release: 0.47.0

tests: adapt JWTs in e2e tests
fix: define token type as claim for better client compatibility
2025-12-06 13:12:58 +03:00 · 2025-04-16 16:32:27 +02:00 · 2025-04-16 16:30:38 +02:00 · 2025-04-16 15:58:38 +02:00 · 2025-04-15 19:28:10 +00:00 · 2025-04-15 20:38:03 +02:00
498 changed files with 27470 additions and 9597 deletions
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -0,0 +1,32 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/typescript-node
+{
+  "name": "pocket-id",
+  // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+  "image": "mcr.microsoft.com/devcontainers/typescript-node:1-22-bookworm",
+  "features": {
+    "ghcr.io/devcontainers/features/go:1": {},
+    "ghcr.io/devcontainers-extra/features/caddy:1": {}
+  },
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "golang.go",
+        "svelte.svelte-vscode"
+      ]
+    }
+  },
+  // Use 'postCreateCommand' to run commands after the container is created.
+  // Install npm dependencies for the frontend.
+  "postCreateCommand": "npm install --prefix frontend"
+
+
+  // Features to add to the dev container. More info: https://containers.dev/features.
+  // "features": {},
+  // Use 'forwardPorts' to make a list of ports inside the container available locally.
+  // "forwardPorts": [],
+  // Configure tool-specific properties.
+  // "customizations": {},
+  // Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
+  // "remoteUser": "root"
+}
--- a/.env.example
+++ b/.env.example
@@ -1,2 +1,6 @@
+# See the documentation for more information: https://pocket-id.org/docs/configuration/environment-variables
 PUBLIC_APP_URL=http://localhost
-TRUST_PROXY=false
+TRUST_PROXY=false
+MAXMIND_LICENSE_KEY=
+PUID=1000
+PGID=1000
--- a/.env.test
+++ b/.env.test
@@ -1,2 +0,0 @@
-APP_ENV=test
-PUBLIC_APP_URL=http://localhost
--- a/.github/ISSUE_TEMPLATE/bug.yml
+++ b/.github/ISSUE_TEMPLATE/bug.yml
@@ -34,4 +34,23 @@ body:
  - type: markdown
    attributes:
      value: |
-        Before submitting, please check if the issues hasn't been raised before.
+        ### Additional Information
+  - type: textarea
+    id: extra-information
+    validations:
+      required: true
+    attributes:
+      label: "Version and Environment"
+      description: "Please specify the version of Pocket ID, along with any environment-specific configurations, such your reverse proxy, that might be relevant."
+      placeholder: "e.g., v0.24.1"
+  - type: textarea
+    id: log-files
+    validations:
+      required: false
+    attributes:
+      label: "Log Output"
+      description: "Output of log files when the issue occurred to help us diagnose the issue."
+  - type: markdown
+    attributes:
+      value: |
+        **Before submitting, please check if the issue hasn't been raised before.**
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1 +1,5 @@
-blank_issues_enabled: false
+blank_issues_enabled: false
+contact_links:
+  - name: 💬 Discord
+    url: https://discord.gg/8wudU9KaxM
+    about: For help and chatting with the community
--- a/.github/ISSUE_TEMPLATE/language-request.yml
+++ b/.github/ISSUE_TEMPLATE/language-request.yml
@@ -0,0 +1,20 @@
+name: "🌐 Language request"
+description: "You want to contribute to a language that isn't on Crowdin yet?"
+title: "🌐 Language Request: <language name in english>"
+labels: [language-request]
+body:
+  - type: input
+    id: language-name-native
+    attributes:
+      label: "🌐 Language Name (native)"
+      placeholder: "Schweizerdeutsch"
+    validations:
+      required: true
+  - type: input
+    id: language-code
+    attributes:
+      label: "🌐 ISO 639-1 Language Code"
+      description: "You can find your language code [here](https://www.andiamo.co.uk/resources/iso-language-codes/)."
+      placeholder: "de-CH"
+    validations:
+      required: true
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for more information:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+# https://containers.dev/guide/dependabot
+
+version: 2
+updates:
+ - package-ecosystem: "devcontainers"
+   directory: "/"
+   schedule:
+     interval: weekly
--- a/.github/workflows/backend-linter.yml
+++ b/.github/workflows/backend-linter.yml
@@ -0,0 +1,39 @@
+name: Run Backend Linter
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "backend/**"
+  pull_request:
+    branches: [main]
+    paths:
+      - "backend/**"
+
+permissions:
+  # Required: allow read access to the content for analysis.
+  contents: read
+  # Optional: allow read access to pull request. Use with `only-new-issues` option.
+  pull-requests: read
+  # Optional: allow write access to checks to allow the action to annotate code in the PR.
+  checks: write
+
+jobs:
+  golangci-lint:
+    name: Run Golangci-lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: backend/go.mod
+
+      - name: Run Golangci-lint
+        uses: golangci/golangci-lint-action@dec74fa03096ff515422f71d18d41307cacde373 # v7.0.0
+        with:
+          version: v2.0.2
+          working-directory: backend
+          only-new-issues: ${{ github.event_name == 'pull_request' }}
--- a/.github/workflows/build-and-push-docker-image.yml
+++ b/.github/workflows/build-and-push-docker-image.yml
@@ -6,25 +6,37 @@ on:

 jobs:
  build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04 # Using an older version because of https://github.com/actions/runner-images/issues/11471
+    permissions:
+      contents: read
+      packages: write      
    steps:
      - name: checkout code
        uses: actions/checkout@v3

+      - name: Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ghcr.io/${{ github.repository }}
+          tags: |
+            type=semver,pattern={{version}},prefix=v
+            type=semver,pattern={{major}}.{{minor}},prefix=v
+
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3

-      - name: Login to Docker registry
-        uses: docker/login-action@v2
+
+      - name: 'Login to GitHub Container Registry'
+        uses: docker/login-action@v3
        with:
-          username: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
-          password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
-
-      - name: Download GeoLite2 City database
-        run: MAXMIND_LICENSE_KEY=${{ secrets.MAXMIND_LICENSE_KEY }} sh scripts/download-ip-database.sh
+            registry: ghcr.io
+            username: ${{github.repository_owner}}
+            password: ${{secrets.GITHUB_TOKEN}}    
    
      - name: Build and push
        uses: docker/build-push-action@v4
@@ -32,6 +44,7 @@ jobs:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
-          tags: stonith404/pocket-id:latest,stonith404/pocket-id:${{  github.ref_name }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -2,27 +2,59 @@ name: E2E Tests
 on:
  push:
    branches: [main]
+    paths-ignore:
+      - "docs/**"
+      - "**.md"
+      - ".github/**"
  pull_request:
    branches: [main]
+    paths-ignore:
+      - "docs/**"
+      - "**.md"
+      - ".github/**"
+
 jobs:
-  build-and-test:
+  build:
+    if: github.event.pull_request.head.ref != 'i18n_crowdin'
    timeout-minutes: 20
    runs-on: ubuntu-latest
+    steps:
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and export
+        uses: docker/build-push-action@v6
+        with:
+          tags: pocket-id/pocket-id:test
+          outputs: type=docker,dest=/tmp/docker-image.tar
+          build-args: BUILD_TAGS=e2etest
+
+      - name: Upload Docker image artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: docker-image
+          path: /tmp/docker-image.tar
+
+  test-sqlite:
+    if: github.event.pull_request.head.ref != 'i18n_crowdin'
+    runs-on: ubuntu-latest
+    needs: build
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: lts/*
-          cache: 'npm'
+          cache: "npm"
          cache-dependency-path: frontend/package-lock.json
-      
-      - name: Create dummy GeoLite2 City database
-        run: touch ./backend/GeoLite2-City.mmdb
-      
-      - name: Build Docker Image
-        run: docker build -t stonith404/pocket-id .
-      - name: Run Docker Container
-        run: docker run -d --name pocket-id -p 80:80 --env-file .env.test stonith404/pocket-id
+
+      - name: Download Docker image artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: docker-image
+          path: /tmp
+
+      - name: Load Docker Image
+        run: docker load -i /tmp/docker-image.tar

      - name: Install frontend dependencies
        working-directory: ./frontend
@@ -32,17 +64,115 @@ jobs:
        working-directory: ./frontend
        run: npx playwright install --with-deps chromium

+      - name: Run Docker Container with Sqlite DB
+        run: |
+          docker run -d --name pocket-id-sqlite \
+          -p 80:80 \
+          -e APP_ENV=test \
+          pocket-id/pocket-id:test
+
+          docker logs -f pocket-id-sqlite &> /tmp/backend.log &
+
      - name: Run Playwright tests
        working-directory: ./frontend
        run: npx playwright test

-      - name: Get container logs
+      - uses: actions/upload-artifact@v4
        if: always()
-        run: docker logs pocket-id
+        with:
+          name: playwright-report-sqlite
+          path: frontend/tests/.report
+          include-hidden-files: true
+          retention-days: 15

      - uses: actions/upload-artifact@v4
        if: always()
        with:
-          name: playwright-report
-          path: frontend/tests/.output
+          name: backend-sqlite
+          path: /tmp/backend.log
+          include-hidden-files: true
+          retention-days: 15
+
+  test-postgres:
+    if: github.event.pull_request.head.ref != 'i18n_crowdin'
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: lts/*
+          cache: "npm"
+          cache-dependency-path: frontend/package-lock.json
+
+      - name: Download Docker image artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: docker-image
+          path: /tmp
+      - name: Load Docker Image
+        run: docker load -i /tmp/docker-image.tar
+
+      - name: Install frontend dependencies
+        working-directory: ./frontend
+        run: npm ci
+
+      - name: Install Playwright Browsers
+        working-directory: ./frontend
+        run: npx playwright install --with-deps chromium
+
+      - name: Create Docker network
+        run: docker network create pocket-id-network
+
+      - name: Start Postgres DB
+        run: |
+          docker run -d --name pocket-id-db \
+          --network pocket-id-network \
+          -e POSTGRES_USER=postgres \
+          -e POSTGRES_PASSWORD=postgres \
+          -e POSTGRES_DB=pocket-id \
+          -p 5432:5432 \
+          postgres:17
+
+      - name: Wait for Postgres to start
+        run: |
+          for i in {1..10}; do
+            if docker exec pocket-id-db pg_isready -U postgres; then
+              echo "Postgres is ready"
+              break
+            fi
+            echo "Waiting for Postgres..."
+            sleep 2
+          done
+
+      - name: Run Docker Container with Postgres DB
+        run: |
+          docker run -d --name pocket-id-postgres \
+          --network pocket-id-network \
+          -p 80:80 \
+          -e APP_ENV=test \
+          -e DB_PROVIDER=postgres \
+          -e DB_CONNECTION_STRING=postgresql://postgres:postgres@pocket-id-db:5432/pocket-id \
+          pocket-id/pocket-id:test
+
+          docker logs -f pocket-id-postgres &> /tmp/backend.log &
+
+      - name: Run Playwright tests
+        working-directory: ./frontend
+        run: npx playwright test
+
+      - uses: actions/upload-artifact@v4
+        if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
+        with:
+          name: playwright-report-postgres
+          path: frontend/tests/.report
+          include-hidden-files: true
+          retention-days: 15
+
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: backend-postgres
+          path: /tmp/backend.log
+          include-hidden-files: true
          retention-days: 15
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -0,0 +1,35 @@
+name: Unit Tests
+on:
+  push:
+    branches: [main]
+    paths:
+      - "backend/**"
+  pull_request:
+    branches: [main]
+    paths:
+      - "backend/**"
+
+jobs:
+  test-backend:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: 'backend/go.mod'
+          cache-dependency-path: 'backend/go.sum'
+      - name: Install dependencies
+        working-directory: backend
+        run: |
+          go get ./...
+      - name: Run backend unit tests
+        working-directory: backend
+        run: |
+          set -e -o pipefail
+          go test -v ./... | tee /tmp/TestResults.log
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: backend-unit-tests
+          path: /tmp/TestResults.log
+          retention-days: 15
--- a/.github/workflows/update-aaguids.yml
+++ b/.github/workflows/update-aaguids.yml
@@ -0,0 +1,34 @@
+name: Update AAGUIDs
+
+on:
+  schedule:
+    - cron: "0 0 * * 1" # Runs every Monday at midnight
+  workflow_dispatch: # Allows manual triggering of the workflow
+
+permissions: 
+    contents: write
+    
+jobs:
+  update-aaguids:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Fetch JSON data
+        run: |
+          curl -o data.json https://raw.githubusercontent.com/pocket-id/passkey-aaguids/refs/heads/main/combined_aaguid.json
+
+      - name: Process JSON data
+        run: |
+          mkdir -p backend/resources
+          jq -c 'map_values(.name)' data.json > backend/resources/aaguids.json
+
+      - name: Commit changes
+        run: |
+          git config --local user.email "action@github.com"
+          git config --local user.name "GitHub Action"
+          git add backend/resources/aaguids.json
+          git diff --staged --quiet || git commit -m "chore: update AAGUIDs"
+          git push
--- a/.gitignore
+++ b/.gitignore
@@ -34,5 +34,20 @@ vite.config.ts.timestamp-*
 # Application specific
 data
 /frontend/tests/.auth
+/frontend/tests/.report
 pocket-id-backend
-/backend/GeoLite2-City.mmdb
+/backend/GeoLite2-City.mmdb
+
+# Misc
+.DS_Store
+.env.local
+.env.development.local
+.env.test.local
+.env.production.local
+
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
+#Debug
+backend/cmd/__debug_*
--- a/.version
+++ b/.version
@@ -1 +1 @@
-0.10.0
+0.47.0
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -0,0 +1,5 @@
+{
+  "recommendations": [
+    "inlang.vs-code-extension"
+  ]
+}
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -0,0 +1,42 @@
+{
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "name": "Backend",
+      "type": "go",
+      "request": "launch",
+      "envFile": "${workspaceFolder}/backend/cmd/.env",
+      "env": {
+        "APP_ENV": "development"
+      },
+      "mode": "debug",
+      "program": "${workspaceFolder}/backend/cmd/main.go",
+    },
+    {
+      "name": "Frontend",
+      "type": "node",
+      "request": "launch",
+      "envFile": "${workspaceFolder}/frontend/.env",
+      "cwd": "${workspaceFolder}/frontend",
+      "runtimeExecutable": "npm",
+      "runtimeArgs": [
+        "run",
+        "dev"
+      ]
+    }
+  ],
+  "compounds": [
+    {
+      "name": "Development",
+      "configurations": [
+        "Backend",
+        "Frontend"
+      ],
+      "presentation": {
+        "hidden": false,
+        "group": "",
+        "order": 1
+      }
+    }
+  ],
+}
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -0,0 +1,3 @@
+{
+    "go.buildTags": "e2etest"
+}
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -0,0 +1,37 @@
+{
+  // See https://go.microsoft.com/fwlink/?LinkId=733558
+  // for the documentation about the tasks.json format
+  "version": "2.0.0",
+  "tasks": [
+    {
+      "label": "Run Caddy",
+      "type": "shell",
+      "command": "caddy run --config reverse-proxy/Caddyfile",
+      "isBackground": true,
+      "problemMatcher": {
+        "owner": "custom",
+        "pattern": [
+          {
+            "regexp": ".",
+            "file": 1,
+            "location": 2,
+            "message": 3
+          }
+        ],
+        "background": {
+          "activeOnStart": true,
+          "beginsPattern": ".*",
+          "endsPattern": "Caddyfile.*"
+        }
+      },
+      "presentation": {
+        "reveal": "always",
+        "panel": "new"
+      },
+      "runOptions": {
+        "runOn": "folderOpen",
+        "instanceLimit": 1
+      }
+    }
+  ]
+}
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,579 @@
+## [](https://github.com/pocket-id/pocket-id/compare/v0.46.0...v) (2025-04-16)
+
+
+### Features
+
+* add qrcode representation of one time link ([#424](https://github.com/pocket-id/pocket-id/issues/424)) ([#436](https://github.com/pocket-id/pocket-id/issues/436)) ([abf17f6](https://github.com/pocket-id/pocket-id/commit/abf17f62114a2de549b62cec462b9b0659ee23a7))
+* disable animations setting toggle ([#442](https://github.com/pocket-id/pocket-id/issues/442)) ([b45cf68](https://github.com/pocket-id/pocket-id/commit/b45cf68295975f51777dab95950b98b8db0a9ae5))
+
+
+### Bug Fixes
+
+* define token type as claim for better client compatibility ([adf7458](https://github.com/pocket-id/pocket-id/commit/adf74586afb6ef9a00fb122c150b0248c5bc23f0))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.45.0...v) (2025-04-13)
+
+
+### Features
+
+* global audit log ([#320](https://github.com/pocket-id/pocket-id/issues/320)) ([b65e693](https://github.com/pocket-id/pocket-id/commit/b65e693e12be2e7e4cb75a74d6fd43bacb3f6a94))
+* implement token introspection ([#405](https://github.com/pocket-id/pocket-id/issues/405)) ([7e5d16b](https://github.com/pocket-id/pocket-id/commit/7e5d16be9bdfccfa113924547e313886681d11bb))
+* modernize ui ([#381](https://github.com/pocket-id/pocket-id/issues/381)) ([9881a1d](https://github.com/pocket-id/pocket-id/commit/9881a1df9efe32608ab116db71c0e4f66dae171c))
+* **onboarding:** Added button when you don't have a passkey added. ([#426](https://github.com/pocket-id/pocket-id/issues/426)) ([72061ba](https://github.com/pocket-id/pocket-id/commit/72061ba4278a007437cee3a205c3076d58bde644))
+
+
+### Bug Fixes
+
+* add missing rollback for LDAP sync ([658a9ca](https://github.com/pocket-id/pocket-id/commit/658a9ca6dd8d2304ff3639a000bab02e91ff68a6))
+* create reusable default profile pictures ([#406](https://github.com/pocket-id/pocket-id/issues/406)) ([734c681](https://github.com/pocket-id/pocket-id/commit/734c6813eaef166235ae801747e3652d17ae0e2a))
+* ensure file descriptors are closed + other bugs ([#413](https://github.com/pocket-id/pocket-id/issues/413)) ([2f76461](https://github.com/pocket-id/pocket-id/commit/2f7646105e26423f47cbe49dae97e40c4a01a025))
+* ensure indexes on audit_logs table ([#415](https://github.com/pocket-id/pocket-id/issues/415)) ([9e88926](https://github.com/pocket-id/pocket-id/commit/9e88926283a7a663bfc7fd4f4aa16bd02f614176))
+* ignore profile picture cache after profile picture gets updated ([4ba6893](https://github.com/pocket-id/pocket-id/commit/4ba68938dd2a631c633fcb65d8c35cb039d3f59c))
+* improve LDAP error handling ([#425](https://github.com/pocket-id/pocket-id/issues/425)) ([796bc7e](https://github.com/pocket-id/pocket-id/commit/796bc7ed3453839b1dc8d846b71fe9fac9a2d646))
+* use transactions when operations involve multiple database queries ([#392](https://github.com/pocket-id/pocket-id/issues/392)) ([ec626ee](https://github.com/pocket-id/pocket-id/commit/ec626ee7977306539fd1d70cc9091590f0a54af6))
+* use UUID for temporary file names ([ccc18d7](https://github.com/pocket-id/pocket-id/commit/ccc18d716f16a7ef1775d30982e2ba7b5ff159a6))
+
+
+### Performance Improvements
+
+* run async operations in parallel in server load functions ([1762629](https://github.com/pocket-id/pocket-id/commit/17626295964244c5582806bd0f413da2c799d5ad))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.44.0...v) (2025-03-29)
+
+
+### Features
+
+* add support for ECDSA and EdDSA keys ([#359](https://github.com/pocket-id/pocket-id/issues/359)) ([96876a9](https://github.com/pocket-id/pocket-id/commit/96876a99c586508b72c27669ab200ff6a29db771))
+
+
+### Bug Fixes
+
+* ldap users aren't deleted if removed from ldap server ([7e65827](https://github.com/pocket-id/pocket-id/commit/7e658276f04d08a1f5117796e55d45e310204dab))
+* use value receiver for `AuditLogData` ([cbd1bbd](https://github.com/pocket-id/pocket-id/commit/cbd1bbdf741eedd03e93598d67623c75c74b6212))
+* use WAL for SQLite by default and set busy_timeout ([#388](https://github.com/pocket-id/pocket-id/issues/388)) ([519d58d](https://github.com/pocket-id/pocket-id/commit/519d58d88c906abc5139e35933bdeba0396c10a2))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.43.1...v) (2025-03-25)
+
+
+### Features
+
+* add OIDC refresh_token support ([#325](https://github.com/pocket-id/pocket-id/issues/325)) ([b8dcda8](https://github.com/pocket-id/pocket-id/commit/b8dcda80497e554d163a370eff81fe000f8831f4))
+
+
+### Bug Fixes
+
+* hash the refresh token in the DB (security) ([#379](https://github.com/pocket-id/pocket-id/issues/379)) ([8c96381](https://github.com/pocket-id/pocket-id/commit/8c963818bb90c84dac04018eec93790900d4b0ce))
+* skip ldap objects without a valid unique id ([#376](https://github.com/pocket-id/pocket-id/issues/376)) ([cdfe816](https://github.com/pocket-id/pocket-id/commit/cdfe8161d4429bdfe879887fe0b563a67c14f50b))
+* stop container if Caddy, the frontend or the backend fails ([e6f5019](https://github.com/pocket-id/pocket-id/commit/e6f50191cf05a5d0ac0e0000cf66423646f1920e))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.43.0...v) (2025-03-20)
+
+
+### Bug Fixes
+
+* wrong base locale causes crash ([3120ebf](https://github.com/pocket-id/pocket-id/commit/3120ebf239b90f0bc0a0af33f30622e034782398))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.42.1...v) (2025-03-20)
+
+
+### Features
+
+* add support for translations ([#349](https://github.com/pocket-id/pocket-id/issues/349)) ([269b5a3](https://github.com/pocket-id/pocket-id/commit/269b5a3c9249bb8081c74741141d3d5a69ea42a2))
+* **passkeys:** name new passkeys based on agguids ([#332](https://github.com/pocket-id/pocket-id/issues/332)) ([041c565](https://github.com/pocket-id/pocket-id/commit/041c565dc10f15edb3e8ab58e9a4df5e48a2a6d3))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.42.0...v) (2025-03-18)
+
+
+### Bug Fixes
+
+* kid not added to JWTs ([f7e36a4](https://github.com/pocket-id/pocket-id/commit/f7e36a422ea6b5327360c9a13308ae408ff7fffe))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.41.0...v) (2025-03-18)
+
+
+### Features
+
+* store keys as JWK on disk ([#339](https://github.com/pocket-id/pocket-id/issues/339)) ([a7c9741](https://github.com/pocket-id/pocket-id/commit/a7c9741802667811c530ef4e6313b71615ec6a9b))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.40.1...v) (2025-03-18)
+
+
+### Features
+
+* **profile-picture:** allow reset of profile picture ([#355](https://github.com/pocket-id/pocket-id/issues/355)) ([8f14618](https://github.com/pocket-id/pocket-id/commit/8f146188d57b5c08a4c6204674c15379232280d8))
+
+
+### Bug Fixes
+
+* own avatar not loading ([#351](https://github.com/pocket-id/pocket-id/issues/351)) ([0423d35](https://github.com/pocket-id/pocket-id/commit/0423d354f533d2ff4fd431859af3eea7d4d7044f))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.40.0...v) (2025-03-16)
+
+
+### Bug Fixes
+
+* API keys not working if sqlite is used ([8ead0be](https://github.com/pocket-id/pocket-id/commit/8ead0be8cd0cfb542fe488b7251cfd5274975ae1))
+* caching for own profile picture ([e45d9e9](https://github.com/pocket-id/pocket-id/commit/e45d9e970d327a5120ff9fb0c8d42df8af69bb38))
+* email logo icon displaying too big ([#336](https://github.com/pocket-id/pocket-id/issues/336)) ([b483e2e](https://github.com/pocket-id/pocket-id/commit/b483e2e92fdb528e7de026350a727d6970227426))
+* emails are considered as medium spam by rspamd ([#337](https://github.com/pocket-id/pocket-id/issues/337)) ([39b7f66](https://github.com/pocket-id/pocket-id/commit/39b7f6678c98cadcdc3abfbcb447d8eb0daa9eb0))
+* Fixes and performance improvements in utils package ([#331](https://github.com/pocket-id/pocket-id/issues/331)) ([348192b](https://github.com/pocket-id/pocket-id/commit/348192b9d7e2698add97810f8fba53d13d0df018))
+* remove custom claim key restrictions ([9f28503](https://github.com/pocket-id/pocket-id/commit/9f28503d6c73d3521d1309bee055704a0507e9b5))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.39.0...v) (2025-03-13)
+
+
+### Features
+
+* allow setting path where keys are stored ([#327](https://github.com/pocket-id/pocket-id/issues/327)) ([7b654c6](https://github.com/pocket-id/pocket-id/commit/7b654c6bd111ddcddd5e3450cbf326d9cf1777b6))
+
+
+### Bug Fixes
+
+* **docker:** missing write permissions on scripts ([ec4b41a](https://github.com/pocket-id/pocket-id/commit/ec4b41a1d26ea00bb4a95f654ac4cc745b2ce2e8))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.38.0...v) (2025-03-11)
+
+
+### Features
+
+* api key authentication ([#291](https://github.com/pocket-id/pocket-id/issues/291)) ([62915d8](https://github.com/pocket-id/pocket-id/commit/62915d863a4adc09cf467b75c414a045be43c2bb))
+
+
+### Bug Fixes
+
+* alternative login method link on mobile ([9ef2ddf](https://github.com/pocket-id/pocket-id/commit/9ef2ddf7963c6959992f3a5d6816840534e926e9))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.37.0...v) (2025-03-10)
+
+
+### Features
+
+* add env variable to disable update check ([31198fe](https://github.com/pocket-id/pocket-id/commit/31198feec2ae77dd6673c42b42002871ddd02d37))
+
+
+### Bug Fixes
+
+* redirection not correctly if signing in with email code ([e5ec264](https://github.com/pocket-id/pocket-id/commit/e5ec264bfd535752565bcc107099a9df5cb8aba7))
+* typo in account settings ([#307](https://github.com/pocket-id/pocket-id/issues/307)) ([c822192](https://github.com/pocket-id/pocket-id/commit/c8221921245deb3008f655740d1a9460dcdab2fc))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.36.0...v) (2025-03-10)
+
+
+### Features
+
+* **account:** add ability to sign in with login code ([#271](https://github.com/pocket-id/pocket-id/issues/271)) ([eb1426e](https://github.com/pocket-id/pocket-id/commit/eb1426ed2684b5ddd185db247a8e082b28dfd014))
+* increase default item count per page ([a9713cf](https://github.com/pocket-id/pocket-id/commit/a9713cf6a1e3c879dc773889b7983e51bbe3c45b))
+
+
+### Bug Fixes
+
+* add back setup page ([6a8dd84](https://github.com/pocket-id/pocket-id/commit/6a8dd84ca9396ff3369385af22f7e1f081bec2b2))
+* add timeout to update check ([04efc36](https://github.com/pocket-id/pocket-id/commit/04efc3611568a0b0127b542b8cc252d9e783af46))
+* make sorting consistent around tables ([8e344f1](https://github.com/pocket-id/pocket-id/commit/8e344f1151628581b637692a1de0e48e7235a22d))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.35.6...v) (2025-03-06)
+
+
+### Features
+
+* display groups on the account page ([#296](https://github.com/pocket-id/pocket-id/issues/296)) ([0f14a93](https://github.com/pocket-id/pocket-id/commit/0f14a93e1d6a723b0994ba475b04702646f04464))
+* enable sd_notify support ([#277](https://github.com/pocket-id/pocket-id/issues/277)) ([91f254c](https://github.com/pocket-id/pocket-id/commit/91f254c7bb067646c42424c5c62ebcd90a0c8792))
+
+
+### Bug Fixes
+
+* default sorting on tables ([#299](https://github.com/pocket-id/pocket-id/issues/299)) ([ff34e3b](https://github.com/pocket-id/pocket-id/commit/ff34e3b925321c80e9d7d42d0fd50e397d198435))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.35.5...v) (2025-03-03)
+
+
+### Bug Fixes
+
+* support `LOGIN` authentication method for SMTP ([#292](https://github.com/pocket-id/pocket-id/issues/292)) ([2d733fc](https://github.com/pocket-id/pocket-id/commit/2d733fc79faefca23d54b22768029c3ba3427410))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.35.4...v) (2025-03-03)
+
+
+### Bug Fixes
+
+* profile picture orientation if image is rotated with EXIF ([1026ee4](https://github.com/pocket-id/pocket-id/commit/1026ee4f5b5c7fda78b65c94a5d0f899525defd1))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.35.3...v) (2025-03-01)
+
+
+### Bug Fixes
+
+* add `groups` scope and claim to well known endpoint ([4bafee4](https://github.com/pocket-id/pocket-id/commit/4bafee4f58f5a76898cf66d6192916d405eea389))
+* profile picture of other user can't be updated ([#273](https://github.com/pocket-id/pocket-id/issues/273)) ([ef25f6b](https://github.com/pocket-id/pocket-id/commit/ef25f6b6b84b52f1310d366d40aa3769a6fe9bef))
+* support POST for OIDC userinfo endpoint ([1652cc6](https://github.com/pocket-id/pocket-id/commit/1652cc65f3f966d018d81a1ae22abb5ff1b4c47b))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.35.2...v) (2025-02-25)
+
+
+### Bug Fixes
+
+* add option to manually select SMTP TLS method ([#268](https://github.com/pocket-id/pocket-id/issues/268)) ([01a9de0](https://github.com/pocket-id/pocket-id/commit/01a9de0b04512c62d0f223de33d711f93c49b9cc))
+* **ldap:** sync error if LDAP user collides with an existing user ([fde951b](https://github.com/pocket-id/pocket-id/commit/fde951b543281fedf9f602abae26b50881e3d157))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.35.1...v) (2025-02-24)
+
+
+### Bug Fixes
+
+* delete profile picture if user gets deleted ([9a167d4](https://github.com/pocket-id/pocket-id/commit/9a167d4076872e5e3e5d78d2a66ef7203ca5261b))
+* updating profile picture of other user updates own profile picture ([887c5e4](https://github.com/pocket-id/pocket-id/commit/887c5e462a50c8fb579ca6804f1a643d8af78fe8))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.35.0...v) (2025-02-22)
+
+
+### Bug Fixes
+
+* add validation that `PUBLIC_APP_URL` can't contain a path ([a6ae7ae](https://github.com/pocket-id/pocket-id/commit/a6ae7ae28713f7fc8018ae2aa7572986df3e1a5b))
+* binary profile picture can't be imported from LDAP ([840a672](https://github.com/pocket-id/pocket-id/commit/840a672fc35ca8476caf86d7efaba9d54bce86aa))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.34.0...v) (2025-02-19)
+
+
+### Features
+
+* add ability to upload a profile picture ([#244](https://github.com/pocket-id/pocket-id/issues/244)) ([652ee6a](https://github.com/pocket-id/pocket-id/commit/652ee6ad5d6c46f0d35c955ff7bb9bdac6240ca6))
+
+
+### Bug Fixes
+
+* app config strings starting with a number are parsed incorrectly ([816c198](https://github.com/pocket-id/pocket-id/commit/816c198a42c189cb1f2d94885d2e3623e47e2848))
+* emails do not get rendered correctly in Gmail ([dca9e7a](https://github.com/pocket-id/pocket-id/commit/dca9e7a11a3ba5d3b43a937f11cb9d16abad2db5))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.33.0...v) (2025-02-16)
+
+
+### Features
+
+* add LDAP group membership attribute ([#236](https://github.com/pocket-id/pocket-id/issues/236)) ([39b46e9](https://github.com/pocket-id/pocket-id/commit/39b46e99a9b930ea39cf640c3080530cfff5be6e))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.32.0...v) (2025-02-14)
+
+
+### Features
+
+* add end session endpoint ([#232](https://github.com/pocket-id/pocket-id/issues/232)) ([7550333](https://github.com/pocket-id/pocket-id/commit/7550333fe2ff6424f3168f63c5179d76767532fd))
+
+
+### Bug Fixes
+
+* alignment of OIDC client details ([c3980d3](https://github.com/pocket-id/pocket-id/commit/c3980d3d28a7158a4dc9369af41f185b891e485e))
+* layout of OIDC client details page on mobile ([3de1301](https://github.com/pocket-id/pocket-id/commit/3de1301fa84b3ab4fff4242d827c7794d44910f2))
+* show  "Sync Now" and "Test Email" button even if UI config is disabled ([4d0fff8](https://github.com/pocket-id/pocket-id/commit/4d0fff821e2245050ce631b4465969510466dfae))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.31.0...v) (2025-02-13)
+
+
+### Features
+
+* add ability to set custom Geolite DB URL ([2071d00](https://github.com/pocket-id/pocket-id/commit/2071d002fc5c3b5ff7a3fca6a5c99f5517196853))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.30.0...v) (2025-02-12)
+
+
+### Features
+
+* add ability to override the UI configuration with environment variables ([4e85842](https://github.com/pocket-id/pocket-id/commit/4e858420e9d9713e19f3b35c45c882403717f72f))
+* add warning for only having one passkey configured ([#220](https://github.com/pocket-id/pocket-id/issues/220)) ([39e403d](https://github.com/pocket-id/pocket-id/commit/39e403d00f3870f9e960427653a1d9697da27a6f))
+* display source in user and group table ([#225](https://github.com/pocket-id/pocket-id/issues/225)) ([9ed2adb](https://github.com/pocket-id/pocket-id/commit/9ed2adb0f8da13725fd9a4ef6a7798c377d13513))
+
+
+### Bug Fixes
+
+* user linking in ldap group sync ([#222](https://github.com/pocket-id/pocket-id/issues/222)) ([2d78349](https://github.com/pocket-id/pocket-id/commit/2d78349b381d7ca10f47d3c03cef685a576b1b49))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.29.0...v) (2025-02-08)
+
+
+### Features
+
+* add custom ldap search filters ([#216](https://github.com/pocket-id/pocket-id/issues/216)) ([626f87d](https://github.com/pocket-id/pocket-id/commit/626f87d59211f4129098b91dc1d020edb4aca692))
+* update host configuration to allow external access ([#218](https://github.com/pocket-id/pocket-id/issues/218)) ([bea1158](https://github.com/pocket-id/pocket-id/commit/bea115866fd8e4b15d3281c422d2fb72312758b1))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.28.1...v) (2025-02-05)
+
+
+### Features
+
+* add JSON support in custom claims ([15cde6a](https://github.com/pocket-id/pocket-id/commit/15cde6ac66bc857ac28df545a37c1f4341977595))
+* add option to disable Caddy in the Docker container ([e864d5d](https://github.com/pocket-id/pocket-id/commit/e864d5dcbff1ef28dc6bf120e4503093a308c5c8))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.28.0...v) (2025-02-04)
+
+
+### Bug Fixes
+
+* don't return error page if version info fetching failed ([d06257e](https://github.com/stonith404/pocket-id/commit/d06257ec9b5e46e25e40c174b4bef02dca0a1ea3))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.27.2...v) (2025-02-03)
+
+
+### Features
+
+* allow LDAP users and groups to be deleted if LDAP gets disabled ([9ab1787](https://github.com/stonith404/pocket-id/commit/9ab178712aa3cc71546a89226e67b7ba91245251))
+* map allowed groups to OIDC clients ([#202](https://github.com/stonith404/pocket-id/issues/202)) ([13b02a0](https://github.com/stonith404/pocket-id/commit/13b02a072f20ce10e12fd8b897cbf42a908f3291))
+
+
+### Bug Fixes
+
+* **caddy:** trusted_proxies for IPv6 enabled hosts ([#189](https://github.com/stonith404/pocket-id/issues/189)) ([37a835b](https://github.com/stonith404/pocket-id/commit/37a835b44e308622f6862de494738dd2bfb58ef0))
+* missing user service dependency ([61e71ad](https://github.com/stonith404/pocket-id/commit/61e71ad43b8f0f498133d3eb2381382e7bc642b9))
+* non LDAP user group can't be updated after update ([ecd74b7](https://github.com/stonith404/pocket-id/commit/ecd74b794f1ffb7da05bce0046fb8d096b039409))
+* use cursor pointer on clickable elements ([7798580](https://github.com/stonith404/pocket-id/commit/77985800ae9628104e03e7f2e803b7ed9eaaf4e0))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.27.1...v) (2025-01-27)
+
+
+### Bug Fixes
+
+* smtp hello for tls connections ([#180](https://github.com/stonith404/pocket-id/issues/180)) ([781ff7a](https://github.com/stonith404/pocket-id/commit/781ff7ae7b84b13892e7a565b7a78f20c52ee2c9))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.27.0...v) (2025-01-24)
+
+
+### Bug Fixes
+
+* add `__HOST` prefix to cookies ([#175](https://github.com/stonith404/pocket-id/issues/175)) ([164ce6a](https://github.com/stonith404/pocket-id/commit/164ce6a3d7fa8ae5275c94302952cf318e3b3113))
+* send hostname derived from `PUBLIC_APP_URL` with SMTP EHLO command ([397544c](https://github.com/stonith404/pocket-id/commit/397544c0f3f2b49f1f34ae53e6b9daf194d1ae28))
+* use OS hostname for SMTP EHLO message ([47c39f6](https://github.com/stonith404/pocket-id/commit/47c39f6d382c496cb964262adcf76cc8dbb96da3))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.26.0...v) (2025-01-22)
+
+
+### Features
+
+* display private IP ranges correctly in audit log ([#139](https://github.com/stonith404/pocket-id/issues/139)) ([72923bb](https://github.com/stonith404/pocket-id/commit/72923bb86dc5d07d56aea98cf03320667944b553))
+
+
+### Bug Fixes
+
+* add save changes dialog before sending test email ([#165](https://github.com/stonith404/pocket-id/issues/165)) ([d02f475](https://github.com/stonith404/pocket-id/commit/d02f4753f3fbda75cd415ebbfe0702765c38c144))
+* ensure the downloaded GeoLite2 DB is not corrupted & prevent RW race condition ([#138](https://github.com/stonith404/pocket-id/issues/138)) ([f7710f2](https://github.com/stonith404/pocket-id/commit/f7710f298898d322885c1c83680e26faaa0bb800))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.25.1...v) (2025-01-20)
+
+
+### Features
+
+* support wildcard callback URLs ([8a1db0c](https://github.com/stonith404/pocket-id/commit/8a1db0cb4a5d4b32b4fdc19d41fff688a7c71a56))
+
+
+### Bug Fixes
+
+* non LDAP users get created with a empty LDAP ID string ([3f02d08](https://github.com/stonith404/pocket-id/commit/3f02d081098ad2caaa60a56eea4705639f80d01f))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.25.0...v) (2025-01-19)
+
+
+### Bug Fixes
+
+* disable account details inputs if user is imported from LDAP ([a8b9d60](https://github.com/stonith404/pocket-id/commit/a8b9d60a86e80c10d6fba07072b1d32cec400ecb))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.24.1...v) (2025-01-19)
+
+
+### Features
+
+* add LDAP sync ([#106](https://github.com/stonith404/pocket-id/issues/106)) ([5101b14](https://github.com/stonith404/pocket-id/commit/5101b14eec68a9507e1730994178d0ebe8185876))
+* allow sign in with email ([#100](https://github.com/stonith404/pocket-id/issues/100)) ([06b90ed](https://github.com/stonith404/pocket-id/commit/06b90eddd645cce57813f2536e4a6a8836548f2b))
+* automatically authorize client if signed in ([d5dd118](https://github.com/stonith404/pocket-id/commit/d5dd118a3f4ad6eed9ca496c458201bb10f148a0))
+
+
+### Bug Fixes
+
+* always set secure on cookie ([#130](https://github.com/stonith404/pocket-id/issues/130)) ([fda08ac](https://github.com/stonith404/pocket-id/commit/fda08ac1cd88842e25dc47395ed1288a5cfac4f8))
+* don't panic if LDAP sync fails on startup ([e284e35](https://github.com/stonith404/pocket-id/commit/e284e352e2b95fac1d098de3d404e8531de4b869))
+* improve spacing of checkboxes on application configuration page ([090eca2](https://github.com/stonith404/pocket-id/commit/090eca202d198852e6fbf4e6bebaf3b5ada13944))
+* search input not displayed if response hasn't any items ([05a98eb](https://github.com/stonith404/pocket-id/commit/05a98ebe87d7a88e8b96b144c53250a40d724ec3))
+* session duration ignored in cookie expiration ([bc8f454](https://github.com/stonith404/pocket-id/commit/bc8f454ea173ecc60e06450a1d22e24207f76714))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.24.0...v) (2025-01-13)
+
+
+### Bug Fixes
+
+* audit log table overflow if row data is long ([4d337a2](https://github.com/stonith404/pocket-id/commit/4d337a20c5cb92ef80bb7402f9b99b08e3ad0b6b))
+* optional arguments not working with `create-one-time-access-token.sh` ([8885571](https://github.com/stonith404/pocket-id/commit/888557171d61589211b10f70dce405126216ad61))
+* remove restrictive validation for group names ([be6e25a](https://github.com/stonith404/pocket-id/commit/be6e25a167de8bf07075b46f09d9fc1fa6c74426))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.23.0...v) (2025-01-11)
+
+
+### Features
+
+* add sorting for tables ([fd69830](https://github.com/stonith404/pocket-id/commit/fd69830c2681985e4fd3c5336a2b75c9fb7bc5d4))
+
+
+### Bug Fixes
+
+* pkce state not correctly reflected in oidc client info ([61d18a9](https://github.com/stonith404/pocket-id/commit/61d18a9d1b167ff59a59523ff00d00ca8f23258d))
+* send test email to the user that has requested it ([a649c4b](https://github.com/stonith404/pocket-id/commit/a649c4b4a543286123f4d1f3c411fe1a7e2c6d71))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.22.0...v) (2025-01-03)
+
+
+### Features
+
+* add PKCE for non public clients ([adcf3dd](https://github.com/stonith404/pocket-id/commit/adcf3ddc6682794e136a454ef9e69ddd130626a8))
+* use same table component for OIDC client list as all other lists ([2d31fc2](https://github.com/stonith404/pocket-id/commit/2d31fc2cc9201bb93d296faae622f52c6dcdfebc))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.21.0...v) (2025-01-01)
+
+
+### Features
+
+* add warning if passkeys missing ([2d0bd8d](https://github.com/stonith404/pocket-id/commit/2d0bd8dcbfb73650b7829cb66f40decb284bd73b))
+
+
+### Bug Fixes
+
+* allow first and last name of user to be between 1 and 50 characters ([1ff20ca](https://github.com/stonith404/pocket-id/commit/1ff20caa3ccd651f9fb30f958ffb807dfbbcbd8a))
+* hash in callback url is incorrectly appended ([f6f2736](https://github.com/stonith404/pocket-id/commit/f6f2736bba65eee017f2d8cdaa70621574092869))
+* make user validation consistent between pages ([333a1a1](https://github.com/stonith404/pocket-id/commit/333a1a18d59f675111f4ed106fa5614ef563c6f4))
+* passkey can't be added if `PUBLIC_APP_URL` includes a port ([0729ce9](https://github.com/stonith404/pocket-id/commit/0729ce9e1a8dab9912900a01dcd0fbd892718a1a))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.20.1...v) (2024-12-17)
+
+
+### Features
+
+* improve error state design for login page ([0716c38](https://github.com/stonith404/pocket-id/commit/0716c38fb8ce7fa719c7fe0df750bdb213786c21))
+
+
+### Bug Fixes
+
+* OIDC client logo gets removed if other properties get updated ([789d939](https://github.com/stonith404/pocket-id/commit/789d9394a533831e7e2fb8dc3f6b338787336ad8))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.20.0...v) (2024-12-13)
+
+
+### Bug Fixes
+
+* `create-one-time-access-token.sh` script not compatible with postgres ([34e3519](https://github.com/stonith404/pocket-id/commit/34e35193f9f3813f6248e60f15080d753e8da7ae))
+* wrong date time datatype used for read operations with Postgres ([bad901e](https://github.com/stonith404/pocket-id/commit/bad901ea2b661aadd286e5e4bed317e73bd8a70d))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.19.0...v) (2024-12-12)
+
+
+### Features
+
+* add support for Postgres database provider ([#79](https://github.com/stonith404/pocket-id/issues/79)) ([9d20a98](https://github.com/stonith404/pocket-id/commit/9d20a98dbbc322fa6f0644e8b31e6b97769887ce))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.18.0...v) (2024-11-29)
+
+
+### Features
+
+* **geolite:** add Tailscale IP detection with CGNAT range check  ([#77](https://github.com/stonith404/pocket-id/issues/77)) ([edce3d3](https://github.com/stonith404/pocket-id/commit/edce3d337129c9c6e8a60df2122745984ba0f3e0))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.17.0...v) (2024-11-28)
+
+
+### Features
+
+* add option to disable TLS for email sending ([f9fa2c6](https://github.com/stonith404/pocket-id/commit/f9fa2c6706a8bf949fe5efd6664dec8c80e18659))
+* allow empty user and password in SMTP configuration ([a9f4dad](https://github.com/stonith404/pocket-id/commit/a9f4dada321841d3611b15775307228b34e7793f))
+
+
+### Bug Fixes
+
+* email save toast shows two times ([f2bfc73](https://github.com/stonith404/pocket-id/commit/f2bfc731585ad7424eb8c4c41c18368fc0f75ffc))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.16.0...v) (2024-11-26)
+
+
+### ⚠ BREAKING CHANGES
+
+* add option to specify the Max Mind license key for the Geolite2 db
+
+### Features
+
+* add option to specify the Max Mind license key for the Geolite2 db ([fcf08a4](https://github.com/stonith404/pocket-id/commit/fcf08a4d898160426442bd80830f4431988f4313))
+
+
+### Bug Fixes
+
+* don't try to create a new user if the Docker user is not root ([#71](https://github.com/stonith404/pocket-id/issues/71)) ([0e95e9c](https://github.com/stonith404/pocket-id/commit/0e95e9c56f4c3f84982f508fdb6894ba747952b4))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.15.0...v) (2024-11-24)
+
+
+### Features
+
+* add health check ([058084e](https://github.com/stonith404/pocket-id/commit/058084ed64816b12108e25bf04af988fc97772ed))
+* improve error message for invalid callback url ([f637a89](https://github.com/stonith404/pocket-id/commit/f637a89f579aefb8dc3c3c16a27ef0bc453dfe40))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.14.0...v) (2024-11-21)
+
+
+### Features
+
+* add option to skip TLS certificate check and ability to send test email ([653d948](https://github.com/stonith404/pocket-id/commit/653d948f73b61e6d1fd3484398fef1a2a37e6d92))
+* add PKCE support ([3613ac2](https://github.com/stonith404/pocket-id/commit/3613ac261cf65a2db0620ff16dc6df239f6e5ecd))
+
+
+### Bug Fixes
+
+* mobile layout overflow on application configuration page ([e784093](https://github.com/stonith404/pocket-id/commit/e784093342f9977ea08cac65ff0c3de4d2644872))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.13.1...v) (2024-11-11)
+
+
+### Features
+
+* add audit log event for one time access token sign in ([aca2240](https://github.com/stonith404/pocket-id/commit/aca2240a50a12e849cfb6e1aa56390b000aebae0))
+
+
+### Bug Fixes
+
+* overflow of pagination control on mobile ([de45398](https://github.com/stonith404/pocket-id/commit/de4539890349153c467013c24c4d6b30feb8fed8))
+* time displayed incorrectly in audit log ([3d3fb4d](https://github.com/stonith404/pocket-id/commit/3d3fb4d855ef510f2292e98fcaaaf83debb5d3e0))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.13.0...v) (2024-11-01)
+
+
+### Features
+
+* add list empty indicator ([becfc00](https://github.com/stonith404/pocket-id/commit/becfc0004a87c01e18eb92ac85bf4e33f105b6a3))
+
+
+### Bug Fixes
+
+* errors in middleware do not abort the request ([376d747](https://github.com/stonith404/pocket-id/commit/376d747616b1e835f252d20832c5ae42b8b0b737))
+* typo in Self-Account Editing description ([5b9f4d7](https://github.com/stonith404/pocket-id/commit/5b9f4d732615f428c13d3317da96a86c5daebd89))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.12.0...v) (2024-10-31)
+
+
+### Features
+
+* add ability to define expiration of one time link ([2ccabf8](https://github.com/stonith404/pocket-id/commit/2ccabf835c2c923d6986d9cafb4e878f5110b91a))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.11.0...v) (2024-10-28)
+
+
+### Features
+
+* add option to disable self-account editing ([8304065](https://github.com/stonith404/pocket-id/commit/83040656525cf7b6c8f2acf416c5f8f3288f3d48))
+* add validation to custom claim input ([7bfc3f4](https://github.com/stonith404/pocket-id/commit/7bfc3f43a591287c038187ed5e782de6b9dd738b))
+* custom claims ([#53](https://github.com/stonith404/pocket-id/issues/53)) ([c056089](https://github.com/stonith404/pocket-id/commit/c056089c6043a825aaaaecf0c57454892a108f1d))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.10.0...v) (2024-10-25)
+
+
+### Features
+
+* add `email_verified` claim ([5565f60](https://github.com/stonith404/pocket-id/commit/5565f60d6d62ca24bedea337e21effc13e5853a5))
+
+
+### Bug Fixes
+
+* powered by link text color in light mode ([18c5103](https://github.com/stonith404/pocket-id/commit/18c5103c20ce79abdc0f724cdedd642c09269e78))
+
 ## [](https://github.com/stonith404/pocket-id/compare/v0.9.0...v) (2024-10-23)


