    await ServiceTokenData.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
+  await Integration.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });

-    await ServiceTokenDataV3.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-    
-    await ServiceTokenDataV3Key.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
+  await ServiceToken.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });

-    await AuditLog.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
+  await ServiceTokenData.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });

-    await Log.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
+  await ServiceTokenDataV3.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });
+  
+  await ServiceTokenDataV3Key.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });

-    await Action.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
+  await AuditLog.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });

-    await SecretApprovalPolicy.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
+  await Log.deleteMany({
+    workspace: {
+      $in: workspaceIds
+    }
+  });

-    await SecretApprovalRequest.deleteMany({
-      workspace: {
-        $in: workspaceIds
-      }
-    }, {
-      session
-    });
-    
-    if (organization.customerId) {
-      // delete from stripe here
-      await licenseServerKeyRequest.delete(
-        `${await getLicenseServerUrl()}/api/license-server/v1/customers/${organization.customerId}`
-      );
+  await Action.deleteMany({
+    workspace: {
+      $in: workspaceIds
    }
-    
-    return organization;
-  } catch (err) {
-    if (!existingSession) {
-      await session.abortTransaction();
+  });
+
+  await SecretApprovalPolicy.deleteMany({
+    workspace: {
+      $in: workspaceIds
    }
-    throw InternalServerError({
-      message: "Failed to delete organization"
-    });
-  } finally {
-    if (!existingSession) {
-      await session.commitTransaction();
-      session.endSession();
+  });
+
+  await SecretApprovalRequest.deleteMany({
+    workspace: {
+      $in: workspaceIds
    }
+  });
+  
+  if (organization.customerId) {
+    // delete from stripe here
+    await licenseServerKeyRequest.delete(
+      `${await getLicenseServerUrl()}/api/license-server/v1/customers/${organization.customerId}`
+    );
  }
+    
+  return organization;
 }

 /**
--- a/backend/src/helpers/secrets.ts
+++ b/backend/src/helpers/secrets.ts
@ -49,7 +49,7 @@ import {
 import { TelemetryService } from "../services";
 import { client, getEncryptionKey, getRootEncryptionKey } from "../config";
 import { EEAuditLogService, EELogService, EESecretService } from "../ee/services";
-import { getAuthDataPayloadIdObj, getAuthDataPayloadUserObj } from "../utils/auth";
+import { getAuthDataPayloadIdObj, getAuthDataPayloadUserObj } from "../utils/authn/helpers";
 import { getFolderByPath, getFolderIdFromServiceToken } from "../services/FolderService";
 import picomatch from "picomatch";
 import path from "path";
@ -553,14 +553,22 @@ export const getSecretsHelper = async ({
  workspaceId,
  environment,
  authData,
-  folderId,
  secretPath = "/"
 }: GetSecretsParams) => {
  let secrets: ISecret[] = [];
  // if using service token filter towards the folderId by secretpath

-  if (!folderId) {
-    folderId = await getFolderIdFromServiceToken(workspaceId, environment, secretPath);
+  const folders = await Folder.findOne({
+    workspace: workspaceId,
+    environment
+  });
+  let folderId = "root";
+  if (!folders && folderId !== "root") return [];
+  // get folder from folder tree
+  if (folders) {
+    const folder = getFolderByPath(folders.nodes, secretPath);
+    if (!folder) return [];
+    folderId = folder?.id;
  }

  // get personal secrets first
--- a/backend/src/helpers/user.ts
+++ b/backend/src/helpers/user.ts
@ -1,4 +1,4 @@
-import mongoose, { Types, mongo } from "mongoose";
+import { Types } from "mongoose";
 import {
  APIKeyData, 
  BackupPrivateKey,
@ -222,141 +222,92 @@ const checkDeleteUserConditions = async ({
 * @returns {User} user - deleted user
 */
 export const deleteUser = async ({
-  userId,
-  existingSession
+  userId
 }: {
  userId: Types.ObjectId;
-	existingSession?: mongo.ClientSession;
 }) => {
+
+  const user = await User.findByIdAndDelete(userId);
  
-  let session;
+  if (!user) throw ResourceNotFoundError();
+
+  await checkDeleteUserConditions({
+    userId: user._id
+  });
  
-  if (existingSession) {
-    session = existingSession;
-  } else {
-    session = await mongoose.startSession();
-    session.startTransaction();
-  }
+  await UserAction.deleteMany({
+    user: user._id
+  });

-  try {
-    const user = await User.findByIdAndDelete(userId, {
-      session
-    });
-    
-    if (!user) throw ResourceNotFoundError();
+  await BackupPrivateKey.deleteMany({
+    user: user._id
+  });

-    await checkDeleteUserConditions({
-      userId: user._id
-    });
-    
-    await UserAction.deleteMany({
-      user: user._id
-    }, {
-      session
-    });
+  await APIKeyData.deleteMany({
+    user: user._id
+  });

-    await BackupPrivateKey.deleteMany({
-      user: user._id
-    }, {
-      session
-    });
+  await Action.deleteMany({
+    user: user._id
+  }); 
+  
+  await Log.deleteMany({
+    user: user._id
+  });

-    await APIKeyData.deleteMany({
-      user: user._id
-    }, {
-      session
-    });
+  await TokenVersion.deleteMany({
+    user: user._id
+  });

-    await Action.deleteMany({
-      user: user._id
-    }, {
-      session
-    }); 
-    
-    await Log.deleteMany({
-      user: user._id
-    }, {
-      session
-    });
+  await Key.deleteMany({
+    receiver: user._id
+  });

-    await TokenVersion.deleteMany({
-      user: user._id
-    });
+  const membershipOrgs = await MembershipOrg.find({
+    user: userId
+  });

-    await Key.deleteMany({
-      receiver: user._id
-    }, {
-      session
+  // delete organizations where user is only member
+  for await (const membershipOrg of membershipOrgs) {
+    const memberCount = await MembershipOrg.countDocuments({
+      organization: membershipOrg.organization
    });
+    
+    if (memberCount === 1) {
+      // organization only has 1 member (the current user)

-    const membershipOrgs = await MembershipOrg.find({
-      user: userId
-    }, null, {
-      session
-    });
-  
-    // delete organizations where user is only member
-    for await (const membershipOrg of membershipOrgs) {
-      const memberCount = await MembershipOrg.countDocuments({
-        organization: membershipOrg.organization
+      await deleteOrganization({
+        organizationId: membershipOrg.organization
      });
-      
-      if (memberCount === 1) {
-        // organization only has 1 member (the current user)
-
-        await deleteOrganization({
-          organizationId: membershipOrg.organization,
-          existingSession: session
-        });
-      }
    }
+  }

-    const memberships = await Membership.find({
-      user: userId
-    }, null, {
-      session
-    });
-  
-    // delete workspaces where user is only member
-    for await (const membership of memberships) {
-      const memberCount = await Membership.countDocuments({
-        workspace: membership.workspace
-      });
-      
-      if (memberCount === 1) {
-        // workspace only has 1 member (the current user) -> delete workspace
-  
-        await deleteWorkspace({
-          workspaceId: membership.workspace,
-          existingSession: session
-        });
-      }
-    }
-    
-    await MembershipOrg.deleteMany({
-      user: userId
-    }, {
-      session
+  const memberships = await Membership.find({
+    user: userId
+  });
+
+  // delete workspaces where user is only member
+  for await (const membership of memberships) {
+    const memberCount = await Membership.countDocuments({
+      workspace: membership.workspace
    });
    
-    await Membership.deleteMany({
-      user: userId
-    }, {
-      session
-    });
+    if (memberCount === 1) {
+      // workspace only has 1 member (the current user) -> delete workspace

-    return user;
-  } catch (err) {
-    if (!existingSession) {
-      await session.abortTransaction();
-    }
-    throw InternalServerError({
-      message: "Failed to delete account"
-    })
-  } finally {
-    if (!existingSession) {
-      await session.commitTransaction();
-      session.endSession();
+      await deleteWorkspace({
+        workspaceId: membership.workspace
+      });
    }
  }
+  
+  await MembershipOrg.deleteMany({
+    user: userId
+  });
+  
+  await Membership.deleteMany({
+    user: userId
+  });
+
+  return user;
 }
--- a/backend/src/helpers/workspace.ts
+++ b/backend/src/helpers/workspace.ts
@ -1,4 +1,4 @@
-import mongoose, { Types, mongo } from "mongoose";
+import { Types } from "mongoose";
 import {
 	Bot,
 	BotKey,
@ -33,8 +33,7 @@ import {
 import { createBot } from "../helpers/bot";
 import { EELicenseService } from "../ee/services";
 import { SecretService } from "../services";
-import { 
-	InternalServerError,
+import {
 	ResourceNotFoundError
 } from "../utils/errors";

@ -102,189 +101,113 @@ export const createWorkspace = async ({
 * @param {String} obj.id - id of workspace to delete
 */
 export const deleteWorkspace = async ({ 
-	workspaceId,
-	existingSession
+	workspaceId
 }: { 
 	workspaceId: Types.ObjectId;
-	existingSession?: mongo.ClientSession;
 }) => {
-
-	let session;
-
-	if (existingSession) {
-		session = existingSession;
-	} else {
-		session = await mongoose.startSession();
-		session.startTransaction();
-	}
+	const workspace = await Workspace.findByIdAndDelete(workspaceId);
 	
-	try {
-		const workspace = await Workspace.findByIdAndDelete(workspaceId, { session });
-		
-		if (!workspace) throw ResourceNotFoundError();
-		
-		await Membership.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
-		
-		await Key.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
-		
-		await Bot.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	if (!workspace) throw ResourceNotFoundError();
+	
+	await Membership.deleteMany({
+		workspace: workspace._id
+	});
+	
+	await Key.deleteMany({
+		workspace: workspace._id
+	});
+	
+	await Bot.deleteMany({
+		workspace: workspace._id
+	});

-		await BotKey.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await BotKey.deleteMany({
+		workspace: workspace._id
+	});

-		await SecretBlindIndexData.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await SecretBlindIndexData.deleteMany({
+		workspace: workspace._id
+	});

-		await Secret.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
-		
-		await SecretVersion.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await Secret.deleteMany({
+		workspace: workspace._id
+	});
+	
+	await SecretVersion.deleteMany({
+		workspace: workspace._id
+	});

-		await SecretSnapshot.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await SecretSnapshot.deleteMany({
+		workspace: workspace._id
+	});

-		await SecretImport.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await SecretImport.deleteMany({
+		workspace: workspace._id
+	});

-		await Folder.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await Folder.deleteMany({
+		workspace: workspace._id
+	});

-		await FolderVersion.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await FolderVersion.deleteMany({
+		workspace: workspace._id
+	});

-		await Webhook.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await Webhook.deleteMany({
+		workspace: workspace._id
+	});

-		await TrustedIP.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await TrustedIP.deleteMany({
+		workspace: workspace._id
+	});

-		await Tag.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await Tag.deleteMany({
+		workspace: workspace._id
+	});

-		await IntegrationAuth.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await IntegrationAuth.deleteMany({
+		workspace: workspace._id
+	});

-		await Integration.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await Integration.deleteMany({
+		workspace: workspace._id
+	});

-		await ServiceToken.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await ServiceToken.deleteMany({
+		workspace: workspace._id
+	});

-		await ServiceTokenData.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await ServiceTokenData.deleteMany({
+		workspace: workspace._id
+	});

-		await ServiceTokenDataV3.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await ServiceTokenDataV3.deleteMany({
+		workspace: workspace._id
+	});

-		await ServiceTokenDataV3Key.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await ServiceTokenDataV3Key.deleteMany({
+		workspace: workspace._id
+	});

-		await AuditLog.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await AuditLog.deleteMany({
+		workspace: workspace._id
+	});

-		await Log.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await Log.deleteMany({
+		workspace: workspace._id
+	});

-		await Action.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await Action.deleteMany({
+		workspace: workspace._id
+	});

-		await SecretApprovalPolicy.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
+	await SecretApprovalPolicy.deleteMany({
+		workspace: workspace._id
+	});

-		await SecretApprovalRequest.deleteMany({
-			workspace: workspace._id
-		}, {
-			session
-		});
-		
-		return workspace;
-	} catch (err) {
-		if (!existingSession) {
-			await session.abortTransaction();
-		}
-		throw InternalServerError({
-			message: "Failed to delete organization"
-		});
-	} finally {
-		if (!existingSession) {
-			await session.commitTransaction();
-			session.endSession();
-		}
-	}
+	await SecretApprovalRequest.deleteMany({
+		workspace: workspace._id
+	});
+	
+	return workspace;
 };
--- a/backend/src/index.ts
+++ b/backend/src/index.ts
@ -5,6 +5,8 @@ import express from "express";
 require("express-async-errors");
 import helmet from "helmet";
 import cors from "cors";
+import { logger } from "./utils/logging";
+import httpLogger from "pino-http";
 import { DatabaseService } from "./services";
 import { EELicenseService, GithubSecretScanningService } from "./ee/services";
 import { setUpHealthEndpoint } from "./services/health";
@ -25,8 +27,10 @@ import {
  users as eeUsersRouter,
  workspace as eeWorkspaceRouter,
  roles as v1RoleRouter,
-  secretApprovalPolicy as v1SecretApprovalPolicy,
-  secretApprovalRequest as v1SecretApprovalRequest,
+  secretApprovalPolicy as v1SecretApprovalPolicyRouter,
+  secretApprovalRequest as v1SecretApprovalRequestRouter,
+  secretRotation as v1SecretRotation,
+  secretRotationProvider as v1SecretRotationProviderRouter,
  secretScanning as v1SecretScanningRouter
 } from "./ee/routes/v1";
 import { apiKeyData as v3apiKeyDataRouter } from "./ee/routes/v3";
@ -73,7 +77,7 @@ import {
  workspaces as v3WorkspacesRouter
 } from "./routes/v3";
 import { healthCheck } from "./routes/status";
-import { getLogger } from "./utils/logger";
+// import { getLogger } from "./utils/logger";
 import { RouteNotFoundError } from "./utils/errors";
 import { requestErrorHandler } from "./middleware/requestErrorHandler";
 import {
@ -94,12 +98,20 @@ import path from "path";
 let handler: null | any = null;

 const main = async () => {
+  const port = await getPort();
+
  await setup();

  await EELicenseService.initGlobalFeatureSet();

  const app = express();
  app.enable("trust proxy");
+  
+  app.use(httpLogger({
+    logger,
+    autoLogging: false
+  }));
+
  app.use(express.json());
  app.use(express.urlencoded({ extended: false }));
  app.use(cookieParser());
@ -164,7 +176,7 @@ const main = async () => {
    const nextApp = new NextServer({
      dev: false,
      dir: nextJsBuildPath,
-      port: await getPort(),
+      port,
      conf,
      hostname: "local",
      customServer: false
@ -184,6 +196,8 @@ const main = async () => {
  app.use("/api/v1/cloud-products", eeCloudProductsRouter);
  app.use("/api/v3/api-key", v3apiKeyDataRouter); // new
  app.use("/api/v3/service-token", v3ServiceTokenDataRouter); // new
+  app.use("/api/v1/secret-rotation-providers", v1SecretRotationProviderRouter);
+  app.use("/api/v1/secret-rotations", v1SecretRotation);