--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -31,8 +31,15 @@ Before you submit the pull request for review please ensure that
 - You run `npm run format` to format the code

 ## Setup project
+Pocket ID consists of a frontend, backend and a reverse proxy. There are two ways to get the development environment setup:

-Pocket ID consists of a frontend, backend and a reverse proxy.
+## 1. Using DevContainers
+1. Make sure you have [Dev Containers](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers) extension installed
+2. Clone and open the repo in VS Code
+3. VS Code will detect .devcontainer and will prompt you to open the folder in devcontainer
+4. If the auto prompt does not work, hit `F1` and select `Dev Containers: Open Folder in Container.`, then select the pocket-id repo root folder and it'll open in container.
+
+## 2. Manual

 ### Backend

@@ -42,7 +49,7 @@ The backend is built with [Gin](https://gin-gonic.com) and written in Go.

 1. Open the `backend` folder
 2. Copy the `.env.example` file to `.env` and change the `APP_ENV` to `development`
-3. Start the backend with `go run cmd/main.go`
+3. Start the backend with `go run -tags e2etest ./cmd`

 ### Frontend

@@ -55,19 +62,23 @@ The frontend is built with [SvelteKit](https://kit.svelte.dev) and written in Ty
 3. Install the dependencies with `npm install`
 4. Start the frontend with `npm run dev`

-You're all set!
-
 ### Reverse Proxy
 We use [Caddy](https://caddyserver.com) as a reverse proxy. You can use any other reverse proxy if you want but you have to configure it yourself.

 #### Setup
 Run `caddy run --config reverse-proxy/Caddyfile` in the root folder.

+You're all set!
+
+## Debugging
+1. The VS Code is currently setup to auto launch caddy on opening the folder. (Defined in [tasks.json](.vscode/tasks.json))
+2. Press `F5` to start a debug session. This will launch both frontend and backend and attach debuggers to those process. (Defined in [launch.json](.vscode/launch.json))
+
 ### Testing

 We are using [Playwright](https://playwright.dev) for end-to-end testing.

 The tests can be run like this:
 1. Start the backend normally
-2. Start the frontend in production mode with `npm run build && node build/index.js`
+2. Start the frontend in production mode with `npm run build && node --env-file=.env build/index.js`
 3. Run the tests with `npm run test`
--- a/34
+++ b/34
@@ -1,5 +1,8 @@
+# Tags passed to "go build"
+ARG BUILD_TAGS=""
+
 # Stage 1: Build Frontend
-FROM node:20-alpine AS frontend-builder
+FROM node:22-alpine AS frontend-builder
 WORKDIR /app/frontend
 COPY ./frontend/package*.json ./
 RUN npm ci
@@ -8,7 +11,8 @@ RUN npm run build
 RUN npm prune --production

 # Stage 2: Build Backend
-FROM golang:1.23-alpine AS backend-builder
+FROM golang:1.24-alpine AS backend-builder
+ARG BUILD_TAGS
 WORKDIR /app/backend
 COPY ./backend/go.mod ./backend/go.sum ./
 RUN go mod download
@@ -17,11 +21,19 @@ RUN apk add --no-cache gcc musl-dev

 COPY ./backend ./
 WORKDIR /app/backend/cmd
-RUN CGO_ENABLED=1 GOOS=linux go build -o /app/backend/pocket-id-backend .
+RUN CGO_ENABLED=1 \
+  GOOS=linux \
+  go build \
+  -tags "${BUILD_TAGS}" \
+  -o /app/backend/pocket-id-backend \
+  .

 # Stage 3: Production Image
-FROM node:20-alpine
-RUN apk add --no-cache caddy
+FROM node:22-alpine
+# Delete default node user
+RUN deluser --remove-home node
+
+RUN apk add --no-cache caddy curl su-exec
 COPY ./reverse-proxy /etc/caddy/

 WORKDIR /app
@@ -30,16 +42,12 @@ COPY --from=frontend-builder /app/frontend/node_modules ./frontend/node_modules
 COPY --from=frontend-builder /app/frontend/package.json ./frontend/package.json

 COPY --from=backend-builder /app/backend/pocket-id-backend ./backend/pocket-id-backend
-COPY --from=backend-builder /app/backend/migrations ./backend/migrations
-COPY --from=backend-builder /app/backend/GeoLite2-City.mmdb ./backend/GeoLite2-City.mmdb
-COPY --from=backend-builder /app/backend/email-templates ./backend/email-templates
-COPY --from=backend-builder /app/backend/images ./backend/images

 COPY ./scripts ./scripts
-RUN chmod +x ./scripts/*.sh
+RUN chmod +x ./scripts/**/*.sh

-EXPOSE 3000
+EXPOSE 80
 ENV APP_ENV=production

-# Use a shell form to run both the frontend and backend
-CMD ["sh", "./scripts/docker-entrypoint.sh"]
+ENTRYPOINT ["sh", "./scripts/docker/create-user.sh"]
+CMD ["sh", "./scripts/docker/entrypoint.sh"]
--- a/README.md
+++ b/README.md
@@ -2,6 +2,8 @@

 Pocket ID is a simple OIDC provider that allows users to authenticate with their passkeys to your services.

+→ Try out the [Demo](https://demo.pocket-id.org)
+
 <img src="https://github.com/user-attachments/assets/96ac549d-b897-404a-8811-f42b16ea58e2" width="1200"/>

 The goal of Pocket ID is to be a simple and easy-to-use. There are other self-hosted OIDC providers like [Keycloak](https://www.keycloak.org/) or [ORY Hydra](https://www.ory.sh/hydra/) but they are often too complex for simple use cases.
@@ -10,157 +12,9 @@ Additionally, what makes Pocket ID special is that it only supports [passkey](ht

 ## Setup

-> [!WARNING]  
-> Pocket ID is in its early stages and may contain bugs.
+Pocket ID can be set up in multiple ways. The easiest and recommended way is to use Docker.

-### Before you start
-
-Pocket ID requires a [secure context](https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts), meaning it must be served over HTTPS. This is necessary because Pocket ID uses the [WebAuthn API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API) which requires a secure context.
-
-### Installation with Docker (recommended)
-
-1. Download the `docker-compose.yml` and `.env` file:
-
-   ```bash
-    curl -O https://raw.githubusercontent.com/stonith404/pocket-id/main/docker-compose.yml
-
-    curl -o .env https://raw.githubusercontent.com/stonith404/pocket-id/main/.env.example
-   ```
-
-2. Edit the `.env` file so that it fits your needs. See the [environment variables](#environment-variables) section for more information.
-3. Run `docker compose up -d`
-
-You can now sign in with the admin account on `http://localhost/login/setup`.
-
-### Unraid
-
-Pocket ID is available as a template on the Community Apps store.
-
-### Stand-alone Installation
-
-Required tools:
-
- [Node.js](https://nodejs.org/en/download/) >= 20
- [Go](https://golang.org/doc/install) >= 1.23
- [Git](https://git-scm.com/downloads)
- [PM2](https://pm2.keymetrics.io/)
- [Caddy](https://caddyserver.com/docs/install) (optional)
-
-1. Copy the `.env.example` file in the `frontend` and `backend` folder to `.env` and change it so that it fits your needs.
-
-   ```bash
-   cp frontend/.env.example frontend/.env
-   cp backend/.env.example backend/.env
-   ```
-
-2. Run the following commands:
-
-   ```bash
-   git clone https://github.com/stonith404/pocket-id
-   cd pocket-id
-
-   # Checkout the latest version
-   git fetch --tags && git checkout $(git describe --tags `git rev-list --tags --max-count=1`)
-
-   # Start the backend
-   cd backend/cmd
-   go build -o ../pocket-id-backend
-   cd ..
-   pm2 start pocket-id-backend --name pocket-id-backend
-
-   # Optional: Download the GeoLite2 city database.
-   # If not downloaded the ip location in the audit log will be empty.
-   MAXMIND_LICENSE_KEY=<your-key> sh scripts/download-ip-database.sh
-
-   # Start the frontend
-   cd ../frontend
-   npm install
-   npm run build
-   pm2 start --name pocket-id-frontend --node-args="--env-file .env" build/index.js
-
-   # Optional: Start Caddy (You can use any other reverse proxy)
-   cd ..
-   pm2 start --name pocket-id-caddy caddy -- run --config Caddyfile
-   ```
-
-You can now sign in with the admin account on `http://localhost/login/setup`.
-
-### Add Pocket ID as an OIDC provider
-
-You can add a new OIDC client on `https://<your-domain>/settings/admin/oidc-clients`
-
-After you have added the client, you can obtain the client ID and client secret.
-
-You may need the following information:
-
- **Authorization URL**: `https://<your-domain>/authorize`
- **Token URL**: `https://<your-domain>/api/oidc/token`
- **Userinfo URL**: `https://<your-domain>/api/oidc/userinfo`
- **Certificate URL**: `https://<your-domain>/.well-known/jwks.json`
- **OIDC Discovery URL**: `https://<your-domain>/.well-known/openid-configuration`
- **Scopes**: At least `openid email`. Optionally you can add `profile` and `groups`.
-
-### Proxy Services with Pocket ID
-
-As the goal of Pocket ID is to stay simple, we don't have a built-in proxy provider. However, you can use [OAuth2 Proxy](https://oauth2-proxy.github.io/) to add authentication to your services that don't support OIDC.
-
-See the [guide](docs/proxy-services.md) for more information.
-
-### Update
-
-#### Docker
-
-```bash
-docker compose pull
-docker compose up -d
-```
-
-#### Stand-alone
-
-1. Stop the running services:
-   ```bash
-   pm2 delete pocket-id-backend pocket-id-frontend pocket-id-caddy
-   ```
-2. Run the following commands:
-
-   ```bash
-   cd pocket-id
-
-   # Checkout the latest version
-   git fetch --tags && git checkout $(git describe --tags `git rev-list --tags --max-count=1`)
-
-   # Start the backend
-   cd backend/cmd
-   go build -o ../pocket-id-backend
-   cd ..
-   pm2 start pocket-id-backend --name pocket-id-backend
-
-   # Optional: Update the GeoLite2 city database
-   MAXMIND_LICENSE_KEY=<your-key> sh scripts/download-ip-database.sh
-
-   # Start the frontend
-   cd ../frontend
-   npm install
-   npm run build
-   pm2 start build/index.js --name pocket-id-frontend
-
-   # Optional: Start Caddy (You can use any other reverse proxy)
-   cd ..
-   pm2 start caddy --name pocket-id-caddy -- run --config Caddyfile
-   ```
-
-### Environment variables
-
-| Variable               | Default Value           | Recommended to change | Description                                                                                                                                                                           |
-| ---------------------- | ----------------------- | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `PUBLIC_APP_URL`       | `http://localhost`      | yes                   | The URL where you will access the app.                                                                                                                                                |
-| `TRUST_PROXY`          | `false`                 | yes                   | Whether the app is behind a reverse proxy.                                                                                                                                            |
-| `DB_PATH`              | `data/pocket-id.db`     | no                    | The path to the SQLite database.                                                                                                                                                      |
-| `UPLOAD_PATH`          | `data/uploads`          | no                    | The path where the uploaded files are stored.                                                                                                                                         |
-| `INTERNAL_BACKEND_URL` | `http://localhost:8080` | no                    | The URL where the backend is accessible.                                                                                                                                              |
-| `CADDY_PORT`           | `80`                    | no                    | The port on which Caddy should listen. Caddy is only active inside the Docker container. If you want to change the exposed port of the container then you sould change this variable. |
-| `PORT`                 | `3000`                  | no                    | The port on which the frontend should listen.                                                                                                                                         |
-| `BACKEND_PORT`         | `8080`                  | no                    | The port on which the backend should listen.                                                                                                                                          |
+Visit the [documentation](https://docs.pocket-id.org) for the setup guide and more information.

 ## Contribute

--- a/backend/.env.example
+++ b/backend/.env.example
@@ -1,6 +1,10 @@
 APP_ENV=production
 PUBLIC_APP_URL=http://localhost
-DB_PATH=data/pocket-id.db
+# /!\ If PUBLIC_APP_URL is not a localhost address, it must be HTTPS
+DB_PROVIDER=sqlite
+# MAXMIND_LICENSE_KEY=fixme # needed for IP geolocation in the audit log
+SQLITE_DB_PATH=data/pocket-id.db
+POSTGRES_CONNECTION_STRING=postgresql://postgres:postgres@localhost:5432/pocket-id
 UPLOAD_PATH=data/uploads
 PORT=8080
-HOST=localhost
+HOST=0.0.0.0
--- a/backend/.gitignore
+++ b/backend/.gitignore
@@ -13,4 +13,5 @@

 # Dependency directories (remove the comment below to include it)
 # vendor/
-./data
+./data
+.env
--- a/backend/.golangci.yml
+++ b/backend/.golangci.yml
@@ -0,0 +1,64 @@
+version: "2"
+run:
+  tests: true
+  timeout: 5m
+linters:
+  default: none
+  enable:
+    - asasalint
+    - asciicheck
+    - bidichk
+    - bodyclose
+    - contextcheck
+    - copyloopvar
+    - durationcheck
+    - errcheck
+    - errchkjson
+    - errorlint
+    - exhaustive
+    - gocheckcompilerdirectives
+    - gochecksumtype
+    - gocognit
+    - gocritic
+    - gosec
+    - gosmopolitan
+    - govet
+    - ineffassign
+    - loggercheck
+    - makezero
+    - musttag
+    - nilerr
+    - nilnesserr
+    - noctx
+    - protogetter
+    - reassign
+    - recvcheck
+    - rowserrcheck
+    - spancheck
+    - sqlclosecheck
+    - staticcheck
+    - testifylint
+    - unused
+    - usestdlibvars
+    - zerologlint
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+      - internal/service/test_service.go
+formatters:
+  enable:
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
--- a/backend/cmd/main.go
+++ b/backend/cmd/main.go
@@ -1,9 +1,13 @@
 package main

 import (
-	"github.com/stonith404/pocket-id/backend/internal/bootstrap"
+	"github.com/pocket-id/pocket-id/backend/internal/bootstrap"
 )

+// @title Pocket ID API
+// @version 1.0
+// @description.markdown
+
 func main() {
 	bootstrap.Bootstrap()
 }
--- a/backend/email-templates/components/style_html.tmpl
+++ b/backend/email-templates/components/style_html.tmpl
@@ -1,80 +0,0 @@
-{{ define "style" }}
-<style>
-  body {
-    font-family: Arial, sans-serif;
-    background-color: #f0f0f0;
-    color: #333;
-    margin: 0;
-    padding: 0;
-  }
-  .container {
-    background-color: #fff;
-    color: #333;
-    padding: 32px;
-    border-radius: 10px;
-    max-width: 600px;
-    margin: 40px auto;
-    box-shadow: 0 4px 6px rgba(0, 0, 0, 0.1);
-  }
-  .header {
-    display: flex;
-    justify-content: space-between;
-    align-items: center;
-    margin-bottom: 24px;
-  }
-  .header .logo {
-    display: flex;
-    align-items: center;
-    gap: 8px;
-  }
-  .header .logo img {
-    width: 32px;
-    height: 32px;
-    object-fit: cover;
-  }
-  .header h1 {
-    font-size: 1.5rem;
-    font-weight: bold;
-  }
-  .warning {
-    background-color: #ffd966;
-    color: #7f6000;
-    padding: 4px 12px;
-    border-radius: 50px;
-    font-size: 0.875rem;
-  }
-  .content {
-    background-color: #fafafa;
-    color: #333;
-    padding: 24px;
-    border-radius: 10px;
-  }
-  .content h2 {
-    font-size: 1.25rem;
-    font-weight: bold;
-    margin-bottom: 16px;
-  }
-  .grid {
-    display: grid;
-    grid-template-columns: 1fr 1fr;
-    gap: 16px;
-    margin-bottom: 16px;
-  }
-  .grid div {
-    display: flex;
-    flex-direction: column;
-  }
-  .grid p {
-    margin: 0;
-  }
-  .label {
-    color: #888;
-    font-size: 0.875rem;
-    margin-bottom: 4px;
-  }
-  .message {
-    font-size: 1rem;
-    line-height: 1.5;
-  }
-</style>
-{{ end }}
--- a/backend/email-templates/login-with-new-device_html.tmpl
+++ b/backend/email-templates/login-with-new-device_html.tmpl
@@ -1,36 +0,0 @@
-{{ define "base" }}
-    <div class="header">
-        <div class="logo">
-            <img src="{{ .LogoURL }}" alt="Pocket ID"/>
-            <h1>{{ .AppName }}</h1>
-        </div>
-        <div class="warning">Warning</div>
-    </div>
-    <div class="content">
-        <h2>New Sign-In Detected</h2>
-        <div class="grid">
-            {{ if and .Data.City .Data.Country }}
-            <div>
-                <p class="label">Approximate Location</p>
-                <p>{{ .Data.City }}, {{ .Data.Country }}</p>
-            </div>
-            {{ end }}
-            <div>
-                <p class="label">IP Address</p>
-                <p>{{ .Data.IPAddress }}</p>
-            </div>
-            <div>
-                <p class="label">Device</p>
-                <p>{{ .Data.Device }}</p>
-            </div>
-            <div>
-                <p class="label">Sign-In Time</p>
-                <p>{{ .Data.DateTime.Format "2006-01-02 15:04:05 UTC" }}</p>
-            </div>
-        </div>
-        <p class="message">
-            This sign-in was detected from a new device or location. If you recognize this activity, you can
-            safely ignore this message. If not, please review your account and security settings.
-        </p>
-    </div>
-{{ end -}}
--- a/backend/go.mod
+++ b/backend/go.mod
@@ -1,64 +1,88 @@
-module github.com/stonith404/pocket-id/backend
+module github.com/pocket-id/pocket-id/backend

-go 1.23.1
+go 1.24

 require (
-	github.com/caarlos0/env/v11 v11.2.2
+	github.com/caarlos0/env/v11 v11.3.1
+	github.com/disintegration/imageorient v0.0.0-20180920195336-8147d86e83ec
+	github.com/disintegration/imaging v1.6.2
+	github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21
+	github.com/emersion/go-smtp v0.21.3
 	github.com/fxamacker/cbor/v2 v2.7.0
-	github.com/gin-contrib/cors v1.7.2
 	github.com/gin-gonic/gin v1.10.0
-	github.com/go-co-op/gocron/v2 v2.12.1
-	github.com/go-playground/validator/v10 v10.22.1
+	github.com/go-co-op/gocron/v2 v2.15.0
+	github.com/go-ldap/ldap/v3 v3.4.10
+	github.com/go-playground/validator/v10 v10.24.0
 	github.com/go-webauthn/webauthn v0.11.2
-	github.com/golang-jwt/jwt/v5 v5.2.1
-	github.com/golang-migrate/migrate/v4 v4.18.1
+	github.com/golang-migrate/migrate/v4 v4.18.2
 	github.com/google/uuid v1.6.0
 	github.com/joho/godotenv v1.5.1
+	github.com/lestrrat-go/jwx/v3 v3.0.0-beta1
 	github.com/mileusna/useragent v1.3.5
-	github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.1
-	golang.org/x/crypto v0.27.0
-	golang.org/x/time v0.6.0
-	gorm.io/driver/sqlite v1.5.6
+	github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.2
+	github.com/stretchr/testify v1.10.0
+	golang.org/x/crypto v0.36.0
+	golang.org/x/image v0.24.0
+	golang.org/x/time v0.9.0
+	gorm.io/driver/postgres v1.5.11
+	gorm.io/driver/sqlite v1.5.7
 	gorm.io/gorm v1.25.12
 )

 require (
-	github.com/bytedance/sonic v1.12.3 // indirect
-	github.com/bytedance/sonic/loader v0.2.0 // indirect
-	github.com/cloudwego/base64x v0.1.4 // indirect
-	github.com/cloudwego/iasm v0.2.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.5 // indirect
-	github.com/gin-contrib/sse v0.1.0 // indirect
+	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
+	github.com/bytedance/sonic v1.12.8 // indirect
+	github.com/bytedance/sonic/loader v0.2.3 // indirect
+	github.com/cloudwego/base64x v0.1.5 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
+	github.com/disintegration/gift v1.1.2 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
+	github.com/gin-contrib/sse v1.0.0 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-webauthn/x v0.1.14 // indirect
-	github.com/goccy/go-json v0.10.3 // indirect
-	github.com/google/go-tpm v0.9.1 // indirect
+	github.com/go-webauthn/x v0.1.16 // indirect
+	github.com/goccy/go-json v0.10.4 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
+	github.com/google/go-tpm v0.9.3 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/jackc/pgpassfile v1.0.0 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
+	github.com/jackc/pgx/v5 v5.7.2 // indirect
+	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
-	github.com/jonboulle/clockwork v0.4.0 // indirect
+	github.com/jonboulle/clockwork v0.5.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.8 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.9 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.2 // indirect
+	github.com/lestrrat-go/httpcc v1.0.1 // indirect
+	github.com/lestrrat-go/httprc/v3 v3.0.0-beta1 // indirect
+	github.com/lestrrat-go/option v1.0.1 // indirect
+	github.com/lib/pq v1.10.9 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-sqlite3 v1.14.23 // indirect
+	github.com/mattn/go-sqlite3 v1.14.24 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/robfig/cron/v3 v3.0.1 // indirect
+	github.com/segmentio/asm v1.2.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.2.12 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	golang.org/x/arch v0.10.0 // indirect
-	golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
-	golang.org/x/net v0.29.0 // indirect
-	golang.org/x/sys v0.25.0 // indirect
-	golang.org/x/text v0.18.0 // indirect
-	google.golang.org/protobuf v1.34.2 // indirect
+	golang.org/x/arch v0.13.0 // indirect
+	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 // indirect
+	golang.org/x/net v0.36.0 // indirect
+	golang.org/x/sync v0.12.0 // indirect
+	golang.org/x/sys v0.31.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
+	google.golang.org/protobuf v1.36.4 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/backend/go.sum
+++ b/backend/go.sum
@@ -1,73 +1,137 @@
-github.com/bytedance/sonic v1.12.3 h1:W2MGa7RCU1QTeYRTPE3+88mVC0yXmsRQRChiyVocVjU=
-github.com/bytedance/sonic v1.12.3/go.mod h1:B8Gt/XvtZ3Fqj+iSKMypzymZxw/FVwgIGKzMzT9r/rk=
+github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
+github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
+github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
+github.com/bytedance/sonic v1.12.8 h1:4xYRVRlXIgvSZ4e8iVTlMF5szgpXd4AfvuWgA8I8lgs=
+github.com/bytedance/sonic v1.12.8/go.mod h1:uVvFidNmlt9+wa31S1urfwwthTWteBgG0hWuoKAXTx8=
 github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
-github.com/bytedance/sonic/loader v0.2.0 h1:zNprn+lsIP06C/IqCHs3gPQIvnvpKbbxyXQP1iU4kWM=
-github.com/bytedance/sonic/loader v0.2.0/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
-github.com/caarlos0/env/v11 v11.2.2 h1:95fApNrUyueipoZN/EhA8mMxiNxrBwDa+oAZrMWl3Kg=
-github.com/caarlos0/env/v11 v11.2.2/go.mod h1:JBfcdeQiBoI3Zh1QRAWfe+tpiNTmDtcCj/hHHHMx0vc=
-github.com/cloudwego/base64x v0.1.4 h1:jwCgWpFanWmN8xoIUHa2rtzmkd5J2plF/dnLS6Xd/0Y=
-github.com/cloudwego/base64x v0.1.4/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=
-github.com/cloudwego/iasm v0.2.0 h1:1KNIy1I1H9hNNFEEH3DVnI4UujN+1zjpuk6gwHLTssg=
+github.com/bytedance/sonic/loader v0.2.3 h1:yctD0Q3v2NOGfSWPLPvG2ggA2kV6TS6s4wioyEqssH0=
+github.com/bytedance/sonic/loader v0.2.3/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
+github.com/caarlos0/env/v11 v11.3.1 h1:cArPWC15hWmEt+gWk7YBi7lEXTXCvpaSdCiZE2X5mCA=
+github.com/caarlos0/env/v11 v11.3.1/go.mod h1:qupehSf/Y0TUTsxKywqRt/vJjN5nz6vauiYEUUr8P4U=
+github.com/cloudwego/base64x v0.1.5 h1:XPciSp1xaq2VCSt6lF0phncD4koWyULpl5bUxbfCyP4=
+github.com/cloudwego/base64x v0.1.5/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=
 github.com/cloudwego/iasm v0.2.0/go.mod h1:8rXZaNYT2n95jn+zTI1sDr+IgcD2GVs0nlbbQPiEFhY=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvwDRwnI3hwNaAHRnc=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=
+github.com/dhui/dktest v0.4.4 h1:+I4s6JRE1yGuqflzwqG+aIaMdgXIorCf5P98JnaAWa8=
+github.com/dhui/dktest v0.4.4/go.mod h1:4+22R4lgsdAXrDyaH4Nqx2JEz2hLp49MqQmm9HLCQhM=
+github.com/disintegration/gift v1.1.2 h1:9ZyHJr+kPamiH10FX3Pynt1AxFUob812bU9Wt4GMzhs=
+github.com/disintegration/gift v1.1.2/go.mod h1:Jh2i7f7Q2BM7Ezno3PhfezbR1xpUg9dUg3/RlKGr4HI=
+github.com/disintegration/imageorient v0.0.0-20180920195336-8147d86e83ec h1:YrB6aVr9touOt75I9O1SiancmR2GMg45U9UYf0gtgWg=
+github.com/disintegration/imageorient v0.0.0-20180920195336-8147d86e83ec/go.mod h1:K0KBFIr1gWu/C1Gp10nFAcAE4hsB7JxE6OgLijrJ8Sk=
+github.com/disintegration/imaging v1.6.2 h1:w1LecBlG2Lnp8B3jk5zSuNqd7b4DXhcjwek1ei82L+c=
+github.com/disintegration/imaging v1.6.2/go.mod h1:44/5580QXChDfwIclfc/PCwrr44amcmDAg8hxG0Ewe4=
+github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
+github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/docker/docker v27.2.0+incompatible h1:Rk9nIVdfH3+Vz4cyI/uhbINhEZ/oLmc+CBXmH6fbNk4=
+github.com/docker/docker v27.2.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
+github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21 h1:OJyUGMJTzHTd1XQp98QTaHernxMYzRaOasRir9hUlFQ=
+github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21/go.mod h1:iL2twTeMvZnrg54ZoPDNfJaJaqy0xIQFuBdrLsmspwQ=
+github.com/emersion/go-smtp v0.21.3 h1:7uVwagE8iPYE48WhNsng3RRpCUpFvNl39JGNSIyGVMY=
+github.com/emersion/go-smtp v0.21.3/go.mod h1:qm27SGYgoIPRot6ubfQ/GpiPy/g3PaZAVRxiO/sDUgQ=
+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
 github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
-github.com/gabriel-vasile/mimetype v1.4.5 h1:J7wGKdGu33ocBOhGy0z653k/lFKLFDPJMG8Gql0kxn4=
-github.com/gabriel-vasile/mimetype v1.4.5/go.mod h1:ibHel+/kbxn9x2407k1izTA1S81ku1z/DlgOW2QE0M4=
-github.com/gin-contrib/cors v1.7.2 h1:oLDHxdg8W/XDoN/8zamqk/Drgt4oVZDvaV0YmvVICQw=
-github.com/gin-contrib/cors v1.7.2/go.mod h1:SUJVARKgQ40dmrzgXEVxj2m7Ig1v1qIboQkPDTQ9t2E=
-github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=
-github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
+github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM=
+github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8=
+github.com/gin-contrib/sse v1.0.0 h1:y3bT1mUWUxDpW4JLQg/HnTqV4rozuW4tC9eFKTxYI9E=
+github.com/gin-contrib/sse v1.0.0/go.mod h1:zNuFdwarAygJBht0NTKiSi3jRf6RbqeILZ9Sp6Slhe0=
 github.com/gin-gonic/gin v1.10.0 h1:nTuyha1TYqgedzytsKYqna+DfLos46nTv2ygFy86HFU=
 github.com/gin-gonic/gin v1.10.0/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y=
-github.com/go-co-op/gocron/v2 v2.12.1 h1:dCIIBFbzhWKdgXeEifBjHPzgQ1hoWhjS4289Hjjy1uw=
-github.com/go-co-op/gocron/v2 v2.12.1/go.mod h1:xY7bJxGazKam1cz04EebrlP4S9q4iWdiAylMGP3jY9w=
+github.com/go-asn1-ber/asn1-ber v1.5.7 h1:DTX+lbVTWaTw1hQ+PbZPlnDZPEIs0SS/GCZAl535dDk=
+github.com/go-asn1-ber/asn1-ber v1.5.7/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+github.com/go-co-op/gocron/v2 v2.15.0 h1:Kpvo71VSihE+RImmpA+3ta5CcMhoRzMGw4dJawrj4zo=
+github.com/go-co-op/gocron/v2 v2.15.0/go.mod h1:ZF70ZwEqz0OO4RBXE1sNxnANy/zvwLcattWEFsqpKig=
+github.com/go-ldap/ldap/v3 v3.4.10 h1:ot/iwPOhfpNVgB1o+AVXljizWZ9JTp7YF5oeyONmcJU=
+github.com/go-ldap/ldap/v3 v3.4.10/go.mod h1:JXh4Uxgi40P6E9rdsYqpUtbW46D9UTjJ9QSwGRznplY=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
 github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.22.1 h1:40JcKH+bBNGFczGuoBYgX4I6m/i27HYW8P9FDk5PbgA=
-github.com/go-playground/validator/v10 v10.22.1/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
+github.com/go-playground/validator/v10 v10.24.0 h1:KHQckvo8G6hlWnrPX4NJJ+aBfWNAE/HH+qdL2cBpCmg=
+github.com/go-playground/validator/v10 v10.24.0/go.mod h1:GGzBIJMuE98Ic/kJsBXbz1x/7cByt++cQ+YOuDM5wus=
 github.com/go-webauthn/webauthn v0.11.2 h1:Fgx0/wlmkClTKlnOsdOQ+K5HcHDsDcYIvtYmfhEOSUc=
 github.com/go-webauthn/webauthn v0.11.2/go.mod h1:aOtudaF94pM71g3jRwTYYwQTG1KyTILTcZqN1srkmD0=
-github.com/go-webauthn/x v0.1.14 h1:1wrB8jzXAofojJPAaRxnZhRgagvLGnLjhCAwg3kTpT0=
-github.com/go-webauthn/x v0.1.14/go.mod h1:UuVvFZ8/NbOnkDz3y1NaxtUN87pmtpC1PQ+/5BBQRdc=
-github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
-github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
-github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
-github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
-github.com/golang-migrate/migrate/v4 v4.18.1 h1:JML/k+t4tpHCpQTCAD62Nu43NUFzHY4CV3uAuvHGC+Y=
-github.com/golang-migrate/migrate/v4 v4.18.1/go.mod h1:HAX6m3sQgcdO81tdjn5exv20+3Kb13cmGli1hrD6hks=
+github.com/go-webauthn/x v0.1.16 h1:EaVXZntpyHviN9ykjdRBQIw9B0Ed3LO5FW7mDiMQEa8=
+github.com/go-webauthn/x v0.1.16/go.mod h1:jhYjfwe/AVYaUs2mUXArj7vvZj+SpooQPyyQGNab+Us=
+github.com/goccy/go-json v0.10.4 h1:JSwxQzIqKfmFX1swYPpUThQZp/Ka4wzJdK0LWVytLPM=
+github.com/goccy/go-json v0.10.4/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-migrate/migrate/v4 v4.18.2 h1:2VSCMz7x7mjyTXx3m2zPokOY82LTRgxK1yQYKo6wWQ8=
+github.com/golang-migrate/migrate/v4 v4.18.2/go.mod h1:2CM6tJvn2kqPXwnXO/d3rAQYiyoIm180VsO8PRX6Rpk=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-tpm v0.9.1 h1:0pGc4X//bAlmZzMKf8iz6IsDo1nYTbYJ6FZN/rg4zdM=
-github.com/google/go-tpm v0.9.1/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
+github.com/google/go-tpm v0.9.3 h1:+yx0/anQuGzi+ssRqeD6WpXjW2L/V0dItUayO0i9sRc=
+github.com/google/go-tpm v0.9.3/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
+github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
+github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
+github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
+github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
+github.com/jackc/pgx/v5 v5.7.2 h1:mLoDLV6sonKlvjIEsV56SkWNCnuNv531l94GaIzO+XI=
+github.com/jackc/pgx/v5 v5.7.2/go.mod h1:ncY89UGWxg82EykZUwSpUKEfccBGGYq1xjrOpsbsfGQ=
+github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
+github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
+github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
+github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
+github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
+github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
+github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg=
+github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo=
+github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o=
+github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
+github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8=
+github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
+github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
+github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
 github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
 github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
 github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
-github.com/jonboulle/clockwork v0.4.0 h1:p4Cf1aMWXnXAUh8lVfewRBx1zaTSYKrKMF2g3ST4RZ4=
-github.com/jonboulle/clockwork v0.4.0/go.mod h1:xgRqUGwRcjKCO1vbZUEtSLrqKoPSsUpK7fnezOII0kc=
+github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
+github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
-github.com/klauspost/cpuid/v2 v2.2.8 h1:+StwCXwm9PdpiEkPyzBXIy+M9KUb4ODm0Zarf1kS5BM=
-github.com/klauspost/cpuid/v2 v2.2.8/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
+github.com/klauspost/cpuid/v2 v2.2.9 h1:66ze0taIn2H33fBvCkXuv9BmCwDfafmiIVpKV9kKGuY=
+github.com/klauspost/cpuid/v2 v2.2.9/go.mod h1:rqkxqrZ1EhYM9G+hXH7YdowN5R5RGN6NK4QwQ3WMXF8=
 github.com/knz/go-libedit v1.10.1/go.mod h1:MZTVkCWyz0oBc7JOWP3wNAzd002ZbM/5hgShxwh4x8M=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -75,26 +139,48 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
+github.com/lestrrat-go/blackmagic v1.0.2 h1:Cg2gVSc9h7sz9NOByczrbUvLopQmXrfFx//N+AkAr5k=
+github.com/lestrrat-go/blackmagic v1.0.2/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU=
+github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
+github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
+github.com/lestrrat-go/httprc/v3 v3.0.0-beta1 h1:pzDjP9dSONCFQC/AE3mWUnHILGiYPiMKzQIS+weKJXA=
+github.com/lestrrat-go/httprc/v3 v3.0.0-beta1/go.mod h1:wdsgouffPvWPEYh8t7PRH/PidR5sfVqt0na4Nhj60Ms=
+github.com/lestrrat-go/jwx/v3 v3.0.0-beta1 h1:Iqjb8JvWjh34Jv8DeM2wQ1aG5fzFBzwQu7rlqwuJB0I=
+github.com/lestrrat-go/jwx/v3 v3.0.0-beta1/go.mod h1:ak32WoNtHE0aLowVWBcCvXngcAnW4tuC0YhFwOr/kwc=
+github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
+github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-sqlite3 v1.14.23 h1:gbShiuAP1W5j9UOksQ06aiiqPMxYecovVGwmTxWtuw0=
-github.com/mattn/go-sqlite3 v1.14.23/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM=
+github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/mileusna/useragent v1.3.5 h1:SJM5NzBmh/hO+4LGeATKpaEX9+b4vcGg2qXGLiNGDws=
 github.com/mileusna/useragent v1.3.5/go.mod h1:3d8TOmwL/5I8pJjyVDteHtgDGcefrFUX4ccGOMKNYYc=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
+github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
+github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
-github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.1 h1:UihPOz+oIJ5X0JsO7wEkL50fheCODsoZ9r86mJWfNMc=
-github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.1/go.mod h1:vPpFrres6g9B5+meBwAd9xnp335KFcLEFW7EqJxBHy0=
+github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
+github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
+github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
+github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.2 h1:jG+FaCBv3h6GD5F+oenTfe3+0NmX8sCKjni5k3A5Dek=
+github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.2/go.mod h1:rHaQJ5SjfCdL4sqCKa3FhklRcaXga2/qyvmQuA+ZJ6M=
 github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
 github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
@@ -102,52 +188,140 @@ github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzG
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
+github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=
+github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
 github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65EE=
 github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0/go.mod h1:L7UH0GbB0p47T4Rri3uHjbpCFYrVrwc1I25QhNPiGK8=
+go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw=
+go.opentelemetry.io/otel v1.29.0/go.mod h1:N/WtXPs1CNCUEx+Agz5uouwCba+i+bJGFicT8SR4NP8=
+go.opentelemetry.io/otel/metric v1.29.0 h1:vPf/HFWTNkPu1aYeIsc98l4ktOQaL6LeSoeV2g+8YLc=
+go.opentelemetry.io/otel/metric v1.29.0/go.mod h1:auu/QWieFVWx+DmQOUMgj0F8LHWdgalxXqvp7BII/W8=
+go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt39JTi4=
+go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-golang.org/x/arch v0.10.0 h1:S3huipmSclq3PJMNe76NGwkBR504WFkQ5dhzWzP8ZW8=
-golang.org/x/arch v0.10.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
-golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
-golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
-golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 h1:e66Fs6Z+fZTbFBAxKfP3PALWBtpfqks2bwGcexMxgtk=
-golang.org/x/exp v0.0.0-20240909161429-701f63a606c0/go.mod h1:2TbTHSBQa924w8M6Xs1QcRcFwyucIwBGpK1p2f1YFFY=
-golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=
-golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0=
+golang.org/x/arch v0.13.0 h1:KCkqVVV1kGg0X87TFysjCJ8MxtZEIU4Ja/yXGeoECdA=
+golang.org/x/arch v0.13.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 h1:yqrTHse8TCMW1M1ZCP+VAR/l0kKxwaAIqN/il7x4voA=
+golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8/go.mod h1:tujkw807nyEEAamNbDrEGzRav+ilXA7PCRAd6xsmwiU=
+golang.org/x/image v0.0.0-20191009234506-e7c1f5e7dbb8/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
+golang.org/x/image v0.24.0 h1:AN7zRgVsbvmTfNyqIbbOraYL8mSwcKncEj8ofjgzcMQ=
+golang.org/x/image v0.24.0/go.mod h1:4b/ITuLfqYq1hqZcjofwctIhi7sZh2WaCjvsBNjjya8=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/net v0.36.0 h1:vWF2fRbw4qslQsQzgFqZff+BItCvGFQqKzKIzx1rmoA=
+golang.org/x/net v0.36.0/go.mod h1:bFmbeoIPfrw4sMHNhb4J9f6+tPziuGjq7Jk/38fxi1I=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
-golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
-golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
-golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
-golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
-google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
+golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/protobuf v1.36.4 h1:6A3ZDJHn/eNqc1i+IdefRzy/9PokBTPvcqMySR7NNIM=
+google.golang.org/protobuf v1.36.4/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gorm.io/driver/sqlite v1.5.6 h1:fO/X46qn5NUEEOZtnjJRWRzZMe8nqJiQ9E+0hi+hKQE=
-gorm.io/driver/sqlite v1.5.6/go.mod h1:U+J8craQU6Fzkcvu8oLeAQmi50TkwPEhHDEjQZXDah4=
+gorm.io/driver/postgres v1.5.11 h1:ubBVAfbKEUld/twyKZ0IYn9rSQh448EdelLYk9Mv314=
+gorm.io/driver/postgres v1.5.11/go.mod h1:DX3GReXH+3FPWGrrgffdvCk3DQ1dwDPdmbenSkweRGI=
+gorm.io/driver/sqlite v1.5.7 h1:8NvsrhP0ifM7LX9G4zPB97NwovUakUxc+2V2uuf3Z1I=
+gorm.io/driver/sqlite v1.5.7/go.mod h1:U+J8craQU6Fzkcvu8oLeAQmi50TkwPEhHDEjQZXDah4=
 gorm.io/gorm v1.25.12 h1:I0u8i2hWQItBq1WfE0o2+WuL9+8L21K9e2HHSTE/0f8=
 gorm.io/gorm v1.25.12/go.mod h1:xh7N7RHfYlNc5EmcI/El95gXusucDrQnHXe0+CgWcLQ=
 nullprogram.com/x/optparse v1.0.0/go.mod h1:KdyPE+Igbe0jQUrVfMqDMeJQIJZEuyV7pjYmp6pbG50=
--- a/backend/images/logoDark.svg
+++ b/backend/images/logoDark.svg
@@ -1,3 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" id="a" viewBox="0 0 1015 1015">
-    <path fill="white" d="M506.6,0c209.52,0,379.98,170.45,379.98,379.96,0,82.33-25.9,160.68-74.91,226.54-48.04,64.59-113.78,111.51-190.13,135.71l-21.1,6.7-50.29-248.04,13.91-6.73c45.41-21.95,74.76-68.71,74.76-119.11,0-72.91-59.31-132.23-132.21-132.23s-132.23,59.32-132.23,132.23c0,50.4,29.36,97.16,74.77,119.11l13.65,6.61-81.01,499.24h-226.36V0h351.18Z"/>
-</svg>
--- a/backend/images/logoLight.svg
+++ b/backend/images/logoLight.svg
@@ -1,3 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" id="a" viewBox="0 0 1015 1015">
-    <path fill="black" d="M506.6,0c209.52,0,379.98,170.45,379.98,379.96,0,82.33-25.9,160.68-74.91,226.54-48.04,64.59-113.78,111.51-190.13,135.71l-21.1,6.7-50.29-248.04,13.91-6.73c45.41-21.95,74.76-68.71,74.76-119.11,0-72.91-59.31-132.23-132.21-132.23s-132.23,59.32-132.23,132.23c0,50.4,29.36,97.16,74.77,119.11l13.65,6.61-81.01,499.24h-226.36V0h351.18Z"/>
-</svg>
--- a/backend/internal/bootstrap/application_images_bootstrap.go
+++ b/backend/internal/bootstrap/application_images_bootstrap.go
@@ -1,18 +1,21 @@
 package bootstrap

 import (
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"log"
 	"os"
+	"path"
 	"strings"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/resources"
 )

 // initApplicationImages copies the images from the images directory to the application-images directory
 func initApplicationImages() {
 	dirPath := common.EnvConfig.UploadPath + "/application-images"

-	sourceFiles, err := os.ReadDir("./images")
+	sourceFiles, err := resources.FS.ReadDir("images")
 	if err != nil && !os.IsNotExist(err) {
 		log.Fatalf("Error reading directory: %v", err)
 	}
@@ -27,10 +30,10 @@ func initApplicationImages() {
 		if sourceFile.IsDir() || imageAlreadyExists(sourceFile.Name(), destinationFiles) {
 			continue
 		}
-		srcFilePath := "./images/" + sourceFile.Name()
-		destFilePath := dirPath + "/" + sourceFile.Name()
+		srcFilePath := path.Join("images", sourceFile.Name())
+		destFilePath := path.Join(dirPath, sourceFile.Name())

-		err := utils.CopyFile(srcFilePath, destFilePath)
+		err := utils.CopyEmbeddedFileToDisk(srcFilePath, destFilePath)
 		if err != nil {
 			log.Fatalf("Error copying file: %v", err)
 		}
--- a/backend/internal/bootstrap/bootstrap.go
+++ b/backend/internal/bootstrap/bootstrap.go
@@ -1,16 +1,24 @@
 package bootstrap

 import (
+	"context"
+
 	_ "github.com/golang-migrate/migrate/v4/source/file"
-	"github.com/stonith404/pocket-id/backend/internal/job"
-	"github.com/stonith404/pocket-id/backend/internal/service"
+
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )

 func Bootstrap() {
-	db := newDatabase()
-	appConfigService := service.NewAppConfigService(db)
+	ctx := context.TODO()

 	initApplicationImages()
-	job.RegisterJobs(db)
-	initRouter(db, appConfigService)
+
+	migrateConfigDBConnstring()
+
+	db := newDatabase()
+	appConfigService := service.NewAppConfigService(ctx, db)
+
+	migrateKey()
+
+	initRouter(ctx, db, appConfigService)
 }
--- a/backend/internal/bootstrap/config_migration.go
+++ b/backend/internal/bootstrap/config_migration.go
@@ -0,0 +1,34 @@
+package bootstrap
+
+import (
+	"log"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+)
+
+// Performs the migration of the database connection string
+// See: https://github.com/pocket-id/pocket-id/pull/388
+func migrateConfigDBConnstring() {
+	switch common.EnvConfig.DbProvider {
+	case common.DbProviderSqlite:
+		// Check if we're using the deprecated SqliteDBPath env var
+		if common.EnvConfig.SqliteDBPath != "" {
+			connString := "file:" + common.EnvConfig.SqliteDBPath + "?_journal_mode=WAL&_busy_timeout=2500&_txlock=immediate"
+			common.EnvConfig.DbConnectionString = connString
+			common.EnvConfig.SqliteDBPath = ""
+
+			log.Printf("[WARN] Env var 'SQLITE_DB_PATH' is deprecated - use 'DB_CONNECTION_STRING' instead with the value: '%s'", connString)
+		}
+	case common.DbProviderPostgres:
+		// Check if we're using the deprecated PostgresConnectionString alias
+		if common.EnvConfig.PostgresConnectionString != "" {
+			common.EnvConfig.DbConnectionString = common.EnvConfig.PostgresConnectionString
+			common.EnvConfig.PostgresConnectionString = ""
+
+			log.Print("[WARN] Env var 'POSTGRES_CONNECTION_STRING' is deprecated - use 'DB_CONNECTION_STRING' instead with the same value")
+		}
+	default:
+		// We don't do anything here in the default case
+		// This is an error, but will be handled later on
+	}
+}
--- a/backend/internal/bootstrap/db_bootstrap.go
+++ b/backend/internal/bootstrap/db_bootstrap.go
@@ -2,15 +2,23 @@ package bootstrap

 import (
 	"errors"
+	"fmt"
+	"log"
+	"os"
+	"strings"
+	"time"
+
 	"github.com/golang-migrate/migrate/v4"
-	"github.com/golang-migrate/migrate/v4/database/sqlite3"
-	"github.com/stonith404/pocket-id/backend/internal/common"
+	"github.com/golang-migrate/migrate/v4/database"
+	postgresMigrate "github.com/golang-migrate/migrate/v4/database/postgres"
+	sqliteMigrate "github.com/golang-migrate/migrate/v4/database/sqlite3"
+	"github.com/golang-migrate/migrate/v4/source/iofs"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/resources"
+	"gorm.io/driver/postgres"
 	"gorm.io/driver/sqlite"
 	"gorm.io/gorm"
 	"gorm.io/gorm/logger"
-	"log"
-	"os"
-	"time"
 )

 func newDatabase() (db *gorm.DB) {
@@ -23,44 +31,85 @@ func newDatabase() (db *gorm.DB) {
 		log.Fatalf("failed to get sql.DB: %v", err)
 	}

-	driver, err := sqlite3.WithInstance(sqlDb, &sqlite3.Config{})
-	m, err := migrate.NewWithDatabaseInstance(
-		"file://migrations",
-		"postgres", driver)
+	// Choose the correct driver for the database provider
+	var driver database.Driver
+	switch common.EnvConfig.DbProvider {
+	case common.DbProviderSqlite:
+		driver, err = sqliteMigrate.WithInstance(sqlDb, &sqliteMigrate.Config{})
+	case common.DbProviderPostgres:
+		driver, err = postgresMigrate.WithInstance(sqlDb, &postgresMigrate.Config{})
+	default:
+		// Should never happen at this point
+		log.Fatalf("unsupported database provider: %s", common.EnvConfig.DbProvider)
+	}
 	if err != nil {
-		log.Fatalf("failed to create migration instance: %v", err)
+		log.Fatalf("failed to create migration driver: %v", err)
 	}

-	err = m.Up()
-	if err != nil && !errors.Is(err, migrate.ErrNoChange) {
-		log.Fatalf("failed to apply migrations: %v", err)
+	// Run migrations
+	if err := migrateDatabase(driver); err != nil {
+		log.Fatalf("failed to run migrations: %v", err)
 	}

 	return db
 }

-func connectDatabase() (db *gorm.DB, err error) {
-	dbPath := common.EnvConfig.DBPath
+func migrateDatabase(driver database.Driver) error {
+	// Use the embedded migrations
+	source, err := iofs.New(resources.FS, "migrations/"+string(common.EnvConfig.DbProvider))
+	if err != nil {
+		return fmt.Errorf("failed to create embedded migration source: %w", err)
+	}

-	// Use in-memory database for testing
-	if common.EnvConfig.AppEnv == "test" {
-		dbPath = "file::memory:?cache=shared"
+	m, err := migrate.NewWithInstance("iofs", source, "pocket-id", driver)
+	if err != nil {
+		return fmt.Errorf("failed to create migration instance: %w", err)
+	}
+
+	err = m.Up()
+	if err != nil && !errors.Is(err, migrate.ErrNoChange) {
+		return fmt.Errorf("failed to apply migrations: %w", err)
+	}
+
+	return nil
+}
+
+func connectDatabase() (db *gorm.DB, err error) {
+	var dialector gorm.Dialector
+
+	// Choose the correct database provider
+	switch common.EnvConfig.DbProvider {
+	case common.DbProviderSqlite:
+		if common.EnvConfig.DbConnectionString == "" {
+			return nil, errors.New("missing required env var 'DB_CONNECTION_STRING' for SQLite database")
+		}
+		if !strings.HasPrefix(common.EnvConfig.DbConnectionString, "file:") {
+			return nil, errors.New("invalid value for env var 'DB_CONNECTION_STRING': does not begin with 'file:'")
+		}
+		dialector = sqlite.Open(common.EnvConfig.DbConnectionString)
+	case common.DbProviderPostgres:
+		if common.EnvConfig.DbConnectionString == "" {
+			return nil, errors.New("missing required env var 'DB_CONNECTION_STRING' for Postgres database")
+		}
+		dialector = postgres.Open(common.EnvConfig.DbConnectionString)
+	default:
+		return nil, fmt.Errorf("unsupported database provider: %s", common.EnvConfig.DbProvider)
 	}

 	for i := 1; i <= 3; i++ {
-		db, err = gorm.Open(sqlite.Open(dbPath), &gorm.Config{
+		db, err = gorm.Open(dialector, &gorm.Config{
 			TranslateError: true,
 			Logger:         getLogger(),
 		})
 		if err == nil {
-			break
-		} else {
-			log.Printf("Attempt %d: Failed to initialize database. Retrying...", i)
-			time.Sleep(3 * time.Second)
+			return db, nil
 		}
+
+		log.Printf("Attempt %d: Failed to initialize database. Retrying...", i)
+		time.Sleep(3 * time.Second)
 	}

-	return db, err
+	return nil, err
 }

 func getLogger() logger.Interface {
--- a/backend/internal/bootstrap/e2etest_router_bootstrap.go
+++ b/backend/internal/bootstrap/e2etest_router_bootstrap.go
@@ -0,0 +1,21 @@
+//go:build e2etest
+
+package bootstrap
+
+import (
+	"github.com/gin-gonic/gin"
+	"gorm.io/gorm"
+
+	"github.com/pocket-id/pocket-id/backend/internal/controller"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+// When building for E2E tests, add the e2etest controller
+func init() {
+	registerTestControllers = []func(apiGroup *gin.RouterGroup, db *gorm.DB, appConfigService *service.AppConfigService, jwtService *service.JwtService){
+		func(apiGroup *gin.RouterGroup, db *gorm.DB, appConfigService *service.AppConfigService, jwtService *service.JwtService) {
+			testService := service.NewTestService(db, appConfigService, jwtService)
+			controller.NewTestController(apiGroup, testService)
+		},
+	}
+}
--- a/backend/internal/bootstrap/jwk_migration.go
+++ b/backend/internal/bootstrap/jwk_migration.go
@@ -0,0 +1,136 @@
+package bootstrap
+
+import (
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/base64"
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+
+	"github.com/lestrrat-go/jwx/v3/jwk"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+)
+
+const (
+	privateKeyFilePem = "jwt_private_key.pem"
+)
+
+func migrateKey() {
+	err := migrateKeyInternal(common.EnvConfig.KeysPath)
+	if err != nil {
+		log.Fatalf("failed to perform migration of keys: %v", err)
+	}
+}
+
+func migrateKeyInternal(basePath string) error {
+	// First, check if there's already a JWK stored
+	jwkPath := filepath.Join(basePath, service.PrivateKeyFile)
+	ok, err := utils.FileExists(jwkPath)
+	if err != nil {
+		return fmt.Errorf("failed to check if private key file (JWK) exists at path '%s': %w", jwkPath, err)
+	}
+	if ok {
+		// There's already a key as JWK, so we don't do anything else here
+		return nil
+	}
+
+	// Check if there's a PEM file
+	pemPath := filepath.Join(basePath, privateKeyFilePem)
+	ok, err = utils.FileExists(pemPath)
+	if err != nil {
+		return fmt.Errorf("failed to check if private key file (PEM) exists at path '%s': %w", pemPath, err)
+	}
+	if !ok {
+		// No file to migrate, return
+		return nil
+	}
+
+	// Load and validate the key
+	key, err := loadKeyPEM(pemPath)
+	if err != nil {
+		return fmt.Errorf("failed to load private key file (PEM) at path '%s': %w", pemPath, err)
+	}
+	err = service.ValidateKey(key)
+	if err != nil {
+		return fmt.Errorf("key object is invalid: %w", err)
+	}
+
+	// Save the key as JWK
+	err = service.SaveKeyJWK(key, jwkPath)
+	if err != nil {
+		return fmt.Errorf("failed to save private key file at path '%s': %w", jwkPath, err)
+	}
+
+	// Finally, delete the PEM file
+	err = os.Remove(pemPath)
+	if err != nil {
+		return fmt.Errorf("failed to remove migrated key at path '%s': %w", pemPath, err)
+	}
+
+	return nil
+}
+
+func loadKeyPEM(path string) (jwk.Key, error) {
+	// Load the key from disk and parse it
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read key data: %w", err)
+	}
+
+	key, err := jwk.ParseKey(data, jwk.WithPEM(true))
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse key: %w", err)
+	}
+
+	// Populate the key ID using the "legacy" algorithm
+	keyId, err := generateKeyID(key)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate key ID: %w", err)
+	}
+	err = key.Set(jwk.KeyIDKey, keyId)
+	if err != nil {
+		return nil, fmt.Errorf("failed to set key ID: %w", err)
+	}
+
+	// Populate other required fields
+	_ = key.Set(jwk.KeyUsageKey, service.KeyUsageSigning)
+	service.EnsureAlgInKey(key)
+
+	return key, nil
+}
+
+// generateKeyID generates a Key ID for the public key using the first 8 bytes of the SHA-256 hash of the public key's PKIX-serialized structure.
+// This is used for legacy keys, imported from PEM.
+func generateKeyID(key jwk.Key) (string, error) {
+	// Export the public key and serialize it to PKIX (not in a PEM block)
+	// This is for backwards-compatibility with the algorithm used before the switch to JWK
+	pubKey, err := key.PublicKey()
+	if err != nil {
+		return "", fmt.Errorf("failed to get public key: %w", err)
+	}
+	var pubKeyRaw any
+	err = jwk.Export(pubKey, &pubKeyRaw)
+	if err != nil {
+		return "", fmt.Errorf("failed to export public key: %w", err)
+	}
+	pubASN1, err := x509.MarshalPKIXPublicKey(pubKeyRaw)
+	if err != nil {
+		return "", fmt.Errorf("failed to marshal public key: %w", err)
+	}
+
+	// Compute SHA-256 hash of the public key
+	hash := sha256.New()
+	hash.Write(pubASN1)
+	hashed := hash.Sum(nil)
+
+	// Truncate the hash to the first 8 bytes for a shorter Key ID
+	shortHash := hashed[:8]
+
+	// Return Base64 encoded truncated hash as Key ID
+	return base64.RawURLEncoding.EncodeToString(shortHash), nil
+}
--- a/backend/internal/bootstrap/jwk_migration_test.go
+++ b/backend/internal/bootstrap/jwk_migration_test.go
@@ -0,0 +1,190 @@
+package bootstrap
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/lestrrat-go/jwx/v3/jwa"
+	"github.com/lestrrat-go/jwx/v3/jwk"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+)
+
+func TestMigrateKey(t *testing.T) {
+	// Create a temporary directory for testing
+	tempDir := t.TempDir()
+
+	t.Run("no keys exist", func(t *testing.T) {
+		// Test when no keys exist
+		err := migrateKeyInternal(tempDir)
+		require.NoError(t, err)
+	})
+
+	t.Run("jwk already exists", func(t *testing.T) {
+		// Create a JWK file
+		jwkPath := filepath.Join(tempDir, service.PrivateKeyFile)
+		key, err := createTestRSAKey()
+		require.NoError(t, err)
+		err = service.SaveKeyJWK(key, jwkPath)
+		require.NoError(t, err)
+
+		// Run migration - should do nothing
+		err = migrateKeyInternal(tempDir)
+		require.NoError(t, err)
+
+		// Check the file still exists
+		exists, err := utils.FileExists(jwkPath)
+		require.NoError(t, err)
+		assert.True(t, exists)
+
+		// Delete for next test
+		err = os.Remove(jwkPath)
+		require.NoError(t, err)
+	})
+
+	t.Run("migrate pem to jwk", func(t *testing.T) {
+		// Create a PEM file
+		pemPath := filepath.Join(tempDir, privateKeyFilePem)
+		jwkPath := filepath.Join(tempDir, service.PrivateKeyFile)
+
+		// Generate RSA key and save as PEM
+		createRSAPrivateKeyPEM(t, pemPath)
+
+		// Run migration
+		err := migrateKeyInternal(tempDir)
+		require.NoError(t, err)
+
+		// Check PEM file is gone
+		exists, err := utils.FileExists(pemPath)
+		require.NoError(t, err)
+		assert.False(t, exists)
+
+		// Check JWK file exists
+		exists, err = utils.FileExists(jwkPath)
+		require.NoError(t, err)
+		assert.True(t, exists)
+
+		// Verify the JWK can be loaded
+		data, err := os.ReadFile(jwkPath)
+		require.NoError(t, err)
+
+		_, err = jwk.ParseKey(data)
+		require.NoError(t, err)
+	})
+}
+
+func TestLoadKeyPEM(t *testing.T) {
+	// Create a temporary directory for testing
+	tempDir := t.TempDir()
+
+	t.Run("successfully load PEM key", func(t *testing.T) {
+		pemPath := filepath.Join(tempDir, "test_key.pem")
+
+		// Generate RSA key and save as PEM
+		createRSAPrivateKeyPEM(t, pemPath)
+
+		// Load the key
+		key, err := loadKeyPEM(pemPath)
+		require.NoError(t, err)
+
+		// Verify key properties
+		assert.NotEmpty(t, key)
+
+		// Check key ID is set
+		var keyID string
+		err = key.Get(jwk.KeyIDKey, &keyID)
+		require.NoError(t, err)
+		assert.NotEmpty(t, keyID)
+
+		// Check algorithm is set
+		var alg jwa.SignatureAlgorithm
+		err = key.Get(jwk.AlgorithmKey, &alg)
+		require.NoError(t, err)
+		assert.NotEmpty(t, alg)
+
+		// Check key usage is set
+		var keyUsage string
+		err = key.Get(jwk.KeyUsageKey, &keyUsage)
+		require.NoError(t, err)
+		assert.Equal(t, service.KeyUsageSigning, keyUsage)
+	})
+
+	t.Run("file not found", func(t *testing.T) {
+		key, err := loadKeyPEM(filepath.Join(tempDir, "nonexistent.pem"))
+		require.Error(t, err)
+		assert.Nil(t, key)
+	})
+
+	t.Run("invalid file content", func(t *testing.T) {
+		invalidPath := filepath.Join(tempDir, "invalid.pem")
+		err := os.WriteFile(invalidPath, []byte("not a valid PEM"), 0600)
+		require.NoError(t, err)
+
+		key, err := loadKeyPEM(invalidPath)
+		require.Error(t, err)
+		assert.Nil(t, key)
+	})
+}
+
+func TestGenerateKeyID(t *testing.T) {
+	key, err := createTestRSAKey()
+	require.NoError(t, err)
+
+	keyID, err := generateKeyID(key)
+	require.NoError(t, err)
+
+	// Key ID should be non-empty
+	assert.NotEmpty(t, keyID)
+
+	// Generate another key ID to prove it depends on the key
+	key2, err := createTestRSAKey()
+	require.NoError(t, err)
+
+	keyID2, err := generateKeyID(key2)
+	require.NoError(t, err)
+
+	// The two key IDs should be different
+	assert.NotEqual(t, keyID, keyID2)
+}
+
+// Helper functions
+
+func createTestRSAKey() (jwk.Key, error) {
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, err
+	}
+
+	key, err := jwk.Import(privateKey)
+	if err != nil {
+		return nil, err
+	}
+
+	return key, nil
+}
+
+// createRSAPrivateKeyPEM generates an RSA private key and returns its PEM-encoded form
+func createRSAPrivateKeyPEM(t *testing.T, pemPath string) ([]byte, *rsa.PrivateKey) {
+	// Generate RSA key
+	privKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	require.NoError(t, err)
+
+	// Encode to PEM format
+	pemData := pem.EncodeToMemory(&pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(privKey),
+	})
+
+	err = os.WriteFile(pemPath, pemData, 0600)
+	require.NoError(t, err)
+
+	return pemData, privKey
+}
--- a/backend/internal/bootstrap/router_bootstrap.go
+++ b/backend/internal/bootstrap/router_bootstrap.go
@@ -1,20 +1,26 @@
 package bootstrap

 import (
+	"context"
 	"log"
-	"os"
+	"net"
 	"time"