  // v1 routes
  app.use("/api/v1/signup", v1SignupRouter);
@ -207,9 +221,9 @@ const main = async () => {
  app.use("/api/v1/webhooks", v1WebhooksRouter);
  app.use("/api/v1/secret-imports", v1SecretImpsRouter);
  app.use("/api/v1/roles", v1RoleRouter);
-  app.use("/api/v1/secret-approvals", v1SecretApprovalPolicy);
+  app.use("/api/v1/secret-approvals", v1SecretApprovalPolicyRouter);
  app.use("/api/v1/sso", v1SSORouter);
-  app.use("/api/v1/secret-approval-requests", v1SecretApprovalRequest);
+  app.use("/api/v1/secret-approval-requests", v1SecretApprovalRequestRouter);

  // v2 routes (improvements)
  app.use("/api/v2/signup", v2SignupRouter);
@ -255,8 +269,8 @@ const main = async () => {

  app.use(requestErrorHandler);

-  const server = app.listen(await getPort(), async () => {
-    (await getLogger("backend-main")).info(`Server started listening at port ${await getPort()}`);
+  const server = app.listen(port, async () => {
+    logger.info(`Server started listening at port ${port}`);
  });

  // await createTestUserForDevelopment();
--- a/backend/src/integrations/apps.ts
+++ b/backend/src/integrations/apps.ts
@ -911,7 +911,7 @@ const getAppsSupabase = async ({ accessToken }: { accessToken: string }) => {
 };

 /**
- * Return list of projects for the Checkly integration
+ * Return list of accounts for the Checkly integration
 * @param {Object} obj
 * @param {String} obj.accessToken - api key for the Checkly API
 * @returns {Object[]} apps - Сheckly accounts
--- a/backend/src/integrations/sync.ts
+++ b/backend/src/integrations/sync.ts
@ -2104,7 +2104,7 @@ const syncSecretsSupabase = async ({
 };

 /**
- * Sync/push [secrets] to Checkly app
+ * Sync/push [secrets] to Checkly app/group
 * @param {Object} obj
 * @param {IIntegration} obj.integration - integration details
 * @param {Object} obj.secrets - secrets to push to integration (object where keys are secret keys and values are secret values)
@ -2121,94 +2121,154 @@ const syncSecretsCheckly = async ({
  accessToken: string;
  appendices?: { prefix: string; suffix: string };
 }) => {
-  let getSecretsRes = (
-    await standardRequest.get(`${INTEGRATION_CHECKLY_API_URL}/v1/variables`, {
-      headers: {
-        Authorization: `Bearer ${accessToken}`,
-        "Accept-Encoding": "application/json",
-        "X-Checkly-Account": integration.appId
-      }
-    })
-  ).data.reduce(
-    (obj: any, secret: any) => ({
-      ...obj,
-      [secret.key]: secret.value
-    }),
-    {}
-  );

-  getSecretsRes = Object.keys(getSecretsRes).reduce(
-    (
-      result: {
-        [key: string]: string;
-      },
-      key
-    ) => {
-      if (
-        (appendices?.prefix !== undefined ? key.startsWith(appendices?.prefix) : true) &&
-        (appendices?.suffix !== undefined ? key.endsWith(appendices?.suffix) : true)
-      ) {
-        result[key] = getSecretsRes[key];
-      }
-      return result;
-    },
-    {}
-  );
+  if (integration.targetServiceId) {
+    // sync secrets to checkly group envars

-  // add secrets
-  for await (const key of Object.keys(secrets)) {
-    if (!(key in getSecretsRes)) {
-      // case: secret does not exist in checkly
-      // -> add secret
-      await standardRequest.post(
-        `${INTEGRATION_CHECKLY_API_URL}/v1/variables`,
-        {
-          key,
-          value: secrets[key].value
+    let getGroupSecretsRes = (
+      await standardRequest.get(`${INTEGRATION_CHECKLY_API_URL}/v1/check-groups/${integration.targetServiceId}`, {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          Accept: "application/json",
+          "X-Checkly-Account": integration.appId
+        }
+      })
+    ).data.environmentVariables.reduce(
+      (obj: any, secret: any) => ({
+        ...obj,
+        [secret.key]: secret.value
+      }),
+      {}
+    );
+
+    getGroupSecretsRes = Object.keys(getGroupSecretsRes).reduce(
+      (
+        result: {
+          [key: string]: string;
        },
-        {
-          headers: {
-            Authorization: `Bearer ${accessToken}`,
-            Accept: "application/json",
-            "Content-Type": "application/json",
-            "X-Checkly-Account": integration.appId
-          }
+        key
+      ) => {
+        if (
+          (appendices?.prefix !== undefined ? key.startsWith(appendices?.prefix) : true) &&
+          (appendices?.suffix !== undefined ? key.endsWith(appendices?.suffix) : true)
+        ) {
+          result[key] = getGroupSecretsRes[key];
        }
-      );
-    } else {
-      // case: secret exists in checkly
-      // -> update/set secret
+        return result;
+      },
+      {}
+    );

-      if (secrets[key] !== getSecretsRes[key]) {
-        await standardRequest.put(
-          `${INTEGRATION_CHECKLY_API_URL}/v1/variables/${key}`,
+    const groupEnvironmentVariables = Object.keys(secrets).map(key => ({
+      key,
+      value: secrets[key].value
+    }));
+
+    await standardRequest.put(
+      `${INTEGRATION_CHECKLY_API_URL}/v1/check-groups/${integration.targetServiceId}`,
+      {
+        environmentVariables: groupEnvironmentVariables
+      },
+      {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          Accept: "application/json",
+          "X-Checkly-Account": integration.appId
+        }
+      }
+    );
+  } else {
+    // sync secrets to checkly global envars
+    
+    let getSecretsRes = (
+      await standardRequest.get(`${INTEGRATION_CHECKLY_API_URL}/v1/variables`, {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          "Accept-Encoding": "application/json",
+          "X-Checkly-Account": integration.appId
+        }
+      })
+    ).data.reduce(
+      (obj: any, secret: any) => ({
+        ...obj,
+        [secret.key]: secret.value
+      }),
+      {}
+    );
+  
+    getSecretsRes = Object.keys(getSecretsRes).reduce(
+      (
+        result: {
+          [key: string]: string;
+        },
+        key
+      ) => {
+        if (
+          (appendices?.prefix !== undefined ? key.startsWith(appendices?.prefix) : true) &&
+          (appendices?.suffix !== undefined ? key.endsWith(appendices?.suffix) : true)
+        ) {
+          result[key] = getSecretsRes[key];
+        }
+        return result;
+      },
+      {}
+    );
+  
+    // add secrets
+    for await (const key of Object.keys(secrets)) {
+      if (!(key in getSecretsRes)) {
+        // case: secret does not exist in checkly
+        // -> add secret
+        await standardRequest.post(
+          `${INTEGRATION_CHECKLY_API_URL}/v1/variables`,
          {
+            key,
            value: secrets[key].value
          },
          {
            headers: {
              Authorization: `Bearer ${accessToken}`,
-              "Content-Type": "application/json",
              Accept: "application/json",
+              "Content-Type": "application/json",
              "X-Checkly-Account": integration.appId
            }
          }
        );
-      }
-    }
-  }
-
-  for await (const key of Object.keys(getSecretsRes)) {
-    if (!(key in secrets)) {
-      // delete secret
-      await standardRequest.delete(`${INTEGRATION_CHECKLY_API_URL}/v1/variables/${key}`, {
-        headers: {
-          Authorization: `Bearer ${accessToken}`,
-          Accept: "application/json",
-          "X-Checkly-Account": integration.appId
+      } else {
+        // case: secret exists in checkly
+        // -> update/set secret
+  
+        if (secrets[key] !== getSecretsRes[key]) {
+          await standardRequest.put(
+            `${INTEGRATION_CHECKLY_API_URL}/v1/variables/${key}`,
+            {
+              value: secrets[key].value
+            },
+            {
+              headers: {
+                Authorization: `Bearer ${accessToken}`,
+                "Content-Type": "application/json",
+                Accept: "application/json",
+                "X-Checkly-Account": integration.appId
+              }
+            }
+          );
        }
-      });
+      }
    }
+  
+    for await (const key of Object.keys(getSecretsRes)) {
+      if (!(key in secrets)) {
+        // delete secret
+        await standardRequest.delete(`${INTEGRATION_CHECKLY_API_URL}/v1/variables/${key}`, {
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+            Accept: "application/json",
+            "X-Checkly-Account": integration.appId
+          }
+        });
+      }
+    }  
  }
 };

--- a/backend/src/interfaces/middleware/index.ts
+++ b/backend/src/interfaces/middleware/index.ts
@ -1,39 +1,27 @@
 import { Types } from "mongoose";
-import {
-    IServiceTokenData,
-    IServiceTokenDataV3,
-    IUser,
-} from "../../models";
-import { 
-    ServiceActor,
-    ServiceActorV3,
-    UserActor,
-    UserAgentType
-} from "../../ee/models";
+import { IServiceTokenData, IServiceTokenDataV3, IUser } from "../../models";
+import { ServiceActor, ServiceActorV3, UserActor, UserAgentType } from "../../ee/models";

 interface BaseAuthData {
-    ipAddress: string;
-    userAgent: string;
-    userAgentType: UserAgentType;
-    tokenVersionId?: Types.ObjectId;
+  ipAddress: string;
+  userAgent: string;
+  userAgentType: UserAgentType;
+  tokenVersionId?: Types.ObjectId;
 }

 export interface UserAuthData extends BaseAuthData {
-    actor: UserActor;
-    authPayload: IUser;
+  actor: UserActor;
+  authPayload: IUser;
 }

 export interface ServiceTokenV3AuthData extends BaseAuthData {
-    actor: ServiceActorV3;
-    authPayload: IServiceTokenDataV3;
+  actor: ServiceActorV3;
+  authPayload: IServiceTokenDataV3;
 }

 export interface ServiceTokenAuthData extends BaseAuthData {
-    actor: ServiceActor;
-    authPayload: IServiceTokenData;
+  actor: ServiceActor;
+  authPayload: IServiceTokenData;
 }

-export type AuthData =
-    | UserAuthData
-    | ServiceTokenV3AuthData
-    | ServiceTokenAuthData;
+export type AuthData = UserAuthData | ServiceTokenV3AuthData | ServiceTokenAuthData;
--- a/backend/src/interfaces/services/SecretService/index.ts
+++ b/backend/src/interfaces/services/SecretService/index.ts
@ -26,7 +26,6 @@ export interface CreateSecretParams {
 export interface GetSecretsParams {
  workspaceId: Types.ObjectId;
  environment: string;
-  folderId?: string;
  secretPath: string;
  authData: AuthData;
 }
--- a/backend/src/middleware/requestErrorHandler.ts
+++ b/backend/src/middleware/requestErrorHandler.ts
@ -2,49 +2,45 @@ import * as Sentry from "@sentry/node";
 import { ErrorRequestHandler } from "express";
 import { TokenExpiredError } from "jsonwebtoken";
 import { InternalServerError, UnauthorizedRequestError } from "../utils/errors";
-import { getLogger } from "../utils/logger";
-import RequestError from "../utils/requestError";
+import { logger } from "../utils/logging";
+import RequestError, { mapToPinoLogLevel } from "../utils/requestError";
 import { ForbiddenError } from "@casl/ability";

 export const requestErrorHandler: ErrorRequestHandler = async (
-  error: RequestError | Error,
+  err: RequestError | Error,
  req,
  res,
  next
 ) => {
  if (res.headersSent) return next();

-  const logAndCaptureException = async (error: RequestError) => {
-    (await getLogger("backend-main")).log(
-      (<RequestError>error).levelName.toLowerCase(),
-      `${error.stack}\n${error.message}`
-    );
-
-    //* Set Sentry user identification if req.user is populated
-    if (req.user !== undefined && req.user !== null) {
-      Sentry.setUser({ email: (req.user as any).email });
-    }
-
-    Sentry.captureException(error);
-  };
+  let error: RequestError;
+  
+  switch (true) {
+    case err instanceof TokenExpiredError:
+      error = UnauthorizedRequestError({ stack: err.stack, message: "Token expired" });
+      break;
+    case err instanceof ForbiddenError:
+      error = UnauthorizedRequestError({ context: { exception: err.message }, stack: err.stack })
+      break;
+    case err instanceof RequestError:
+      error = err as RequestError;
+      break;
+    default:
+      error = InternalServerError({ context: { exception: err.message }, stack: err.stack });
+      break;
+  }

-  if (error instanceof RequestError) {
-    if (error instanceof TokenExpiredError) {
-      error = UnauthorizedRequestError({ stack: error.stack, message: "Token expired" });
-    }
-    await logAndCaptureException((<RequestError>error));
-  } else {
-    if (error instanceof ForbiddenError) {
-      error = UnauthorizedRequestError({ context: { exception: error.message }, stack: error.stack })
-    } else {
-      error = InternalServerError({ context: { exception: error.message }, stack: error.stack });
-    }
+  logger[mapToPinoLogLevel(error.level)](error);

-    await logAndCaptureException((<RequestError>error));
+  if (req.user) {
+    Sentry.setUser({ email: (req.user as any).email });
  }

+  Sentry.captureException(error);
+
  delete (<any>error).stacktrace // remove stack trace from being sent to client
-  res.status((<RequestError>error).statusCode).json(error);
+  res.status((<RequestError>error).statusCode).json(error); // revise json part here

  next();
 };
--- a/backend/src/middleware/requireAuth.ts
+++ b/backend/src/middleware/requireAuth.ts
@ -1,14 +1,9 @@
 import jwt from "jsonwebtoken";
 import { NextFunction, Request, Response } from "express";
-import {
-	getAuthAPIKeyPayload,
-	getAuthSTDPayload,
-	getAuthSTDV3Payload,
-	getAuthUserPayload,
-	validateAuthMode,
-} from "../helpers/auth";
 import { AuthMode } from "../variables";
 import { AuthData } from "../interfaces/middleware";
+import { extractAuthMode, getAuthData } from "../utils/authn/helpers";
+import { UnauthorizedRequestError } from "../utils/errors";

 declare module "jsonwebtoken" {
 	export interface UserIDJwtPayload extends jwt.JwtPayload {
@ -32,42 +27,39 @@ const requireAuth = ({
 	acceptedAuthModes: AuthMode[];
 }) => {
 	return async (req: Request, res: Response, next: NextFunction) => {
+		
+		// extract auth mode
+		const { authMode, authTokenValue } = await extractAuthMode({
+			headers: req.headers
+		});

-		// validate auth token against accepted auth modes [acceptedAuthModes]
-		// and return token type [authTokenType] and value [authTokenValue]
-		const { authMode, authTokenValue } = validateAuthMode({
-			headers: req.headers,
-			acceptedAuthModes,
+		// validate auth mode
+		if (!acceptedAuthModes.includes(authMode)) throw UnauthorizedRequestError({
+			message: "Failed to authenticate unaccepted authentication mode"
 		});
 		
-		let authData: AuthData;
+		// get auth data / payload
+		const authData: AuthData = await getAuthData({
+			authMode,
+			authTokenValue,
+			ipAddress: req.realIP,
+			userAgent: req.headers["user-agent"] ?? ""
+		});
 		
 		switch (authMode) {
 			case AuthMode.SERVICE_TOKEN:
-				authData = await getAuthSTDPayload({
-					req,
-					authTokenValue,
-				});
 				req.serviceTokenData = authData.authPayload;
 				break;
-			case AuthMode.SERVICE_TOKEN_V3:
-				authData = await getAuthSTDV3Payload({
-					req,
-					authTokenValue
-				});
+			case AuthMode.SERVICE_ACCESS_TOKEN:
+				req.serviceTokenData = authData.authPayload;
 				break;
 			case AuthMode.API_KEY:
-				authData = await getAuthAPIKeyPayload({
-					req,
-					authTokenValue
-				});
+				req.user = authData.authPayload;
+				break;
+			case AuthMode.API_KEY_V2:
 				req.user = authData.authPayload;
 				break;
 			case AuthMode.JWT:
-				authData = await getAuthUserPayload({
-					req,
-					authTokenValue
-				});
 				req.user = authData.authPayload;
 				break;
 		}
--- a/backend/src/models/serviceTokenDataV3.ts
+++ b/backend/src/models/serviceTokenDataV3.ts
@ -25,9 +25,14 @@ export interface IServiceTokenDataV3 extends Document {
    user: Types.ObjectId;
    publicKey: string;
    isActive: boolean;
-    lastUsed?: Date;
-    usageCount: number;
+    refreshTokenLastUsed?: Date;
+    accessTokenLastUsed?: Date;
+    refreshTokenUsageCount: number;
+    accessTokenUsageCount: number;
+    tokenVersion: number;
+    isRefreshTokenRotationEnabled: boolean;
    expiresAt?: Date;
+    accessTokenTTL: number;
    scopes: Array<IServiceTokenV3Scope>;
    trustedIps: Array<IServiceTokenV3TrustedIp>;
 }
@ -57,19 +62,43 @@ const serviceTokenDataV3Schema = new Schema(
            default: true,
            required: true
        },
-        lastUsed: {
+        refreshTokenLastUsed: {
            type: Date,
            required: false
        },
-        usageCount: {
+        accessTokenLastUsed: {
+            type: Date,
+            required: false
+        },
+        refreshTokenUsageCount: {
+            type: Number,
+            default: 0,
+            required: true
+        },
+        accessTokenUsageCount: {
            type: Number,
            default: 0,
            required: true
        },
-        expiresAt: {
+        tokenVersion: {
+            type: Number,
+            default: 1,
+            required: true
+        },
+        isRefreshTokenRotationEnabled: {
+            type: Boolean,
+            default: false,
+            required: true
+        },
+        expiresAt: { // consider revising field name
            type: Date,
            required: false,
-            expires: 0
+            // expires: 0
+        },
+        accessTokenTTL: { // seconds
+            type: Number,
+            default: 7200,
+            required: true
        },
        scopes: {
            type: [
--- a/backend/src/routes/v1/integrationAuth.ts
+++ b/backend/src/routes/v1/integrationAuth.ts
@ -60,6 +60,14 @@ router.get(
  integrationAuthController.getIntegrationAuthVercelBranches
 );

+router.get(
+  "/:integrationAuthId/checkly/groups",
+  requireAuth({
+    acceptedAuthModes: [AuthMode.JWT]
+  }),
+  integrationAuthController.getIntegrationAuthChecklyGroups
+);
+
 router.get(
  "/:integrationAuthId/qovery/orgs",
  requireAuth({
--- a/backend/src/routes/v3/secrets.ts
+++ b/backend/src/routes/v3/secrets.ts
@ -7,7 +7,7 @@ import { AuthMode } from "../../variables";
 router.get(
  "/raw",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_TOKEN_V3]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_ACCESS_TOKEN]
  }),
  secretsController.getSecretsRaw
 );
@ -15,7 +15,7 @@ router.get(
 router.get(
  "/raw/:secretName",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_TOKEN_V3]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_ACCESS_TOKEN]
  }),
  requireBlindIndicesEnabled({
    locationWorkspaceId: "query"
@ -29,7 +29,7 @@ router.get(
 router.post(
  "/raw/:secretName",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_TOKEN_V3]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_ACCESS_TOKEN]
  }),
  requireBlindIndicesEnabled({
    locationWorkspaceId: "body"
@ -43,7 +43,7 @@ router.post(
 router.patch(
  "/raw/:secretName",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_TOKEN_V3]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_ACCESS_TOKEN]
  }),
  requireBlindIndicesEnabled({
    locationWorkspaceId: "body"
@ -57,7 +57,7 @@ router.patch(
 router.delete(
  "/raw/:secretName",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_TOKEN_V3]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_ACCESS_TOKEN]
  }),
  requireBlindIndicesEnabled({
    locationWorkspaceId: "body"
@ -71,7 +71,7 @@ router.delete(
 router.get(
  "/",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_TOKEN_V3]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_ACCESS_TOKEN]
  }),
  requireBlindIndicesEnabled({
    locationWorkspaceId: "query"
@ -83,7 +83,7 @@ router.get(
 router.post(
  "/batch",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN]
  }),
  requireBlindIndicesEnabled({
    locationWorkspaceId: "body"
@ -94,7 +94,7 @@ router.post(
 router.patch(
  "/batch",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN]
  }),
  requireBlindIndicesEnabled({
    locationWorkspaceId: "body"
@ -105,7 +105,7 @@ router.patch(
 router.delete(
  "/batch",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN]
  }),
  requireBlindIndicesEnabled({
    locationWorkspaceId: "body"
@ -116,7 +116,7 @@ router.delete(
 router.post(
  "/:secretName",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_TOKEN_V3]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_ACCESS_TOKEN]
  }),
  requireBlindIndicesEnabled({
    locationWorkspaceId: "body"
@ -127,7 +127,7 @@ router.post(
 router.get(
  "/:secretName",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_TOKEN_V3]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_ACCESS_TOKEN]
  }),
  requireBlindIndicesEnabled({
    locationWorkspaceId: "query"
@ -138,7 +138,7 @@ router.get(
 router.patch(
  "/:secretName",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_TOKEN_V3]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_ACCESS_TOKEN]
  }),
  requireBlindIndicesEnabled({
    locationWorkspaceId: "body"
@ -149,7 +149,7 @@ router.patch(
 router.delete(
  "/:secretName",
  requireAuth({
-    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_TOKEN_V3]
+    acceptedAuthModes: [AuthMode.JWT, AuthMode.API_KEY, AuthMode.API_KEY_V2, AuthMode.SERVICE_TOKEN, AuthMode.SERVICE_ACCESS_TOKEN]
  }),
  requireBlindIndicesEnabled({
    locationWorkspaceId: "body"
--- a/backend/src/services/RedisService.ts
+++ b/backend/src/services/RedisService.ts
@ -1,11 +1,12 @@
 import Redis, { Redis as TRedis } from "ioredis";
+import { logger } from "../utils/logging";

 let redisClient: TRedis | null;

 if (process.env.REDIS_URL) {
  redisClient = new Redis(process.env.REDIS_URL as string);
 } else {
-  console.warn("Redis URL not set, skipping Redis initialization.");
+  logger.warn("Redis URL not set, skipping Redis initialization.");
  redisClient = null;
 }

--- a/backend/src/services/TelemetryService.ts
+++ b/backend/src/services/TelemetryService.ts
@ -1,5 +1,5 @@
 import { PostHog } from "posthog-node";
-import { getLogger } from "../utils/logger";
+import { logger } from "../utils/logging";
 import { AuthData } from "../interfaces/middleware";
 import {
  getNodeEnv,
@ -22,13 +22,13 @@ class Telemetry {
   * Logs telemetry enable/disable notice.
   */
  static logTelemetryMessage = async () => {
+
    if(!(await getTelemetryEnabled())){
-      (await getLogger("backend-main")).info([
-        "",
+      [
        "To improve, Infisical collects telemetry data about general usage.",
        "This helps us understand how the product is doing and guide our product development to create the best possible platform; it also helps us demonstrate growth as we support Infisical as open-source software.",
        "To opt into telemetry, you can set `TELEMETRY_ENABLED=true` within the environment variables.",
-      ].join("\n"))
+      ].forEach(line => logger.info(line));
    }
  }

--- a/backend/src/services/health.ts
+++ b/backend/src/services/health.ts
@ -1,10 +1,10 @@
 import mongoose from "mongoose";
 import { createTerminus } from "@godaddy/terminus";
-import { getLogger } from "../utils/logger";
+import { logger } from "../utils/logging";

 export const setUpHealthEndpoint = <T>(server: T) => {
  const onSignal = async () => {
-    (await getLogger("backend-main")).info("Server is starting clean-up");
+    logger.info("Server is starting clean-up");
    return Promise.all([
      new Promise((resolve) => {
        if (mongoose.connection && mongoose.connection.readyState == 1) {
--- a/backend/src/services/smtp.ts
+++ b/backend/src/services/smtp.ts
@ -16,7 +16,7 @@ import {
  getSmtpSecure,
  getSmtpUsername,
 } from "../config";
-import { getLogger } from "../utils/logger";
+import { logger } from "../utils/logging";

 export const initSmtp = async () => {
  const mailOpts: SMTPConnection.Options = {
@ -84,15 +84,14 @@ export const initSmtp = async () => {
    .then(async () => {
      Sentry.setUser(null);
      Sentry.captureMessage("SMTP - Successfully connected");
-      (await getLogger("backend-main")).info(
-        "SMTP - Successfully connected"
-      );
+      logger.info("SMTP - Successfully connected");
    })
    .catch(async (err) => {
      Sentry.setUser(null);
      Sentry.captureException(
        `SMTP - Failed to connect to ${await getSmtpHost()}:${await getSmtpPort()} \n\t${err}`
      );
+      logger.error(err, `SMTP - Failed to connect to ${await getSmtpHost()}:${await getSmtpPort()}`);
    });