 	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/controller"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/controller"
+	"github.com/pocket-id/pocket-id/backend/internal/job"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/systemd"
 	"golang.org/x/time/rate"
 	"gorm.io/gorm"
 )

-func initRouter(db *gorm.DB, appConfigService *service.AppConfigService) {
+// This is used to register additional controllers for tests
+var registerTestControllers []func(apiGroup *gin.RouterGroup, db *gorm.DB, appConfigService *service.AppConfigService, jwtService *service.JwtService)
+
+func initRouter(ctx context.Context, db *gorm.DB, appConfigService *service.AppConfigService) {
 	// Set the appropriate Gin mode based on the environment
 	switch common.EnvConfig.AppEnv {
 	case "production":
@@ -29,48 +35,73 @@ func initRouter(db *gorm.DB, appConfigService *service.AppConfigService) {
 	r.Use(gin.Logger())

 	// Initialize services
-	templateDir := os.DirFS(common.EnvConfig.EmailTemplatesPath)
-	emailService, err := service.NewEmailService(appConfigService, templateDir)
+	emailService, err := service.NewEmailService(appConfigService, db)
 	if err != nil {
-		log.Fatalf("Unable to create email service: %s", err)
+		log.Fatalf("Unable to create email service: %v", err)
 	}

-	auditLogService := service.NewAuditLogService(db, appConfigService, emailService)
+	geoLiteService := service.NewGeoLiteService(ctx)
+	auditLogService := service.NewAuditLogService(db, appConfigService, emailService, geoLiteService)
 	jwtService := service.NewJwtService(appConfigService)
 	webauthnService := service.NewWebAuthnService(db, jwtService, auditLogService, appConfigService)
-	userService := service.NewUserService(db, jwtService)
-	oidcService := service.NewOidcService(db, jwtService, appConfigService, auditLogService)
-	testService := service.NewTestService(db, appConfigService)
-	userGroupService := service.NewUserGroupService(db)
+	userService := service.NewUserService(db, jwtService, auditLogService, emailService, appConfigService)
+	customClaimService := service.NewCustomClaimService(db)
+	oidcService := service.NewOidcService(db, jwtService, appConfigService, auditLogService, customClaimService)
+	userGroupService := service.NewUserGroupService(db, appConfigService)
+	ldapService := service.NewLdapService(db, appConfigService, userService, userGroupService)
+	apiKeyService := service.NewApiKeyService(db)

+	rateLimitMiddleware := middleware.NewRateLimitMiddleware()
+
+	// Setup global middleware
 	r.Use(middleware.NewCorsMiddleware().Add())
-	r.Use(middleware.NewRateLimitMiddleware().Add(rate.Every(time.Second), 60))
-	r.Use(middleware.NewJwtAuthMiddleware(jwtService, true).Add(false))
+	r.Use(middleware.NewErrorHandlerMiddleware().Add())
+	r.Use(rateLimitMiddleware.Add(rate.Every(time.Second), 60))

-	// Initialize middleware
-	jwtAuthMiddleware := middleware.NewJwtAuthMiddleware(jwtService, false)
+	job.RegisterLdapJobs(ctx, ldapService, appConfigService)
+	job.RegisterDbCleanupJobs(ctx, db)
+	job.RegisterFileCleanupJobs(ctx, db)
+
+	// Initialize middleware for specific routes
+	authMiddleware := middleware.NewAuthMiddleware(apiKeyService, jwtService)
 	fileSizeLimitMiddleware := middleware.NewFileSizeLimitMiddleware()

 	// Set up API routes
 	apiGroup := r.Group("/api")
-	controller.NewWebauthnController(apiGroup, jwtAuthMiddleware, middleware.NewRateLimitMiddleware(), webauthnService)
-	controller.NewOidcController(apiGroup, jwtAuthMiddleware, fileSizeLimitMiddleware, oidcService, jwtService)
-	controller.NewUserController(apiGroup, jwtAuthMiddleware, middleware.NewRateLimitMiddleware(), userService)
-	controller.NewAppConfigController(apiGroup, jwtAuthMiddleware, appConfigService)
-	controller.NewAuditLogController(apiGroup, auditLogService, jwtAuthMiddleware)
-	controller.NewUserGroupController(apiGroup, jwtAuthMiddleware, userGroupService)
+	controller.NewApiKeyController(apiGroup, authMiddleware, apiKeyService)
+	controller.NewWebauthnController(apiGroup, authMiddleware, middleware.NewRateLimitMiddleware(), webauthnService, appConfigService)
+	controller.NewOidcController(apiGroup, authMiddleware, fileSizeLimitMiddleware, oidcService, jwtService)
+	controller.NewUserController(apiGroup, authMiddleware, middleware.NewRateLimitMiddleware(), userService, appConfigService)
+	controller.NewAppConfigController(apiGroup, authMiddleware, appConfigService, emailService, ldapService)
+	controller.NewAuditLogController(apiGroup, auditLogService, authMiddleware)
+	controller.NewUserGroupController(apiGroup, authMiddleware, userGroupService)
+	controller.NewCustomClaimController(apiGroup, authMiddleware, customClaimService)

 	// Add test controller in non-production environments
 	if common.EnvConfig.AppEnv != "production" {
-		controller.NewTestController(apiGroup, testService)
+		for _, f := range registerTestControllers {
+			f(apiGroup, db, appConfigService, jwtService)
+		}
 	}

 	// Set up base routes
 	baseGroup := r.Group("/")
 	controller.NewWellKnownController(baseGroup, jwtService)

-	// Run the server
-	if err := r.Run(common.EnvConfig.Host + ":" + common.EnvConfig.Port); err != nil {
+	// Get the listener
+	l, err := net.Listen("tcp", common.EnvConfig.Host+":"+common.EnvConfig.Port)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Notify systemd that we are ready
+	if err := systemd.SdNotifyReady(); err != nil {
+		log.Println("Unable to notify systemd that the service is ready: ", err)
+		// continue to serve anyway since it's not that important
+	}
+
+	// Serve requests
+	if err := r.RunListener(l); err != nil {
 		log.Fatal(err)
 	}
 }
--- a/backend/internal/common/env_config.go
+++ b/backend/internal/common/env_config.go
@@ -1,33 +1,79 @@
 package common

 import (
+	"log"
+	"net/url"
+
 	"github.com/caarlos0/env/v11"
 	_ "github.com/joho/godotenv/autoload"
-	"log"
+)
+
+type DbProvider string
+
+const (
+	DbProviderSqlite      DbProvider = "sqlite"
+	DbProviderPostgres    DbProvider = "postgres"
+	MaxMindGeoLiteCityUrl string     = "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=%s&suffix=tar.gz"
 )

 type EnvConfigSchema struct {
-	AppEnv             string `env:"APP_ENV"`
-	AppURL             string `env:"PUBLIC_APP_URL"`
-	DBPath             string `env:"DB_PATH"`
-	UploadPath         string `env:"UPLOAD_PATH"`
-	Port               string `env:"BACKEND_PORT"`
-	Host               string `env:"HOST"`
-	EmailTemplatesPath string `env:"EMAIL_TEMPLATES_PATH"`
+	AppEnv                   string     `env:"APP_ENV"`
+	AppURL                   string     `env:"PUBLIC_APP_URL"`
+	DbProvider               DbProvider `env:"DB_PROVIDER"`
+	DbConnectionString       string     `env:"DB_CONNECTION_STRING"`
+	SqliteDBPath             string     `env:"SQLITE_DB_PATH"`             // Deprecated: use "DB_CONNECTION_STRING" instead
+	PostgresConnectionString string     `env:"POSTGRES_CONNECTION_STRING"` // Deprecated: use "DB_CONNECTION_STRING" instead
+	UploadPath               string     `env:"UPLOAD_PATH"`
+	KeysPath                 string     `env:"KEYS_PATH"`
+	Port                     string     `env:"BACKEND_PORT"`
+	Host                     string     `env:"HOST"`
+	MaxMindLicenseKey        string     `env:"MAXMIND_LICENSE_KEY"`
+	GeoLiteDBPath            string     `env:"GEOLITE_DB_PATH"`
+	GeoLiteDBUrl             string     `env:"GEOLITE_DB_URL"`
+	UiConfigDisabled         bool       `env:"PUBLIC_UI_CONFIG_DISABLED"`
 }

 var EnvConfig = &EnvConfigSchema{
-	AppEnv:             "production",
-	DBPath:             "data/pocket-id.db",
-	UploadPath:         "data/uploads",
-	AppURL:             "http://localhost",
-	Port:               "8080",
-	Host:               "localhost",
-	EmailTemplatesPath: "./email-templates",
+	AppEnv:                   "production",
+	DbProvider:               "sqlite",
+	DbConnectionString:       "file:data/pocket-id.db?_journal_mode=WAL&_busy_timeout=2500&_txlock=immediate",
+	SqliteDBPath:             "",
+	PostgresConnectionString: "",
+	UploadPath:               "data/uploads",
+	KeysPath:                 "data/keys",
+	AppURL:                   "http://localhost",
+	Port:                     "8080",
+	Host:                     "0.0.0.0",
+	MaxMindLicenseKey:        "",
+	GeoLiteDBPath:            "data/GeoLite2-City.mmdb",
+	GeoLiteDBUrl:             MaxMindGeoLiteCityUrl,
+	UiConfigDisabled:         false,
 }

 func init() {
 	if err := env.ParseWithOptions(EnvConfig, env.Options{}); err != nil {
 		log.Fatal(err)
 	}
+
+	// Validate the environment variables
+	switch EnvConfig.DbProvider {
+	case DbProviderSqlite:
+		if EnvConfig.DbConnectionString == "" {
+			log.Fatal("Missing required env var 'DB_CONNECTION_STRING' for SQLite database")
+		}
+	case DbProviderPostgres:
+		if EnvConfig.DbConnectionString == "" {
+			log.Fatal("Missing required env var 'DB_CONNECTION_STRING' for Postgres database")
+		}
+	default:
+		log.Fatal("Invalid DB_PROVIDER value. Must be 'sqlite' or 'postgres'")
+	}
+
+	parsedAppUrl, err := url.Parse(EnvConfig.AppURL)
+	if err != nil {
+		log.Fatal("PUBLIC_APP_URL is not a valid URL")
+	}
+	if parsedAppUrl.Path != "" {
+		log.Fatal("PUBLIC_APP_URL must not contain a path")
+	}
 }
--- a/backend/internal/common/errors.go
+++ b/backend/internal/common/errors.go
@@ -1,19 +1,294 @@
 package common

-import "errors"
-
-var (
-	ErrUsernameTaken                = errors.New("username is already taken")
-	ErrEmailTaken                   = errors.New("email is already taken")
-	ErrSetupAlreadyCompleted        = errors.New("setup already completed")
-	ErrTokenInvalidOrExpired        = errors.New("token is invalid or expired")
-	ErrOidcMissingAuthorization     = errors.New("missing authorization")
-	ErrOidcGrantTypeNotSupported    = errors.New("grant type not supported")
-	ErrOidcMissingClientCredentials = errors.New("client id or secret not provided")
-	ErrOidcClientSecretInvalid      = errors.New("invalid client secret")
-	ErrOidcInvalidAuthorizationCode = errors.New("invalid authorization code")
-	ErrOidcInvalidCallbackURL       = errors.New("invalid callback URL")
-	ErrFileTypeNotSupported         = errors.New("file type not supported")
-	ErrInvalidCredentials           = errors.New("no user found with provided credentials")
-	ErrNameAlreadyInUse             = errors.New("name is already in use")
+import (
+	"errors"
+	"fmt"
+	"net/http"
 )
+
+type AppError interface {
+	error
+	HttpStatusCode() int
+}
+
+// Custom error types for various conditions
+
+type AlreadyInUseError struct {
+	Property string
+}
+
+func (e *AlreadyInUseError) Error() string {
+	return e.Property + " is already in use"
+}
+func (e *AlreadyInUseError) HttpStatusCode() int { return 400 }
+
+func (e *AlreadyInUseError) Is(target error) bool {
+	// Ignore the field property when checking if an error is of the type AlreadyInUseError
+	x := &AlreadyInUseError{}
+	return errors.As(target, &x)
+}
+
+type SetupAlreadyCompletedError struct{}
+
+func (e *SetupAlreadyCompletedError) Error() string       { return "setup already completed" }
+func (e *SetupAlreadyCompletedError) HttpStatusCode() int { return 400 }
+
+type TokenInvalidOrExpiredError struct{}
+
+func (e *TokenInvalidOrExpiredError) Error() string       { return "token is invalid or expired" }
+func (e *TokenInvalidOrExpiredError) HttpStatusCode() int { return 400 }
+
+type TokenInvalidError struct{}
+
+func (e *TokenInvalidError) Error() string {
+	return "Token is invalid"
+}
+func (e *TokenInvalidError) HttpStatusCode() int { return 400 }
+
+type OidcMissingAuthorizationError struct{}
+
+func (e *OidcMissingAuthorizationError) Error() string       { return "missing authorization" }
+func (e *OidcMissingAuthorizationError) HttpStatusCode() int { return http.StatusForbidden }
+
+type OidcGrantTypeNotSupportedError struct{}
+
+func (e *OidcGrantTypeNotSupportedError) Error() string       { return "grant type not supported" }
+func (e *OidcGrantTypeNotSupportedError) HttpStatusCode() int { return 400 }
+
+type OidcMissingClientCredentialsError struct{}
+
+func (e *OidcMissingClientCredentialsError) Error() string       { return "client id or secret not provided" }
+func (e *OidcMissingClientCredentialsError) HttpStatusCode() int { return 400 }
+
+type OidcClientSecretInvalidError struct{}
+
+func (e *OidcClientSecretInvalidError) Error() string       { return "invalid client secret" }
+func (e *OidcClientSecretInvalidError) HttpStatusCode() int { return 400 }
+
+type OidcInvalidAuthorizationCodeError struct{}
+
+func (e *OidcInvalidAuthorizationCodeError) Error() string       { return "invalid authorization code" }
+func (e *OidcInvalidAuthorizationCodeError) HttpStatusCode() int { return 400 }
+
+type OidcInvalidCallbackURLError struct{}
+
+func (e *OidcInvalidCallbackURLError) Error() string {
+	return "invalid callback URL, it might be necessary for an admin to fix this"
+}
+func (e *OidcInvalidCallbackURLError) HttpStatusCode() int { return 400 }
+
+type FileTypeNotSupportedError struct{}
+
+func (e *FileTypeNotSupportedError) Error() string       { return "file type not supported" }
+func (e *FileTypeNotSupportedError) HttpStatusCode() int { return 400 }
+
+type InvalidCredentialsError struct{}
+
+func (e *InvalidCredentialsError) Error() string       { return "no user found with provided credentials" }
+func (e *InvalidCredentialsError) HttpStatusCode() int { return 400 }
+
+type FileTooLargeError struct {
+	MaxSize string
+}
+
+func (e *FileTooLargeError) Error() string {
+	return fmt.Sprintf("The file can't be larger than %s", e.MaxSize)
+}
+func (e *FileTooLargeError) HttpStatusCode() int { return http.StatusRequestEntityTooLarge }
+
+type NotSignedInError struct{}
+
+func (e *NotSignedInError) Error() string       { return "You are not signed in" }
+func (e *NotSignedInError) HttpStatusCode() int { return http.StatusUnauthorized }
+
+type MissingAccessToken struct{}
+
+func (e *MissingAccessToken) Error() string       { return "Missing access token" }
+func (e *MissingAccessToken) HttpStatusCode() int { return http.StatusUnauthorized }
+
+type MissingPermissionError struct{}
+
+func (e *MissingPermissionError) Error() string {
+	return "You don't have permission to perform this action"
+}
+func (e *MissingPermissionError) HttpStatusCode() int { return http.StatusForbidden }
+
+type TooManyRequestsError struct{}
+
+func (e *TooManyRequestsError) Error() string {
+	return "Too many requests"
+}
+func (e *TooManyRequestsError) HttpStatusCode() int { return http.StatusTooManyRequests }
+
+type ClientIdOrSecretNotProvidedError struct{}
+
+func (e *ClientIdOrSecretNotProvidedError) Error() string {
+	return "Client id or secret not provided"
+}
+func (e *ClientIdOrSecretNotProvidedError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type WrongFileTypeError struct {
+	ExpectedFileType string
+}
+
+func (e *WrongFileTypeError) Error() string {
+	return fmt.Sprintf("File must be of type %s", e.ExpectedFileType)
+}
+func (e *WrongFileTypeError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type MissingSessionIdError struct{}
+
+func (e *MissingSessionIdError) Error() string {
+	return "Missing session id"
+}
+func (e *MissingSessionIdError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type ReservedClaimError struct {
+	Key string
+}
+
+func (e *ReservedClaimError) Error() string {
+	return fmt.Sprintf("Claim %s is reserved and can't be used", e.Key)
+}
+func (e *ReservedClaimError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type DuplicateClaimError struct {
+	Key string
+}
+
+func (e *DuplicateClaimError) Error() string {
+	return fmt.Sprintf("Claim %s is already defined", e.Key)
+}
+func (e *DuplicateClaimError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type AccountEditNotAllowedError struct{}
+
+func (e *AccountEditNotAllowedError) Error() string {
+	return "You are not allowed to edit your account"
+}
+func (e *AccountEditNotAllowedError) HttpStatusCode() int { return http.StatusForbidden }
+
+type OidcInvalidCodeVerifierError struct{}
+
+func (e *OidcInvalidCodeVerifierError) Error() string {
+	return "Invalid code verifier"
+}
+func (e *OidcInvalidCodeVerifierError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type OidcMissingCodeChallengeError struct{}
+
+func (e *OidcMissingCodeChallengeError) Error() string {
+	return "Missing code challenge"
+}
+func (e *OidcMissingCodeChallengeError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type LdapUserUpdateError struct{}
+
+func (e *LdapUserUpdateError) Error() string {
+	return "LDAP users can't be updated"
+}
+func (e *LdapUserUpdateError) HttpStatusCode() int { return http.StatusForbidden }
+
+type LdapUserGroupUpdateError struct{}
+
+func (e *LdapUserGroupUpdateError) Error() string {
+	return "LDAP user groups can't be updated"
+}
+func (e *LdapUserGroupUpdateError) HttpStatusCode() int { return http.StatusForbidden }
+
+type OidcAccessDeniedError struct{}
+
+func (e *OidcAccessDeniedError) Error() string {
+	return "You're not allowed to access this service"
+}
+func (e *OidcAccessDeniedError) HttpStatusCode() int { return http.StatusForbidden }
+
+type OidcClientIdNotMatchingError struct{}
+
+func (e *OidcClientIdNotMatchingError) Error() string {
+	return "Client id in request doesn't match client id in token"
+}
+func (e *OidcClientIdNotMatchingError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type OidcNoCallbackURLError struct{}
+
+func (e *OidcNoCallbackURLError) Error() string {
+	return "No callback URL provided"
+}
+func (e *OidcNoCallbackURLError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type UiConfigDisabledError struct{}
+
+func (e *UiConfigDisabledError) Error() string {
+	return "The configuration can't be changed since the UI configuration is disabled"
+}
+func (e *UiConfigDisabledError) HttpStatusCode() int { return http.StatusForbidden }
+
+type InvalidUUIDError struct{}
+
+func (e *InvalidUUIDError) Error() string {
+	return "Invalid UUID"
+}
+
+type InvalidEmailError struct{}
+
+type OneTimeAccessDisabledError struct{}
+
+func (e *OneTimeAccessDisabledError) Error() string {
+	return "One-time access is disabled"
+}
+func (e *OneTimeAccessDisabledError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type InvalidAPIKeyError struct{}
+
+func (e *InvalidAPIKeyError) Error() string {
+	return "Invalid Api Key"
+}
+
+type NoAPIKeyProvidedError struct{}
+
+func (e *NoAPIKeyProvidedError) Error() string {
+	return "No API Key Provided"
+}
+
+type APIKeyNotFoundError struct{}
+
+func (e *APIKeyNotFoundError) Error() string {
+	return "API Key Not Found"
+}
+
+type APIKeyExpirationDateError struct{}
+
+func (e *APIKeyExpirationDateError) Error() string {
+	return "API Key expiration time must be in the future"
+}
+
+type OidcInvalidRefreshTokenError struct{}
+
+func (e *OidcInvalidRefreshTokenError) Error() string {
+	return "refresh token is invalid or expired"
+}
+
+func (e *OidcInvalidRefreshTokenError) HttpStatusCode() int {
+	return http.StatusBadRequest
+}
+
+type OidcMissingRefreshTokenError struct{}
+
+func (e *OidcMissingRefreshTokenError) Error() string {
+	return "refresh token is required"
+}
+
+func (e *OidcMissingRefreshTokenError) HttpStatusCode() int {
+	return http.StatusBadRequest
+}
+
+type OidcMissingAuthorizationCodeError struct{}
+
+func (e *OidcMissingAuthorizationCodeError) Error() string {
+	return "authorization code is required"
+}
+
+func (e *OidcMissingAuthorizationCodeError) HttpStatusCode() int {
+	return http.StatusBadRequest
+}
--- a/backend/internal/controller/api_key_controller.go
+++ b/backend/internal/controller/api_key_controller.go
@@ -0,0 +1,125 @@
+package controller
+
+import (
+	"net/http"
+
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+// swag init -g cmd/main.go -o ./docs/swagger --parseDependency
+
+// ApiKeyController manages API keys for authenticated users
+type ApiKeyController struct {
+	apiKeyService *service.ApiKeyService
+}
+
+// NewApiKeyController creates a new controller for API key management
+// @Summary API key management controller
+// @Description Initializes API endpoints for managing API keys
+// @Tags API Keys
+func NewApiKeyController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, apiKeyService *service.ApiKeyService) {
+	uc := &ApiKeyController{apiKeyService: apiKeyService}
+
+	apiKeyGroup := group.Group("/api-keys")
+	apiKeyGroup.Use(authMiddleware.WithAdminNotRequired().Add())
+	{
+		apiKeyGroup.GET("", uc.listApiKeysHandler)
+		apiKeyGroup.POST("", uc.createApiKeyHandler)
+		apiKeyGroup.DELETE("/:id", uc.revokeApiKeyHandler)
+	}
+}
+
+// listApiKeysHandler godoc
+// @Summary List API keys
+// @Description Get a paginated list of API keys belonging to the current user
+// @Tags API Keys
+// @Param page query int false "Page number, starting from 1" default(1)
+// @Param limit query int false "Number of items per page" default(10)
+// @Param sort_column query string false "Column to sort by" default("created_at")
+// @Param sort_direction query string false "Sort direction (asc or desc)" default("desc")
+// @Success 200 {object} dto.Paginated[dto.ApiKeyDto]
+// @Router /api/api-keys [get]
+func (c *ApiKeyController) listApiKeysHandler(ctx *gin.Context) {
+	userID := ctx.GetString("userID")
+
+	var sortedPaginationRequest utils.SortedPaginationRequest
+	if err := ctx.ShouldBindQuery(&sortedPaginationRequest); err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	apiKeys, pagination, err := c.apiKeyService.ListApiKeys(ctx.Request.Context(), userID, sortedPaginationRequest)
+	if err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	var apiKeysDto []dto.ApiKeyDto
+	if err := dto.MapStructList(apiKeys, &apiKeysDto); err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	ctx.JSON(http.StatusOK, dto.Paginated[dto.ApiKeyDto]{
+		Data:       apiKeysDto,
+		Pagination: pagination,
+	})
+}
+
+// createApiKeyHandler godoc
+// @Summary Create API key
+// @Description Create a new API key for the current user
+// @Tags API Keys
+// @Param api_key body dto.ApiKeyCreateDto true "API key information"
+// @Success 201 {object} dto.ApiKeyResponseDto "Created API key with token"
+// @Router /api/api-keys [post]
+func (c *ApiKeyController) createApiKeyHandler(ctx *gin.Context) {
+	userID := ctx.GetString("userID")
+
+	var input dto.ApiKeyCreateDto
+	if err := ctx.ShouldBindJSON(&input); err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	apiKey, token, err := c.apiKeyService.CreateApiKey(ctx.Request.Context(), userID, input)
+	if err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	var apiKeyDto dto.ApiKeyDto
+	if err := dto.MapStruct(apiKey, &apiKeyDto); err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	ctx.JSON(http.StatusCreated, dto.ApiKeyResponseDto{
+		ApiKey: apiKeyDto,
+		Token:  token,
+	})
+}
+
+// revokeApiKeyHandler godoc
+// @Summary Revoke API key
+// @Description Revoke (delete) an existing API key by ID
+// @Tags API Keys
+// @Param id path string true "API Key ID"
+// @Success 204 "No Content"
+// @Router /api/api-keys/{id} [delete]
+func (c *ApiKeyController) revokeApiKeyHandler(ctx *gin.Context) {
+	userID := ctx.GetString("userID")
+	apiKeyID := ctx.Param("id")
+
+	if err := c.apiKeyService.RevokeApiKey(ctx.Request.Context(), userID, apiKeyID); err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	ctx.Status(http.StatusNoContent)
+}
--- a/backend/internal/controller/app_config_controller.go
+++ b/backend/internal/controller/app_config_controller.go
@@ -1,180 +1,303 @@
 package controller

 import (
-	"errors"
-	"fmt"
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"net/http"
+	"strconv"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )

+// NewAppConfigController creates a new controller for application configuration endpoints
+// @Summary Create a new application configuration controller
+// @Description Initialize routes for application configuration
+// @Tags Application Configuration
 func NewAppConfigController(
 	group *gin.RouterGroup,
-	jwtAuthMiddleware *middleware.JwtAuthMiddleware,
-	appConfigService *service.AppConfigService) {
+	authMiddleware *middleware.AuthMiddleware,
+	appConfigService *service.AppConfigService,
+	emailService *service.EmailService,
+	ldapService *service.LdapService,
+) {

 	acc := &AppConfigController{
 		appConfigService: appConfigService,
+		emailService:     emailService,
+		ldapService:      ldapService,
 	}
 	group.GET("/application-configuration", acc.listAppConfigHandler)
-	group.GET("/application-configuration/all", jwtAuthMiddleware.Add(true), acc.listAllAppConfigHandler)
-	group.PUT("/application-configuration", acc.updateAppConfigHandler)
+	group.GET("/application-configuration/all", authMiddleware.Add(), acc.listAllAppConfigHandler)
+	group.PUT("/application-configuration", authMiddleware.Add(), acc.updateAppConfigHandler)

 	group.GET("/application-configuration/logo", acc.getLogoHandler)
 	group.GET("/application-configuration/background-image", acc.getBackgroundImageHandler)
 	group.GET("/application-configuration/favicon", acc.getFaviconHandler)
-	group.PUT("/application-configuration/logo", jwtAuthMiddleware.Add(true), acc.updateLogoHandler)
-	group.PUT("/application-configuration/favicon", jwtAuthMiddleware.Add(true), acc.updateFaviconHandler)
-	group.PUT("/application-configuration/background-image", jwtAuthMiddleware.Add(true), acc.updateBackgroundImageHandler)
+	group.PUT("/application-configuration/logo", authMiddleware.Add(), acc.updateLogoHandler)
+	group.PUT("/application-configuration/favicon", authMiddleware.Add(), acc.updateFaviconHandler)
+	group.PUT("/application-configuration/background-image", authMiddleware.Add(), acc.updateBackgroundImageHandler)
+
+	group.POST("/application-configuration/test-email", authMiddleware.Add(), acc.testEmailHandler)
+	group.POST("/application-configuration/sync-ldap", authMiddleware.Add(), acc.syncLdapHandler)
 }

 type AppConfigController struct {
 	appConfigService *service.AppConfigService
+	emailService     *service.EmailService
+	ldapService      *service.LdapService
 }

+// listAppConfigHandler godoc
+// @Summary List public application configurations
+// @Description Get all public application configurations
+// @Tags Application Configuration
+// @Accept json
+// @Produce json
+// @Success 200 {array} dto.PublicAppConfigVariableDto
+// @Failure 500 {object} object "{"error": "error message"}"
+// @Router /application-configuration [get]
 func (acc *AppConfigController) listAppConfigHandler(c *gin.Context) {
-	configuration, err := acc.appConfigService.ListAppConfig(false)
-	if err != nil {
-		utils.ControllerError(c, err)
-		return
-	}
+	configuration := acc.appConfigService.ListAppConfig(false)

 	var configVariablesDto []dto.PublicAppConfigVariableDto
 	if err := dto.MapStructList(configuration, &configVariablesDto); err != nil {
-		utils.ControllerError(c, err)
-		return
-	}
-
-	c.JSON(200, configVariablesDto)
-}
-
-func (acc *AppConfigController) listAllAppConfigHandler(c *gin.Context) {
-	configuration, err := acc.appConfigService.ListAppConfig(true)
-	if err != nil {
-		utils.ControllerError(c, err)
-		return
-	}
-
-	var configVariablesDto []dto.AppConfigVariableDto
-	if err := dto.MapStructList(configuration, &configVariablesDto); err != nil {
-		utils.ControllerError(c, err)
-		return
-	}
-
-	c.JSON(200, configVariablesDto)
-}
-
-func (acc *AppConfigController) updateAppConfigHandler(c *gin.Context) {
-	var input dto.AppConfigUpdateDto
-	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.ControllerError(c, err)
-		return
-	}
-
-	savedConfigVariables, err := acc.appConfigService.UpdateAppConfig(input)
-	if err != nil {
-		utils.ControllerError(c, err)
-		return
-	}
-
-	var configVariablesDto []dto.AppConfigVariableDto
-	if err := dto.MapStructList(savedConfigVariables, &configVariablesDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusOK, configVariablesDto)
 }

+// listAllAppConfigHandler godoc
+// @Summary List all application configurations
+// @Description Get all application configurations including private ones
+// @Tags Application Configuration
+// @Accept json
+// @Produce json
+// @Success 200 {array} dto.AppConfigVariableDto
+// @Security BearerAuth
+// @Router /application-configuration/all [get]
+func (acc *AppConfigController) listAllAppConfigHandler(c *gin.Context) {
+	configuration := acc.appConfigService.ListAppConfig(true)
+
+	var configVariablesDto []dto.AppConfigVariableDto
+	if err := dto.MapStructList(configuration, &configVariablesDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, configVariablesDto)
+}
+
+// updateAppConfigHandler godoc
+// @Summary Update application configurations
+// @Description Update application configuration settings
+// @Tags Application Configuration
+// @Accept json
+// @Produce json
+// @Param body body dto.AppConfigUpdateDto true "Application Configuration"
+// @Success 200 {array} dto.AppConfigVariableDto
+// @Security BearerAuth
+// @Router /api/application-configuration [put]
+func (acc *AppConfigController) updateAppConfigHandler(c *gin.Context) {
+	var input dto.AppConfigUpdateDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	savedConfigVariables, err := acc.appConfigService.UpdateAppConfig(c.Request.Context(), input)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var configVariablesDto []dto.AppConfigVariableDto
+	if err := dto.MapStructList(savedConfigVariables, &configVariablesDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, configVariablesDto)
+}
+
+// getLogoHandler godoc
+// @Summary Get logo image
+// @Description Get the logo image for the application
+// @Tags Application Configuration
+// @Param light query boolean false "Light mode logo (true) or dark mode logo (false)"
+// @Produce image/png
+// @Produce image/jpeg
+// @Produce image/svg+xml
+// @Success 200 {file} binary "Logo image"
+// @Router /api/application-configuration/logo [get]
 func (acc *AppConfigController) getLogoHandler(c *gin.Context) {
-	lightLogo := c.DefaultQuery("light", "true") == "true"
+	dbConfig := acc.appConfigService.GetDbConfig()

-	var imageName string
-	var imageType string
+	lightLogo, _ := strconv.ParseBool(c.DefaultQuery("light", "true"))

+	var imageName, imageType string
 	if lightLogo {
 		imageName = "logoLight"
-		imageType = acc.appConfigService.DbConfig.LogoLightImageType.Value
+		imageType = dbConfig.LogoLightImageType.Value
 	} else {
 		imageName = "logoDark"
-		imageType = acc.appConfigService.DbConfig.LogoDarkImageType.Value
+		imageType = dbConfig.LogoDarkImageType.Value
 	}

 	acc.getImage(c, imageName, imageType)
 }

+// getFaviconHandler godoc
+// @Summary Get favicon
+// @Description Get the favicon for the application
+// @Tags Application Configuration
+// @Produce image/x-icon
+// @Success 200 {file} binary "Favicon image"
+// @Failure 404 {object} object "{"error": "File not found"}"
+// @Router /api/application-configuration/favicon [get]
 func (acc *AppConfigController) getFaviconHandler(c *gin.Context) {
 	acc.getImage(c, "favicon", "ico")
 }

+// getBackgroundImageHandler godoc
+// @Summary Get background image
+// @Description Get the background image for the application
+// @Tags Application Configuration
+// @Produce image/png
+// @Produce image/jpeg
+// @Success 200 {file} binary "Background image"
+// @Failure 404 {object} object "{"error": "File not found"}"
+// @Router /api/application-configuration/background-image [get]
 func (acc *AppConfigController) getBackgroundImageHandler(c *gin.Context) {
-	imageType := acc.appConfigService.DbConfig.BackgroundImageType.Value
+	imageType := acc.appConfigService.GetDbConfig().BackgroundImageType.Value
 	acc.getImage(c, "background", imageType)
 }

+// updateLogoHandler godoc
+// @Summary Update logo
+// @Description Update the application logo
+// @Tags Application Configuration
+// @Accept multipart/form-data
+// @Param light query boolean false "Light mode logo (true) or dark mode logo (false)"
+// @Param file formData file true "Logo image file"
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/application-configuration/logo [put]
 func (acc *AppConfigController) updateLogoHandler(c *gin.Context) {
-	lightLogo := c.DefaultQuery("light", "true") == "true"
+	dbConfig := acc.appConfigService.GetDbConfig()

-	var imageName string
-	var imageType string
+	lightLogo, _ := strconv.ParseBool(c.DefaultQuery("light", "true"))

+	var imageName, imageType string
 	if lightLogo {
 		imageName = "logoLight"
-		imageType = acc.appConfigService.DbConfig.LogoLightImageType.Value
+		imageType = dbConfig.LogoLightImageType.Value
 	} else {
 		imageName = "logoDark"
-		imageType = acc.appConfigService.DbConfig.LogoDarkImageType.Value
+		imageType = dbConfig.LogoDarkImageType.Value
 	}

 	acc.updateImage(c, imageName, imageType)
 }

+// updateFaviconHandler godoc
+// @Summary Update favicon
+// @Description Update the application favicon
+// @Tags Application Configuration
+// @Accept multipart/form-data
+// @Param file formData file true "Favicon file (.ico)"
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/application-configuration/favicon [put]
 func (acc *AppConfigController) updateFaviconHandler(c *gin.Context) {
 	file, err := c.FormFile("file")
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

 	fileType := utils.GetFileExtension(file.Filename)
 	if fileType != "ico" {
-		utils.CustomControllerError(c, http.StatusBadRequest, "File must be of type .ico")
+		_ = c.Error(&common.WrongFileTypeError{ExpectedFileType: ".ico"})
 		return
 	}
 	acc.updateImage(c, "favicon", "ico")
 }