  return transporter;
--- a/backend/src/utils/auth.ts
+++ b/backend/src/utils/auth.ts
@ -1,435 +0,0 @@
-import express from "express";
-import passport from "passport";
-import { Types } from "mongoose";
-import { AuthData } from "../interfaces/middleware";
-import {
-  AuthMethod,
-  MembershipOrg,
-  Organization,
-  ServiceAccount,
-  ServiceTokenData,
-  ServiceTokenDataV3,
-  User
-} from "../models";
-import { createToken } from "../helpers/auth";
-import {
-  getAuthSecret,
-  getClientIdGitHubLogin,
-  getClientIdGitLabLogin,
-  getClientIdGoogleLogin,
-  getClientSecretGitHubLogin,
-  getClientSecretGitLabLogin,
-  getClientSecretGoogleLogin,
-  getJwtProviderAuthLifetime,
-  getSiteURL,
-  getUrlGitLabLogin
-} from "../config";
-import { getSSOConfigHelper } from "../ee/helpers/organizations";
-import { InternalServerError, OrganizationNotFoundError } from "./errors";
-import { ACCEPTED, AuthTokenType, INTEGRATION_GITHUB_API_URL, INVITED, MEMBER } from "../variables";
-import { standardRequest } from "../config/request";
-
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const GoogleStrategy = require("passport-google-oauth20").Strategy;
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const GitHubStrategy = require("passport-github").Strategy;
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const GitLabStrategy = require("passport-gitlab2").Strategy;
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const { MultiSamlStrategy } = require("@node-saml/passport-saml");
-
-/**
- * Returns an object containing the id of the authentication data payload
- * @param {AuthData} authData - authentication data object
- * @returns 
- */
-const getAuthDataPayloadIdObj = (authData: AuthData) => {
-  if (authData.authPayload instanceof User) {
-    return { userId: authData.authPayload._id };
-  }
-
-  if (authData.authPayload instanceof ServiceAccount) {
-    return { serviceAccountId: authData.authPayload._id };
-  }
-
-  if (authData.authPayload instanceof ServiceTokenData) {
-    return { serviceTokenDataId: authData.authPayload._id };
-  }
-
-  if (authData.authPayload instanceof ServiceTokenDataV3) {
-    return { serviceTokenDataId: authData.authPayload._id };
-  }
-};
-
-/**
- * Returns an object containing the user associated with the authentication data payload
- * @param {AuthData} authData - authentication data object
- * @returns 
- */
-const getAuthDataPayloadUserObj = (authData: AuthData) => {
-  if (authData.authPayload instanceof User) {
-    return { user: authData.authPayload._id };
-  }
-
-  if (authData.authPayload instanceof ServiceAccount) {
-    return { user: authData.authPayload.user };
-  }
-
-  if (authData.authPayload instanceof ServiceTokenData) {
-    return { user: authData.authPayload.user };
-  }
-  
-  if (authData.authPayload instanceof ServiceTokenDataV3) {
-    return { user: authData.authPayload.user };
-  }
-}
-
-const initializePassport = async () => {
-  const clientIdGoogleLogin = await getClientIdGoogleLogin();
-  const clientSecretGoogleLogin = await getClientSecretGoogleLogin();
-  const clientIdGitHubLogin = await getClientIdGitHubLogin();
-  const clientSecretGitHubLogin = await getClientSecretGitHubLogin();
-  const urlGitLab = await getUrlGitLabLogin();
-  const clientIdGitLabLogin = await getClientIdGitLabLogin();
-  const clientSecretGitLabLogin = await getClientSecretGitLabLogin();
-
-  if (clientIdGoogleLogin && clientSecretGoogleLogin) {
-    passport.use(new GoogleStrategy({
-      passReqToCallback: true,
-      clientID: clientIdGoogleLogin,
-      clientSecret: clientSecretGoogleLogin,
-      callbackURL: "/api/v1/sso/google",
-      scope: ["profile", " email"],
-    }, async (
-      req: express.Request,
-      accessToken: string,
-      refreshToken: string,
-      profile: any,
-      done: any
-    ) => {
-      try {
-        const email = profile.emails[0].value;
-        
-        let user = await User.findOne({
-          email
-        }).select("+publicKey");
-        
-        if (!user) {
-          user = await new User({
-            email,
-            authMethods: [AuthMethod.GOOGLE],
-            firstName: profile.name.givenName,
-            lastName: profile.name.familyName
-          }).save();
-        }
-
-        let isLinkingRequired = false;
-        if (!user.authMethods.includes(AuthMethod.GOOGLE)) {
-          isLinkingRequired = true;
-        }
-
-        const isUserCompleted = !!user.publicKey;
-        const providerAuthToken = createToken({
-          payload: {
-            authTokenType: AuthTokenType.PROVIDER_TOKEN,
-            userId: user._id.toString(),
-            email: user.email,
-            firstName: user.firstName,
-            lastName: user.lastName,
-            authMethod: AuthMethod.GOOGLE,
-            isUserCompleted,
-            isLinkingRequired,
-            ...(req.query.state ? {
-              callbackPort: req.query.state as string
-            } : {})
-          },
-          expiresIn: await getJwtProviderAuthLifetime(),
-          secret: await getAuthSecret(),
-        });
-
-        req.isUserCompleted = isUserCompleted;
-        req.providerAuthToken = providerAuthToken;
-        done(null, profile);
-      } catch (err) {
-        done(null, false);
-      }
-    }));
-  }
-
-  if (clientIdGitHubLogin && clientSecretGitHubLogin) {
-    passport.use(new GitHubStrategy({
-      passReqToCallback: true,
-      clientID: clientIdGitHubLogin,
-      clientSecret: clientSecretGitHubLogin,
-      callbackURL: "/api/v1/sso/github",
-      scope: ["user:email"]
-    },
-    async (req : express.Request, accessToken : any, refreshToken : any, profile : any, done : any) => {
-      interface GitHubEmail {
-        email: string;
-        primary: boolean;
-        verified: boolean;
-        visibility: null | string;
-      }
-      
-      const { data }: { data: GitHubEmail[] } = await standardRequest.get(
-        `${INTEGRATION_GITHUB_API_URL}/user/emails`,
-        {
-          headers: {
-            Authorization: `Bearer ${accessToken}`
-          }
-        }
-      );
-      
-      const primaryEmail = data.filter((gitHubEmail: GitHubEmail) => gitHubEmail.primary)[0];
-      const email = primaryEmail.email;
-      
-      let user = await User.findOne({
-        email
-      }).select("+publicKey");
-
-      if (!user) {
-        user = await new User({
-          email: email,
-          authMethods: [AuthMethod.GITHUB],
-          firstName: profile.displayName,
-          lastName: ""
-        }).save();
-      }
-      
-      let isLinkingRequired = false;
-      if (!user.authMethods.includes(AuthMethod.GITHUB)) {
-        isLinkingRequired = true;
-      }
-
-      const isUserCompleted = !!user.publicKey;
-      const providerAuthToken = createToken({
-        payload: {
-          authTokenType: AuthTokenType.PROVIDER_TOKEN,
-          userId: user._id.toString(),
-          email: user.email,
-          firstName: user.firstName,
-          lastName: user.lastName,
-          authMethod: AuthMethod.GITHUB,
-          isUserCompleted,
-          isLinkingRequired,
-          ...(req.query.state ? {
-            callbackPort: req.query.state as string
-          } : {})
-        },
-        expiresIn: await getJwtProviderAuthLifetime(),
-        secret: await getAuthSecret(),
-      });
-
-      req.isUserCompleted = isUserCompleted;
-      req.providerAuthToken = providerAuthToken;
-      return done(null, profile);
-    }
-    ));
-  }
-
-  if (urlGitLab && clientIdGitLabLogin && clientSecretGitLabLogin) {
-    passport.use(new GitLabStrategy({
-      passReqToCallback: true,
-      clientID: clientIdGitLabLogin,
-      clientSecret: clientSecretGitLabLogin,
-      callbackURL: "/api/v1/sso/gitlab",
-      baseURL: urlGitLab
-    },
-    async (req : express.Request, accessToken : any, refreshToken : any, profile : any, done : any) => {
-      const email = profile.emails[0].value;
-      
-      let user = await User.findOne({
-        email
-      }).select("+publicKey");
-
-      if (!user) {
-        user = await new User({
-          email: email,
-          authMethods: [AuthMethod.GITLAB],
-          firstName: profile.displayName,
-          lastName: ""
-        }).save();
-      }
-      
-      let isLinkingRequired = false;
-      if (!user.authMethods.includes(AuthMethod.GITLAB)) {
-        isLinkingRequired = true;
-      }
-
-      const isUserCompleted = !!user.publicKey;
-      const providerAuthToken = createToken({
-        payload: {
-          authTokenType: AuthTokenType.PROVIDER_TOKEN,
-          userId: user._id.toString(),
-          email: user.email,
-          firstName: user.firstName,
-          lastName: user.lastName,
-          authMethod: AuthMethod.GITLAB,
-          isUserCompleted,
-          isLinkingRequired,
-          ...(req.query.state ? {
-            callbackPort: req.query.state as string
-          } : {})
-        },
-        expiresIn: await getJwtProviderAuthLifetime(),
-        secret: await getAuthSecret(),
-      });
-
-      req.isUserCompleted = isUserCompleted;
-      req.providerAuthToken = providerAuthToken;
-      return done(null, profile);
-    }
-    ));
-  }
-  
-  passport.use("saml", new MultiSamlStrategy(
-    {
-      passReqToCallback: true,
-      getSamlOptions: async (req: any, done: any) => {
-        const { ssoIdentifier } = req.params;
-        
-        const ssoConfig = await getSSOConfigHelper({
-          ssoConfigId: new Types.ObjectId(ssoIdentifier)
-        });
-        
-        interface ISAMLConfig {
-          callbackUrl: string;
-          entryPoint: string;
-          issuer: string;
-          cert: string;
-          audience: string;
-          wantAuthnResponseSigned?: boolean;
-        }
-        
-        const samlConfig: ISAMLConfig = ({
-          callbackUrl: `${await getSiteURL()}/api/v1/sso/saml2/${ssoIdentifier}`,
-          entryPoint: ssoConfig.entryPoint,
-          issuer: ssoConfig.issuer,
-          cert: ssoConfig.cert,
-          audience: await getSiteURL()
-        });
-        
-        if (ssoConfig.authProvider.toString() === AuthMethod.JUMPCLOUD_SAML.toString()) {
-          samlConfig.wantAuthnResponseSigned = false;
-        }
-        
-        if (ssoConfig.authProvider.toString() === AuthMethod.AZURE_SAML.toString()) {
-          if (req.body.RelayState && JSON.parse(req.body.RelayState).spInitiated) {
-            samlConfig.audience = `spn:${ssoConfig.issuer}`;
-          }
-        }
-        
-        req.ssoConfig = ssoConfig;
-        
-        done(null, samlConfig);
-      },
-    },
-    async (req: any, profile: any, done: any) => {
-      if (!req.ssoConfig.isActive) return done(InternalServerError());
-
-      const organization = await Organization.findById(req.ssoConfig.organization);
-      
-      if (!organization) return done(OrganizationNotFoundError());
-
-      const email = profile.email;
-      const firstName = profile.firstName;
-      const lastName = profile.lastName;
-
-      let user = await User.findOne({
-        email
-      }).select("+publicKey");
-      
-      if (user) {
-        // if user does not have SAML enabled then update 
-        const hasSamlEnabled = user.authMethods
-          .some(
-            (authMethod: AuthMethod) => [
-                AuthMethod.OKTA_SAML,
-                AuthMethod.AZURE_SAML,
-                AuthMethod.JUMPCLOUD_SAML
-            ].includes(authMethod)
-          );
-        
-        if (!hasSamlEnabled) {
-          await User.findByIdAndUpdate(
-            user._id, 
-            {
-              authMethods: [req.ssoConfig.authProvider]
-            },
-            {
-              new: true
-            }
-          );
-        }
-        
-        let membershipOrg = await MembershipOrg.findOne(
-          {
-            user: user._id,
-            organization: organization._id
-          }
-        );
-        
-        if (!membershipOrg) {
-          membershipOrg = await new MembershipOrg({
-            inviteEmail: email,
-            user: user._id,
-            organization: organization._id,
-            role: MEMBER,
-            status: ACCEPTED
-          }).save();
-        }
-        
-        if (membershipOrg.status === INVITED) {
-          membershipOrg.status = ACCEPTED;
-          await membershipOrg.save();
-        }
-      } else {
-        user = await new User({
-          email,
-          authMethods: [req.ssoConfig.authProvider],
-          firstName,
-          lastName
-        }).save();
-        
-        await new MembershipOrg({
-          inviteEmail: email,
-          user: user._id,
-          organization: organization._id,
-          role: MEMBER,
-          status: INVITED
-        }).save();
-      }
-      
-      const isUserCompleted = !!user.publicKey;
-      const providerAuthToken = createToken({
-        payload: {
-          authTokenType: AuthTokenType.PROVIDER_TOKEN,
-          userId: user._id.toString(),
-          email: user.email,
-          firstName,
-          lastName,
-          organizationName: organization?.name,
-          authMethod: req.ssoConfig.authProvider,
-          isUserCompleted,
-          ...(req.body.RelayState ? {
-            callbackPort: JSON.parse(req.body.RelayState).callbackPort as string
-          } : {})
-        },
-        expiresIn: await getJwtProviderAuthLifetime(),
-        secret: await getAuthSecret(),
-      });
-      
-      req.isUserCompleted = isUserCompleted;
-      req.providerAuthToken = providerAuthToken;
-
-      done(null, profile);
-    }
-  ));
-}
-
-export {
-  getAuthDataPayloadIdObj,
-  getAuthDataPayloadUserObj,
-  initializePassport,
-}
--- a/backend/src/utils/authn/authModeValidators/apiKey.ts
+++ b/backend/src/utils/authn/authModeValidators/apiKey.ts
@ -0,0 +1,50 @@
+import { Types } from "mongoose";
+import { 
+    APIKeyData,
+    IUser,
+    User
+} from "../../../models";
+import { AccountNotFoundError, UnauthorizedRequestError } from "../../errors";
+import bcrypt from "bcrypt";
+
+interface ValidateAPIKeyParams {
+    authTokenValue: string;
+}
+
+export const validateAPIKey = async ({
+    authTokenValue
+}: ValidateAPIKeyParams) => {
+
+    const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split(".", 3);
+    
+	let apiKeyData = await APIKeyData
+		.findById(TOKEN_IDENTIFIER, "+secretHash +expiresAt")
+		.populate<{ user: IUser }>("user", "+publicKey");
+
+	if (!apiKeyData) {
+		throw UnauthorizedRequestError();
+	} else if (apiKeyData?.expiresAt && new Date(apiKeyData.expiresAt) < new Date()) {
+		// case: API key expired
+		await APIKeyData.findByIdAndDelete(apiKeyData._id);
+		throw UnauthorizedRequestError();
+	}
+
+	const isMatch = await bcrypt.compare(TOKEN_SECRET, apiKeyData.secretHash);
+	if (!isMatch) throw UnauthorizedRequestError();
+
+	apiKeyData = await APIKeyData.findOneAndUpdate({
+		_id: new Types.ObjectId(TOKEN_IDENTIFIER),
+	}, {
+		lastUsed: new Date(),
+	}, {
+		new: true,
+	});
+
+	if (!apiKeyData) throw UnauthorizedRequestError();
+
+	const user = await User.findById(apiKeyData.user).select("+publicKey");
+
+	if (!user) throw AccountNotFoundError();
+
+	return user;
+}
--- a/backend/src/utils/authn/authModeValidators/apiKeyV2.ts
+++ b/backend/src/utils/authn/authModeValidators/apiKeyV2.ts
@ -0,0 +1,39 @@
+import jwt from "jsonwebtoken";
+import { APIKeyDataV2, User } from "../../../models";
+import { getAuthSecret } from "../../../config";
+import { AuthTokenType } from "../../../variables";
+import { AccountNotFoundError, UnauthorizedRequestError } from "../../errors";
+
+interface ValidateAPIKeyV2Params {
+    authTokenValue: string;
+}
+
+export const validateAPIKeyV2 = async ({
+    authTokenValue
+}: ValidateAPIKeyV2Params) => {
+    
+    const decodedToken = <jwt.UserIDJwtPayload>(
+        jwt.verify(authTokenValue, await getAuthSecret())
+    );
+    
+    if (decodedToken.authTokenType !== AuthTokenType.API_KEY) throw UnauthorizedRequestError();
+    
+    const apiKeyData = await APIKeyDataV2.findByIdAndUpdate(
+        decodedToken.apiKeyDataId,
+        {
+            lastUsed: new Date(),
+            $inc: { usageCount: 1 }
+        },
+        {
+            new: true
+        }
+    );
+    
+    if (!apiKeyData) throw UnauthorizedRequestError();
+    
+    const user = await User.findById(apiKeyData.user).select("+publicKey");
+    
+	if (!user) throw AccountNotFoundError();
+    
+    return user;
+}
--- a/backend/src/utils/authn/authModeValidators/index.ts
+++ b/backend/src/utils/authn/authModeValidators/index.ts
@ -0,0 +1,5 @@
+export * from "./apiKey";
+export * from "./apiKeyV2";
+export * from "./jwt";
+export * from "./serviceTokenV2";
+export * from "./serviceTokenV3";
--- a/backend/src/utils/authn/authModeValidators/jwt.ts
+++ b/backend/src/utils/authn/authModeValidators/jwt.ts
@ -0,0 +1,41 @@
+import jwt from "jsonwebtoken";
+import { Types } from "mongoose";
+import { TokenVersion, User } from "../../../models";
+import { getAuthSecret } from "../../../config";
+import { AuthTokenType } from "../../../variables";
+import { AccountNotFoundError, UnauthorizedRequestError } from "../../errors";
+
+interface ValidateJWTParams {
+    authTokenValue: string;
+}
+
+export const validateJWT = async ({
+    authTokenValue
+}: ValidateJWTParams) => {
+    
+    const decodedToken = <jwt.UserIDJwtPayload>(
+        jwt.verify(authTokenValue, await getAuthSecret())
+    );
+
+    if (decodedToken.authTokenType !== AuthTokenType.ACCESS_TOKEN) throw UnauthorizedRequestError();
+
+    const tokenVersion = await TokenVersion.findOneAndUpdate({
+        _id: new Types.ObjectId(decodedToken.tokenVersionId),
+        user: decodedToken.userId
+    }, {
+        lastUsed: new Date(),
+    });
+    
+	if (!tokenVersion) throw UnauthorizedRequestError();
+    if (decodedToken.accessVersion !== tokenVersion.accessVersion) throw UnauthorizedRequestError();
+
+    const user = await User.findOne({
+		_id: new Types.ObjectId(decodedToken.userId),
+	}).select("+publicKey");
+
+	if (!user) throw AccountNotFoundError({ message: "Failed to find user" });
+
+	if (!user?.publicKey) throw UnauthorizedRequestError({ message: "Failed to authenticate user with partially set up account" });
+
+    return user;
+}
--- a/backend/src/utils/authn/authModeValidators/serviceTokenV2.ts
+++ b/backend/src/utils/authn/authModeValidators/serviceTokenV2.ts
@ -0,0 +1,44 @@
+import { Types } from "mongoose";
+import { ServiceTokenData } from "../../../models";
+import { ResourceNotFoundError, UnauthorizedRequestError } from "../../errors";
+import bcrypt from "bcrypt";
+
+interface ValidateServiceTokenV2Params {
+    authTokenValue: string;
+}
+
+export const validateServiceTokenV2 = async ({
+    authTokenValue
+}: ValidateServiceTokenV2Params) => {
+    const [_, TOKEN_IDENTIFIER, TOKEN_SECRET] = <[string, string, string]>authTokenValue.split(".", 3);
+
+	const serviceTokenData = await ServiceTokenData
+		.findById(TOKEN_IDENTIFIER, "+secretHash +expiresAt")
+
+	if (!serviceTokenData) {
+		throw UnauthorizedRequestError();
+	} else if (serviceTokenData?.expiresAt && new Date(serviceTokenData.expiresAt) < new Date()) {
+		// case: service token expired
+		await ServiceTokenData.findByIdAndDelete(serviceTokenData._id);
+		throw UnauthorizedRequestError({
+			message: "Failed to authenticate expired service token",
+		});
+	}
+
+	const isMatch = await bcrypt.compare(TOKEN_SECRET, serviceTokenData.secretHash);
+	if (!isMatch) throw UnauthorizedRequestError();
+
+	const serviceTokenDataToReturn = await ServiceTokenData
+		.findOneAndUpdate({
+			_id: new Types.ObjectId(TOKEN_IDENTIFIER),
+		}, {
+			lastUsed: new Date(),
+		}, {
+			new: true,
+		})
+		.select("+encryptedKey +iv +tag")
+
+	if (!serviceTokenDataToReturn) throw ResourceNotFoundError();
+
+	return serviceTokenDataToReturn;
+}
--- a/backend/src/utils/authn/authModeValidators/serviceTokenV3.ts
+++ b/backend/src/utils/authn/authModeValidators/serviceTokenV3.ts
@ -0,0 +1,64 @@
+import jwt from "jsonwebtoken";
+import { Types } from "mongoose";
+import { ServiceTokenDataV3 } from "../../../models";
+import { getAuthSecret } from "../../../config";
+import { AuthTokenType } from "../../../variables";
+import { UnauthorizedRequestError } from "../../errors";
+
+interface ValidateServiceTokenV3Params {
+    authTokenValue: string;
+}
+
+export const validateServiceTokenV3 = async ({
+    authTokenValue
+}: ValidateServiceTokenV3Params) => {
+    const decodedToken = <jwt.ServiceRefreshTokenJwtPayload>(
+		jwt.verify(authTokenValue, await getAuthSecret())
+	);
+
+	if (decodedToken.authTokenType !== AuthTokenType.SERVICE_ACCESS_TOKEN) throw UnauthorizedRequestError();
+	
+	const serviceTokenData = await ServiceTokenDataV3.findOne({
+		_id: new Types.ObjectId(decodedToken.serviceTokenDataId),
+		isActive: true
+	});
+	
+	if (!serviceTokenData) {
+		throw UnauthorizedRequestError({ 
+			message: "Failed to authenticate"
+		});
+	} else if (serviceTokenData?.expiresAt && new Date(serviceTokenData.expiresAt) < new Date()) {
+		// case: service token expired
+		await ServiceTokenDataV3.findByIdAndUpdate(
+			serviceTokenData._id,
+			{
+				isActive: false
+			},
+			{
+				new: true
+			}
+		);
+		
+		throw UnauthorizedRequestError({
+			message: "Failed to authenticate",
+		});
+	} else if (decodedToken.tokenVersion !== serviceTokenData.tokenVersion) {
+		// TODO: raise alarm
+		throw UnauthorizedRequestError({
+			message: "Failed to authenticate",
+		});
+	}
+	
+	await ServiceTokenDataV3.findByIdAndUpdate(
+		serviceTokenData._id,
+		{
+			accessTokenLastUsed: new Date(),
+			$inc: { accessTokenUsageCount: 1 }
+		},
+		{
+			new: true
+		}
+	);
+
+    return serviceTokenData;
+}
--- a/backend/src/utils/authn/helpers/authDataExtractors.ts
+++ b/backend/src/utils/authn/helpers/authDataExtractors.ts
@ -0,0 +1,53 @@
+import { AuthData } from "../../../interfaces/middleware";
+import {
+  ServiceAccount,
+  ServiceTokenData,
+  ServiceTokenDataV3,
+  User
+} from "../../../models";
+
+/**
+ * Returns an object containing the id of the authentication data payload
+ * @param {AuthData} authData - authentication data object
+ * @returns 
+ */
+ export const getAuthDataPayloadIdObj = (authData: AuthData) => {
+    if (authData.authPayload instanceof User) {
+        return { userId: authData.authPayload._id };
+    }
+  
+    if (authData.authPayload instanceof ServiceAccount) {
+        return { serviceAccountId: authData.authPayload._id };
+    }
+  
+    if (authData.authPayload instanceof ServiceTokenData) {
+        return { serviceTokenDataId: authData.authPayload._id };
+    }
+  
+    if (authData.authPayload instanceof ServiceTokenDataV3) {
+        return { serviceTokenDataId: authData.authPayload._id };
+    }
+};
+  
+/**
+ * Returns an object containing the user associated with the authentication data payload
+ * @param {AuthData} authData - authentication data object
+ * @returns 
+ */
+export const getAuthDataPayloadUserObj = (authData: AuthData) => {
+    if (authData.authPayload instanceof User) {
+        return { user: authData.authPayload._id };
+    }
+
+    if (authData.authPayload instanceof ServiceAccount) {
+        return { user: authData.authPayload.user };
+    }
+
+    if (authData.authPayload instanceof ServiceTokenData) {
+        return { user: authData.authPayload.user };
+    }
+
+    if (authData.authPayload instanceof ServiceTokenDataV3) {
+        return { user: authData.authPayload.user };
+    }
+}
--- a/backend/src/utils/authn/helpers/index.ts
+++ b/backend/src/utils/authn/helpers/index.ts
@ -0,0 +1,195 @@
+import { AuthData } from "../../../interfaces/middleware";
+import jwt from "jsonwebtoken";
+import { getAuthSecret } from "../../../config";
+import { ActorType } from "../../../ee/models";
+import { AuthMode, AuthTokenType } from "../../../variables";
+import { UnauthorizedRequestError } from "../../errors";
+import {
+  validateAPIKey,
+  validateAPIKeyV2,
+  validateJWT,
+  validateServiceTokenV2,
+  validateServiceTokenV3
+} from "../authModeValidators";
+import { getUserAgentType } from "../../posthog";
+
+export * from "./authDataExtractors";
+
+interface ExtractAuthModeParams {
+    headers: { [key: string]: string | string[] | undefined }
+}
+
+interface ExtractAuthModeReturn {
+    authMode: AuthMode;
+    authTokenValue: string;
+}
+
+interface GetAuthDataParams {
+    authMode: AuthMode;
+    authTokenValue: string;
+    ipAddress: string;
+    userAgent: string;
+}
+
+/**
+ * Returns the recognized authentication mode based on token in [headers]; accepted token types include:
+ * - SERVICE_TOKEN
+ * - API_KEY
+ * - JWT
+ * - SERVICE_ACCESS_TOKEN (from ST V3)
+ * - API_KEY_V2
+ * @param {Object} params
+ * @param {Object.<string, (string|string[]|undefined)>} params.headers - The HTTP request headers, usually from Express's `req.headers`.
+ * @returns {Promise<AuthMode>} The derived authentication mode based on the headers.
+ * @throws {UnauthorizedError} Throws an error if no applicable authMode is found.
+ */
+export const extractAuthMode = async ({
+    headers
+}: ExtractAuthModeParams): Promise<ExtractAuthModeReturn> => {
+
+    const apiKey = headers["x-api-key"] as string;
+	const authHeader = headers["authorization"] as string;
+    
+    if (apiKey) {
+        return { authMode: AuthMode.API_KEY, authTokenValue: apiKey };
+    }
+    
+    if (!authHeader) throw UnauthorizedRequestError({
+        message: "Failed to authenticate unknown authentication method"
+    });
+
+    if (!authHeader.startsWith("Bearer ")) throw UnauthorizedRequestError({
+        message: "Failed to authenticate unknown authentication method"
+    });
+
+    const authTokenValue = authHeader.slice(7);
+    
+    if (authTokenValue.startsWith("st.")) {
+        return { authMode: AuthMode.SERVICE_TOKEN, authTokenValue };
+    }
+
+    const decodedToken = <jwt.AuthnJwtPayload>(
+        jwt.verify(authTokenValue, await getAuthSecret())
+    );
+
+    switch (decodedToken.authTokenType) {
+        case AuthTokenType.ACCESS_TOKEN:
+            return { authMode: AuthMode.JWT, authTokenValue };
+        case AuthTokenType.API_KEY:
+            return { authMode: AuthMode.API_KEY_V2, authTokenValue };
+        case AuthTokenType.SERVICE_ACCESS_TOKEN:
+            return { authMode: AuthMode.SERVICE_ACCESS_TOKEN, authTokenValue };
+        default:
+            throw UnauthorizedRequestError({
+                message: "Failed to authenticate unknown authentication method"
+            });
+    }
+}
+
+export const getAuthData = async ({
+    authMode,
+    authTokenValue,
+    ipAddress,
+    userAgent
+}: GetAuthDataParams): Promise<AuthData> => {
+
+    const userAgentType = getUserAgentType(userAgent);
+
+    switch (authMode) {
+        case AuthMode.SERVICE_TOKEN: {
+            const serviceTokenData = await validateServiceTokenV2({
+                authTokenValue
+            });
+
+            return {
+                actor: {
+                    type: ActorType.SERVICE,
+                    metadata: {
+                        serviceId: serviceTokenData._id.toString(),
+                        name: serviceTokenData.name
+                    }
+                },
+                authPayload: serviceTokenData,
+                ipAddress,
+                userAgent,
+                userAgentType
+            }
+        }
+        case AuthMode.SERVICE_ACCESS_TOKEN: {
+            const serviceTokenData = await validateServiceTokenV3({
+                authTokenValue
+            });
+
+            return {
+                actor: {
+                    type: ActorType.SERVICE_V3,
+                    metadata: {
+                        serviceId: serviceTokenData._id.toString(),
+                        name: serviceTokenData.name
+                    }
+                },
+                authPayload: serviceTokenData,
+                ipAddress,
+                userAgent,
+                userAgentType
+            }
+        }
+        case AuthMode.API_KEY: {
+            const user = await validateAPIKey({
+                authTokenValue
+            });
+            
+            return {
+                actor: {
+                    type: ActorType.USER,
+                    metadata: {
+                        userId: user._id.toString(),
+                        email: user.email
+                    }
+                },
+                authPayload: user,
+                ipAddress,
+                userAgent,
+                userAgentType
+            }
+        }
+        case AuthMode.API_KEY_V2: {
+            const user = await validateAPIKeyV2({
+                authTokenValue
+            });
+
+            return {
+                actor: {
+                    type: ActorType.USER,
+                    metadata: {
+                        userId: user._id.toString(),
+                        email: user.email
+                    }
+                },
+                authPayload: user,
+                ipAddress,
+                userAgent,
+                userAgentType
+            }
+        }
+        case AuthMode.JWT: {
+            const user = await validateJWT({
+                authTokenValue
+            });
+            
+            return {
+                actor: {
+                    type: ActorType.USER,
+                    metadata: {
+                        userId: user._id.toString(),
+                        email: user.email
+                    }
+                },
+                authPayload: user,
+                ipAddress,
+                userAgent,
+                userAgentType
+            }
+        }
+    }
+}
--- a/backend/src/utils/authn/passport/github.ts
+++ b/backend/src/utils/authn/passport/github.ts
@ -0,0 +1,60 @@
+import express from "express";
+import passport from "passport";
+import {
+    getClientIdGitHubLogin,
+    getClientSecretGitHubLogin,
+} from "../../../config";
+import { standardRequest } from "../../../config/request";
+import { AuthMethod } from "../../../models";
+import { INTEGRATION_GITHUB_API_URL } from "../../../variables";
+import { handleSSOUserTokenFlow } from "./helpers";
+
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const GitHubStrategy = require("passport-github").Strategy;
+
+export const initializeGitHubStrategy = async () => {
+    const clientIdGitHubLogin = await getClientIdGitHubLogin();
+    const clientSecretGitHubLogin = await getClientSecretGitHubLogin();
+    if (clientIdGitHubLogin && clientSecretGitHubLogin) {
+        passport.use(
+            new GitHubStrategy({
+                passReqToCallback: true,
+                clientID: clientIdGitHubLogin,
+                clientSecret: clientSecretGitHubLogin,
+                callbackURL: "/api/v1/sso/github",
+                scope: ["user:email"]
+            }, async (req : express.Request, accessToken : any, refreshToken : any, profile : any, done : any) => {
+                interface GitHubEmail {
+                    email: string;
+                    primary: boolean;
+                    verified: boolean;
+                    visibility: null | string;
+                }
+                
+                const { data }: { data: GitHubEmail[] } = await standardRequest.get(
+                    `${INTEGRATION_GITHUB_API_URL}/user/emails`,
+                    {
+                        headers: {
+                            Authorization: `Bearer ${accessToken}`
+                        }
+                    }
+                );
+                
+                const primaryEmail = data.filter((gitHubEmail: GitHubEmail) => gitHubEmail.primary)[0];
+                const email = primaryEmail.email;
+                    
+                const { isUserCompleted, providerAuthToken } = await handleSSOUserTokenFlow({
+                    email,
+                    firstName: profile.displayName,
+                    lastName: "",
+                    authMethod: AuthMethod.GITHUB,
+                    callbackPort: req.query.state as string
+                });
+
+                req.isUserCompleted = isUserCompleted;
+                req.providerAuthToken = providerAuthToken;
+                return done(null, profile);
+            })
+        );
+    }
+}
--- a/backend/src/utils/authn/passport/gitlab.ts
+++ b/backend/src/utils/authn/passport/gitlab.ts
@ -0,0 +1,44 @@
+import express from "express";
+import passport from "passport";
+import {
+    getClientIdGitLabLogin,
+    getClientSecretGitLabLogin,
+    getUrlGitLabLogin
+} from "../../../config";
+import { AuthMethod } from "../../../models";
+import { handleSSOUserTokenFlow } from "./helpers";
+
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const GitLabStrategy = require("passport-gitlab2").Strategy;
+
+export const initializeGitLabStrategy = async () => {
+    const urlGitLab = await getUrlGitLabLogin();
+    const clientIdGitLabLogin = await getClientIdGitLabLogin();
+    const clientSecretGitLabLogin = await getClientSecretGitLabLogin();
+
+    if (urlGitLab && clientIdGitLabLogin && clientSecretGitLabLogin) {
+        passport.use(
+            new GitLabStrategy({
+                passReqToCallback: true,
+                clientID: clientIdGitLabLogin,
+                clientSecret: clientSecretGitLabLogin,
+                callbackURL: "/api/v1/sso/gitlab",
+                baseURL: urlGitLab
+            }, async (req : express.Request, accessToken : any, refreshToken : any, profile : any, done : any) => {
+                const email = profile.emails[0].value;
+
+                const { isUserCompleted, providerAuthToken } = await handleSSOUserTokenFlow({
+                    email,
+                    firstName: profile.displayName,
+                    lastName: "",
+                    authMethod: AuthMethod.GITLAB,
+                    callbackPort: req.query.state as string
+                });
+
+                req.isUserCompleted = isUserCompleted;
+                req.providerAuthToken = providerAuthToken;
+                return done(null, profile);
+            })
+        );
+    }
+}
--- a/backend/src/utils/authn/passport/google.ts
+++ b/backend/src/utils/authn/passport/google.ts
@ -0,0 +1,48 @@
+import express from "express";
+import passport from "passport";
+import { getClientIdGoogleLogin, getClientSecretGoogleLogin } from "../../../config";
+import { AuthMethod } from "../../../models";
+
+import { handleSSOUserTokenFlow } from "./helpers";
+
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const GoogleStrategy = require("passport-google-oauth20").Strategy;
+
+export const initializeGoogleStrategy = async () => {
+    const clientIdGoogleLogin = await getClientIdGoogleLogin();
+    const clientSecretGoogleLogin = await getClientSecretGoogleLogin();
+
+    if (clientIdGoogleLogin && clientSecretGoogleLogin) {
+        passport.use(new GoogleStrategy({
+          passReqToCallback: true,
+          clientID: clientIdGoogleLogin,
+          clientSecret: clientSecretGoogleLogin,
+          callbackURL: "/api/v1/sso/google",
+          scope: ["profile", " email"],
+        }, async (
+          req: express.Request,
+          accessToken: string,
+          refreshToken: string,
+          profile: any,
+          done: any
+        ) => {
+          try {
+            const email = profile.emails[0].value;
+            
+            const { isUserCompleted, providerAuthToken } = await handleSSOUserTokenFlow({
+              email,
+              firstName: profile.name.givenName,
+              lastName: profile.name.familyName,
+              authMethod: AuthMethod.GOOGLE,
+              callbackPort: req.query.state as string
+            });
+    
+            req.isUserCompleted = isUserCompleted;
+            req.providerAuthToken = providerAuthToken;
+            done(null, profile);
+          } catch (err) {
+            done(null, false);
+          }
+        }));
+    }
+}
--- a/backend/src/utils/authn/passport/helpers.ts
+++ b/backend/src/utils/authn/passport/helpers.ts
@ -0,0 +1,62 @@
+import { 
+    AuthMethod,
+    User
+} from "../../../models";
+import { createToken } from "../../../helpers/auth";
+import { AuthTokenType } from "../../../variables";
+import { getAuthSecret, getJwtProviderAuthLifetime} from "../../../config";
+
+interface SSOUserTokenFlowParams {
+    email: string;
+    firstName: string;
+    lastName: string;
+    authMethod: AuthMethod;
+    callbackPort?: string;
+}
+
+export const handleSSOUserTokenFlow = async ({
+    email,
+    firstName,
+    lastName,
+    authMethod,
+    callbackPort
+}: SSOUserTokenFlowParams) => {
+    let user = await User.findOne({
+        email
+    }).select("+publicKey");
+    
+    if (!user) {
+        user = await new User({
+            email,
+            authMethods: [authMethod],
+            firstName,
+            lastName
+        }).save();
+    }
+
+    let isLinkingRequired = false;
+    if (!user.authMethods.includes(authMethod)) {
+    isLinkingRequired = true;
+    }
+
+    const isUserCompleted = !!user.publicKey;
+    const providerAuthToken = createToken({
+    payload: {
+        authTokenType: AuthTokenType.PROVIDER_TOKEN,
+        userId: user._id.toString(),
+        email: user.email,
+        firstName: user.firstName,
+        lastName: user.lastName,
+        authMethod,
+        isUserCompleted,
+        isLinkingRequired,
+        ...(callbackPort ? {
+            callbackPort
+        } : {})
+    },
+    expiresIn: await getJwtProviderAuthLifetime(),
+    secret: await getAuthSecret(),
+    });
+    
+    return { isUserCompleted, providerAuthToken };
+}
--- a/backend/src/utils/authn/passport/index.ts
+++ b/backend/src/utils/authn/passport/index.ts
@ -0,0 +1,4 @@
+export { initializeGoogleStrategy } from "./google";
+export { initializeGitHubStrategy } from "./github";
+export { initializeGitLabStrategy } from "./gitlab";
+export { initializeSamlStrategy } from "./saml";
--- a/backend/src/utils/authn/passport/saml.ts
+++ b/backend/src/utils/authn/passport/saml.ts
@ -0,0 +1,173 @@
+import passport from "passport";
+import {
+    getAuthSecret,
+    getJwtProviderAuthLifetime,
+    getSiteURL
+} from "../../../config";
+import {
+    AuthMethod,
+    MembershipOrg,
+    Organization,
+    User
+} from "../../../models";
+import {
+    createToken
+} from "../../../helpers/auth";
+import { 
+    ACCEPTED,
+    AuthTokenType,
+    INVITED,
+    MEMBER
+} from "../../../variables";
+import { Types } from "mongoose";
+import { getSSOConfigHelper } from "../../../ee/helpers/organizations";
+import { InternalServerError, OrganizationNotFoundError } from "../../errors";
+
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const { MultiSamlStrategy } = require("@node-saml/passport-saml");
+
+export const initializeSamlStrategy = async () => {
+    passport.use("saml", new MultiSamlStrategy(
+        {
+          passReqToCallback: true,
+          getSamlOptions: async (req: any, done: any) => {
+            const { ssoIdentifier } = req.params;
+            
+            const ssoConfig = await getSSOConfigHelper({
+              ssoConfigId: new Types.ObjectId(ssoIdentifier)
+            });
+            
+            interface ISAMLConfig {
+              callbackUrl: string;
+              entryPoint: string;
+              issuer: string;
+              cert: string;
+              audience: string;
+              wantAuthnResponseSigned?: boolean;
+            }
+            
+            const samlConfig: ISAMLConfig = ({
+              callbackUrl: `${await getSiteURL()}/api/v1/sso/saml2/${ssoIdentifier}`,
+              entryPoint: ssoConfig.entryPoint,
+              issuer: ssoConfig.issuer,
+              cert: ssoConfig.cert,
+              audience: await getSiteURL()
+            });
+            
+            if (ssoConfig.authProvider.toString() === AuthMethod.JUMPCLOUD_SAML.toString()) {
+              samlConfig.wantAuthnResponseSigned = false;
+            }
+            
+            if (ssoConfig.authProvider.toString() === AuthMethod.AZURE_SAML.toString()) {
+              if (req.body.RelayState && JSON.parse(req.body.RelayState).spInitiated) {
+                samlConfig.audience = `spn:${ssoConfig.issuer}`;
+              }
+            }
+            
+            req.ssoConfig = ssoConfig;
+            
+            done(null, samlConfig);
+          },
+        },
+        async (req: any, profile: any, done: any) => {
+          if (!req.ssoConfig.isActive) return done(InternalServerError());
+    
+          const organization = await Organization.findById(req.ssoConfig.organization);
+          
+          if (!organization) return done(OrganizationNotFoundError());
+    
+          const email = profile.email;
+          const firstName = profile.firstName;
+          const lastName = profile.lastName;
+    
+          let user = await User.findOne({
+            email
+          }).select("+publicKey");
+          
+          if (user) {
+            // if user does not have SAML enabled then update 
+            const hasSamlEnabled = user.authMethods
+              .some(
+                (authMethod: AuthMethod) => [
+                    AuthMethod.OKTA_SAML,
+                    AuthMethod.AZURE_SAML,
+                    AuthMethod.JUMPCLOUD_SAML
+                ].includes(authMethod)
+              );
+            
+            if (!hasSamlEnabled) {
+              await User.findByIdAndUpdate(
+                user._id, 
+                {
+                  authMethods: [req.ssoConfig.authProvider]
+                },
+                {
+                  new: true
+                }
+              );
+            }
+            
+            let membershipOrg = await MembershipOrg.findOne(
+              {
+                user: user._id,
+                organization: organization._id
+              }
+            );
+            
+            if (!membershipOrg) {
+              membershipOrg = await new MembershipOrg({
+                inviteEmail: email,
+                user: user._id,
+                organization: organization._id,
+                role: MEMBER,
+                status: ACCEPTED
+              }).save();
+            }
+            
+            if (membershipOrg.status === INVITED) {
+              membershipOrg.status = ACCEPTED;
+              await membershipOrg.save();
+            }
+          } else {
+            user = await new User({
+              email,
+              authMethods: [req.ssoConfig.authProvider],
+              firstName,
+              lastName
+            }).save();
+            
+            await new MembershipOrg({
+              inviteEmail: email,
+              user: user._id,
+              organization: organization._id,
+              role: MEMBER,
+              status: INVITED
+            }).save();
+          }
+          
+          const isUserCompleted = !!user.publicKey;
+          const providerAuthToken = createToken({
+            payload: {
+              authTokenType: AuthTokenType.PROVIDER_TOKEN,
+              userId: user._id.toString(),
+              email: user.email,
+              firstName,
+              lastName,
+              organizationName: organization?.name,
+              authMethod: req.ssoConfig.authProvider,
+              isUserCompleted,
+              ...(req.body.RelayState ? {
+                callbackPort: JSON.parse(req.body.RelayState).callbackPort as string
+              } : {})
+            },
+            expiresIn: await getJwtProviderAuthLifetime(),
+            secret: await getAuthSecret(),
+          });
+          
+          req.isUserCompleted = isUserCompleted;
+          req.providerAuthToken = providerAuthToken;
+    
+          done(null, profile);
+        }
+    ));
+}
--- a/backend/src/utils/errors.ts
+++ b/backend/src/utils/errors.ts
@ -29,7 +29,7 @@ export const UnauthorizedRequestError = (error?: Partial<RequestErrorContext>) =
 });