+// updateBackgroundImageHandler godoc
+// @Summary Update background image
+// @Description Update the application background image
+// @Tags Application Configuration
+// @Accept multipart/form-data
+// @Param file formData file true "Background image file"
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/application-configuration/background-image [put]
 func (acc *AppConfigController) updateBackgroundImageHandler(c *gin.Context) {
-	imageType := acc.appConfigService.DbConfig.BackgroundImageType.Value
+	imageType := acc.appConfigService.GetDbConfig().BackgroundImageType.Value
 	acc.updateImage(c, "background", imageType)
 }

+// getImage is a helper function to serve image files
 func (acc *AppConfigController) getImage(c *gin.Context, name string, imageType string) {
-	imagePath := fmt.Sprintf("%s/application-images/%s.%s", common.EnvConfig.UploadPath, name, imageType)
+	imagePath := common.EnvConfig.UploadPath + "/application-images/" + name + "." + imageType
 	mimeType := utils.GetImageMimeType(imageType)

 	c.Header("Content-Type", mimeType)
 	c.File(imagePath)
 }

+// updateImage is a helper function to update image files
 func (acc *AppConfigController) updateImage(c *gin.Context, imageName string, oldImageType string) {
 	file, err := c.FormFile("file")
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

-	err = acc.appConfigService.UpdateImage(file, imageName, oldImageType)
+	err = acc.appConfigService.UpdateImage(c.Request.Context(), file, imageName, oldImageType)
 	if err != nil {
-		if errors.Is(err, common.ErrFileTypeNotSupported) {
-			utils.CustomControllerError(c, http.StatusBadRequest, err.Error())
-		} else {
-			utils.ControllerError(c, err)
-		}
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+// syncLdapHandler godoc
+// @Summary Synchronize LDAP
+// @Description Manually trigger LDAP synchronization
+// @Tags Application Configuration
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/application-configuration/sync-ldap [post]
+func (acc *AppConfigController) syncLdapHandler(c *gin.Context) {
+	err := acc.ldapService.SyncAll(c.Request.Context())
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+// testEmailHandler godoc
+// @Summary Send test email
+// @Description Send a test email to verify email configuration
+// @Tags Application Configuration
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/application-configuration/test-email [post]
+func (acc *AppConfigController) testEmailHandler(c *gin.Context) {
+	userID := c.GetString("userID")
+
+	err := acc.emailService.SendTestEmail(c.Request.Context(), userID)
+	if err != nil {
+		_ = c.Error(err)
 		return
 	}

--- a/backend/internal/controller/audit_log_controller.go
+++ b/backend/internal/controller/audit_log_controller.go
@@ -1,37 +1,60 @@
 package controller

 import (
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
 	"net/http"
-	"strconv"
+
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"

 	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )

-func NewAuditLogController(group *gin.RouterGroup, auditLogService *service.AuditLogService, jwtAuthMiddleware *middleware.JwtAuthMiddleware) {
+// NewAuditLogController creates a new controller for audit log management
+// @Summary Audit log controller
+// @Description Initializes API endpoints for accessing audit logs
+// @Tags Audit Logs
+func NewAuditLogController(group *gin.RouterGroup, auditLogService *service.AuditLogService, authMiddleware *middleware.AuthMiddleware) {
 	alc := AuditLogController{
 		auditLogService: auditLogService,
 	}

-	group.GET("/audit-logs", jwtAuthMiddleware.Add(false), alc.listAuditLogsForUserHandler)
+	group.GET("/audit-logs/all", authMiddleware.Add(), alc.listAllAuditLogsHandler)
+	group.GET("/audit-logs", authMiddleware.WithAdminNotRequired().Add(), alc.listAuditLogsForUserHandler)
+	group.GET("/audit-logs/filters/client-names", authMiddleware.Add(), alc.listClientNamesHandler)
+	group.GET("/audit-logs/filters/users", authMiddleware.Add(), alc.listUserNamesWithIdsHandler)
 }

 type AuditLogController struct {
 	auditLogService *service.AuditLogService
 }

+// listAuditLogsForUserHandler godoc
+// @Summary List audit logs
+// @Description Get a paginated list of audit logs for the current user
+// @Tags Audit Logs
+// @Param page query int false "Page number, starting from 1" default(1)
+// @Param limit query int false "Number of items per page" default(10)
+// @Param sort_column query string false "Column to sort by" default("created_at")
+// @Param sort_direction query string false "Sort direction (asc or desc)" default("desc")
+// @Success 200 {object} dto.Paginated[dto.AuditLogDto]
+// @Router /api/audit-logs [get]
 func (alc *AuditLogController) listAuditLogsForUserHandler(c *gin.Context) {
+	var sortedPaginationRequest utils.SortedPaginationRequest
+
+	err := c.ShouldBindQuery(&sortedPaginationRequest)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
 	userID := c.GetString("userID")
-	page, _ := strconv.Atoi(c.DefaultQuery("page", "1"))
-	pageSize, _ := strconv.Atoi(c.DefaultQuery("limit", "10"))

 	// Fetch audit logs for the user
-	logs, pagination, err := alc.auditLogService.ListAuditLogsForUser(userID, page, pageSize)
+	logs, pagination, err := alc.auditLogService.ListAuditLogsForUser(c.Request.Context(), userID, sortedPaginationRequest)
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

@@ -39,7 +62,7 @@ func (alc *AuditLogController) listAuditLogsForUserHandler(c *gin.Context) {
 	var logsDtos []dto.AuditLogDto
 	err = dto.MapStructList(logs, &logsDtos)
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

@@ -49,8 +72,91 @@ func (alc *AuditLogController) listAuditLogsForUserHandler(c *gin.Context) {
 		logsDtos[i] = logsDto
 	}

-	c.JSON(http.StatusOK, gin.H{
-		"data":       logsDtos,
-		"pagination": pagination,
+	c.JSON(http.StatusOK, dto.Paginated[dto.AuditLogDto]{
+		Data:       logsDtos,
+		Pagination: pagination,
 	})
 }
+
+// listAllAuditLogsHandler godoc
+// @Summary List all audit logs
+// @Description Get a paginated list of all audit logs (admin only)
+// @Tags Audit Logs
+// @Param page query int false "Page number, starting from 1" default(1)
+// @Param limit query int false "Number of items per page" default(10)
+// @Param sort_column query string false "Column to sort by" default("created_at")
+// @Param sort_direction query string false "Sort direction (asc or desc)" default("desc")
+// @Param user_id query string false "Filter by user ID"
+// @Param event query string false "Filter by event type"
+// @Param client_name query string false "Filter by client name"
+// @Success 200 {object} dto.Paginated[dto.AuditLogDto]
+// @Router /api/audit-logs/all [get]
+func (alc *AuditLogController) listAllAuditLogsHandler(c *gin.Context) {
+	var sortedPaginationRequest utils.SortedPaginationRequest
+	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var filters dto.AuditLogFilterDto
+	if err := c.ShouldBindQuery(&filters); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	logs, pagination, err := alc.auditLogService.ListAllAuditLogs(c.Request.Context(), sortedPaginationRequest, filters)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var logsDtos []dto.AuditLogDto
+	err = dto.MapStructList(logs, &logsDtos)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	for i, logsDto := range logsDtos {
+		logsDto.Device = alc.auditLogService.DeviceStringFromUserAgent(logs[i].UserAgent)
+		logsDto.Username = logs[i].User.Username
+		logsDtos[i] = logsDto
+	}
+
+	c.JSON(http.StatusOK, dto.Paginated[dto.AuditLogDto]{
+		Data:       logsDtos,
+		Pagination: pagination,
+	})
+}
+
+// listClientNamesHandler godoc
+// @Summary List client names
+// @Description Get a list of all client names for audit log filtering
+// @Tags Audit Logs
+// @Success 200 {array} string "List of client names"
+// @Router /api/audit-logs/filters/client-names [get]
+func (alc *AuditLogController) listClientNamesHandler(c *gin.Context) {
+	names, err := alc.auditLogService.ListClientNames(c.Request.Context())
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, names)
+}
+
+// listUserNamesWithIdsHandler godoc
+// @Summary List users with IDs
+// @Description Get a list of all usernames with their IDs for audit log filtering
+// @Tags Audit Logs
+// @Success 200 {object} map[string]string "Map of user IDs to usernames"
+// @Router /api/audit-logs/filters/users [get]
+func (alc *AuditLogController) listUserNamesWithIdsHandler(c *gin.Context) {
+	users, err := alc.auditLogService.ListUsernamesWithIds(c.Request.Context())
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, users)
+}
--- a/backend/internal/controller/custom_claim_controller.go
+++ b/backend/internal/controller/custom_claim_controller.go
@@ -0,0 +1,120 @@
+package controller
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+// NewCustomClaimController creates a new controller for custom claim management
+// @Summary Custom claim management controller
+// @Description Initializes all custom claim-related API endpoints
+// @Tags Custom Claims
+func NewCustomClaimController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, customClaimService *service.CustomClaimService) {
+	wkc := &CustomClaimController{customClaimService: customClaimService}
+
+	customClaimsGroup := group.Group("/custom-claims")
+	customClaimsGroup.Use(authMiddleware.Add())
+	{
+		customClaimsGroup.GET("/suggestions", wkc.getSuggestionsHandler)
+		customClaimsGroup.PUT("/user/:userId", wkc.UpdateCustomClaimsForUserHandler)
+		customClaimsGroup.PUT("/user-group/:userGroupId", wkc.UpdateCustomClaimsForUserGroupHandler)
+	}
+}
+
+type CustomClaimController struct {
+	customClaimService *service.CustomClaimService
+}
+
+// getSuggestionsHandler godoc
+// @Summary Get custom claim suggestions
+// @Description Get a list of suggested custom claim names
+// @Tags Custom Claims
+// @Produce json
+// @Success 200 {array} string "List of suggested custom claim names"
+// @Failure 401 {object} object "Unauthorized"
+// @Failure 403 {object} object "Forbidden"
+// @Failure 500 {object} object "Internal server error"
+// @Security BearerAuth
+// @Router /api/custom-claims/suggestions [get]
+func (ccc *CustomClaimController) getSuggestionsHandler(c *gin.Context) {
+	claims, err := ccc.customClaimService.GetSuggestions(c.Request.Context())
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, claims)
+}
+
+// UpdateCustomClaimsForUserHandler godoc
+// @Summary Update custom claims for a user
+// @Description Update or create custom claims for a specific user
+// @Tags Custom Claims
+// @Accept json
+// @Produce json
+// @Param userId path string true "User ID"
+// @Param claims body []dto.CustomClaimCreateDto true "List of custom claims to set for the user"
+// @Success 200 {array} dto.CustomClaimDto "Updated custom claims"
+// @Router /api/custom-claims/user/{userId} [put]
+func (ccc *CustomClaimController) UpdateCustomClaimsForUserHandler(c *gin.Context) {
+	var input []dto.CustomClaimCreateDto
+
+	if err := c.ShouldBindJSON(&input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	userId := c.Param("userId")
+	claims, err := ccc.customClaimService.UpdateCustomClaimsForUser(c.Request.Context(), userId, input)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var customClaimsDto []dto.CustomClaimDto
+	if err := dto.MapStructList(claims, &customClaimsDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, customClaimsDto)
+}
+
+// UpdateCustomClaimsForUserGroupHandler godoc
+// @Summary Update custom claims for a user group
+// @Description Update or create custom claims for a specific user group
+// @Tags Custom Claims
+// @Accept json
+// @Produce json
+// @Param userGroupId path string true "User Group ID"
+// @Param claims body []dto.CustomClaimCreateDto true "List of custom claims to set for the user group"
+// @Success 200 {array} dto.CustomClaimDto "Updated custom claims"
+// @Security BearerAuth
+// @Router /api/custom-claims/user-group/{userGroupId} [put]
+func (ccc *CustomClaimController) UpdateCustomClaimsForUserGroupHandler(c *gin.Context) {
+	var input []dto.CustomClaimCreateDto
+
+	if err := c.ShouldBindJSON(&input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	userGroupId := c.Param("userGroupId")
+	claims, err := ccc.customClaimService.UpdateCustomClaimsForUserGroup(c.Request.Context(), userGroupId, input)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var customClaimsDto []dto.CustomClaimDto
+	if err := dto.MapStructList(claims, &customClaimsDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, customClaimsDto)
+}
--- a/backend/internal/controller/e2etest_controller.go
+++ b/backend/internal/controller/e2etest_controller.go
@@ -1,10 +1,13 @@
+//go:build e2etest
+
 package controller

 import (
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"net/http"
+
+	"github.com/gin-gonic/gin"
+
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )

 func NewTestController(group *gin.RouterGroup, testService *service.TestService) {
@@ -19,19 +22,26 @@ type TestController struct {

 func (tc *TestController) resetAndSeedHandler(c *gin.Context) {
 	if err := tc.TestService.ResetDatabase(); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

 	if err := tc.TestService.ResetApplicationImages(); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

 	if err := tc.TestService.SeedDatabase(); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

+	if err := tc.TestService.ResetAppConfig(c.Request.Context()); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	tc.TestService.SetJWTKeys()
+
 	c.Status(http.StatusNoContent)
 }
--- a/backend/internal/controller/oidc_controller.go
+++ b/backend/internal/controller/oidc_controller.go
@@ -1,37 +1,50 @@
 package controller

 import (
-	"errors"
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"log"
 	"net/http"
-	"strconv"
+	"net/url"
 	"strings"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/cookie"
 )

-func NewOidcController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, fileSizeLimitMiddleware *middleware.FileSizeLimitMiddleware, oidcService *service.OidcService, jwtService *service.JwtService) {
+// NewOidcController creates a new controller for OIDC related endpoints
+// @Summary OIDC controller
+// @Description Initializes all OIDC-related API endpoints for authentication and client management
+// @Tags OIDC
+func NewOidcController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, fileSizeLimitMiddleware *middleware.FileSizeLimitMiddleware, oidcService *service.OidcService, jwtService *service.JwtService) {
 	oc := &OidcController{oidcService: oidcService, jwtService: jwtService}

-	group.POST("/oidc/authorize", jwtAuthMiddleware.Add(false), oc.authorizeHandler)
-	group.POST("/oidc/authorize/new-client", jwtAuthMiddleware.Add(false), oc.authorizeNewClientHandler)
+	group.POST("/oidc/authorize", authMiddleware.WithAdminNotRequired().Add(), oc.authorizeHandler)
+	group.POST("/oidc/authorization-required", authMiddleware.WithAdminNotRequired().Add(), oc.authorizationConfirmationRequiredHandler)
+
 	group.POST("/oidc/token", oc.createTokensHandler)
 	group.GET("/oidc/userinfo", oc.userInfoHandler)
+	group.POST("/oidc/userinfo", oc.userInfoHandler)
+	group.POST("/oidc/end-session", authMiddleware.WithSuccessOptional().Add(), oc.EndSessionHandler)
+	group.GET("/oidc/end-session", authMiddleware.WithSuccessOptional().Add(), oc.EndSessionHandler)
+	group.POST("/oidc/introspect", oc.introspectTokenHandler)

-	group.GET("/oidc/clients", jwtAuthMiddleware.Add(true), oc.listClientsHandler)
-	group.POST("/oidc/clients", jwtAuthMiddleware.Add(true), oc.createClientHandler)
-	group.GET("/oidc/clients/:id", oc.getClientHandler)
-	group.PUT("/oidc/clients/:id", jwtAuthMiddleware.Add(true), oc.updateClientHandler)
-	group.DELETE("/oidc/clients/:id", jwtAuthMiddleware.Add(true), oc.deleteClientHandler)
+	group.GET("/oidc/clients", authMiddleware.Add(), oc.listClientsHandler)
+	group.POST("/oidc/clients", authMiddleware.Add(), oc.createClientHandler)
+	group.GET("/oidc/clients/:id", authMiddleware.Add(), oc.getClientHandler)
+	group.GET("/oidc/clients/:id/meta", oc.getClientMetaDataHandler)
+	group.PUT("/oidc/clients/:id", authMiddleware.Add(), oc.updateClientHandler)
+	group.DELETE("/oidc/clients/:id", authMiddleware.Add(), oc.deleteClientHandler)

-	group.POST("/oidc/clients/:id/secret", jwtAuthMiddleware.Add(true), oc.createClientSecretHandler)
+	group.PUT("/oidc/clients/:id/allowed-user-groups", authMiddleware.Add(), oc.updateAllowedUserGroupsHandler)
+	group.POST("/oidc/clients/:id/secret", authMiddleware.Add(), oc.createClientSecretHandler)

 	group.GET("/oidc/clients/:id/logo", oc.getClientLogoHandler)
 	group.DELETE("/oidc/clients/:id/logo", oc.deleteClientLogoHandler)
-	group.POST("/oidc/clients/:id/logo", jwtAuthMiddleware.Add(true), fileSizeLimitMiddleware.Add(2<<20), oc.updateClientLogoHandler)
+	group.POST("/oidc/clients/:id/logo", authMiddleware.Add(), fileSizeLimitMiddleware.Add(2<<20), oc.updateClientLogoHandler)
 }

 type OidcController struct {
@@ -39,22 +52,26 @@ type OidcController struct {
 	jwtService  *service.JwtService
 }

+// authorizeHandler godoc
+// @Summary Authorize OIDC client
+// @Description Start the OIDC authorization process for a client
+// @Tags OIDC
+// @Accept json
+// @Produce json
+// @Param request body dto.AuthorizeOidcClientRequestDto true "Authorization request parameters"
+// @Success 200 {object} dto.AuthorizeOidcClientResponseDto "Authorization code and callback URL"
+// @Security BearerAuth
+// @Router /api/oidc/authorize [post]
 func (oc *OidcController) authorizeHandler(c *gin.Context) {
 	var input dto.AuthorizeOidcClientRequestDto
 	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

-	code, callbackURL, err := oc.oidcService.Authorize(input, c.GetString("userID"), c.ClientIP(), c.Request.UserAgent())
+	code, callbackURL, err := oc.oidcService.Authorize(c.Request.Context(), input, c.GetString("userID"), c.ClientIP(), c.Request.UserAgent())
 	if err != nil {
-		if errors.Is(err, common.ErrOidcMissingAuthorization) {
-			utils.CustomControllerError(c, http.StatusForbidden, err.Error())
-		} else if errors.Is(err, common.ErrOidcInvalidCallbackURL) {
-			utils.CustomControllerError(c, http.StatusBadRequest, err.Error())
-		} else {
-			utils.ControllerError(c, err)
-		}
+		_ = c.Error(err)
 		return
 	}

@@ -66,36 +83,64 @@ func (oc *OidcController) authorizeHandler(c *gin.Context) {
 	c.JSON(http.StatusOK, response)
 }

-func (oc *OidcController) authorizeNewClientHandler(c *gin.Context) {
-	var input dto.AuthorizeOidcClientRequestDto
+// authorizationConfirmationRequiredHandler godoc
+// @Summary Check if authorization confirmation is required
+// @Description Check if the user needs to confirm authorization for the client
+// @Tags OIDC
+// @Accept json
+// @Produce json
+// @Param request body dto.AuthorizationRequiredDto true "Authorization check parameters"
+// @Success 200 {object} object "{ \"authorizationRequired\": true/false }"
+// @Security BearerAuth
+// @Router /api/oidc/authorization-required [post]
+func (oc *OidcController) authorizationConfirmationRequiredHandler(c *gin.Context) {
+	var input dto.AuthorizationRequiredDto
 	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

-	code, callbackURL, err := oc.oidcService.AuthorizeNewClient(input, c.GetString("userID"), c.ClientIP(), c.Request.UserAgent())
+	hasAuthorizedClient, err := oc.oidcService.HasAuthorizedClient(c.Request.Context(), input.ClientID, c.GetString("userID"), input.Scope)
 	if err != nil {
-		if errors.Is(err, common.ErrOidcInvalidCallbackURL) {
-			utils.CustomControllerError(c, http.StatusBadRequest, err.Error())
-		} else {
-			utils.ControllerError(c, err)
-		}
+		_ = c.Error(err)
 		return
 	}

-	response := dto.AuthorizeOidcClientResponseDto{
-		Code:        code,
-		CallbackURL: callbackURL,
-	}
-
-	c.JSON(http.StatusOK, response)
+	c.JSON(http.StatusOK, gin.H{"authorizationRequired": !hasAuthorizedClient})
 }

+// createTokensHandler godoc
+// @Summary Create OIDC tokens
+// @Description Exchange authorization code or refresh token for access tokens
+// @Tags OIDC
+// @Produce json
+// @Param client_id formData string false "Client ID (if not using Basic Auth)"
+// @Param client_secret formData string false "Client secret (if not using Basic Auth)"
+// @Param code formData string false "Authorization code (required for 'authorization_code' grant)"
+// @Param grant_type formData string true "Grant type ('authorization_code' or 'refresh_token')"
+// @Param code_verifier formData string false "PKCE code verifier (for authorization_code with PKCE)"
+// @Param refresh_token formData string false "Refresh token (required for 'refresh_token' grant)"
+// @Success 200 {object} dto.OidcTokenResponseDto "Token response with access_token and optional id_token and refresh_token"
+// @Router /api/oidc/token [post]
 func (oc *OidcController) createTokensHandler(c *gin.Context) {
-	var input dto.OidcIdTokenDto
+	// Disable cors for this endpoint
+	c.Writer.Header().Set("Access-Control-Allow-Origin", "*")

+	var input dto.OidcCreateTokensDto
 	if err := c.ShouldBind(&input); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
+		return
+	}
+
+	// Validate that code is provided for authorization_code grant type
+	if input.GrantType == "authorization_code" && input.Code == "" {
+		_ = c.Error(&common.OidcMissingAuthorizationCodeError{})
+		return
+	}
+
+	// Validate that refresh_token is provided for refresh_token grant type
+	if input.GrantType == "refresh_token" && input.RefreshToken == "" {
+		_ = c.Error(&common.OidcMissingRefreshTokenError{})
 		return
 	}

@@ -103,168 +148,388 @@ func (oc *OidcController) createTokensHandler(c *gin.Context) {
 	clientSecret := input.ClientSecret

 	// Client id and secret can also be passed over the Authorization header
-	if clientID == "" || clientSecret == "" {
-		var ok bool
-		clientID, clientSecret, ok = c.Request.BasicAuth()
-		if !ok {
-			utils.CustomControllerError(c, http.StatusBadRequest, "Client id and secret not provided")
-			return
-		}
+	if clientID == "" && clientSecret == "" {
+		clientID, clientSecret, _ = c.Request.BasicAuth()
 	}

-	idToken, accessToken, err := oc.oidcService.CreateTokens(input.Code, input.GrantType, clientID, clientSecret)
+	idToken, accessToken, refreshToken, expiresIn, err := oc.oidcService.CreateTokens(
+		c.Request.Context(),
+		input.Code,
+		input.GrantType,
+		clientID,
+		clientSecret,
+		input.CodeVerifier,
+		input.RefreshToken,
+	)
+
 	if err != nil {
-		if errors.Is(err, common.ErrOidcGrantTypeNotSupported) ||
-			errors.Is(err, common.ErrOidcMissingClientCredentials) ||
-			errors.Is(err, common.ErrOidcClientSecretInvalid) ||
-			errors.Is(err, common.ErrOidcInvalidAuthorizationCode) {
-			utils.CustomControllerError(c, http.StatusBadRequest, err.Error())
-		} else {
-			utils.ControllerError(c, err)
-		}
+		_ = c.Error(err)
 		return
 	}

-	c.JSON(http.StatusOK, gin.H{"id_token": idToken, "access_token": accessToken, "token_type": "Bearer"})
+	response := dto.OidcTokenResponseDto{
+		AccessToken: accessToken,
+		TokenType:   "Bearer",
+		ExpiresIn:   expiresIn,
+	}
+
+	// Include ID token only for authorization_code grant
+	if idToken != "" {
+		response.IdToken = idToken
+	}
+
+	// Include refresh token if generated
+	if refreshToken != "" {
+		response.RefreshToken = refreshToken
+	}
+
+	c.JSON(http.StatusOK, response)
 }

+// userInfoHandler godoc
+// @Summary Get user information
+// @Description Get user information based on the access token
+// @Tags OIDC
+// @Accept json
+// @Produce json
+// @Success 200 {object} object "User claims based on requested scopes"
+// @Security OAuth2AccessToken
+// @Router /api/oidc/userinfo [get]
 func (oc *OidcController) userInfoHandler(c *gin.Context) {
-	token := strings.Split(c.GetHeader("Authorization"), " ")[1]
-	jwtClaims, err := oc.jwtService.VerifyOauthAccessToken(token)
-	if err != nil {
-		utils.CustomControllerError(c, http.StatusUnauthorized, common.ErrTokenInvalidOrExpired.Error())
+	_, authToken, ok := strings.Cut(c.GetHeader("Authorization"), " ")
+	if !ok || authToken == "" {
+		_ = c.Error(&common.MissingAccessToken{})
 		return
 	}
-	userID := jwtClaims.Subject
-	clientId := jwtClaims.Audience[0]
-	claims, err := oc.oidcService.GetUserClaimsForClient(userID, clientId)
+
+	token, err := oc.jwtService.VerifyOauthAccessToken(authToken)
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
+		return
+	}
+	userID, ok := token.Subject()
+	if !ok {
+		_ = c.Error(&common.TokenInvalidError{})
+		return
+	}
+	clientID, ok := token.Audience()
+	if !ok || len(clientID) != 1 {
+		_ = c.Error(&common.TokenInvalidError{})
+		return
+	}
+	claims, err := oc.oidcService.GetUserClaimsForClient(c.Request.Context(), userID, clientID[0])
+	if err != nil {
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusOK, claims)
 }

-func (oc *OidcController) getClientHandler(c *gin.Context) {
-	clientId := c.Param("id")
-	client, err := oc.oidcService.GetClient(clientId)
+// EndSessionHandler godoc
+// @Summary End OIDC session
+// @Description End user session and handle OIDC logout
+// @Tags OIDC
+// @Accept application/x-www-form-urlencoded
+// @Produce html
+// @Param id_token_hint query string false "ID token"
+// @Param post_logout_redirect_uri query string false "URL to redirect to after logout"
+// @Param state query string false "State parameter to include in the redirect"
+// @Success 302 "Redirect to post-logout URL or application logout page"
+// @Router /api/oidc/end-session [get]
+func (oc *OidcController) EndSessionHandler(c *gin.Context) {
+	var input dto.OidcLogoutDto
+
+	// Bind query parameters to the struct
+	switch c.Request.Method {
+	case http.MethodGet:
+		if err := c.ShouldBindQuery(&input); err != nil {
+			_ = c.Error(err)
+			return
+		}
+	case http.MethodPost:
+		// Bind form parameters to the struct
+		if err := c.ShouldBind(&input); err != nil {
+			_ = c.Error(err)
+			return
+		}
+	}
+
+	callbackURL, err := oc.oidcService.ValidateEndSession(c.Request.Context(), input, c.GetString("userID"))
 	if err != nil {
-		utils.ControllerError(c, err)
+		// If the validation fails, the user has to confirm the logout manually and doesn't get redirected
+		log.Printf("Error getting logout callback URL, the user has to confirm the logout manually: %v", err)
+		c.Redirect(http.StatusFound, common.EnvConfig.AppURL+"/logout")
 		return
 	}

-	// Return a different DTO based on the user's role
-	if c.GetBool("userIsAdmin") {
-		clientDto := dto.OidcClientDto{}
-		err = dto.MapStruct(client, &clientDto)
-		if err == nil {
-			c.JSON(http.StatusOK, clientDto)
-			return
-		}
-	} else {
-		clientDto := dto.PublicOidcClientDto{}
-		err = dto.MapStruct(client, &clientDto)
-		if err == nil {
-			c.JSON(http.StatusOK, clientDto)
-			return
-		}
+	// The validation was successful, so we can log out and redirect the user to the callback URL without confirmation
+	cookie.AddAccessTokenCookie(c, 0, "")
+
+	logoutCallbackURL, _ := url.Parse(callbackURL)
+	if input.State != "" {
+		q := logoutCallbackURL.Query()
+		q.Set("state", input.State)
+		logoutCallbackURL.RawQuery = q.Encode()
 	}

-	utils.ControllerError(c, err)
+	c.Redirect(http.StatusFound, logoutCallbackURL.String())
 }

-func (oc *OidcController) listClientsHandler(c *gin.Context) {
-	page, _ := strconv.Atoi(c.DefaultQuery("page", "1"))
-	pageSize, _ := strconv.Atoi(c.DefaultQuery("limit", "10"))
-	searchTerm := c.Query("search")
+// EndSessionHandler godoc (POST method)
+// @Summary End OIDC session (POST method)
+// @Description End user session and handle OIDC logout using POST
+// @Tags OIDC
+// @Accept application/x-www-form-urlencoded
+// @Produce html
+// @Param id_token_hint formData string false "ID token"
+// @Param post_logout_redirect_uri formData string false "URL to redirect to after logout"
+// @Param state formData string false "State parameter to include in the redirect"
+// @Success 302 "Redirect to post-logout URL or application logout page"
+// @Router /api/oidc/end-session [post]
+func (oc *OidcController) EndSessionHandlerPost(c *gin.Context) {
+	// Implementation is the same as GET
+}

-	clients, pagination, err := oc.oidcService.ListClients(searchTerm, page, pageSize)
+// introspectToken godoc
+// @Summary Introspect OIDC tokens
+// @Description Pass an access_token to verify if it is considered valid.
+// @Tags OIDC
+// @Produce json
+// @Param token formData string true "The token to be introspected."
+// @Success 200 {object} dto.OidcIntrospectionResponseDto "Response with the introspection result."
+// @Router /api/oidc/introspect [post]
+func (oc *OidcController) introspectTokenHandler(c *gin.Context) {
+
+	var input dto.OidcIntrospectDto
+	if err := c.ShouldBind(&input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	// Client id and secret have to be passed over the Authorization header. This kind of
+	// authentication allows us to keep the endpoint protected (since it could be used to
+	// find valid tokens) while still allowing it to be used by an application that is
+	// supposed to interact with our IdP (since that needs to have a client_id
+	// and client_secret anyway).
+	clientID, clientSecret, _ := c.Request.BasicAuth()
+
+	response, err := oc.oidcService.IntrospectToken(clientID, clientSecret, input.Token)
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, response)
+}
+
+// getClientMetaDataHandler godoc
+// @Summary Get client metadata
+// @Description Get OIDC client metadata for discovery and configuration
+// @Tags OIDC
+// @Produce json
+// @Param id path string true "Client ID"
+// @Success 200 {object} dto.OidcClientMetaDataDto "Client metadata"
+// @Router /api/oidc/clients/{id}/meta [get]
+func (oc *OidcController) getClientMetaDataHandler(c *gin.Context) {
+	clientId := c.Param("id")
+	client, err := oc.oidcService.GetClient(c.Request.Context(), clientId)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	clientDto := dto.OidcClientMetaDataDto{}
+	err = dto.MapStruct(client, &clientDto)
+	if err == nil {
+		c.JSON(http.StatusOK, clientDto)
+		return
+	}
+
+	_ = c.Error(err)
+}
+
+// getClientHandler godoc
+// @Summary Get OIDC client
+// @Description Get detailed information about an OIDC client
+// @Tags OIDC
+// @Produce json
+// @Param id path string true "Client ID"
+// @Success 200 {object} dto.OidcClientWithAllowedUserGroupsDto "Client information"
+// @Security BearerAuth
+// @Router /api/oidc/clients/{id} [get]
+func (oc *OidcController) getClientHandler(c *gin.Context) {
+	clientId := c.Param("id")
+	client, err := oc.oidcService.GetClient(c.Request.Context(), clientId)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	clientDto := dto.OidcClientWithAllowedUserGroupsDto{}
+	err = dto.MapStruct(client, &clientDto)
+	if err == nil {
+		c.JSON(http.StatusOK, clientDto)
+		return
+	}
+
+	_ = c.Error(err)
+}
+
+// listClientsHandler godoc
+// @Summary List OIDC clients
+// @Description Get a paginated list of OIDC clients with optional search and sorting
+// @Tags OIDC
+// @Param search query string false "Search term to filter clients by name"
+// @Param page query int false "Page number, starting from 1" default(1)
+// @Param limit query int false "Number of items per page" default(10)
+// @Param sort_column query string false "Column to sort by" default("name")
+// @Param sort_direction query string false "Sort direction (asc or desc)" default("asc")
+// @Success 200 {object} dto.Paginated[dto.OidcClientDto]
+// @Security BearerAuth
+// @Router /api/oidc/clients [get]
+func (oc *OidcController) listClientsHandler(c *gin.Context) {
+	searchTerm := c.Query("search")
+	var sortedPaginationRequest utils.SortedPaginationRequest
+	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	clients, pagination, err := oc.oidcService.ListClients(c.Request.Context(), searchTerm, sortedPaginationRequest)
+	if err != nil {
+		_ = c.Error(err)
 		return
 	}

 	var clientsDto []dto.OidcClientDto
 	if err := dto.MapStructList(clients, &clientsDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

-	c.JSON(http.StatusOK, gin.H{
-		"data":       clientsDto,
-		"pagination": pagination,
+	c.JSON(http.StatusOK, dto.Paginated[dto.OidcClientDto]{
+		Data:       clientsDto,
+		Pagination: pagination,
 	})
 }

+// createClientHandler godoc
+// @Summary Create OIDC client
+// @Description Create a new OIDC client
+// @Tags OIDC
+// @Accept json
+// @Produce json
+// @Param client body dto.OidcClientCreateDto true "Client information"
+// @Success 201 {object} dto.OidcClientWithAllowedUserGroupsDto "Created client"
+// @Security BearerAuth
+// @Router /api/oidc/clients [post]
 func (oc *OidcController) createClientHandler(c *gin.Context) {
 	var input dto.OidcClientCreateDto
 	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

-	client, err := oc.oidcService.CreateClient(input, c.GetString("userID"))
+	client, err := oc.oidcService.CreateClient(c.Request.Context(), input, c.GetString("userID"))
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

-	var clientDto dto.OidcClientDto
+	var clientDto dto.OidcClientWithAllowedUserGroupsDto
 	if err := dto.MapStruct(client, &clientDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusCreated, clientDto)
 }

+// deleteClientHandler godoc
+// @Summary Delete OIDC client
+// @Description Delete an OIDC client by ID
+// @Tags OIDC
+// @Param id path string true "Client ID"
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/oidc/clients/{id} [delete]
 func (oc *OidcController) deleteClientHandler(c *gin.Context) {
-	err := oc.oidcService.DeleteClient(c.Param("id"))
+	err := oc.oidcService.DeleteClient(c.Request.Context(), c.Param("id"))
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

 	c.Status(http.StatusNoContent)
 }

+// updateClientHandler godoc
+// @Summary Update OIDC client
+// @Description Update an existing OIDC client
+// @Tags OIDC
+// @Accept json
+// @Produce json
+// @Param id path string true "Client ID"
+// @Param client body dto.OidcClientCreateDto true "Client information"
+// @Success 200 {object} dto.OidcClientWithAllowedUserGroupsDto "Updated client"
+// @Security BearerAuth
+// @Router /api/oidc/clients/{id} [put]
 func (oc *OidcController) updateClientHandler(c *gin.Context) {
 	var input dto.OidcClientCreateDto
 	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

-	client, err := oc.oidcService.UpdateClient(c.Param("id"), input)
+	client, err := oc.oidcService.UpdateClient(c.Request.Context(), c.Param("id"), input)
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

-	var clientDto dto.OidcClientDto
+	var clientDto dto.OidcClientWithAllowedUserGroupsDto
 	if err := dto.MapStruct(client, &clientDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusOK, clientDto)
 }

+// createClientSecretHandler godoc
+// @Summary Create client secret
+// @Description Generate a new secret for an OIDC client
+// @Tags OIDC
+// @Produce json
+// @Param id path string true "Client ID"
+// @Success 200 {object} object "{ \"secret\": \"string\" }"
+// @Security BearerAuth
+// @Router /api/oidc/clients/{id}/secret [post]
 func (oc *OidcController) createClientSecretHandler(c *gin.Context) {
-	secret, err := oc.oidcService.CreateClientSecret(c.Param("id"))
+	secret, err := oc.oidcService.CreateClientSecret(c.Request.Context(), c.Param("id"))
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusOK, gin.H{"secret": secret})
 }

+// getClientLogoHandler godoc
+// @Summary Get client logo
+// @Description Get the logo image for an OIDC client
+// @Tags OIDC
+// @Produce image/png
+// @Produce image/jpeg
+// @Produce image/svg+xml
+// @Param id path string true "Client ID"
+// @Success 200 {file} binary "Logo image"
+// @Router /api/oidc/clients/{id}/logo [get]
 func (oc *OidcController) getClientLogoHandler(c *gin.Context) {
-	imagePath, mimeType, err := oc.oidcService.GetClientLogo(c.Param("id"))
+	imagePath, mimeType, err := oc.oidcService.GetClientLogo(c.Request.Context(), c.Param("id"))
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

@@ -272,32 +537,79 @@ func (oc *OidcController) getClientLogoHandler(c *gin.Context) {
 	c.File(imagePath)
 }

+// updateClientLogoHandler godoc
+// @Summary Update client logo
+// @Description Upload or update the logo for an OIDC client
+// @Tags OIDC
+// @Accept multipart/form-data
+// @Param id path string true "Client ID"
+// @Param file formData file true "Logo image file (PNG, JPG, or SVG, max 2MB)"
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/oidc/clients/{id}/logo [post]
 func (oc *OidcController) updateClientLogoHandler(c *gin.Context) {
 	file, err := c.FormFile("file")
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

-	err = oc.oidcService.UpdateClientLogo(c.Param("id"), file)
+	err = oc.oidcService.UpdateClientLogo(c.Request.Context(), c.Param("id"), file)
 	if err != nil {
-		if errors.Is(err, common.ErrFileTypeNotSupported) {
-			utils.CustomControllerError(c, http.StatusBadRequest, err.Error())
-		} else {
-			utils.ControllerError(c, err)
-		}
+		_ = c.Error(err)
 		return
 	}

 	c.Status(http.StatusNoContent)
 }

+// deleteClientLogoHandler godoc
+// @Summary Delete client logo
+// @Description Delete the logo for an OIDC client
+// @Tags OIDC
+// @Param id path string true "Client ID"
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/oidc/clients/{id}/logo [delete]
 func (oc *OidcController) deleteClientLogoHandler(c *gin.Context) {
-	err := oc.oidcService.DeleteClientLogo(c.Param("id"))
+	err := oc.oidcService.DeleteClientLogo(c.Request.Context(), c.Param("id"))
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

 	c.Status(http.StatusNoContent)
 }
+
+// updateAllowedUserGroupsHandler godoc
+// @Summary Update allowed user groups
+// @Description Update the user groups allowed to access an OIDC client
+// @Tags OIDC
+// @Accept json
+// @Produce json
+// @Param id path string true "Client ID"
+// @Param groups body dto.OidcUpdateAllowedUserGroupsDto true "User group IDs"
+// @Success 200 {object} dto.OidcClientDto "Updated client"
+// @Security BearerAuth
+// @Router /api/oidc/clients/{id}/allowed-user-groups [put]
+func (oc *OidcController) updateAllowedUserGroupsHandler(c *gin.Context) {
+	var input dto.OidcUpdateAllowedUserGroupsDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	oidcClient, err := oc.oidcService.UpdateAllowedUserGroups(c.Request.Context(), c.Param("id"), input)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var oidcClientDto dto.OidcClientDto
+	if err := dto.MapStruct(oidcClient, &oidcClientDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, oidcClientDto)
+}
--- a/backend/internal/controller/user_controller.go
+++ b/backend/internal/controller/user_controller.go
@@ -1,201 +1,467 @@
 package controller

 import (
-	"errors"
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
-	"golang.org/x/time/rate"
 	"net/http"
-	"strconv"
 	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/utils/cookie"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"golang.org/x/time/rate"
 )

-func NewUserController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, rateLimitMiddleware *middleware.RateLimitMiddleware, userService *service.UserService) {
+// NewUserController creates a new controller for user management endpoints
+// @Summary User management controller
+// @Description Initializes all user-related API endpoints
+// @Tags Users
+func NewUserController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, rateLimitMiddleware *middleware.RateLimitMiddleware, userService *service.UserService, appConfigService *service.AppConfigService) {
 	uc := UserController{
-		UserService: userService,
+		userService:      userService,
+		appConfigService: appConfigService,
 	}

-	group.GET("/users", jwtAuthMiddleware.Add(true), uc.listUsersHandler)
-	group.GET("/users/me", jwtAuthMiddleware.Add(false), uc.getCurrentUserHandler)
-	group.GET("/users/:id", jwtAuthMiddleware.Add(true), uc.getUserHandler)
-	group.POST("/users", jwtAuthMiddleware.Add(true), uc.createUserHandler)
-	group.PUT("/users/:id", jwtAuthMiddleware.Add(true), uc.updateUserHandler)
-	group.PUT("/users/me", jwtAuthMiddleware.Add(false), uc.updateCurrentUserHandler)
-	group.DELETE("/users/:id", jwtAuthMiddleware.Add(true), uc.deleteUserHandler)
+	group.GET("/users", authMiddleware.Add(), uc.listUsersHandler)
+	group.GET("/users/me", authMiddleware.WithAdminNotRequired().Add(), uc.getCurrentUserHandler)
+	group.GET("/users/:id", authMiddleware.Add(), uc.getUserHandler)
+	group.POST("/users", authMiddleware.Add(), uc.createUserHandler)
+	group.PUT("/users/:id", authMiddleware.Add(), uc.updateUserHandler)
+	group.GET("/users/:id/groups", authMiddleware.Add(), uc.getUserGroupsHandler)
+	group.PUT("/users/me", authMiddleware.WithAdminNotRequired().Add(), uc.updateCurrentUserHandler)
+	group.DELETE("/users/:id", authMiddleware.Add(), uc.deleteUserHandler)

-	group.POST("/users/:id/one-time-access-token", jwtAuthMiddleware.Add(true), uc.createOneTimeAccessTokenHandler)
+	group.PUT("/users/:id/user-groups", authMiddleware.Add(), uc.updateUserGroups)
+
+	group.GET("/users/:id/profile-picture.png", uc.getUserProfilePictureHandler)
+
+	group.PUT("/users/:id/profile-picture", authMiddleware.Add(), uc.updateUserProfilePictureHandler)
+	group.PUT("/users/me/profile-picture", authMiddleware.WithAdminNotRequired().Add(), uc.updateCurrentUserProfilePictureHandler)
+
+	group.POST("/users/me/one-time-access-token", authMiddleware.WithAdminNotRequired().Add(), uc.createOwnOneTimeAccessTokenHandler)
+	group.POST("/users/:id/one-time-access-token", authMiddleware.Add(), uc.createAdminOneTimeAccessTokenHandler)
 	group.POST("/one-time-access-token/:token", rateLimitMiddleware.Add(rate.Every(10*time.Second), 5), uc.exchangeOneTimeAccessTokenHandler)
 	group.POST("/one-time-access-token/setup", uc.getSetupAccessTokenHandler)
+	group.POST("/one-time-access-email", rateLimitMiddleware.Add(rate.Every(10*time.Minute), 3), uc.requestOneTimeAccessEmailHandler)
+
+	group.DELETE("/users/:id/profile-picture", authMiddleware.Add(), uc.resetUserProfilePictureHandler)
+	group.DELETE("/users/me/profile-picture", authMiddleware.WithAdminNotRequired().Add(), uc.resetCurrentUserProfilePictureHandler)
 }

 type UserController struct {
-	UserService *service.UserService
+	userService      *service.UserService
+	appConfigService *service.AppConfigService
 }

-func (uc *UserController) listUsersHandler(c *gin.Context) {
-	page, _ := strconv.Atoi(c.DefaultQuery("page", "1"))
-	pageSize, _ := strconv.Atoi(c.DefaultQuery("limit", "10"))
-	searchTerm := c.Query("search")
-
-	users, pagination, err := uc.UserService.ListUsers(searchTerm, page, pageSize)
+// getUserGroupsHandler godoc
+// @Summary Get user groups
+// @Description Retrieve all groups a specific user belongs to
+// @Tags Users,User Groups
+// @Param id path string true "User ID"
+// @Success 200 {array} dto.UserGroupDtoWithUsers
+// @Router /api/users/{id}/groups [get]
+func (uc *UserController) getUserGroupsHandler(c *gin.Context) {
+	userID := c.Param("id")
+	groups, err := uc.userService.GetUserGroups(c.Request.Context(), userID)
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
+		return
+	}
+
+	var groupsDto []dto.UserGroupDtoWithUsers
+	if err := dto.MapStructList(groups, &groupsDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, groupsDto)
+}
+
+// listUsersHandler godoc
+// @Summary List users
+// @Description Get a paginated list of users with optional search and sorting
+// @Tags Users
+// @Param search query string false "Search term to filter users"
+// @Param page query int false "Page number, starting from 1" default(1)
+// @Param limit query int false "Number of items per page" default(10)
+// @Param sort_column query string false "Column to sort by" default("created_at")
+// @Param sort_direction query string false "Sort direction (asc or desc)" default("desc")
+// @Success 200 {object} dto.Paginated[dto.UserDto]
+// @Router /api/users [get]
+func (uc *UserController) listUsersHandler(c *gin.Context) {
+	searchTerm := c.Query("search")
+	var sortedPaginationRequest utils.SortedPaginationRequest
+	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	users, pagination, err := uc.userService.ListUsers(c.Request.Context(), searchTerm, sortedPaginationRequest)
+	if err != nil {
+		_ = c.Error(err)
 		return
 	}

 	var usersDto []dto.UserDto
 	if err := dto.MapStructList(users, &usersDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

-	c.JSON(http.StatusOK, gin.H{
-		"data":       usersDto,
-		"pagination": pagination,
+	c.JSON(http.StatusOK, dto.Paginated[dto.UserDto]{
+		Data:       usersDto,
+		Pagination: pagination,
 	})
 }

+// getUserHandler godoc
+// @Summary Get user by ID
+// @Description Retrieve detailed information about a specific user
+// @Tags Users
+// @Param id path string true "User ID"
+// @Success 200 {object} dto.UserDto
+// @Router /api/users/{id} [get]
 func (uc *UserController) getUserHandler(c *gin.Context) {
-	user, err := uc.UserService.GetUser(c.Param("id"))
+	user, err := uc.userService.GetUser(c.Request.Context(), c.Param("id"))
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

 	var userDto dto.UserDto
 	if err := dto.MapStruct(user, &userDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusOK, userDto)
 }

+// getCurrentUserHandler godoc
+// @Summary Get current user
+// @Description Retrieve information about the currently authenticated user
+// @Tags Users
+// @Success 200 {object} dto.UserDto
+// @Router /api/users/me [get]
 func (uc *UserController) getCurrentUserHandler(c *gin.Context) {
-	user, err := uc.UserService.GetUser(c.GetString("userID"))
+	user, err := uc.userService.GetUser(c.Request.Context(), c.GetString("userID"))
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

 	var userDto dto.UserDto
 	if err := dto.MapStruct(user, &userDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusOK, userDto)
 }

+// deleteUserHandler godoc
+// @Summary Delete user
+// @Description Delete a specific user by ID
+// @Tags Users
+// @Param id path string true "User ID"
+// @Success 204 "No Content"
+// @Router /api/users/{id} [delete]
 func (uc *UserController) deleteUserHandler(c *gin.Context) {
-	if err := uc.UserService.DeleteUser(c.Param("id")); err != nil {
-		utils.ControllerError(c, err)
+	if err := uc.userService.DeleteUser(c.Request.Context(), c.Param("id"), false); err != nil {
+		_ = c.Error(err)
 		return
 	}

 	c.Status(http.StatusNoContent)
 }

+// createUserHandler godoc
+// @Summary Create user
+// @Description Create a new user
+// @Tags Users
+// @Param user body dto.UserCreateDto true "User information"
+// @Success 201 {object} dto.UserDto
+// @Router /api/users [post]
 func (uc *UserController) createUserHandler(c *gin.Context) {
 	var input dto.UserCreateDto
 	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

-	user, err := uc.UserService.CreateUser(input)
+	user, err := uc.userService.CreateUser(c.Request.Context(), input)
 	if err != nil {
-		if errors.Is(err, common.ErrEmailTaken) || errors.Is(err, common.ErrUsernameTaken) {
-			utils.CustomControllerError(c, http.StatusConflict, err.Error())
-		} else {
-			utils.ControllerError(c, err)
-		}
+		_ = c.Error(err)
 		return
 	}

 	var userDto dto.UserDto
 	if err := dto.MapStruct(user, &userDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusCreated, userDto)
 }

+// updateUserHandler godoc
+// @Summary Update user
+// @Description Update an existing user by ID
+// @Tags Users
+// @Param id path string true "User ID"
+// @Param user body dto.UserCreateDto true "User information"
+// @Success 200 {object} dto.UserDto
+// @Router /api/users/{id} [put]
 func (uc *UserController) updateUserHandler(c *gin.Context) {
 	uc.updateUser(c, false)
 }

+// updateCurrentUserHandler godoc
+// @Summary Update current user
+// @Description Update the currently authenticated user's information
+// @Tags Users
+// @Param user body dto.UserCreateDto true "User information"
+// @Success 200 {object} dto.UserDto
+// @Router /api/users/me [put]
 func (uc *UserController) updateCurrentUserHandler(c *gin.Context) {
+	if !uc.appConfigService.GetDbConfig().AllowOwnAccountEdit.IsTrue() {
+		_ = c.Error(&common.AccountEditNotAllowedError{})
+		return
+	}
 	uc.updateUser(c, true)
 }

-func (uc *UserController) createOneTimeAccessTokenHandler(c *gin.Context) {
-	var input dto.OneTimeAccessTokenCreateDto
-	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.ControllerError(c, err)
+// getUserProfilePictureHandler godoc
+// @Summary Get user profile picture
+// @Description Retrieve a specific user's profile picture
+// @Tags Users
+// @Produce image/png
+// @Param id path string true "User ID"
+// @Success 200 {file} binary "PNG image"
+// @Router /api/users/{id}/profile-picture.png [get]
+func (uc *UserController) getUserProfilePictureHandler(c *gin.Context) {
+	userID := c.Param("id")
+
+	picture, size, err := uc.userService.GetProfilePicture(c.Request.Context(), userID)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+	if picture != nil {
+		defer picture.Close()
+	}
+
+	_, ok := c.GetQuery("skipCache")
+	if !ok {
+		c.Header("Cache-Control", "public, max-age=900")
+	}
+
+	c.DataFromReader(http.StatusOK, size, "image/png", picture, nil)
+}
+
+// updateUserProfilePictureHandler godoc
+// @Summary Update user profile picture
+// @Description Update a specific user's profile picture
+// @Tags Users
+// @Accept multipart/form-data
+// @Produce json
+// @Param id path string true "User ID"
+// @Param file formData file true "Profile picture image file (PNG, JPG, or JPEG)"
+// @Success 204 "No Content"
+// @Router /api/users/{id}/profile-picture [put]
+func (uc *UserController) updateUserProfilePictureHandler(c *gin.Context) {
+	userID := c.Param("id")
+	fileHeader, err := c.FormFile("file")
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+	file, err := fileHeader.Open()
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+	defer file.Close()
+
+	if err := uc.userService.UpdateProfilePicture(userID, file); err != nil {
+		_ = c.Error(err)
 		return
 	}

-	token, err := uc.UserService.CreateOneTimeAccessToken(input.UserID, input.ExpiresAt)
+	c.Status(http.StatusNoContent)
+}
+
+// updateCurrentUserProfilePictureHandler godoc
+// @Summary Update current user's profile picture
+// @Description Update the currently authenticated user's profile picture
+// @Tags Users
+// @Accept multipart/form-data
+// @Produce json
+// @Param file formData file true "Profile picture image file (PNG, JPG, or JPEG)"
+// @Success 204 "No Content"
+// @Router /api/users/me/profile-picture [put]
+func (uc *UserController) updateCurrentUserProfilePictureHandler(c *gin.Context) {
+	userID := c.GetString("userID")
+	fileHeader, err := c.FormFile("file")
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
+		return
+	}
+	file, err := fileHeader.Open()
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+	defer file.Close()
+
+	if err := uc.userService.UpdateProfilePicture(userID, file); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+func (uc *UserController) createOneTimeAccessTokenHandler(c *gin.Context, own bool) {
+	var input dto.OneTimeAccessTokenCreateDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	if own {
+		input.UserID = c.GetString("userID")
+	}
+	token, err := uc.userService.CreateOneTimeAccessToken(c.Request.Context(), input.UserID, input.ExpiresAt)
+	if err != nil {
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusCreated, gin.H{"token": token})
 }

+// createOwnOneTimeAccessTokenHandler godoc
+// @Summary Create one-time access token for current user
+// @Description Generate a one-time access token for the currently authenticated user
+// @Tags Users
+// @Param id path string true "User ID"
+// @Param body body dto.OneTimeAccessTokenCreateDto true "Token options"
+// @Success 201 {object} object "{ \"token\": \"string\" }"
+// @Router /api/users/{id}/one-time-access-token [post]
+func (uc *UserController) createOwnOneTimeAccessTokenHandler(c *gin.Context) {
+	uc.createOneTimeAccessTokenHandler(c, true)
+}
+
+func (uc *UserController) createAdminOneTimeAccessTokenHandler(c *gin.Context) {
+	uc.createOneTimeAccessTokenHandler(c, false)
+}
+
+func (uc *UserController) requestOneTimeAccessEmailHandler(c *gin.Context) {
+	var input dto.OneTimeAccessEmailDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	err := uc.userService.RequestOneTimeAccessEmail(c.Request.Context(), input.Email, input.RedirectPath)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+// exchangeOneTimeAccessTokenHandler godoc
+// @Summary Exchange one-time access token
+// @Description Exchange a one-time access token for a session token
+// @Tags Users
+// @Param token path string true "One-time access token"
+// @Success 200 {object} dto.UserDto
+// @Router /api/one-time-access-token/{token} [post]
 func (uc *UserController) exchangeOneTimeAccessTokenHandler(c *gin.Context) {
-	user, token, err := uc.UserService.ExchangeOneTimeAccessToken(c.Param("token"))
+	user, token, err := uc.userService.ExchangeOneTimeAccessToken(c.Request.Context(), c.Param("token"), c.ClientIP(), c.Request.UserAgent())
 	if err != nil {
-		if errors.Is(err, common.ErrTokenInvalidOrExpired) {
-			utils.CustomControllerError(c, http.StatusUnauthorized, err.Error())
-		} else {
-			utils.ControllerError(c, err)
-		}
+		_ = c.Error(err)
 		return
 	}

 	var userDto dto.UserDto
 	if err := dto.MapStruct(user, &userDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

-	c.SetCookie("access_token", token, int(time.Hour.Seconds()), "/", "", false, true)
+	maxAge := int(uc.appConfigService.GetDbConfig().SessionDuration.AsDurationMinutes().Seconds())
+	cookie.AddAccessTokenCookie(c, maxAge, token)
+
 	c.JSON(http.StatusOK, userDto)
 }

+// getSetupAccessTokenHandler godoc
+// @Summary Setup initial admin
+// @Description Generate setup access token for initial admin user configuration
+// @Tags Users
+// @Success 200 {object} dto.UserDto
+// @Router /api/one-time-access-token/setup [post]
 func (uc *UserController) getSetupAccessTokenHandler(c *gin.Context) {
-	user, token, err := uc.UserService.SetupInitialAdmin()
+	user, token, err := uc.userService.SetupInitialAdmin(c.Request.Context())
 	if err != nil {
-		if errors.Is(err, common.ErrSetupAlreadyCompleted) {
-			utils.CustomControllerError(c, http.StatusBadRequest, err.Error())
-		} else {
-			utils.ControllerError(c, err)
-		}
+		_ = c.Error(err)
 		return
 	}

 	var userDto dto.UserDto
 	if err := dto.MapStruct(user, &userDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

-	c.SetCookie("access_token", token, int(time.Hour.Seconds()), "/", "", false, true)
+	maxAge := int(uc.appConfigService.GetDbConfig().SessionDuration.AsDurationMinutes().Seconds())
+	cookie.AddAccessTokenCookie(c, maxAge, token)
+
 	c.JSON(http.StatusOK, userDto)
 }

+// updateUserGroups godoc
+// @Summary Update user groups
+// @Description Update the groups a specific user belongs to
+// @Tags Users
+// @Param id path string true "User ID"
+// @Param groups body dto.UserUpdateUserGroupDto true "User group IDs"
+// @Success 200 {object} dto.UserDto
+// @Router /api/users/{id}/user-groups [put]
+func (uc *UserController) updateUserGroups(c *gin.Context) {
+	var input dto.UserUpdateUserGroupDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	user, err := uc.userService.UpdateUserGroups(c.Request.Context(), c.Param("id"), input.UserGroupIds)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var userDto dto.UserDto
+	if err := dto.MapStruct(user, &userDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, userDto)
+}
+
+// updateUser is an internal helper method, not exposed as an API endpoint
 func (uc *UserController) updateUser(c *gin.Context, updateOwnUser bool) {
 	var input dto.UserCreateDto
 	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

@@ -206,21 +472,54 @@ func (uc *UserController) updateUser(c *gin.Context, updateOwnUser bool) {
 		userID = c.Param("id")
 	}

-	user, err := uc.UserService.UpdateUser(userID, input, updateOwnUser)
+	user, err := uc.userService.UpdateUser(c.Request.Context(), userID, input, updateOwnUser, false)
 	if err != nil {
-		if errors.Is(err, common.ErrEmailTaken) || errors.Is(err, common.ErrUsernameTaken) {
-			utils.CustomControllerError(c, http.StatusConflict, err.Error())
-		} else {
-			utils.ControllerError(c, err)
-		}
+		_ = c.Error(err)
 		return
 	}

 	var userDto dto.UserDto
 	if err := dto.MapStruct(user, &userDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusOK, userDto)
 }
+
+// resetUserProfilePictureHandler godoc
+// @Summary Reset user profile picture
+// @Description Reset a specific user's profile picture to the default
+// @Tags Users
+// @Produce json
+// @Param id path string true "User ID"
+// @Success 204 "No Content"
+// @Router /api/users/{id}/profile-picture [delete]
+func (uc *UserController) resetUserProfilePictureHandler(c *gin.Context) {
+	userID := c.Param("id")
+
+	if err := uc.userService.ResetProfilePicture(userID); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+// resetCurrentUserProfilePictureHandler godoc
+// @Summary Reset current user's profile picture
+// @Description Reset the currently authenticated user's profile picture to the default
+// @Tags Users
+// @Produce json
+// @Success 204 "No Content"
+// @Router /api/users/me/profile-picture [delete]
+func (uc *UserController) resetCurrentUserProfilePictureHandler(c *gin.Context) {
+	userID := c.GetString("userID")
+
+	if err := uc.userService.ResetProfilePicture(userID); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
--- a/backend/internal/controller/user_group_controller.go
+++ b/backend/internal/controller/user_group_controller.go
@@ -1,160 +1,226 @@
 package controller

 import (
-	"errors"
 	"net/http"
-	"strconv"

 	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )

-func NewUserGroupController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, userGroupService *service.UserGroupService) {
+// NewUserGroupController creates a new controller for user group management
+// @Summary User group management controller
+// @Description Initializes all user group-related API endpoints
+// @Tags User Groups
+func NewUserGroupController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, userGroupService *service.UserGroupService) {
 	ugc := UserGroupController{
 		UserGroupService: userGroupService,
 	}

-	group.GET("/user-groups", jwtAuthMiddleware.Add(true), ugc.list)
-	group.GET("/user-groups/:id", jwtAuthMiddleware.Add(true), ugc.get)
-	group.POST("/user-groups", jwtAuthMiddleware.Add(true), ugc.create)
-	group.PUT("/user-groups/:id", jwtAuthMiddleware.Add(true), ugc.update)
-	group.DELETE("/user-groups/:id", jwtAuthMiddleware.Add(true), ugc.delete)
-	group.PUT("/user-groups/:id/users", jwtAuthMiddleware.Add(true), ugc.updateUsers)
+	userGroupsGroup := group.Group("/user-groups")
+	userGroupsGroup.Use(authMiddleware.Add())
+	{
+		userGroupsGroup.GET("", ugc.list)
+		userGroupsGroup.GET("/:id", ugc.get)
+		userGroupsGroup.POST("", ugc.create)
+		userGroupsGroup.PUT("/:id", ugc.update)
+		userGroupsGroup.DELETE("/:id", ugc.delete)
+		userGroupsGroup.PUT("/:id/users", ugc.updateUsers)
+	}
 }

 type UserGroupController struct {
 	UserGroupService *service.UserGroupService
 }

+// list godoc
+// @Summary List user groups
+// @Description Get a paginated list of user groups with optional search and sorting
+// @Tags User Groups
+// @Param search query string false "Search term to filter user groups by name"
+// @Param page query int false "Page number, starting from 1" default(1)
+// @Param limit query int false "Number of items per page" default(10)
+// @Param sort_column query string false "Column to sort by" default("name")
+// @Param sort_direction query string false "Sort direction (asc or desc)" default("asc")
+// @Success 200 {object} dto.Paginated[dto.UserGroupDtoWithUserCount]
+// @Router /api/user-groups [get]
 func (ugc *UserGroupController) list(c *gin.Context) {
-	page, _ := strconv.Atoi(c.DefaultQuery("page", "1"))
-	pageSize, _ := strconv.Atoi(c.DefaultQuery("limit", "10"))
-	searchTerm := c.Query("search")
+	ctx := c.Request.Context()

-	groups, pagination, err := ugc.UserGroupService.List(searchTerm, page, pageSize)
-	if err != nil {
-		utils.ControllerError(c, err)
+	searchTerm := c.Query("search")
+	var sortedPaginationRequest utils.SortedPaginationRequest
+	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
+		_ = c.Error(err)
 		return
 	}

+	groups, pagination, err := ugc.UserGroupService.List(ctx, searchTerm, sortedPaginationRequest)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	// Map the user groups to DTOs
 	var groupsDto = make([]dto.UserGroupDtoWithUserCount, len(groups))
 	for i, group := range groups {
 		var groupDto dto.UserGroupDtoWithUserCount
 		if err := dto.MapStruct(group, &groupDto); err != nil {
-			utils.ControllerError(c, err)
+			_ = c.Error(err)
 			return
 		}
-		groupDto.UserCount, err = ugc.UserGroupService.GetUserCountOfGroup(group.ID)
+		groupDto.UserCount, err = ugc.UserGroupService.GetUserCountOfGroup(ctx, group.ID)
 		if err != nil {
-			utils.ControllerError(c, err)
+			_ = c.Error(err)
 			return
 		}
 		groupsDto[i] = groupDto
 	}

-	c.JSON(http.StatusOK, gin.H{
-		"data":       groupsDto,
-		"pagination": pagination,
+	c.JSON(http.StatusOK, dto.Paginated[dto.UserGroupDtoWithUserCount]{
+		Data:       groupsDto,
+		Pagination: pagination,
 	})
 }

+// get godoc
+// @Summary Get user group by ID
+// @Description Retrieve detailed information about a specific user group including its users
+// @Tags User Groups
+// @Accept json
+// @Produce json
+// @Param id path string true "User Group ID"
+// @Success 200 {object} dto.UserGroupDtoWithUsers
+// @Security BearerAuth
+// @Router /api/user-groups/{id} [get]
 func (ugc *UserGroupController) get(c *gin.Context) {
-	group, err := ugc.UserGroupService.Get(c.Param("id"))
+	group, err := ugc.UserGroupService.Get(c.Request.Context(), c.Param("id"))
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

 	var groupDto dto.UserGroupDtoWithUsers
 	if err := dto.MapStruct(group, &groupDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusOK, groupDto)
 }

+// create godoc
+// @Summary Create user group
+// @Description Create a new user group
+// @Tags User Groups
+// @Accept json
+// @Produce json
+// @Param userGroup body dto.UserGroupCreateDto true "User group information"
+// @Success 201 {object} dto.UserGroupDtoWithUsers "Created user group"
+// @Security BearerAuth
+// @Router /api/user-groups [post]
 func (ugc *UserGroupController) create(c *gin.Context) {
 	var input dto.UserGroupCreateDto
 	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

-	group, err := ugc.UserGroupService.Create(input)
+	group, err := ugc.UserGroupService.Create(c.Request.Context(), input)
 	if err != nil {
-		if errors.Is(err, common.ErrNameAlreadyInUse) {
-			utils.CustomControllerError(c, http.StatusConflict, err.Error())
-		} else {
-			utils.ControllerError(c, err)
-		}
+		_ = c.Error(err)
 		return
 	}

 	var groupDto dto.UserGroupDtoWithUsers
 	if err := dto.MapStruct(group, &groupDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusCreated, groupDto)
 }

+// update godoc
+// @Summary Update user group
+// @Description Update an existing user group by ID
+// @Tags User Groups
+// @Accept json
+// @Produce json
+// @Param id path string true "User Group ID"
+// @Param userGroup body dto.UserGroupCreateDto true "User group information"
+// @Success 200 {object} dto.UserGroupDtoWithUsers "Updated user group"
+// @Security BearerAuth
+// @Router /api/user-groups/{id} [put]
 func (ugc *UserGroupController) update(c *gin.Context) {
 	var input dto.UserGroupCreateDto
 	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

-	group, err := ugc.UserGroupService.Update(c.Param("id"), input)
+	group, err := ugc.UserGroupService.Update(c.Request.Context(), c.Param("id"), input)
 	if err != nil {
-		if errors.Is(err, common.ErrNameAlreadyInUse) {
-			utils.CustomControllerError(c, http.StatusConflict, err.Error())
-		} else {
-			utils.ControllerError(c, err)
-		}
+		_ = c.Error(err)
 		return
 	}

 	var groupDto dto.UserGroupDtoWithUsers
 	if err := dto.MapStruct(group, &groupDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusOK, groupDto)
 }

+// delete godoc
+// @Summary Delete user group
+// @Description Delete a specific user group by ID
+// @Tags User Groups
+// @Accept json
+// @Produce json
+// @Param id path string true "User Group ID"
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/user-groups/{id} [delete]
 func (ugc *UserGroupController) delete(c *gin.Context) {
-	if err := ugc.UserGroupService.Delete(c.Param("id")); err != nil {
-		utils.ControllerError(c, err)
+	if err := ugc.UserGroupService.Delete(c.Request.Context(), c.Param("id")); err != nil {
+		_ = c.Error(err)
 		return
 	}

 	c.Status(http.StatusNoContent)
 }

+// updateUsers godoc
+// @Summary Update users in a group
+// @Description Update the list of users belonging to a specific user group
+// @Tags User Groups
+// @Accept json
+// @Produce json
+// @Param id path string true "User Group ID"
+// @Param users body dto.UserGroupUpdateUsersDto true "List of user IDs to assign to this group"
+// @Success 200 {object} dto.UserGroupDtoWithUsers
+// @Security BearerAuth
+// @Router /api/user-groups/{id}/users [put]
 func (ugc *UserGroupController) updateUsers(c *gin.Context) {
 	var input dto.UserGroupUpdateUsersDto
 	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

-	group, err := ugc.UserGroupService.UpdateUsers(c.Param("id"), input)
+	group, err := ugc.UserGroupService.UpdateUsers(c.Request.Context(), c.Param("id"), input.UserIDs)
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

 	var groupDto dto.UserGroupDtoWithUsers
 	if err := dto.MapStruct(group, &groupDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

--- a/backend/internal/controller/webauthn_controller.go
+++ b/backend/internal/controller/webauthn_controller.go
@@ -1,68 +1,69 @@
 package controller

 import (
-	"errors"
-	"github.com/go-webauthn/webauthn/protocol"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
 	"net/http"
 	"time"

+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/cookie"
+
 	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 	"golang.org/x/time/rate"
 )

-func NewWebauthnController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, rateLimitMiddleware *middleware.RateLimitMiddleware, webauthnService *service.WebAuthnService) {
-	wc := &WebauthnController{webAuthnService: webauthnService}
-	group.GET("/webauthn/register/start", jwtAuthMiddleware.Add(false), wc.beginRegistrationHandler)
-	group.POST("/webauthn/register/finish", jwtAuthMiddleware.Add(false), wc.verifyRegistrationHandler)
+func NewWebauthnController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, rateLimitMiddleware *middleware.RateLimitMiddleware, webauthnService *service.WebAuthnService, appConfigService *service.AppConfigService) {
+	wc := &WebauthnController{webAuthnService: webauthnService, appConfigService: appConfigService}
+	group.GET("/webauthn/register/start", authMiddleware.WithAdminNotRequired().Add(), wc.beginRegistrationHandler)
+	group.POST("/webauthn/register/finish", authMiddleware.WithAdminNotRequired().Add(), wc.verifyRegistrationHandler)

 	group.GET("/webauthn/login/start", wc.beginLoginHandler)
 	group.POST("/webauthn/login/finish", rateLimitMiddleware.Add(rate.Every(10*time.Second), 5), wc.verifyLoginHandler)

-	group.POST("/webauthn/logout", jwtAuthMiddleware.Add(false), wc.logoutHandler)
+	group.POST("/webauthn/logout", authMiddleware.WithAdminNotRequired().Add(), wc.logoutHandler)

-	group.GET("/webauthn/credentials", jwtAuthMiddleware.Add(false), wc.listCredentialsHandler)
-	group.PATCH("/webauthn/credentials/:id", jwtAuthMiddleware.Add(false), wc.updateCredentialHandler)
-	group.DELETE("/webauthn/credentials/:id", jwtAuthMiddleware.Add(false), wc.deleteCredentialHandler)
+	group.GET("/webauthn/credentials", authMiddleware.WithAdminNotRequired().Add(), wc.listCredentialsHandler)
+	group.PATCH("/webauthn/credentials/:id", authMiddleware.WithAdminNotRequired().Add(), wc.updateCredentialHandler)
+	group.DELETE("/webauthn/credentials/:id", authMiddleware.WithAdminNotRequired().Add(), wc.deleteCredentialHandler)
 }

 type WebauthnController struct {
-	webAuthnService *service.WebAuthnService
+	webAuthnService  *service.WebAuthnService
+	appConfigService *service.AppConfigService
 }

 func (wc *WebauthnController) beginRegistrationHandler(c *gin.Context) {
 	userID := c.GetString("userID")
-	options, err := wc.webAuthnService.BeginRegistration(userID)
+	options, err := wc.webAuthnService.BeginRegistration(c.Request.Context(), userID)
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

-	c.SetCookie("session_id", options.SessionID, int(options.Timeout.Seconds()), "/", "", false, true)
+	cookie.AddSessionIdCookie(c, int(options.Timeout.Seconds()), options.SessionID)
 	c.JSON(http.StatusOK, options.Response)
 }

 func (wc *WebauthnController) verifyRegistrationHandler(c *gin.Context) {
-	sessionID, err := c.Cookie("session_id")
+	sessionID, err := c.Cookie(cookie.SessionIdCookieName)
 	if err != nil {
-		utils.CustomControllerError(c, http.StatusBadRequest, "Session ID missing")
+		_ = c.Error(&common.MissingSessionIdError{})
 		return
 	}

 	userID := c.GetString("userID")
-	credential, err := wc.webAuthnService.VerifyRegistration(sessionID, userID, c.Request)
+	credential, err := wc.webAuthnService.VerifyRegistration(c.Request.Context(), sessionID, userID, c.Request)
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

 	var credentialDto dto.WebauthnCredentialDto
 	if err := dto.MapStruct(credential, &credentialDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

@@ -70,62 +71,58 @@ func (wc *WebauthnController) verifyRegistrationHandler(c *gin.Context) {
 }

 func (wc *WebauthnController) beginLoginHandler(c *gin.Context) {
-	options, err := wc.webAuthnService.BeginLogin()
+	options, err := wc.webAuthnService.BeginLogin(c.Request.Context())
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

-	c.SetCookie("session_id", options.SessionID, int(options.Timeout.Seconds()), "/", "", false, true)
+	cookie.AddSessionIdCookie(c, int(options.Timeout.Seconds()), options.SessionID)
 	c.JSON(http.StatusOK, options.Response)
 }

 func (wc *WebauthnController) verifyLoginHandler(c *gin.Context) {
-	sessionID, err := c.Cookie("session_id")
+	sessionID, err := c.Cookie(cookie.SessionIdCookieName)
 	if err != nil {
-		utils.CustomControllerError(c, http.StatusBadRequest, "Session ID missing")
+		_ = c.Error(&common.MissingSessionIdError{})
 		return
 	}

 	credentialAssertionData, err := protocol.ParseCredentialRequestResponseBody(c.Request.Body)
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

-	userID := c.GetString("userID")
-
-	user, token, err := wc.webAuthnService.VerifyLogin(sessionID, userID, credentialAssertionData, c.ClientIP(), c.Request.UserAgent())
+	user, token, err := wc.webAuthnService.VerifyLogin(c.Request.Context(), sessionID, credentialAssertionData, c.ClientIP(), c.Request.UserAgent())
 	if err != nil {
-		if errors.Is(err, common.ErrInvalidCredentials) {
-			utils.CustomControllerError(c, http.StatusUnauthorized, err.Error())
-		} else {
-			utils.ControllerError(c, err)
-		}
+		_ = c.Error(err)
 		return
 	}

 	var userDto dto.UserDto
 	if err := dto.MapStruct(user, &userDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