 export const ForbiddenRequestError = (error?: Partial<RequestErrorContext>) => new RequestError({
-    logLevel: error?.logLevel ?? LogLevel.INFO,
+    logLevel: error?.logLevel ?? LogLevel.WARN,
    statusCode: error?.statusCode ?? 403,
    type: error?.type ?? "forbidden",
    message: error?.message ?? "You are not allowed to access this resource",
--- a/backend/src/utils/logger.ts
+++ b/backend/src/utils/logger.ts
@ -1,67 +0,0 @@
-/* eslint-disable no-console */
-import { createLogger, format, transports } from "winston";
-import LokiTransport from "winston-loki";
-import { getLokiHost, getNodeEnv } from "../config";
-
-const { combine, colorize, label, printf, splat, timestamp } = format;
-
-const logFormat = (prefix: string) => combine(
-  timestamp(),
-  splat(),
-  label({ label: prefix }),
-  printf((info) => `${info.timestamp} ${info.label} ${info.level}: ${info.message}`)
-);
-
-const createLoggerWithLabel = async (level: string, label: string) => {
-  const _level = level.toLowerCase() || "info"
-  //* Always add Console output to transports
-  const _transports: any[] = [
-    new transports.Console({
-      format: combine(
-        colorize(),
-        logFormat(label),
-        // format.json()
-      ),
-    }),
-  ]
-  //* Add LokiTransport if it's enabled
-  if((await getLokiHost()) !== undefined){
-    _transports.push(
-      new LokiTransport({
-        host: await getLokiHost(),
-        handleExceptions: true,
-        handleRejections: true,
-        batching: true,
-        level: _level,
-        timeout: 30000,
-        format: format.combine(
-          format.json()
-        ),
-        labels: {
-          app: process.env.npm_package_name, 
-          version: process.env.npm_package_version, 
-          environment: await getNodeEnv(),
-        },
-        onConnectionError: (err: Error)=> console.error("Connection error while connecting to Loki Server.\n", err),
-      })
-    )
-  }
-  
-  
-  return createLogger({
-    level: _level,
-    transports: _transports,
-    format: format.combine(
-      logFormat(label),
-      format.metadata({ fillExcept: ["message", "level", "timestamp", "label"] })
-    ),
-  });
-}
-
-export const getLogger = async (loggerName: "backend-main" | "database") => {
-  const logger = {
-    "backend-main": await createLoggerWithLabel("info", "[IFSC:backend-main]"),
-    "database": await createLoggerWithLabel("info", "[IFSC:database]"),
-  }
-  return logger[loggerName]
-} 
--- a/backend/src/utils/logging/index.ts
+++ b/backend/src/utils/logging/index.ts
@ -0,0 +1 @@
+export { logger } from "./logger";
--- a/backend/src/utils/logging/logger.ts
+++ b/backend/src/utils/logging/logger.ts
@ -0,0 +1,15 @@
+import pino from "pino";
+
+export const logger = pino({
+  level: process.env.PINO_LOG_LEVEL || "trace",
+  timestamp: pino.stdTimeFunctions.isoTime,
+  formatters: {
+    bindings: (bindings) => {
+        return {
+            pid: bindings.pid,
+            hostname: bindings.hostname
+            // node_version: process.version
+        };
+    },
+  }
+});
--- a/backend/src/utils/requestError.ts
+++ b/backend/src/utils/requestError.ts
@ -2,34 +2,30 @@ import { Request } from "express"
 import { getVerboseErrorOutput } from "../config";

 export enum LogLevel {
-    DEBUG = 100,
-    INFO = 200,
-    NOTICE = 250,
-    WARNING = 300,
-    ERROR = 400,
-    CRITICAL = 500,
-    ALERT = 550,
-    EMERGENCY = 600,
+  TRACE = 10,
+  DEBUG = 20,
+  INFO = 30,
+  WARN = 40,
+  ERROR = 50,
+  FATAL = 60
 }

-export const mapToWinstonLogLevel = (customLogLevel: LogLevel): string => {
+type PinoLogLevel = "trace" | "debug" | "info" | "warn" | "error" | "fatal";
+
+export const mapToPinoLogLevel = (customLogLevel: LogLevel): PinoLogLevel => {
  switch (customLogLevel) {
+    case LogLevel.TRACE:
+      return "trace";
    case LogLevel.DEBUG:
      return "debug";
    case LogLevel.INFO:
      return "info";
-    case LogLevel.NOTICE:
-      return "notice";
-    case LogLevel.WARNING:
+    case LogLevel.WARN:
      return "warn";
    case LogLevel.ERROR:
      return "error";
-    case LogLevel.CRITICAL:
-      return "crit";
-    case LogLevel.ALERT:
-      return "alert";
-    case LogLevel.EMERGENCY:
-      return "emerg";
+    case LogLevel.FATAL:
+      return "fatal";
  }
 }

@ -42,10 +38,10 @@ export type RequestErrorContext =  {
 	stack?: string|undefined
 }

-export default class RequestError extends Error{
+export default class RequestError extends Error {

    private _logLevel: LogLevel
-    private _logName: string
+    private _logName: string;
    statusCode: number
    type: string
    context: Record<string, unknown>
@ -55,9 +51,10 @@ export default class RequestError extends Error{
    constructor(
        {logLevel, statusCode, type, message, context, stack} : RequestErrorContext
        ){
+        
        super(message)
        this._logLevel = logLevel || LogLevel.INFO
-        this._logName = LogLevel[this._logLevel]
+        this._logName = LogLevel[this._logLevel];
        this.statusCode = statusCode
        this.type = type
        this.context = context || {}
@ -83,8 +80,12 @@ export default class RequestError extends Error{
        })
    }

-    get level(){ return this._logLevel }
-    get levelName(){ return this._logName }
+    get level(){ 
+      return this._logLevel 
+    }
+    get levelName(){ 
+      return this._logName 
+    }

    withTags(...tags: string[]|number[]){
        this.context["tags"] = Object.assign(tags, this.context["tags"])
--- a/backend/src/utils/setup/backfillData.ts
+++ b/backend/src/utils/setup/backfillData.ts
@ -1,4 +1,3 @@
-/* eslint-disable no-console */
 import crypto from "crypto";
 import { Types } from "mongoose";
 import { encryptSymmetric128BitHexKeyUTF8 } from "../crypto";
@ -47,6 +46,7 @@ import {
  ProjectPermissionSub,
  memberProjectPermissions
 } from "../../ee/services/ProjectRoleService";
+import { logger } from "../logging";

 /**
 * Backfill secrets to ensure that they're all versioned and have
@ -88,7 +88,7 @@ export const backfillSecretVersions = async () => {
      )
    });
  }
-  console.log("Migration: Secret version migration v1 complete");
+  logger.info("Migration: Secret version migration v1 complete");
 };

 /**
@ -518,7 +518,7 @@ export const backfillSecretFolders = async () => {
      .limit(50);
  }

-  console.log("Migration: Folder migration v1 complete");
+  logger.info("Migration: Folder migration v1 complete");
 };

 export const backfillServiceToken = async () => {
@ -534,7 +534,7 @@ export const backfillServiceToken = async () => {
      }
    }
  );
-  console.log("Migration: Service token migration v1 complete");
+  logger.info("Migration: Service token migration v1 complete");
 };

 export const backfillIntegration = async () => {
@ -550,7 +550,7 @@ export const backfillIntegration = async () => {
      }
    }
  );
-  console.log("Migration: Integration migration v1 complete");
+  logger.info("Migration: Integration migration v1 complete");
 };

 export const backfillServiceTokenMultiScope = async () => {
@ -575,7 +575,7 @@ export const backfillServiceTokenMultiScope = async () => {
    }
  }

-  console.log("Migration: Service token migration v2 complete");
+  logger.info("Migration: Service token migration v2 complete");
 };

 /**
@ -650,7 +650,7 @@ export const backfillTrustedIps = async () => {
    });

    await TrustedIP.bulkWrite(operations);
-    console.log("Backfill: Trusted IPs complete");
+    logger.info("Backfill: Trusted IPs complete");
  }
 };

@ -698,7 +698,7 @@ export const backfillPermission = async () => {

  if (lock) {
    try {
-      console.info("Lock acquired for script [backfillPermission]");
+      logger.info("Lock acquired for script [backfillPermission]");

      const memberships = await Membership.find({
        deniedPermissions: {
@ -801,7 +801,7 @@ export const backfillPermission = async () => {
        }
      }

-      console.info("Backfill: Finished converting old denied permission in workspace to viewers");
+      logger.info("Backfill: Finished converting old denied permission in workspace to viewers");

      await MembershipOrg.updateMany(
        {
@ -814,14 +814,14 @@ export const backfillPermission = async () => {
        }
      );

-      console.info("Backfill: Finished converting owner role to member");
+      logger.info("Backfill: Finished converting owner role to member");

    } catch (error) {
-      console.error("An error occurred when running script [backfillPermission]:", error);
+      logger.error(error, "An error occurred when running script [backfillPermission]");
    }

  } else {
-    console.info("Could not acquire lock for script [backfillPermission], skipping");
+    logger.info("Could not acquire lock for script [backfillPermission], skipping");
  }
 };

@ -837,5 +837,5 @@ export const migrateRoleFromOwnerToAdmin = async () => {
    }
  );

-  console.info("Backfill: Finished converting owner role to member");
+  logger.info("Backfill: Finished converting owner role to member");
 }
--- a/backend/src/utils/setup/index.ts
+++ b/backend/src/utils/setup/index.ts
@ -11,7 +11,6 @@ import {
  backfillBots,
  backfillEncryptionMetadata,
  backfillIntegration,
-  backfillPermission,
  backfillSecretBlindIndexData,
  backfillSecretFolders,
  backfillSecretVersions,
@ -27,7 +26,13 @@ import {
  reencryptSecretBlindIndexDataSalts
 } from "./reencryptData";
 import { getMongoURL, getNodeEnv, getRedisUrl, getSentryDSN } from "../../config";
-import { initializePassport } from "../auth";
+import {
+  initializeGitHubStrategy,
+  initializeGitLabStrategy,
+  initializeGoogleStrategy,
+  initializeSamlStrategy
+} from "../authn/passport";
+import { logger } from "../logging";

 /**
 * Prepare Infisical upon startup. This includes tasks like:
@ -41,7 +46,7 @@ import { initializePassport } from "../auth";
 */
 export const setup = async () => {
  if ((await getRedisUrl()) === undefined || (await getRedisUrl()) === "") {
-    console.error(
+    logger.error(
      "WARNING: Redis is not yet configured. Infisical may not function as expected without it."
    );
  }
@ -55,7 +60,11 @@ export const setup = async () => {
  // initializing global feature set
  await EELicenseService.initGlobalFeatureSet();

-  await initializePassport();
+  // initializing auth strategies
+  await initializeGoogleStrategy();
+  await initializeGitHubStrategy()
+  await initializeGitLabStrategy();
+  await initializeSamlStrategy();

  // re-encrypt any data previously encrypted under server hex 128-bit ENCRYPTION_KEY
  // to base64 256-bit ROOT_ENCRYPTION_KEY
--- a/backend/src/validation/integrationAuth.ts
+++ b/backend/src/validation/integrationAuth.ts
@ -117,6 +117,15 @@ export const GetIntegrationAuthVercelBranchesV1 = z.object({
  })
 });

+export const GetIntegrationAuthChecklyGroupsV1 = z.object({
+  params: z.object({
+    integrationAuthId: z.string().trim()
+  }),
+  query: z.object({
+    accountId: z.string().trim()
+  })
+});
+
 export const GetIntegrationAuthQoveryOrgsV1 = z.object({
  params: z.object({
    integrationAuthId: z.string().trim()
--- a/backend/src/validation/secrets.ts
+++ b/backend/src/validation/secrets.ts
@ -228,7 +228,6 @@ export const GetSecretsRawV3 = z.object({
    workspaceId: z.string().trim().optional(),
    environment: z.string().trim().optional(),
    secretPath: z.string().trim().default("/"),
-    folderId: z.string().trim().optional(),
    include_imports: z
      .enum(["true", "false"])
      .default("false")
@ -302,7 +301,6 @@ export const GetSecretsV3 = z.object({
    workspaceId: z.string().trim(),
    environment: z.string().trim(),
    secretPath: z.string().trim().default("/"),
-    folderId: z.string().trim().optional(),
    include_imports: z
      .enum(["true", "false"])
      .default("false")
--- a/backend/src/validation/serviceTokenDataV3.ts
+++ b/backend/src/validation/serviceTokenDataV3.ts
@ -60,6 +60,12 @@ import { checkIPAgainstBlocklist } from "../utils/ip";
  }
 };

+export const RefreshTokenV3 = z.object({
+  body: z.object({
+    refresh_token: z.string().trim()
+  })
+});
+
 export const CreateServiceTokenV3 = z.object({
  body: z.object({
    name: z.string().trim(),
@ -80,8 +86,10 @@ export const CreateServiceTokenV3 = z.object({
      .array()
      .min(1),
    expiresIn: z.number().optional(),
+    accessTokenTTL: z.number().int().min(1),
    encryptedKey: z.string().trim(),
-    nonce: z.string().trim()
+    nonce: z.string().trim(),
+    isRefreshTokenRotationEnabled: z.boolean().default(false)
  })
 });
  
@ -108,7 +116,9 @@ export const UpdateServiceTokenV3 = z.object({
      .array()
      .min(1)
      .optional(),
-    expiresIn: z.number().optional()
+    expiresIn: z.number().optional(),
+    accessTokenTTL: z.number().int().min(1).optional(),
+    isRefreshTokenRotationEnabled: z.boolean().optional()
  }),
 });

--- a/backend/src/variables/authentication.ts
+++ b/backend/src/variables/authentication.ts
@ -1,17 +1,22 @@
+// TODO: merge [AuthTokenType] and [AuthMode]
+
 export enum AuthTokenType {
    ACCESS_TOKEN = "accessToken",
    REFRESH_TOKEN = "refreshToken",
-    SIGNUP_TOKEN = "signupToken",
-    MFA_TOKEN = "mfaToken",
-    PROVIDER_TOKEN = "providerToken",
-    API_KEY = "apiKey"
+    SIGNUP_TOKEN = "signupToken", // TODO: remove in favor of claim
+    MFA_TOKEN = "mfaToken", // TODO: remove in favor of claim
+    PROVIDER_TOKEN = "providerToken", // TODO: remove in favor of claim
+    API_KEY = "apiKey",
+    SERVICE_ACCESS_TOKEN = "serviceAccessToken",
+    SERVICE_REFRESH_TOKEN = "serviceRefreshToken"
 }

 export enum AuthMode {
    JWT = "jwt",
    SERVICE_TOKEN = "serviceToken",
-    SERVICE_TOKEN_V3 = "serviceTokenV3",
-    API_KEY = "apiKey"
+    SERVICE_ACCESS_TOKEN = "serviceAccessToken",
+    API_KEY = "apiKey",
+    API_KEY_V2 = "apiKeyV2"
 }