-	c.SetCookie("access_token", token, int(time.Hour.Seconds()), "/", "", false, true)
+	maxAge := int(wc.appConfigService.GetDbConfig().SessionDuration.AsDurationMinutes().Seconds())
+	cookie.AddAccessTokenCookie(c, maxAge, token)
+
 	c.JSON(http.StatusOK, userDto)
 }

 func (wc *WebauthnController) listCredentialsHandler(c *gin.Context) {
 	userID := c.GetString("userID")
-	credentials, err := wc.webAuthnService.ListCredentials(userID)
+	credentials, err := wc.webAuthnService.ListCredentials(c.Request.Context(), userID)
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

 	var credentialDtos []dto.WebauthnCredentialDto
 	if err := dto.MapStructList(credentials, &credentialDtos); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

@@ -136,9 +133,9 @@ func (wc *WebauthnController) deleteCredentialHandler(c *gin.Context) {
 	userID := c.GetString("userID")
 	credentialID := c.Param("id")

-	err := wc.webAuthnService.DeleteCredential(userID, credentialID)
+	err := wc.webAuthnService.DeleteCredential(c.Request.Context(), userID, credentialID)
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

@@ -151,19 +148,19 @@ func (wc *WebauthnController) updateCredentialHandler(c *gin.Context) {

 	var input dto.WebauthnCredentialUpdateDto
 	if err := c.ShouldBindJSON(&input); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

-	credential, err := wc.webAuthnService.UpdateCredential(userID, credentialID, input.Name)
+	credential, err := wc.webAuthnService.UpdateCredential(c.Request.Context(), userID, credentialID, input.Name)
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

 	var credentialDto dto.WebauthnCredentialDto
 	if err := dto.MapStruct(credential, &credentialDto); err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

@@ -171,6 +168,6 @@ func (wc *WebauthnController) updateCredentialHandler(c *gin.Context) {
 }

 func (wc *WebauthnController) logoutHandler(c *gin.Context) {
-	c.SetCookie("access_token", "", 0, "/", "", false, true)
+	cookie.AddAccessTokenCookie(c, 0, "")
 	c.Status(http.StatusNoContent)
 }
--- a/backend/internal/controller/well_known_controller.go
+++ b/backend/internal/controller/well_known_controller.go
@@ -1,46 +1,87 @@
 package controller

 import (
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"encoding/json"
+	"fmt"
+	"log"
 	"net/http"
+
+	"github.com/gin-gonic/gin"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )

+// NewWellKnownController creates a new controller for OIDC discovery endpoints
+// @Summary OIDC Discovery controller
+// @Description Initializes OIDC discovery and JWKS endpoints
+// @Tags Well Known
 func NewWellKnownController(group *gin.RouterGroup, jwtService *service.JwtService) {
 	wkc := &WellKnownController{jwtService: jwtService}
+
+	// Pre-compute the OIDC configuration document, which is static
+	var err error
+	wkc.oidcConfig, err = wkc.computeOIDCConfiguration()
+	if err != nil {
+		log.Fatalf("Failed to pre-compute OpenID Connect configuration document: %v", err)
+	}
+
 	group.GET("/.well-known/jwks.json", wkc.jwksHandler)
 	group.GET("/.well-known/openid-configuration", wkc.openIDConfigurationHandler)
 }

 type WellKnownController struct {
 	jwtService *service.JwtService
+	oidcConfig []byte
 }

+// jwksHandler godoc
+// @Summary Get JSON Web Key Set (JWKS)
+// @Description Returns the JSON Web Key Set used for token verification
+// @Tags Well Known
+// @Produce json
+// @Success 200 {object} object "{ \"keys\": []interface{} }"
+// @Router /.well-known/jwks.json [get]
 func (wkc *WellKnownController) jwksHandler(c *gin.Context) {
-	jwk, err := wkc.jwtService.GetJWK()
+	jwks, err := wkc.jwtService.GetPublicJWKSAsJSON()
 	if err != nil {
-		utils.ControllerError(c, err)
+		_ = c.Error(err)
 		return
 	}

-	c.JSON(http.StatusOK, gin.H{"keys": []interface{}{jwk}})
+	c.Data(http.StatusOK, "application/json; charset=utf-8", jwks)
 }

+// openIDConfigurationHandler godoc
+// @Summary Get OpenID Connect discovery configuration
+// @Description Returns the OpenID Connect discovery document with endpoints and capabilities
+// @Tags Well Known
+// @Success 200 {object} object "OpenID Connect configuration"
+// @Router /.well-known/openid-configuration [get]
 func (wkc *WellKnownController) openIDConfigurationHandler(c *gin.Context) {
+	c.Data(http.StatusOK, "application/json; charset=utf-8", wkc.oidcConfig)
+}
+
+func (wkc *WellKnownController) computeOIDCConfiguration() ([]byte, error) {
 	appUrl := common.EnvConfig.AppURL
-	config := map[string]interface{}{
+	alg, err := wkc.jwtService.GetKeyAlg()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get key algorithm: %w", err)
+	}
+	config := map[string]any{
 		"issuer":                                appUrl,
 		"authorization_endpoint":                appUrl + "/authorize",
 		"token_endpoint":                        appUrl + "/api/oidc/token",
 		"userinfo_endpoint":                     appUrl + "/api/oidc/userinfo",
+		"end_session_endpoint":                  appUrl + "/api/oidc/end-session",
+		"introspection_endpoint":                appUrl + "/api/oidc/introspect",
 		"jwks_uri":                              appUrl + "/.well-known/jwks.json",
-		"scopes_supported":                      []string{"openid", "profile", "email"},
-		"claims_supported":                      []string{"sub", "given_name", "family_name", "name", "email", "preferred_username"},
+		"grant_types_supported":                 []string{"authorization_code", "refresh_token"},
+		"scopes_supported":                      []string{"openid", "profile", "email", "groups"},
+		"claims_supported":                      []string{"sub", "given_name", "family_name", "name", "email", "email_verified", "preferred_username", "picture", "groups"},
 		"response_types_supported":              []string{"code", "id_token"},
 		"subject_types_supported":               []string{"public"},
-		"id_token_signing_alg_values_supported": []string{"RS256"},
+		"id_token_signing_alg_values_supported": []string{alg.String()},
 	}
-	c.JSON(http.StatusOK, config)
+	return json.Marshal(config)
 }
--- a/backend/internal/dto/api_key_dto.go
+++ b/backend/internal/dto/api_key_dto.go
@@ -0,0 +1,25 @@
+package dto
+
+import (
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+)
+
+type ApiKeyCreateDto struct {
+	Name        string            `json:"name" binding:"required,min=3,max=50"`
+	Description string            `json:"description"`
+	ExpiresAt   datatype.DateTime `json:"expiresAt" binding:"required"`
+}
+
+type ApiKeyDto struct {
+	ID          string             `json:"id"`
+	Name        string             `json:"name"`
+	Description string             `json:"description"`
+	ExpiresAt   datatype.DateTime  `json:"expiresAt"`
+	LastUsedAt  *datatype.DateTime `json:"lastUsedAt"`
+	CreatedAt   datatype.DateTime  `json:"createdAt"`
+}
+
+type ApiKeyResponseDto struct {
+	ApiKey ApiKeyDto `json:"apiKey"`
+	Token  string    `json:"token"`
+}
--- a/backend/internal/dto/app_config_dto.go
+++ b/backend/internal/dto/app_config_dto.go
@@ -12,12 +12,36 @@ type AppConfigVariableDto struct {
 }

 type AppConfigUpdateDto struct {
-	AppName         string `json:"appName" binding:"required,min=1,max=30"`
-	SessionDuration string `json:"sessionDuration" binding:"required"`
-	EmailEnabled    string `json:"emailEnabled" binding:"required"`
-	SmtHost         string `json:"smtpHost"`
-	SmtpPort        string `json:"smtpPort"`
-	SmtpFrom        string `json:"smtpFrom" binding:"omitempty,email"`
-	SmtpUser        string `json:"smtpUser"`
-	SmtpPassword    string `json:"smtpPassword"`
+	AppName                            string `json:"appName" binding:"required,min=1,max=30"`
+	SessionDuration                    string `json:"sessionDuration" binding:"required"`
+	EmailsVerified                     string `json:"emailsVerified" binding:"required"`
+	DisableAnimations                  string `json:"disableAnimations" binding:"required"`
+	AllowOwnAccountEdit                string `json:"allowOwnAccountEdit" binding:"required"`
+	SmtpHost                           string `json:"smtpHost"`
+	SmtpPort                           string `json:"smtpPort"`
+	SmtpFrom                           string `json:"smtpFrom" binding:"omitempty,email"`
+	SmtpUser                           string `json:"smtpUser"`
+	SmtpPassword                       string `json:"smtpPassword"`
+	SmtpTls                            string `json:"smtpTls" binding:"required,oneof=none starttls tls"`
+	SmtpSkipCertVerify                 string `json:"smtpSkipCertVerify"`
+	LdapEnabled                        string `json:"ldapEnabled" binding:"required"`
+	LdapUrl                            string `json:"ldapUrl"`
+	LdapBindDn                         string `json:"ldapBindDn"`
+	LdapBindPassword                   string `json:"ldapBindPassword"`
+	LdapBase                           string `json:"ldapBase"`
+	LdapUserSearchFilter               string `json:"ldapUserSearchFilter"`
+	LdapUserGroupSearchFilter          string `json:"ldapUserGroupSearchFilter"`
+	LdapSkipCertVerify                 string `json:"ldapSkipCertVerify"`
+	LdapAttributeUserUniqueIdentifier  string `json:"ldapAttributeUserUniqueIdentifier"`
+	LdapAttributeUserUsername          string `json:"ldapAttributeUserUsername"`
+	LdapAttributeUserEmail             string `json:"ldapAttributeUserEmail"`
+	LdapAttributeUserFirstName         string `json:"ldapAttributeUserFirstName"`
+	LdapAttributeUserLastName          string `json:"ldapAttributeUserLastName"`
+	LdapAttributeUserProfilePicture    string `json:"ldapAttributeUserProfilePicture"`
+	LdapAttributeGroupMember           string `json:"ldapAttributeGroupMember"`
+	LdapAttributeGroupUniqueIdentifier string `json:"ldapAttributeGroupUniqueIdentifier"`
+	LdapAttributeGroupName             string `json:"ldapAttributeGroupName"`
+	LdapAttributeAdminGroup            string `json:"ldapAttributeAdminGroup"`
+	EmailOneTimeAccessEnabled          string `json:"emailOneTimeAccessEnabled" binding:"required"`
+	EmailLoginNotificationEnabled      string `json:"emailLoginNotificationEnabled" binding:"required"`
 }
--- a/backend/internal/dto/audit_log_dto.go
+++ b/backend/internal/dto/audit_log_dto.go
@@ -1,13 +1,13 @@
 package dto

 import (
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	"time"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )

 type AuditLogDto struct {
-	ID        string    `json:"id"`
-	CreatedAt time.Time `json:"createdAt"`
+	ID        string            `json:"id"`
+	CreatedAt datatype.DateTime `json:"createdAt"`

 	Event     model.AuditLogEvent `json:"event"`
 	IpAddress string              `json:"ipAddress"`
@@ -15,5 +15,12 @@ type AuditLogDto struct {
 	City      string              `json:"city"`
 	Device    string              `json:"device"`
 	UserID    string              `json:"userID"`
+	Username  string              `json:"username"`
 	Data      model.AuditLogData  `json:"data"`
 }
+
+type AuditLogFilterDto struct {
+	UserID     string `form:"filters[userId]"`
+	Event      string `form:"filters[event]"`
+	ClientName string `form:"filters[clientName]"`
+}
--- a/backend/internal/dto/custom_claim_dto.go
+++ b/backend/internal/dto/custom_claim_dto.go
@@ -0,0 +1,11 @@
+package dto
+
+type CustomClaimDto struct {
+	Key   string `json:"key"`
+	Value string `json:"value"`
+}
+
+type CustomClaimCreateDto struct {
+	Key   string `json:"key" binding:"required"`
+	Value string `json:"value" binding:"required"`
+}
--- a/backend/internal/dto/dto_mapper.go
+++ b/backend/internal/dto/dto_mapper.go
@@ -2,9 +2,10 @@ package dto

 import (
 	"errors"
-	"github.com/stonith404/pocket-id/backend/internal/model/types"
 	"reflect"
 	"time"
+
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )

 // MapStructList maps a list of source structs to a list of destination structs
@@ -39,13 +40,11 @@ func MapStruct[S any, D any](source S, destination *D) error {
 }

 func mapStructInternal(sourceVal reflect.Value, destVal reflect.Value) error {
-	// Loop through the fields of the destination struct
 	for i := 0; i < destVal.NumField(); i++ {
 		destField := destVal.Field(i)
 		destFieldType := destVal.Type().Field(i)

 		if destFieldType.Anonymous {
-			// Recursively handle embedded structs
 			if err := mapStructInternal(sourceVal, destField); err != nil {
 				return err
 			}
@@ -54,63 +53,57 @@ func mapStructInternal(sourceVal reflect.Value, destVal reflect.Value) error {

 		sourceField := sourceVal.FieldByName(destFieldType.Name)

-		// If the source field is valid and can be assigned to the destination field
 		if sourceField.IsValid() && destField.CanSet() {
-			// Handle direct assignment for simple types
-			if sourceField.Type() == destField.Type() {
-				destField.Set(sourceField)
-
-			} else if sourceField.Kind() == reflect.Slice && destField.Kind() == reflect.Slice {
-				// Handle slices
-				if sourceField.Type().Elem() == destField.Type().Elem() {
-					// Direct assignment for slices of primitive types or non-struct elements
-					newSlice := reflect.MakeSlice(destField.Type(), sourceField.Len(), sourceField.Cap())
-
-					for j := 0; j < sourceField.Len(); j++ {
-						newSlice.Index(j).Set(sourceField.Index(j))
-					}
-
-					destField.Set(newSlice)
-
-				} else if sourceField.Type().Elem().Kind() == reflect.Struct && destField.Type().Elem().Kind() == reflect.Struct {
-					// Recursively map slices of structs
-					newSlice := reflect.MakeSlice(destField.Type(), sourceField.Len(), sourceField.Cap())
-
-					for j := 0; j < sourceField.Len(); j++ {
-						// Get the element from both source and destination slice
-						sourceElem := sourceField.Index(j)
-						destElem := reflect.New(destField.Type().Elem()).Elem()
-
-						// Recursively map the struct elements
-						if err := mapStructInternal(sourceElem, destElem); err != nil {
-							return err
-						}
-
-						// Set the mapped element in the new slice
-						newSlice.Index(j).Set(destElem)
-					}
-
-					destField.Set(newSlice)
-				}
-			} else if sourceField.Kind() == reflect.Struct && destField.Kind() == reflect.Struct {
-				// Recursively map nested structs
-				if err := mapStructInternal(sourceField, destField); err != nil {
-					return err
-				}
-			} else {
-				// Type switch for specific type conversions
-				switch sourceField.Interface().(type) {
-				case datatype.DateTime:
-					// Convert datatype.DateTime to time.Time
-					if sourceField.Type() == reflect.TypeOf(datatype.DateTime{}) && destField.Type() == reflect.TypeOf(time.Time{}) {
-						dateValue := sourceField.Interface().(datatype.DateTime)
-						destField.Set(reflect.ValueOf(dateValue.ToTime()))
-					}
-				}
+			if err := mapField(sourceField, destField); err != nil {
+				return err
 			}
-
 		}
 	}
-
+	return nil
+}
+
+func mapField(sourceField reflect.Value, destField reflect.Value) error {
+	switch {
+	case sourceField.Type() == destField.Type():
+		destField.Set(sourceField)
+	case sourceField.Kind() == reflect.Slice && destField.Kind() == reflect.Slice:
+		return mapSlice(sourceField, destField)
+	case sourceField.Kind() == reflect.Struct && destField.Kind() == reflect.Struct:
+		return mapStructInternal(sourceField, destField)
+	default:
+		return mapSpecialTypes(sourceField, destField)
+	}
+	return nil
+}
+
+func mapSlice(sourceField reflect.Value, destField reflect.Value) error {
+	if sourceField.Type().Elem() == destField.Type().Elem() {
+		newSlice := reflect.MakeSlice(destField.Type(), sourceField.Len(), sourceField.Cap())
+		for j := 0; j < sourceField.Len(); j++ {
+			newSlice.Index(j).Set(sourceField.Index(j))
+		}
+		destField.Set(newSlice)
+	} else if sourceField.Type().Elem().Kind() == reflect.Struct && destField.Type().Elem().Kind() == reflect.Struct {
+		newSlice := reflect.MakeSlice(destField.Type(), sourceField.Len(), sourceField.Cap())
+		for j := 0; j < sourceField.Len(); j++ {
+			sourceElem := sourceField.Index(j)
+			destElem := reflect.New(destField.Type().Elem()).Elem()
+			if err := mapStructInternal(sourceElem, destElem); err != nil {
+				return err
+			}
+			newSlice.Index(j).Set(destElem)
+		}
+		destField.Set(newSlice)
+	}
+	return nil
+}
+
+func mapSpecialTypes(sourceField reflect.Value, destField reflect.Value) error {
+	if _, ok := sourceField.Interface().(datatype.DateTime); ok {
+		if sourceField.Type() == reflect.TypeOf(datatype.DateTime{}) && destField.Type() == reflect.TypeOf(time.Time{}) {
+			dateValue := sourceField.Interface().(datatype.DateTime)
+			destField.Set(reflect.ValueOf(dateValue.ToTime()))
+		}
+	}
 	return nil
 }
--- a/backend/internal/dto/oidc_dto.go
+++ b/backend/internal/dto/oidc_dto.go
@@ -1,27 +1,39 @@
 package dto

-type PublicOidcClientDto struct {
+type OidcClientMetaDataDto struct {
 	ID      string `json:"id"`
 	Name    string `json:"name"`
 	HasLogo bool   `json:"hasLogo"`
 }

 type OidcClientDto struct {
-	PublicOidcClientDto
-	CallbackURLs []string `json:"callbackURLs"`
-	CreatedBy    UserDto  `json:"createdBy"`
+	OidcClientMetaDataDto
+	CallbackURLs       []string `json:"callbackURLs"`
+	LogoutCallbackURLs []string `json:"logoutCallbackURLs"`
+	IsPublic           bool     `json:"isPublic"`
+	PkceEnabled        bool     `json:"pkceEnabled"`
+}
+
+type OidcClientWithAllowedUserGroupsDto struct {
+	OidcClientDto
+	AllowedUserGroups []UserGroupDtoWithUserCount `json:"allowedUserGroups"`
 }

 type OidcClientCreateDto struct {
-	Name         string   `json:"name" binding:"required,max=50"`
-	CallbackURLs []string `json:"callbackURLs" binding:"required,urlList"`
+	Name               string   `json:"name" binding:"required,max=50"`
+	CallbackURLs       []string `json:"callbackURLs" binding:"required"`
+	LogoutCallbackURLs []string `json:"logoutCallbackURLs"`
+	IsPublic           bool     `json:"isPublic"`
+	PkceEnabled        bool     `json:"pkceEnabled"`
 }

 type AuthorizeOidcClientRequestDto struct {
-	ClientID    string `json:"clientID" binding:"required"`
-	Scope       string `json:"scope" binding:"required"`
-	CallbackURL string `json:"callbackURL"`
-	Nonce       string `json:"nonce"`
+	ClientID            string `json:"clientID" binding:"required"`
+	Scope               string `json:"scope" binding:"required"`
+	CallbackURL         string `json:"callbackURL"`
+	Nonce               string `json:"nonce"`
+	CodeChallenge       string `json:"codeChallenge"`
+	CodeChallengeMethod string `json:"codeChallengeMethod"`
 }

 type AuthorizeOidcClientResponseDto struct {
@@ -29,9 +41,52 @@ type AuthorizeOidcClientResponseDto struct {
 	CallbackURL string `json:"callbackURL"`
 }

-type OidcIdTokenDto struct {
+type AuthorizationRequiredDto struct {
+	ClientID string `json:"clientID" binding:"required"`
+	Scope    string `json:"scope" binding:"required"`
+}
+
+type OidcCreateTokensDto struct {
 	GrantType    string `form:"grant_type" binding:"required"`
-	Code         string `form:"code" binding:"required"`
+	Code         string `form:"code"`
 	ClientID     string `form:"client_id"`
 	ClientSecret string `form:"client_secret"`
+	CodeVerifier string `form:"code_verifier"`
+	RefreshToken string `form:"refresh_token"`
+}
+
+type OidcIntrospectDto struct {
+	Token string `form:"token" binding:"required"`
+}
+
+type OidcUpdateAllowedUserGroupsDto struct {
+	UserGroupIDs []string `json:"userGroupIds" binding:"required"`
+}
+
+type OidcLogoutDto struct {
+	IdTokenHint           string `form:"id_token_hint"`
+	ClientId              string `form:"client_id"`
+	PostLogoutRedirectUri string `form:"post_logout_redirect_uri"`
+	State                 string `form:"state"`
+}
+
+type OidcTokenResponseDto struct {
+	AccessToken  string `json:"access_token"`
+	TokenType    string `json:"token_type"`
+	IdToken      string `json:"id_token,omitempty"`
+	RefreshToken string `json:"refresh_token,omitempty"`
+	ExpiresIn    int    `json:"expires_in"`
+}
+
+type OidcIntrospectionResponseDto struct {
+	Active     bool     `json:"active"`
+	TokenType  string   `json:"token_type,omitempty"`
+	Scope      string   `json:"scope,omitempty"`
+	Expiration int64    `json:"exp,omitempty"`
+	IssuedAt   int64    `json:"iat,omitempty"`
+	NotBefore  int64    `json:"nbf,omitempty"`
+	Subject    string   `json:"sub,omitempty"`
+	Audience   []string `json:"aud,omitempty"`
+	Issuer     string   `json:"iss,omitempty"`
+	Identifier string   `json:"jti,omitempty"`
 }
--- a/backend/internal/dto/pagination_dto.go
+++ b/backend/internal/dto/pagination_dto.go
@@ -0,0 +1,10 @@
+package dto
+
+import "github.com/pocket-id/pocket-id/backend/internal/utils"
+
+type Pagination = utils.PaginationResponse
+
+type Paginated[T any] struct {
+	Data       []T        `json:"data"`
+	Pagination Pagination `json:"pagination"`
+}
--- a/backend/internal/dto/user_dto.go
+++ b/backend/internal/dto/user_dto.go
@@ -3,23 +3,38 @@ package dto
 import "time"

 type UserDto struct {
-	ID        string `json:"id"`
-	Username  string `json:"username"`
-	Email     string `json:"email" `
-	FirstName string `json:"firstName"`
-	LastName  string `json:"lastName"`
-	IsAdmin   bool   `json:"isAdmin"`
+	ID           string           `json:"id"`
+	Username     string           `json:"username"`
+	Email        string           `json:"email" `
+	FirstName    string           `json:"firstName"`
+	LastName     string           `json:"lastName"`
+	IsAdmin      bool             `json:"isAdmin"`
+	Locale       *string          `json:"locale"`
+	CustomClaims []CustomClaimDto `json:"customClaims"`
+	UserGroups   []UserGroupDto   `json:"userGroups"`
+	LdapID       *string          `json:"ldapId"`
 }

 type UserCreateDto struct {
-	Username  string `json:"username" binding:"required,username,min=3,max=20"`
-	Email     string `json:"email" binding:"required,email"`
-	FirstName string `json:"firstName" binding:"required,min=3,max=30"`
-	LastName  string `json:"lastName" binding:"required,min=3,max=30"`
-	IsAdmin   bool   `json:"isAdmin"`
+	Username  string  `json:"username" binding:"required,username,min=2,max=50"`
+	Email     string  `json:"email" binding:"required,email"`
+	FirstName string  `json:"firstName" binding:"required,min=1,max=50"`
+	LastName  string  `json:"lastName" binding:"required,min=1,max=50"`
+	IsAdmin   bool    `json:"isAdmin"`
+	Locale    *string `json:"locale"`
+	LdapID    string  `json:"-"`
 }

 type OneTimeAccessTokenCreateDto struct {
-	UserID    string    `json:"userId" binding:"required"`
+	UserID    string    `json:"userId"`
 	ExpiresAt time.Time `json:"expiresAt" binding:"required"`
 }
+
+type OneTimeAccessEmailDto struct {
+	Email        string `json:"email" binding:"required,email"`
+	RedirectPath string `json:"redirectPath"`
+}
+
+type UserUpdateUserGroupDto struct {
+	UserGroupIds []string `json:"userGroupIds" binding:"required"`
+}
--- a/backend/internal/dto/user_group_dto.go
+++ b/backend/internal/dto/user_group_dto.go
@@ -1,32 +1,44 @@
 package dto

-import "time"
+import (
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+)
+
+type UserGroupDto struct {
+	ID           string            `json:"id"`
+	FriendlyName string            `json:"friendlyName"`
+	Name         string            `json:"name"`
+	CustomClaims []CustomClaimDto  `json:"customClaims"`
+	LdapID       *string           `json:"ldapId"`
+	CreatedAt    datatype.DateTime `json:"createdAt"`
+}

 type UserGroupDtoWithUsers struct {
-	ID           string    `json:"id"`
-	FriendlyName string    `json:"friendlyName"`
-	Name         string    `json:"name"`
-	Users        []UserDto `json:"users"`
-	CreatedAt    time.Time `json:"createdAt"`
+	ID           string            `json:"id"`
+	FriendlyName string            `json:"friendlyName"`
+	Name         string            `json:"name"`
+	CustomClaims []CustomClaimDto  `json:"customClaims"`
+	Users        []UserDto         `json:"users"`
+	LdapID       *string           `json:"ldapId"`
+	CreatedAt    datatype.DateTime `json:"createdAt"`
 }

 type UserGroupDtoWithUserCount struct {
-	ID           string    `json:"id"`
-	FriendlyName string    `json:"friendlyName"`
-	Name         string    `json:"name"`
-	UserCount    int64     `json:"userCount"`
-	CreatedAt    time.Time `json:"createdAt"`
+	ID           string            `json:"id"`
+	FriendlyName string            `json:"friendlyName"`
+	Name         string            `json:"name"`
+	CustomClaims []CustomClaimDto  `json:"customClaims"`
+	UserCount    int64             `json:"userCount"`
+	LdapID       *string           `json:"ldapId"`
+	CreatedAt    datatype.DateTime `json:"createdAt"`
 }

 type UserGroupCreateDto struct {
-	FriendlyName string `json:"friendlyName" binding:"required,min=3,max=30"`
-	Name         string `json:"name" binding:"required,min=3,max=30,userGroupName"`
+	FriendlyName string `json:"friendlyName" binding:"required,min=2,max=50"`
+	Name         string `json:"name" binding:"required,min=2,max=255"`
+	LdapID       string `json:"-"`
 }

 type UserGroupUpdateUsersDto struct {
 	UserIDs []string `json:"userIds" binding:"required"`
 }
-
-type AssignUserToGroupDto struct {
-	UserID string `json:"userId" binding:"required"`
-}
--- a/backend/internal/dto/validations.go
+++ b/backend/internal/dto/validations.go
@@ -1,24 +1,13 @@
 package dto

 import (
+	"log"
+	"regexp"
+
 	"github.com/gin-gonic/gin/binding"
 	"github.com/go-playground/validator/v10"
-	"log"
-	"net/url"
-	"regexp"
 )

-var validateUrlList validator.Func = func(fl validator.FieldLevel) bool {
-	urls := fl.Field().Interface().([]string)
-	for _, u := range urls {
-		_, err := url.ParseRequestURI(u)
-		if err != nil {
-			return false
-		}
-	}
-	return true
-}
-
 var validateUsername validator.Func = func(fl validator.FieldLevel) bool {
 	// [a-zA-Z0-9]      : The username must start with an alphanumeric character
 	// [a-zA-Z0-9_.@-]* : The rest of the username can contain alphanumeric characters, dots, underscores, hyphens, and "@" symbols
@@ -28,28 +17,10 @@ var validateUsername validator.Func = func(fl validator.FieldLevel) bool {
 	return matched
 }

-var validateUserGroupName validator.Func = func(fl validator.FieldLevel) bool {
-	// [a-z0-9_] : The group name can only contain lowercase letters, numbers, and underscores
-	regex := "^[a-z0-9_]+$"
-	matched, _ := regexp.MatchString(regex, fl.Field().String())
-	return matched
-}
-
 func init() {
-	if v, ok := binding.Validator.Engine().(*validator.Validate); ok {
-		if err := v.RegisterValidation("urlList", validateUrlList); err != nil {
-			log.Fatalf("Failed to register custom validation: %v", err)
-		}
-	}
 	if v, ok := binding.Validator.Engine().(*validator.Validate); ok {
 		if err := v.RegisterValidation("username", validateUsername); err != nil {
 			log.Fatalf("Failed to register custom validation: %v", err)
 		}
 	}
-
-	if v, ok := binding.Validator.Engine().(*validator.Validate); ok {
-		if err := v.RegisterValidation("userGroupName", validateUserGroupName); err != nil {
-			log.Fatalf("Failed to register custom validation: %v", err)
-		}
-	}
 }
--- a/backend/internal/dto/webauthn_dto.go
+++ b/backend/internal/dto/webauthn_dto.go
@@ -2,7 +2,7 @@ package dto

 import (
 	"github.com/go-webauthn/webauthn/protocol"
-	"time"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )

 type WebauthnCredentialDto struct {
@@ -15,7 +15,7 @@ type WebauthnCredentialDto struct {
 	BackupEligible bool `json:"backupEligible"`
 	BackupState    bool `json:"backupState"`

-	CreatedAt time.Time `json:"createdAt"`
+	CreatedAt datatype.DateTime `json:"createdAt"`
 }