 export const K8_USER_AGENT_NAME = "k8-operator"
--- a/docs/documentation/platform/secret-rotation/mysql.mdx
+++ b/docs/documentation/platform/secret-rotation/mysql.mdx
@ -0,0 +1,37 @@
+---
+title: "MySQL/MariaDB"
+description: "Rotated database user password of a MySQL or MariaDB"
+---
+
+Infisical will update periodically the provided database user's password.
+
+<Warning>
+	At present Infisical do require access to your database. We will soon be released Infisical agent based rotation which would help you rotate without direct database access from Infisical cloud.
+</Warning>
+
+## Working
+
+1. User's has to create the two user's for Infisical to rotate and provide them required database access
+2. Infisical will connect with your database with admin access
+3. If last rotated one was username1, then username2 is chosen to be rotated
+5. Update it's password with random value
+6. After testing it gets saved to the provided secret mapping
+
+## Rotation Configuration
+
+1. Head over to Secret Rotation configuration page of your project by clicking on side bar `Secret Rotation`
+2. Click on `MySQL`
+3. Provide the inputs
+	- Admin Username: DB admin username
+	- Admin Password: DB admin password
+	- Host: DB host
+	- Port: DB port(number)
+	- Username1: The first username in two to rotate
+	- Username2: The second username in two to rotate
+	- CA: Certificate to connect with database(string)
+4. Final step
+	- Select `Environment`, `Secret Path` and `Interval` to rotate the secrets
+	- Finally select the secrets in your provided board to replace with new secret after each rotation
+	- Your done and good to go.
+
+Congrats. You have 10x your MySQL/MariaDB access security. 
--- a/docs/documentation/platform/secret-rotation/overview.mdx
+++ b/docs/documentation/platform/secret-rotation/overview.mdx
@ -0,0 +1,44 @@
+# Secret Rotation Overview
+
+## Introduction
+
+Secret rotation is a process that involves updating secret credentials periodically to minimize the risk of their compromise. 
+Rotating secrets helps prevent unauthorized access to systems and sensitive data by ensuring that old credentials are replaced with new ones regularly.
+
+Rotated secrets may include, but are not limited to:
+
+1. API keys for external services
+2. Database credentials for various platforms
+
+## Rotation Process
+
+The practice of rotating secrets is a systematic and interval-based operation, carried out in four fundamental phases.
+
+### 1. Creation
+
+The system initiates the rotation process by either making an API call to an external service or generating a new secret value internally.
+Upon successful creation, the system will temporarily have three versions of the secret:
+
+- **Current active secret**: The one currently in use.
+- **Future active secret (pending)**: The newly created secret, awaiting validation.
+- **Previous active secret**: The old secret, soon to be retired.
+
+### 2. Testing
+
+The newly generated secret is subjected to a verification process to ensure its validity and functionality.
+This involves conducting checks or tests that simulate actual operations the secret would perform.
+Only the current active and the future active (pending) secrets are considered operational at this stage, while the previous active secret remains in standby mode.
+
+### 3. Deletion
+
+Post-verification, the system deactivates and deletes the previous active secret, leaving only the current and future active (pending) secrets in the system.
+
+### 4. Activation
+
+Finally, the system promotes the future active (pending) secret to be the new current active secret. It then triggers necessary side effects, such as invoking webhooks and generating events, to notify other services of the change.
+
+## Infisical Secret Rotation Strategies
+
+1. [SendGrid Integration](./sendgrid)
+2. [PostgreSQL/CockroachDB Implementation](./postgres)
+3. [MySQL/MariaDB Configuration](./mysql)
--- a/docs/documentation/platform/secret-rotation/postgres.mdx
+++ b/docs/documentation/platform/secret-rotation/postgres.mdx
@ -0,0 +1,37 @@
+---
+title: "PostgreSQL/CockroachDB"
+description: "Rotated database user password of a postgreSQL or cochroach db"
+---
+
+Infisical will update periodically the provided database user's password.
+
+<Warning>
+	At present Infisical do require access to your database. We will soon be released Infisical agent based rotation which would help you rotate without direct database access from Infisical cloud.
+</Warning>
+
+## Working
+
+1. User's has to create the two user's for Infisical to rotate and provide them required database access
+2. Infisical will connect with your database with admin access
+3. If last rotated one was username1, then username2 is chosen to be rotated
+5. Update it's password with random value
+6. After testing it gets saved to the provided secret mapping
+
+## Rotation Configuration
+
+1. Head over to Secret Rotation configuration page of your project by clicking on side bar `Secret Rotation`
+2. Click on `PostgreSQL`
+3. Provide the inputs
+	- Admin Username: DB admin username
+	- Admin Password: DB admin password
+	- Host: DB host
+	- Port: DB port(number)
+	- Username1: The first username in two to rotate
+	- Username2: The second username in two to rotate
+	- CA: Certificate to connect with database(string)
+4. Final step
+	- Select `Environment`, `Secret Path` and `Interval` to rotate the secrets
+	- Finally select the secrets in your provided board to replace with new secret after each rotation
+	- Your done and good to go.
+
+Congrats. You have 10x your PostgreSQL/CockroachDB access security. 
--- a/docs/documentation/platform/secret-rotation/sendgrid.mdx
+++ b/docs/documentation/platform/secret-rotation/sendgrid.mdx
@ -0,0 +1,31 @@
+---
+title: "Twilio SendGrid"
+description: "Rotate Twilio SendGrid API keys"
+---
+
+Twilio SendGrid is a cloud-based email delivery platform that helps businesses send transactional and marketing emails.
+It uses an API key to do various operations. Using Infisical you can easily dynamically change the keys.
+
+## Working
+
+1. Infisical will need an admin token of SendGrid to create API keys dynamically.
+2. Using the given admin token and scope by user Infisical will create and rotate API keys periodically
+3. Under the hood infisical uses [SendGrid API](https://docs.sendgrid.com/api-reference/api-keys/create-api-keys)
+
+## Rotation Configuration
+
+1. Head over to Secret Rotation configuration page of your project by clicking on side bar `Secret Rotation`
+2. Click on `Twilio SendGrid Card`
+3. Provide the inputs
+	- Admin API Key: 
+		SendGrid admin key to create lower scoped API keys.
+	- API Key Scopes
+		SendGrid generated API Key's scopes. For more info refer [this doc](https://docs.sendgrid.com/api-reference/api-key-permissions/api-key-permissions)
+
+4. Final step
+	- Select `Environment`, `Secret Path` and `Interval` to rotate the secrets
+	- Finally select the secrets in your provided board to replace with new secret after each rotation
+	- Your done and good to go.
+
+Now your output mapped secret value will be replaced periodically by SendGrid.
+		
--- a/docs/images/integrations/checkly/integrations-checkly-auth.png
+++ b/docs/images/integrations/checkly/integrations-checkly-auth.png
--- a/docs/images/integrations/checkly/integrations-checkly-create.png
+++ b/docs/images/integrations/checkly/integrations-checkly-create.png
--- a/docs/images/integrations/checkly/integrations-checkly.png
+++ b/docs/images/integrations/checkly/integrations-checkly.png
--- a/docs/integrations/cloud/checkly.mdx
+++ b/docs/integrations/cloud/checkly.mdx
@ -34,6 +34,13 @@ Press on the Checkly tile and input your Checkly API Key to grant Infisical acce
 Select which Infisical environment secrets you want to sync to Checkly and press create integration to start syncing secrets.

 ![integrations checkly](../../images/integrations/checkly/integrations-checkly-create.png)
+
+<Note>
+  Infisical integrates with Checkly's environment variables at the **global** and **group** levels.
+  
+  To sync secrets to a specific group, you can select a group from the Checkly Group dropdown; otherwise, leaving it empty will sync secrets globally.
+</Note>
+
 ![integrations checkly](../../images/integrations/checkly/integrations-checkly.png)

 <Info>
--- a/docs/mint.json
+++ b/docs/mint.json
@ -34,7 +34,10 @@
    }
  },
  "topbarLinks": [
-    { "name": "Log In", "url": "https://app.infisical.com/login" }
+    {
+      "name": "Log In",
+      "url": "https://app.infisical.com/login"
+    }
  ],
  "topbarCtaButton": {
    "name": "Start for Free",
@ -120,6 +123,15 @@
        "documentation/platform/audit-logs",
        "documentation/platform/token",
        "documentation/platform/mfa",
+        {
+          "group": "Secret Rotation",
+          "pages": [
+            "documentation/platform/secret-rotation/overview",
+            "documentation/platform/secret-rotation/sendgrid",
+            "documentation/platform/secret-rotation/postgres",
+            "documentation/platform/secret-rotation/mysql"
+          ]
+        },
        {
          "group": "SSO",
          "pages": [
--- a/docs/self-hosting/configuration/envars.mdx
+++ b/docs/self-hosting/configuration/envars.mdx
@ -153,29 +153,18 @@ Other environment variables are listed below to increase the functionality of yo
      JWT token lifetime expressed in seconds or a string describing a time span
    </ParamField>

-{" "}
+#### Logging

-<ParamField
-  query="MONGO_USERNAME"
-  type="string"
-  default="none"
-  optional
-></ParamField>
-
-{" "}
+Infisical uses Sentry to report error logs

 <ParamField
-  query="MONGO_PASSWORD"
+  query="PINO_LOG_LEVEL"
  type="string"
-  default="none"
+  default="info"
  optional
-></ParamField>
-
-#### Error logging
-
-Infisical uses Sentry to report error logs
-
-{" "}
+>
+  The minimum log level for application logging; can be one of `trace`, `debug`, `info`, `warn`, `error`, or `fatal`.
+</ParamField>

 <ParamField
  query="SENTRY_DSN"
--- a/frontend/public/images/secretRotation/mysql.png
+++ b/frontend/public/images/secretRotation/mysql.png
--- a/frontend/public/images/secretRotation/postgres.png
+++ b/frontend/public/images/secretRotation/postgres.png
--- a/frontend/public/images/secretRotation/sendgrid.png
+++ b/frontend/public/images/secretRotation/sendgrid.png
--- a/frontend/public/lotties/rotation.json
+++ b/frontend/public/lotties/rotation.json
--- a/frontend/src/components/permissions/OrgPermissionCan.tsx
+++ b/frontend/src/components/permissions/OrgPermissionCan.tsx
@ -21,7 +21,7 @@ export const OrgPermissionCan: FunctionComponent<Props> = ({
  allowedLabel,
  ...props
 }) => {
-  const permission = useOrgPermission();
+  const { permission } = useOrgPermission();

  return (
    <Can {...props} passThrough={passThrough} ability={props?.ability || permission}>
--- a/frontend/src/components/v2/FormControl/FormControl.tsx
+++ b/frontend/src/components/v2/FormControl/FormControl.tsx
@ -9,16 +9,24 @@ export type FormLabelProps = {
  isRequired?: boolean;
  label?: ReactNode;
  icon?: ReactNode;
+  className?: string;
 };

-export const FormLabel = ({ id, label, isRequired, icon }: FormLabelProps) => (
+export const FormLabel = ({ id, label, isRequired, icon, className }: FormLabelProps) => (
  <Label.Root
-    className="mb-0.5 ml-1 block flex items-center text-sm font-normal text-mineshaft-400"
+    className={twMerge(
+      "mb-0.5 ml-1 block flex items-center text-sm font-normal text-mineshaft-400",
+      className
+    )}
    htmlFor={id}
  >
    {label}
    {isRequired && <span className="ml-1 text-red">*</span>}
-    {icon && <span className="ml-2 text-mineshaft-300 hover:text-mineshaft-200 cursor-default">{icon}</span>}
+    {icon && (
+      <span className="ml-2 text-mineshaft-300 hover:text-mineshaft-200 cursor-default">
+        {icon}
+      </span>
+    )}
  </Label.Root>
 );

--- a/frontend/src/components/v2/Stepper/Stepper.tsx
+++ b/frontend/src/components/v2/Stepper/Stepper.tsx
@ -0,0 +1,78 @@
+import { Children, cloneElement, ReactElement, ReactNode } from "react";
+import { faCheck } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { twMerge } from "tailwind-merge";
+
+export type StepperProps = {
+  activeStep: number;
+  children: ReactNode;
+  direction: "vertical" | "horizontal";
+  className?: string;
+};
+
+export const Stepper = ({ activeStep, children, direction, className }: StepperProps) => {
+  return (
+    <div
+      className={twMerge(
+        "flex items-center w-full space-x-3 p-2 border border-bunker-300/30 rounded-md",
+        className
+      )}
+    >
+      {Children.map(children as ReactNode, (child: ReactNode, index) => {
+        const isCompleted = activeStep > index;
+        const isActive = index === activeStep;
+        const isNotLast = index + 1 !== (children as Array<ReactNode>).length;
+        return (
+          <div
+            className={twMerge(
+              "flex items-center space-x-3 flex-shrink-0",
+              isNotLast && "flex-grow"
+            )}
+          >
+            <div className="flex items-center space-x-2 flex-shrink-0">
+              <div
+                className={twMerge(
+                  "w-7 h-7 flex items-center justify-center font-medium text-mineshaft-800 text-sm rounded-full transition-all",
+                  isCompleted ? "bg-primary" : "border text-bunker-300 border-primary/30",
+                  isActive && "bg-primary text-mineshaft-800"
+                )}
+              >
+                {isCompleted ? <FontAwesomeIcon icon={faCheck} /> : index + 1}
+              </div>
+              {cloneElement(child as ReactElement, {
+                direction,
+                activeStep,
+                isCompleted,
+                isActive
+              })}
+            </div>
+            {isNotLast && (
+              <div
+                style={{ height: "1px" }}
+                className={twMerge("flex-grow bg-bunker-300/30", isCompleted && "bg-primary")}
+              />
+            )}
+          </div>
+        );
+      })}
+    </div>
+  );
+};
+
+export type StepProps = {
+  title: string;
+  description?: ReactNode;
+  // isActive?: boolean;
+  // isCompleted?: boolean;
+  // activeStep?: number;
+  // direction?: "vertical" | "horizontal";
+};
+
+export const Step = ({ title, description }: StepProps) => {
+  return (
+    <div className="flex flex-col text-gray-300">
+      <div className="font-medium text-sm">{title}</div>
+      {description && <div className="text-xs">{description}</div>}
+    </div>
+  );
+};
--- a/frontend/src/components/v2/Stepper/index.tsx
+++ b/frontend/src/components/v2/Stepper/index.tsx
@ -0,0 +1,2 @@
+export type { StepperProps,StepProps } from "./Stepper";
+export { Step,Stepper } from "./Stepper";
--- a/frontend/src/components/v2/index.tsx
+++ b/frontend/src/components/v2/index.tsx
@ -22,6 +22,7 @@ export * from "./SecretInput";
 export * from "./Select";
 export * from "./Skeleton";
 export * from "./Spinner";
+export * from "./Stepper";
 export * from "./Switch";
 export * from "./Table";
 export * from "./Tabs";
--- a/frontend/src/context/OrgPermissionContext/OrgPermissionContext.tsx
+++ b/frontend/src/context/OrgPermissionContext/OrgPermissionContext.tsx
@ -1,6 +1,7 @@
 import { createContext, ReactNode, useContext } from "react";

 import { useGetUserOrgPermissions } from "@app/hooks/api";
+import { OrgUser } from "@app/hooks/api/types";

 import { useOrganization } from "../OrganizationContext";
 import { TOrgPermission } from "./types";
@ -9,7 +10,10 @@ type Props = {
  children: ReactNode;
 };

-const OrgPermissionContext = createContext<null | TOrgPermission>(null);
+const OrgPermissionContext = createContext<null | {
+  permission: TOrgPermission;
+  membership: OrgUser | null;
+}>(null);

 export const OrgPermissionProvider = ({ children }: Props): JSX.Element => {
  const { currentOrg } = useOrganization();
--- a/frontend/src/context/ProjectPermissionContext/types.ts
+++ b/frontend/src/context/ProjectPermissionContext/types.ts
@ -21,7 +21,8 @@ export enum ProjectPermissionSub {
  Workspace = "workspace",
  Secrets = "secrets",
  SecretRollback = "secret-rollback",
-  SecretApproval = "secret-approval"
+  SecretApproval = "secret-approval",
+  SecretRotation = "secret-rotation"
 }

 type SubjectFields = {
@ -45,6 +46,7 @@ export type ProjectPermissionSet =
  | [ProjectPermissionActions, ProjectPermissionSub.Settings]
  | [ProjectPermissionActions, ProjectPermissionSub.ServiceTokens]
  | [ProjectPermissionActions, ProjectPermissionSub.SecretApproval]
+  | [ProjectPermissionActions, ProjectPermissionSub.SecretRotation]
  | [ProjectPermissionActions.Delete, ProjectPermissionSub.Workspace]
  | [ProjectPermissionActions.Edit, ProjectPermissionSub.Workspace]
  | [ProjectPermissionActions.Read, ProjectPermissionSub.SecretRollback]
--- a/frontend/src/hoc/withPermission/withPermission.tsx
+++ b/frontend/src/hoc/withPermission/withPermission.tsx
@ -21,7 +21,7 @@ export const withPermission = <T extends {}, J extends TOrgPermission>(
  { action, subject, className, containerClassName }: Props<Generics<J>["abilities"]>
 ) => {
  const HOC = (hocProps: T) => {
-    const permission = useOrgPermission();
+    const { permission } = useOrgPermission();

    // akhilmhdh: Set as any due to casl/react ts type bug
    // REASON: casl due to its type checking can't seem to union even if union intersection is applied
--- a/frontend/src/hooks/api/index.tsx
+++ b/frontend/src/hooks/api/index.tsx
@ -12,6 +12,7 @@ export * from "./secretApproval";
 export * from "./secretApprovalRequest";
 export * from "./secretFolders";
 export * from "./secretImports";
+export * from "./secretRotation";
 export * from "./secrets";
 export * from "./secretSnapshots";
 export * from "./serviceAccounts";
--- a/Show More
+++ b/Show More