 type WebauthnCredentialUpdateDto struct {
--- a/backend/internal/job/db_cleanup.go
+++ b/backend/internal/job/db_cleanup.go
@@ -1,67 +0,0 @@
-package job
-
-import (
-	"github.com/go-co-op/gocron/v2"
-	"github.com/google/uuid"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	"gorm.io/gorm"
-	"log"
-	"time"
-)
-
-func RegisterJobs(db *gorm.DB) {
-	scheduler, err := gocron.NewScheduler()
-	if err != nil {
-		log.Fatalf("Failed to create a new scheduler: %s", err)
-	}
-
-	jobs := &Jobs{db: db}
-
-	registerJob(scheduler, "ClearWebauthnSessions", "0 3 * * *", jobs.clearWebauthnSessions)
-	registerJob(scheduler, "ClearOneTimeAccessTokens", "0 3 * * *", jobs.clearOneTimeAccessTokens)
-	registerJob(scheduler, "ClearOidcAuthorizationCodes", "0 3 * * *", jobs.clearOidcAuthorizationCodes)
-	scheduler.Start()
-}
-
-type Jobs struct {
-	db *gorm.DB
-}
-
-// ClearWebauthnSessions deletes WebAuthn sessions that have expired
-func (j *Jobs) clearWebauthnSessions() error {
-	return j.db.Delete(&model.WebauthnSession{}, "expires_at < ?", time.Now().Unix()).Error
-}
-
-// ClearOneTimeAccessTokens deletes one-time access tokens that have expired
-func (j *Jobs) clearOneTimeAccessTokens() error {
-	return j.db.Debug().Delete(&model.OneTimeAccessToken{}, "expires_at < ?", time.Now().Unix()).Error
-}
-
-// ClearOidcAuthorizationCodes deletes OIDC authorization codes that have expired
-func (j *Jobs) clearOidcAuthorizationCodes() error {
-	return j.db.Delete(&model.OidcAuthorizationCode{}, "expires_at < ?", time.Now().Unix()).Error
-}
-
-// ClearAuditLogs deletes audit logs older than 90 days
-func (j *Jobs) clearAuditLogs() error {
-	return j.db.Delete(&model.AuditLog{}, "created_at < ?", time.Now().AddDate(0, 0, -90).Unix()).Error
-}
-
-func registerJob(scheduler gocron.Scheduler, name string, interval string, job func() error) {
-	_, err := scheduler.NewJob(
-		gocron.CronJob(interval, false),
-		gocron.NewTask(job),
-		gocron.WithEventListeners(
-			gocron.AfterJobRuns(func(jobID uuid.UUID, jobName string) {
-				log.Printf("Job %q run successfully", name)
-			}),
-			gocron.AfterJobRunsWithError(func(jobID uuid.UUID, jobName string, err error) {
-				log.Printf("Job %q failed with error: %v", name, err)
-			}),
-		),
-	)
-
-	if err != nil {
-		log.Fatalf("Failed to register job %q: %v", name, err)
-	}
-}
--- a/backend/internal/job/db_cleanup_job.go
+++ b/backend/internal/job/db_cleanup_job.go
@@ -0,0 +1,73 @@
+package job
+
+import (
+	"context"
+	"log"
+	"time"
+
+	"github.com/go-co-op/gocron/v2"
+	"gorm.io/gorm"
+
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+)
+
+func RegisterDbCleanupJobs(ctx context.Context, db *gorm.DB) {
+	scheduler, err := gocron.NewScheduler()
+	if err != nil {
+		log.Fatalf("Failed to create a new scheduler: %s", err)
+	}
+
+	jobs := &DbCleanupJobs{db: db}
+
+	registerJob(ctx, scheduler, "ClearWebauthnSessions", "0 3 * * *", jobs.clearWebauthnSessions)
+	registerJob(ctx, scheduler, "ClearOneTimeAccessTokens", "0 3 * * *", jobs.clearOneTimeAccessTokens)
+	registerJob(ctx, scheduler, "ClearOidcAuthorizationCodes", "0 3 * * *", jobs.clearOidcAuthorizationCodes)
+	registerJob(ctx, scheduler, "ClearOidcRefreshTokens", "0 3 * * *", jobs.clearOidcRefreshTokens)
+	registerJob(ctx, scheduler, "ClearAuditLogs", "0 3 * * *", jobs.clearAuditLogs)
+	scheduler.Start()
+}
+
+type DbCleanupJobs struct {
+	db *gorm.DB
+}
+
+// ClearWebauthnSessions deletes WebAuthn sessions that have expired
+func (j *DbCleanupJobs) clearWebauthnSessions(ctx context.Context) error {
+	return j.db.
+		WithContext(ctx).
+		Delete(&model.WebauthnSession{}, "expires_at < ?", datatype.DateTime(time.Now())).
+		Error
+}
+
+// ClearOneTimeAccessTokens deletes one-time access tokens that have expired
+func (j *DbCleanupJobs) clearOneTimeAccessTokens(ctx context.Context) error {
+	return j.db.
+		WithContext(ctx).
+		Delete(&model.OneTimeAccessToken{}, "expires_at < ?", datatype.DateTime(time.Now())).
+		Error
+}
+
+// ClearOidcAuthorizationCodes deletes OIDC authorization codes that have expired
+func (j *DbCleanupJobs) clearOidcAuthorizationCodes(ctx context.Context) error {
+	return j.db.
+		WithContext(ctx).
+		Delete(&model.OidcAuthorizationCode{}, "expires_at < ?", datatype.DateTime(time.Now())).
+		Error
+}
+
+// ClearOidcAuthorizationCodes deletes OIDC authorization codes that have expired
+func (j *DbCleanupJobs) clearOidcRefreshTokens(ctx context.Context) error {
+	return j.db.
+		WithContext(ctx).
+		Delete(&model.OidcRefreshToken{}, "expires_at < ?", datatype.DateTime(time.Now())).
+		Error
+}
+
+// ClearAuditLogs deletes audit logs older than 90 days
+func (j *DbCleanupJobs) clearAuditLogs(ctx context.Context) error {
+	return j.db.
+		WithContext(ctx).
+		Delete(&model.AuditLog{}, "created_at < ?", datatype.DateTime(time.Now().AddDate(0, 0, -90))).
+		Error
+}
--- a/backend/internal/job/file_cleanup_job.go
+++ b/backend/internal/job/file_cleanup_job.go
@@ -0,0 +1,84 @@
+package job
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/go-co-op/gocron/v2"
+	"gorm.io/gorm"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+)
+
+func RegisterFileCleanupJobs(ctx context.Context, db *gorm.DB) {
+	scheduler, err := gocron.NewScheduler()
+	if err != nil {
+		log.Fatalf("Failed to create a new scheduler: %s", err)
+	}
+
+	jobs := &FileCleanupJobs{db: db}
+
+	registerJob(ctx, scheduler, "ClearUnusedDefaultProfilePictures", "0 2 * * 0", jobs.clearUnusedDefaultProfilePictures)
+
+	scheduler.Start()
+}
+
+type FileCleanupJobs struct {
+	db *gorm.DB
+}
+
+// ClearUnusedDefaultProfilePictures deletes default profile pictures that don't match any user's initials
+func (j *FileCleanupJobs) clearUnusedDefaultProfilePictures(ctx context.Context) error {
+	var users []model.User
+	err := j.db.
+		WithContext(ctx).
+		Find(&users).
+		Error
+	if err != nil {
+		return fmt.Errorf("failed to fetch users: %w", err)
+	}
+
+	// Create a map to track which initials are in use
+	initialsInUse := make(map[string]struct{})
+	for _, user := range users {
+		initialsInUse[user.Initials()] = struct{}{}
+	}
+
+	defaultPicturesDir := common.EnvConfig.UploadPath + "/profile-pictures/defaults"
+	if _, err := os.Stat(defaultPicturesDir); os.IsNotExist(err) {
+		return nil
+	}
+
+	files, err := os.ReadDir(defaultPicturesDir)
+	if err != nil {
+		return fmt.Errorf("failed to read default profile pictures directory: %w", err)
+	}
+
+	filesDeleted := 0
+	for _, file := range files {
+		if file.IsDir() {
+			continue // Skip directories
+		}
+
+		filename := file.Name()
+		initials := strings.TrimSuffix(filename, ".png")
+
+		// If these initials aren't used by any user, delete the file
+		if _, ok := initialsInUse[initials]; !ok {
+			filePath := filepath.Join(defaultPicturesDir, filename)
+			if err := os.Remove(filePath); err != nil {
+				log.Printf("Failed to delete unused default profile picture %s: %v", filePath, err)
+			} else {
+				filesDeleted++
+			}
+		}
+	}
+
+	log.Printf("Deleted %d unused default profile pictures", filesDeleted)
+	return nil
+}
--- a/backend/internal/job/job.go
+++ b/backend/internal/job/job.go
@@ -0,0 +1,29 @@
+package job
+
+import (
+	"context"
+	"log"
+
+	"github.com/go-co-op/gocron/v2"
+	"github.com/google/uuid"
+)
+
+func registerJob(ctx context.Context, scheduler gocron.Scheduler, name string, interval string, job func(ctx context.Context) error) {
+	_, err := scheduler.NewJob(
+		gocron.CronJob(interval, false),
+		gocron.NewTask(job),
+		gocron.WithContext(ctx),
+		gocron.WithEventListeners(
+			gocron.AfterJobRuns(func(jobID uuid.UUID, jobName string) {
+				log.Printf("Job %q run successfully", name)
+			}),
+			gocron.AfterJobRunsWithError(func(jobID uuid.UUID, jobName string, err error) {
+				log.Printf("Job %q failed with error: %v", name, err)
+			}),
+		),
+	)
+
+	if err != nil {
+		log.Fatalf("Failed to register job %q: %v", name, err)
+	}
+}
--- a/backend/internal/job/ldap_job.go
+++ b/backend/internal/job/ldap_job.go
@@ -0,0 +1,42 @@
+package job
+
+import (
+	"context"
+	"log"
+
+	"github.com/go-co-op/gocron/v2"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+type LdapJobs struct {
+	ldapService      *service.LdapService
+	appConfigService *service.AppConfigService
+}
+
+func RegisterLdapJobs(ctx context.Context, ldapService *service.LdapService, appConfigService *service.AppConfigService) {
+	jobs := &LdapJobs{ldapService: ldapService, appConfigService: appConfigService}
+
+	scheduler, err := gocron.NewScheduler()
+	if err != nil {
+		log.Fatalf("Failed to create a new scheduler: %v", err)
+	}
+
+	// Register the job to run every hour
+	registerJob(ctx, scheduler, "SyncLdap", "0 * * * *", jobs.syncLdap)
+
+	// Run the job immediately on startup
+	err = jobs.syncLdap(ctx)
+	if err != nil {
+		log.Printf("Failed to sync LDAP: %v", err)
+	}
+
+	scheduler.Start()
+}
+
+func (j *LdapJobs) syncLdap(ctx context.Context) error {
+	if !j.appConfigService.GetDbConfig().LdapEnabled.IsTrue() {
+		return nil
+	}
+
+	return j.ldapService.SyncAll(ctx)
+}
--- a/backend/internal/middleware/api_key_auth.go
+++ b/backend/internal/middleware/api_key_auth.go
@@ -0,0 +1,50 @@
+package middleware
+
+import (
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+type ApiKeyAuthMiddleware struct {
+	apiKeyService *service.ApiKeyService
+	jwtService    *service.JwtService
+}
+
+func NewApiKeyAuthMiddleware(apiKeyService *service.ApiKeyService, jwtService *service.JwtService) *ApiKeyAuthMiddleware {
+	return &ApiKeyAuthMiddleware{
+		apiKeyService: apiKeyService,
+		jwtService:    jwtService,
+	}
+}
+
+func (m *ApiKeyAuthMiddleware) Add(adminRequired bool) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		userID, isAdmin, err := m.Verify(c, adminRequired)
+		if err != nil {
+			c.Abort()
+			_ = c.Error(err)
+			return
+		}
+
+		c.Set("userID", userID)
+		c.Set("userIsAdmin", isAdmin)
+		c.Next()
+	}
+}
+
+func (m *ApiKeyAuthMiddleware) Verify(c *gin.Context, adminRequired bool) (userID string, isAdmin bool, err error) {
+	apiKey := c.GetHeader("X-API-KEY")
+
+	user, err := m.apiKeyService.ValidateApiKey(c.Request.Context(), apiKey)
+	if err != nil {
+		return "", false, &common.NotSignedInError{}
+	}
+
+	// Check if the user is an admin
+	if adminRequired && !user.IsAdmin {
+		return "", false, &common.MissingPermissionError{}
+	}
+
+	return user.ID, user.IsAdmin, nil
+}
--- a/backend/internal/middleware/auth_middleware.go
+++ b/backend/internal/middleware/auth_middleware.go
@@ -0,0 +1,89 @@
+package middleware
+
+import (
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+// AuthMiddleware is a wrapper middleware that delegates to either API key or JWT authentication
+type AuthMiddleware struct {
+	apiKeyMiddleware *ApiKeyAuthMiddleware
+	jwtMiddleware    *JwtAuthMiddleware
+	options          AuthOptions
+}
+
+type AuthOptions struct {
+	AdminRequired   bool
+	SuccessOptional bool
+}
+
+func NewAuthMiddleware(
+	apiKeyService *service.ApiKeyService,
+	jwtService *service.JwtService,
+) *AuthMiddleware {
+	return &AuthMiddleware{
+		apiKeyMiddleware: NewApiKeyAuthMiddleware(apiKeyService, jwtService),
+		jwtMiddleware:    NewJwtAuthMiddleware(jwtService),
+		options: AuthOptions{
+			AdminRequired:   true,
+			SuccessOptional: false,
+		},
+	}
+}
+
+// WithAdminNotRequired allows the middleware to continue with the request even if the user is not an admin
+func (m *AuthMiddleware) WithAdminNotRequired() *AuthMiddleware {
+	// Create a new instance to avoid modifying the original
+	clone := &AuthMiddleware{
+		apiKeyMiddleware: m.apiKeyMiddleware,
+		jwtMiddleware:    m.jwtMiddleware,
+		options:          m.options,
+	}
+	clone.options.AdminRequired = false
+	return clone
+}
+
+// WithSuccessOptional allows the middleware to continue with the request even if authentication fails
+func (m *AuthMiddleware) WithSuccessOptional() *AuthMiddleware {
+	// Create a new instance to avoid modifying the original
+	clone := &AuthMiddleware{
+		apiKeyMiddleware: m.apiKeyMiddleware,
+		jwtMiddleware:    m.jwtMiddleware,
+		options:          m.options,
+	}
+	clone.options.SuccessOptional = true
+	return clone
+}
+
+func (m *AuthMiddleware) Add() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		// First try JWT auth
+		userID, isAdmin, err := m.jwtMiddleware.Verify(c, m.options.AdminRequired)
+		if err == nil {
+			// JWT auth succeeded, continue with the request
+			c.Set("userID", userID)
+			c.Set("userIsAdmin", isAdmin)
+			c.Next()
+			return
+		}
+
+		// JWT auth failed, try API key auth
+		userID, isAdmin, err = m.apiKeyMiddleware.Verify(c, m.options.AdminRequired)
+		if err == nil {
+			// API key auth succeeded, continue with the request
+			c.Set("userID", userID)
+			c.Set("userIsAdmin", isAdmin)
+			c.Next()
+			return
+		}
+
+		if m.options.SuccessOptional {
+			c.Next()
+			return
+		}
+
+		// Both JWT and API key auth failed
+		c.Abort()
+		_ = c.Error(err)
+	}
+}
--- a/backend/internal/middleware/cors.go
+++ b/backend/internal/middleware/cors.go
@@ -1,11 +1,10 @@
 package middleware

 import (
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"time"
+	"net/http"

-	"github.com/gin-contrib/cors"
 	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
 )

 type CorsMiddleware struct{}
@@ -15,10 +14,23 @@ func NewCorsMiddleware() *CorsMiddleware {
 }

 func (m *CorsMiddleware) Add() gin.HandlerFunc {
-	return cors.New(cors.Config{
-		AllowOrigins: []string{common.EnvConfig.AppURL},
-		AllowMethods: []string{"*"},
-		AllowHeaders: []string{"*"},
-		MaxAge:       12 * time.Hour,
-	})
+	return func(c *gin.Context) {
+		// Allow all origins for the token endpoint
+		switch c.FullPath() {
+		case "/api/oidc/token", "/api/oidc/introspect":
+			c.Writer.Header().Set("Access-Control-Allow-Origin", "*")
+		default:
+			c.Writer.Header().Set("Access-Control-Allow-Origin", common.EnvConfig.AppURL)
+		}
+
+		c.Writer.Header().Set("Access-Control-Allow-Headers", "*")
+		c.Writer.Header().Set("Access-Control-Allow-Methods", "POST, OPTIONS, GET, PUT")
+
+		if c.Request.Method == http.MethodOptions {
+			c.AbortWithStatus(204)
+			return
+		}
+
+		c.Next()
+	}
 }
--- a/backend/internal/utils/controller_error_util.go
+++ b/backend/internal/utils/controller_error_util.go
@@ -1,37 +1,68 @@
-package utils
+package middleware

 import (
 	"errors"
-	"github.com/gin-gonic/gin"
-	"github.com/go-playground/validator/v10"
-	"gorm.io/gorm"
-	"log"
+	"fmt"
 	"net/http"
 	"strings"
+
+	"github.com/gin-gonic/gin"
+	"github.com/gin-gonic/gin/binding"
+	"github.com/go-playground/validator/v10"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"gorm.io/gorm"
 )

-import (
-	"fmt"
-)
+type ErrorHandlerMiddleware struct{}

-func ControllerError(c *gin.Context, err error) {
-	// Check for record not found errors
-	if errors.Is(err, gorm.ErrRecordNotFound) {
-		CustomControllerError(c, http.StatusNotFound, "Record not found")
-		return
+func NewErrorHandlerMiddleware() *ErrorHandlerMiddleware {
+	return &ErrorHandlerMiddleware{}
+}
+
+func (m *ErrorHandlerMiddleware) Add() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		c.Next()
+		for _, err := range c.Errors {
+
+			// Check for record not found errors
+			if errors.Is(err, gorm.ErrRecordNotFound) {
+				errorResponse(c, http.StatusNotFound, "Record not found")
+				return
+			}
+
+			// Check for validation errors
+			var validationErrors validator.ValidationErrors
+			if errors.As(err, &validationErrors) {
+				message := handleValidationError(validationErrors)
+				errorResponse(c, http.StatusBadRequest, message)
+				return
+			}
+
+			// Check for slice validation errors
+			var sliceValidationErrors binding.SliceValidationError
+			if errors.As(err, &sliceValidationErrors) {
+				if errors.As(sliceValidationErrors[0], &validationErrors) {
+					message := handleValidationError(validationErrors)
+					errorResponse(c, http.StatusBadRequest, message)
+					return
+				}
+			}
+
+			var appErr common.AppError
+			if errors.As(err, &appErr) {
+				errorResponse(c, appErr.HttpStatusCode(), appErr.Error())
+				return
+			}
+
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "Something went wrong"})
+		}
 	}
+}

-	// Check for validation errors
-	var validationErrors validator.ValidationErrors
-	if errors.As(err, &validationErrors) {
-		message := handleValidationError(validationErrors)
-		CustomControllerError(c, http.StatusBadRequest, message)
-		return
-
-	}
-
-	log.Println(err)
-	c.JSON(http.StatusInternalServerError, gin.H{"error": "Something went wrong"})
+func errorResponse(c *gin.Context, statusCode int, message string) {
+	// Capitalize the first letter of the message
+	message = strings.ToUpper(message[:1]) + message[1:]
+	c.JSON(statusCode, gin.H{"error": message})
 }

 func handleValidationError(validationErrors validator.ValidationErrors) string {
@@ -53,8 +84,6 @@ func handleValidationError(validationErrors validator.ValidationErrors) string {
 			errorMessage = fmt.Sprintf("%s must be at least %s characters long", fieldName, ve.Param())
 		case "max":
 			errorMessage = fmt.Sprintf("%s must be at most %s characters long", fieldName, ve.Param())
-		case "urlList":
-			errorMessage = fmt.Sprintf("%s must be a list of valid URLs", fieldName)
 		default:
 			errorMessage = fmt.Sprintf("%s is invalid", fieldName)
 		}
@@ -67,9 +96,3 @@ func handleValidationError(validationErrors validator.ValidationErrors) string {

 	return combinedErrors
 }
-
-func CustomControllerError(c *gin.Context, statusCode int, message string) {
-	// Capitalize the first letter of the message
-	message = strings.ToUpper(message[:1]) + message[1:]
-	c.JSON(statusCode, gin.H{"error": message})
-}
--- a/backend/internal/middleware/file_size_limit.go
+++ b/backend/internal/middleware/file_size_limit.go
@@ -2,9 +2,10 @@ package middleware

 import (
 	"fmt"
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
 )

 type FileSizeLimitMiddleware struct{}
@@ -17,7 +18,8 @@ func (m *FileSizeLimitMiddleware) Add(maxSize int64) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		c.Request.Body = http.MaxBytesReader(c.Writer, c.Request.Body, maxSize)
 		if err := c.Request.ParseMultipartForm(maxSize); err != nil {
-			utils.CustomControllerError(c, http.StatusRequestEntityTooLarge, fmt.Sprintf("The file can't be larger than %s bytes", formatFileSize(maxSize)))
+			err = &common.FileTooLargeError{MaxSize: formatFileSize(maxSize)}
+			_ = c.Error(err)
 			c.Abort()
 			return
 		}
--- a/backend/internal/middleware/jwt_auth.go
+++ b/backend/internal/middleware/jwt_auth.go
@@ -1,59 +1,68 @@
 package middleware

 import (
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
-	"net/http"
 	"strings"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/cookie"
 )

 type JwtAuthMiddleware struct {
-	jwtService            *service.JwtService
-	ignoreUnauthenticated bool
+	jwtService *service.JwtService
 }

-func NewJwtAuthMiddleware(jwtService *service.JwtService, ignoreUnauthenticated bool) *JwtAuthMiddleware {
-	return &JwtAuthMiddleware{jwtService: jwtService, ignoreUnauthenticated: ignoreUnauthenticated}
+func NewJwtAuthMiddleware(jwtService *service.JwtService) *JwtAuthMiddleware {
+	return &JwtAuthMiddleware{jwtService: jwtService}
 }

-func (m *JwtAuthMiddleware) Add(adminOnly bool) gin.HandlerFunc {
+func (m *JwtAuthMiddleware) Add(adminRequired bool) gin.HandlerFunc {
 	return func(c *gin.Context) {
-		// Extract the token from the cookie or the Authorization header
-		token, err := c.Cookie("access_token")
+		userID, isAdmin, err := m.Verify(c, adminRequired)
 		if err != nil {
-			authorizationHeaderSplitted := strings.Split(c.GetHeader("Authorization"), " ")
-			if len(authorizationHeaderSplitted) == 2 {
-				token = authorizationHeaderSplitted[1]
-			} else if m.ignoreUnauthenticated {
-				c.Next()
-				return
-			} else {
-				utils.CustomControllerError(c, http.StatusUnauthorized, "You're not signed in")
-				c.Abort()
-				return
-			}
-		}
-
-		claims, err := m.jwtService.VerifyAccessToken(token)
-		if err != nil && m.ignoreUnauthenticated {
-			c.Next()
-			return
-		} else if err != nil {
-			utils.CustomControllerError(c, http.StatusUnauthorized, "You're not signed in")
 			c.Abort()
+			_ = c.Error(err)
 			return
 		}

-		// Check if the user is an admin
-		if adminOnly && !claims.IsAdmin {
-			utils.CustomControllerError(c, http.StatusForbidden, "You don't have permission to access this resource")
-			c.Abort()
-			return
-		}
-
-		c.Set("userID", claims.Subject)
-		c.Set("userIsAdmin", claims.IsAdmin)
+		c.Set("userID", userID)
+		c.Set("userIsAdmin", isAdmin)
 		c.Next()
 	}
 }
+
+func (m *JwtAuthMiddleware) Verify(c *gin.Context, adminRequired bool) (subject string, isAdmin bool, err error) {
+	// Extract the token from the cookie
+	accessToken, err := c.Cookie(cookie.AccessTokenCookieName)
+	if err != nil {
+		// Try to extract the token from the Authorization header if it's not in the cookie
+		var ok bool
+		_, accessToken, ok = strings.Cut(c.GetHeader("Authorization"), " ")
+		if !ok || accessToken == "" {
+			return "", false, &common.NotSignedInError{}
+		}
+	}
+
+	token, err := m.jwtService.VerifyAccessToken(accessToken)
+	if err != nil {
+		return "", false, &common.NotSignedInError{}
+	}
+
+	subject, ok := token.Subject()
+	if !ok {
+		_ = c.Error(&common.TokenInvalidError{})
+		return
+	}
+
+	// Check if the user is an admin
+	isAdmin, err = service.GetIsAdmin(token)
+	if err != nil {
+		return "", false, &common.TokenInvalidError{}
+	}
+	if adminRequired && !isAdmin {
+		return "", false, &common.MissingPermissionError{}
+	}
+
+	return subject, isAdmin, nil
+}
--- a/backend/internal/middleware/rate_limit.go
+++ b/backend/internal/middleware/rate_limit.go
@@ -1,12 +1,11 @@
 package middleware

 import (
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
-	"net/http"
 	"sync"
 	"time"

+	"github.com/pocket-id/pocket-id/backend/internal/common"
+
 	"github.com/gin-gonic/gin"
 	"golang.org/x/time/rate"
 )
@@ -18,8 +17,12 @@ func NewRateLimitMiddleware() *RateLimitMiddleware {
 }

 func (m *RateLimitMiddleware) Add(limit rate.Limit, burst int) gin.HandlerFunc {
+	// Map to store the rate limiters per IP
+	var clients = make(map[string]*client)
+	var mu sync.Mutex
+
 	// Start the cleanup routine
-	go cleanupClients()
+	go cleanupClients(&mu, clients)

 	return func(c *gin.Context) {
 		ip := c.ClientIP()
@@ -31,9 +34,9 @@ func (m *RateLimitMiddleware) Add(limit rate.Limit, burst int) gin.HandlerFunc {
 			return
 		}

-		limiter := getLimiter(ip, limit, burst)
+		limiter := getLimiter(ip, limit, burst, &mu, clients)
 		if !limiter.Allow() {
-			utils.CustomControllerError(c, http.StatusTooManyRequests, "Too many requests. Please wait a while before trying again.")
+			_ = c.Error(&common.TooManyRequestsError{})
 			c.Abort()
 			return
 		}
@@ -47,12 +50,8 @@ type client struct {
 	lastSeen time.Time
 }

-// Map to store the rate limiters per IP
-var clients = make(map[string]*client)
-var mu sync.Mutex
-
 // Cleanup routine to remove stale clients that haven't been seen for a while
-func cleanupClients() {
+func cleanupClients(mu *sync.Mutex, clients map[string]*client) {
 	for {
 		time.Sleep(time.Minute)
 		mu.Lock()
@@ -66,7 +65,7 @@ func cleanupClients() {
 }

 // getLimiter retrieves the rate limiter for a given IP address, creating one if it doesn't exist
-func getLimiter(ip string, limit rate.Limit, burst int) *rate.Limiter {
+func getLimiter(ip string, limit rate.Limit, burst int, mu *sync.Mutex, clients map[string]*client) *rate.Limiter {
 	mu.Lock()
 	defer mu.Unlock()

--- a/backend/internal/model/api_key.go
+++ b/backend/internal/model/api_key.go
@@ -0,0 +1,16 @@
+package model
+
+import datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+
+type ApiKey struct {
+	Base
+
+	Name        string `sortable:"true"`
+	Key         string
+	Description *string
+	ExpiresAt   datatype.DateTime  `sortable:"true"`
+	LastUsedAt  *datatype.DateTime `sortable:"true"`
+
+	UserID string
+	User   User
+}
--- a/backend/internal/model/app_config.go
+++ b/backend/internal/model/app_config.go
@@ -1,24 +1,184 @@
 package model

+import (
+	"errors"
+	"fmt"
+	"reflect"
+	"strconv"
+	"strings"
+	"time"
+)
+
 type AppConfigVariable struct {
-	Key        string `gorm:"primaryKey;not null"`
-	Type       string
-	IsPublic   bool
-	IsInternal bool
-	Value      string
+	Key   string `gorm:"primaryKey;not null"`
+	Value string
+}
+
+// IsTrue returns true if the value is a truthy string, such as "true", "t", "yes", "1", etc.
+func (a *AppConfigVariable) IsTrue() bool {
+	ok, _ := strconv.ParseBool(a.Value)
+	return ok
+}
+
+// AsDurationMinutes returns the value as a time.Duration, interpreting the string as a whole number of minutes.
+func (a *AppConfigVariable) AsDurationMinutes() time.Duration {
+	val, err := strconv.Atoi(a.Value)
+	if err != nil {
+		return 0
+	}
+	return time.Duration(val) * time.Minute
 }

 type AppConfig struct {
-	AppName             AppConfigVariable
-	BackgroundImageType AppConfigVariable
-	LogoLightImageType  AppConfigVariable
-	LogoDarkImageType   AppConfigVariable
-	SessionDuration     AppConfigVariable
-
-	EmailEnabled AppConfigVariable
-	SmtpHost     AppConfigVariable
-	SmtpPort     AppConfigVariable
-	SmtpFrom     AppConfigVariable
-	SmtpUser     AppConfigVariable
-	SmtpPassword AppConfigVariable
+	// General
+	AppName             AppConfigVariable `key:"appName,public"` // Public
+	SessionDuration     AppConfigVariable `key:"sessionDuration"`
+	EmailsVerified      AppConfigVariable `key:"emailsVerified"`
+	DisableAnimations   AppConfigVariable `key:"disableAnimations,public"`   // Public
+	AllowOwnAccountEdit AppConfigVariable `key:"allowOwnAccountEdit,public"` // Public
+	// Internal
+	BackgroundImageType AppConfigVariable `key:"backgroundImageType,internal"` // Internal
+	LogoLightImageType  AppConfigVariable `key:"logoLightImageType,internal"`  // Internal
+	LogoDarkImageType   AppConfigVariable `key:"logoDarkImageType,internal"`   // Internal
+	// Email
+	SmtpHost                      AppConfigVariable `key:"smtpHost"`
+	SmtpPort                      AppConfigVariable `key:"smtpPort"`
+	SmtpFrom                      AppConfigVariable `key:"smtpFrom"`
+	SmtpUser                      AppConfigVariable `key:"smtpUser"`
+	SmtpPassword                  AppConfigVariable `key:"smtpPassword"`
+	SmtpTls                       AppConfigVariable `key:"smtpTls"`
+	SmtpSkipCertVerify            AppConfigVariable `key:"smtpSkipCertVerify"`
+	EmailLoginNotificationEnabled AppConfigVariable `key:"emailLoginNotificationEnabled"`
+	EmailOneTimeAccessEnabled     AppConfigVariable `key:"emailOneTimeAccessEnabled,public"` // Public
+	// LDAP
+	LdapEnabled                        AppConfigVariable `key:"ldapEnabled,public"` // Public
+	LdapUrl                            AppConfigVariable `key:"ldapUrl"`
+	LdapBindDn                         AppConfigVariable `key:"ldapBindDn"`
+	LdapBindPassword                   AppConfigVariable `key:"ldapBindPassword"`
+	LdapBase                           AppConfigVariable `key:"ldapBase"`
+	LdapUserSearchFilter               AppConfigVariable `key:"ldapUserSearchFilter"`
+	LdapUserGroupSearchFilter          AppConfigVariable `key:"ldapUserGroupSearchFilter"`
+	LdapSkipCertVerify                 AppConfigVariable `key:"ldapSkipCertVerify"`
+	LdapAttributeUserUniqueIdentifier  AppConfigVariable `key:"ldapAttributeUserUniqueIdentifier"`
+	LdapAttributeUserUsername          AppConfigVariable `key:"ldapAttributeUserUsername"`
+	LdapAttributeUserEmail             AppConfigVariable `key:"ldapAttributeUserEmail"`
+	LdapAttributeUserFirstName         AppConfigVariable `key:"ldapAttributeUserFirstName"`
+	LdapAttributeUserLastName          AppConfigVariable `key:"ldapAttributeUserLastName"`
+	LdapAttributeUserProfilePicture    AppConfigVariable `key:"ldapAttributeUserProfilePicture"`
+	LdapAttributeGroupMember           AppConfigVariable `key:"ldapAttributeGroupMember"`
+	LdapAttributeGroupUniqueIdentifier AppConfigVariable `key:"ldapAttributeGroupUniqueIdentifier"`
+	LdapAttributeGroupName             AppConfigVariable `key:"ldapAttributeGroupName"`
+	LdapAttributeAdminGroup            AppConfigVariable `key:"ldapAttributeAdminGroup"`
+}
+
+func (c *AppConfig) ToAppConfigVariableSlice(showAll bool) []AppConfigVariable {
+	// Use reflection to iterate through all fields
+	cfgValue := reflect.ValueOf(c).Elem()
+	cfgType := cfgValue.Type()
+
+	res := make([]AppConfigVariable, cfgType.NumField())
+
+	for i := range cfgType.NumField() {
+		field := cfgType.Field(i)
+
+		key, attrs, _ := strings.Cut(field.Tag.Get("key"), ",")
+		if key == "" {
+			continue
+		}
+
+		// If we're only showing public variables and this is not public, skip it
+		if !showAll && attrs != "public" {
+			continue
+		}
+
+		fieldValue := cfgValue.Field(i)
+
+		res[i] = AppConfigVariable{
+			Key:   key,
+			Value: fieldValue.FieldByName("Value").String(),
+		}
+	}
+
+	return res
+}
+
+func (c *AppConfig) FieldByKey(key string) (string, error) {
+	rv := reflect.ValueOf(c).Elem()
+	rt := rv.Type()
+
+	// Find the field in the struct whose "key" tag matches
+	for i := range rt.NumField() {
+		// Grab only the first part of the key, if there's a comma with additional properties
+		tagValue, _, _ := strings.Cut(rt.Field(i).Tag.Get("key"), ",")
+		if tagValue != key {
+			continue
+		}
+
+		valueField := rv.Field(i).FieldByName("Value")
+		return valueField.String(), nil
+	}
+
+	// If we are here, the config key was not found
+	return "", AppConfigKeyNotFoundError{field: key}
+}
+
+func (c *AppConfig) UpdateField(key string, value string, noInternal bool) error {
+	rv := reflect.ValueOf(c).Elem()
+	rt := rv.Type()
+
+	// Find the field in the struct whose "key" tag matches, then update that
+	for i := range rt.NumField() {
+		// Separate the key (before the comma) from any optional attributes after
+		tagValue, attrs, _ := strings.Cut(rt.Field(i).Tag.Get("key"), ",")
+		if tagValue != key {
+			continue
+		}
+
+		// If the field is internal and noInternal is true, we skip that
+		if noInternal && attrs == "internal" {
+			return AppConfigInternalForbiddenError{field: key}
+		}
+
+		valueField := rv.Field(i).FieldByName("Value")
+		if !valueField.CanSet() {
+			return fmt.Errorf("field Value in AppConfigVariable is not settable for config key '%s'", key)
+		}
+
+		// Update the value
+		valueField.SetString(value)
+
+		// Return once updated
+		return nil
+	}
+
+	// If we're here, we have not found the right field to update
+	return AppConfigKeyNotFoundError{field: key}
+}
+
+type AppConfigKeyNotFoundError struct {
+	field string
+}
+
+func (e AppConfigKeyNotFoundError) Error() string {
+	return fmt.Sprintf("cannot find config key '%s'", e.field)
+}
+
+func (e AppConfigKeyNotFoundError) Is(target error) bool {
+	// Ignore the field property when checking if an error is of the type AppConfigKeyNotFoundError
+	x := AppConfigKeyNotFoundError{}
+	return errors.As(target, &x)
+}
+
+type AppConfigInternalForbiddenError struct {
+	field string
+}
+
+func (e AppConfigInternalForbiddenError) Error() string {
+	return fmt.Sprintf("field '%s' is internal and can't be updated", e.field)
+}
+
+func (e AppConfigInternalForbiddenError) Is(target error) bool {
+	// Ignore the field property when checking if an error is of the type AppConfigInternalForbiddenError
+	x := AppConfigInternalForbiddenError{}
+	return errors.As(target, &x)
 }
--- a/backend/internal/model/app_config_test.go
+++ b/backend/internal/model/app_config_test.go
@@ -0,0 +1,129 @@
+// We use model_test here to avoid an import cycle
+package model_test
+
+import (
+	"reflect"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+)
+
+func TestAppConfigVariable_AsMinutesDuration(t *testing.T) {
+	tests := []struct {
+		name            string
+		value           string
+		expected        time.Duration
+		expectedSeconds int
+	}{
+		{
+			name:            "valid positive integer",
+			value:           "60",
+			expected:        60 * time.Minute,
+			expectedSeconds: 3600,
+		},
+		{
+			name:            "valid zero integer",
+			value:           "0",
+			expected:        0,
+			expectedSeconds: 0,
+		},
+		{
+			name:            "negative integer",
+			value:           "-30",
+			expected:        -30 * time.Minute,
+			expectedSeconds: -1800,
+		},
+		{
+			name:            "invalid non-integer",
+			value:           "not-a-number",
+			expected:        0,
+			expectedSeconds: 0,
+		},
+		{
+			name:            "empty string",
+			value:           "",
+			expected:        0,
+			expectedSeconds: 0,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			configVar := model.AppConfigVariable{
+				Value: tt.value,
+			}
+
+			result := configVar.AsDurationMinutes()
+			assert.Equal(t, tt.expected, result)
+			assert.Equal(t, tt.expectedSeconds, int(result.Seconds()))
+		})
+	}
+}
+
+// This test ensures that the model.AppConfig and dto.AppConfigUpdateDto structs match:
+// - They should have the same properties, where the "json" tag of dto.AppConfigUpdateDto should match the "key" tag in model.AppConfig
+// - dto.AppConfigDto should not include "internal" fields from model.AppConfig
+// This test is primarily meant to catch discrepancies between the two structs as fields are added or removed over time
+func TestAppConfigStructMatchesUpdateDto(t *testing.T) {
+	appConfigType := reflect.TypeOf(model.AppConfig{})
+	updateDtoType := reflect.TypeOf(dto.AppConfigUpdateDto{})
+
+	// Process AppConfig fields
+	appConfigFields := make(map[string]string)
+	for i := 0; i < appConfigType.NumField(); i++ {
+		field := appConfigType.Field(i)
+		if field.Tag.Get("key") == "" {
+			// Skip internal fields
+			continue
+		}
+
+		// Extract the key name from the tag (takes the part before any comma)
+		keyTag := field.Tag.Get("key")
+		keyName, _, _ := strings.Cut(keyTag, ",")
+
+		appConfigFields[field.Name] = keyName
+	}
+
+	// Process AppConfigUpdateDto fields
+	dtoFields := make(map[string]string)
+	for i := 0; i < updateDtoType.NumField(); i++ {
+		field := updateDtoType.Field(i)
+
+		// Extract the json name from the tag (takes the part before any binding constraints)
+		jsonTag := field.Tag.Get("json")
+		jsonName, _, _ := strings.Cut(jsonTag, ",")
+
+		dtoFields[jsonName] = field.Name
+	}
+
+	// Verify every AppConfig field has a matching DTO field with the same name
+	for fieldName, keyName := range appConfigFields {
+		if strings.HasSuffix(fieldName, "ImageType") {
+			// Skip internal fields that shouldn't be in the DTO
+			continue
+		}
+
+		// Check if there's a DTO field with a matching JSON tag
+		_, exists := dtoFields[keyName]
+		assert.True(t, exists, "Field %s with key '%s' in AppConfig has no matching field in AppConfigUpdateDto", fieldName, keyName)
+	}
+
+	// Verify every DTO field has a matching AppConfig field
+	for jsonName, fieldName := range dtoFields {
+		// Find a matching field in AppConfig by key tag
+		found := false
+		for _, keyName := range appConfigFields {
+			if keyName == jsonName {
+				found = true
+				break
+			}
+		}
+
+		assert.True(t, found, "Field %s with json tag '%s' in AppConfigUpdateDto has no matching field in AppConfig", fieldName, jsonName)
+	}
+}
--- a/backend/internal/model/audit_log.go
+++ b/backend/internal/model/audit_log.go
@@ -3,34 +3,38 @@ package model
 import (
 	"database/sql/driver"
 	"encoding/json"
-	"errors"
+	"fmt"
 )

 type AuditLog struct {
 	Base

-	Event     AuditLogEvent
-	IpAddress string
-	Country   string
-	City      string
-	UserAgent string
-	UserID    string
+	Event     AuditLogEvent `sortable:"true"`
+	IpAddress string        `sortable:"true"`
+	Country   string        `sortable:"true"`
+	City      string        `sortable:"true"`
+	UserAgent string        `sortable:"true"`
+	Username  string        `gorm:"-"`
 	Data      AuditLogData
+
+	UserID string
+	User   User
 }

-type AuditLogData map[string]string
+type AuditLogData map[string]string //nolint:recvcheck

-type AuditLogEvent string
+type AuditLogEvent string //nolint:recvcheck

 const (
-	AuditLogEventSignIn                 AuditLogEvent = "SIGN_IN"
-	AuditLogEventClientAuthorization    AuditLogEvent = "CLIENT_AUTHORIZATION"
-	AuditLogEventNewClientAuthorization AuditLogEvent = "NEW_CLIENT_AUTHORIZATION"
+	AuditLogEventSignIn                   AuditLogEvent = "SIGN_IN"
+	AuditLogEventOneTimeAccessTokenSignIn AuditLogEvent = "TOKEN_SIGN_IN"
+	AuditLogEventClientAuthorization      AuditLogEvent = "CLIENT_AUTHORIZATION"
+	AuditLogEventNewClientAuthorization   AuditLogEvent = "NEW_CLIENT_AUTHORIZATION"
 )

 // Scan and Value methods for GORM to handle the custom type

-func (e *AuditLogEvent) Scan(value interface{}) error {
+func (e *AuditLogEvent) Scan(value any) error {
 	*e = AuditLogEvent(value.(string))
 	return nil
 }
@@ -39,11 +43,14 @@ func (e AuditLogEvent) Value() (driver.Value, error) {
 	return string(e), nil
 }

-func (d *AuditLogData) Scan(value interface{}) error {
-	if v, ok := value.([]byte); ok {
+func (d *AuditLogData) Scan(value any) error {
+	switch v := value.(type) {
+	case []byte:
 		return json.Unmarshal(v, d)
-	} else {
-		return errors.New("type assertion to []byte failed")
+	case string:
+		return json.Unmarshal([]byte(v), d)
+	default:
+		return fmt.Errorf("unsupported type: %T", value)
 	}
 }

--- a/backend/internal/model/base.go
+++ b/backend/internal/model/base.go
@@ -1,22 +1,23 @@
 package model

 import (
-	"github.com/google/uuid"
-	model "github.com/stonith404/pocket-id/backend/internal/model/types"
-	"gorm.io/gorm"
 	"time"
+
+	"github.com/google/uuid"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"gorm.io/gorm"
 )

 // Base contains common columns for all tables.
 type Base struct {
-	ID        string `gorm:"primaryKey;not null"`
-	CreatedAt model.DateTime
+	ID        string            `gorm:"primaryKey;not null"`
+	CreatedAt datatype.DateTime `sortable:"true"`
 }

 func (b *Base) BeforeCreate(_ *gorm.DB) (err error) {
 	if b.ID == "" {
 		b.ID = uuid.New().String()
 	}
-	b.CreatedAt = model.DateTime(time.Now())
+	b.CreatedAt = datatype.DateTime(time.Now())
 	return
 }
--- a/backend/internal/model/custom_claim.go
+++ b/backend/internal/model/custom_claim.go
@@ -0,0 +1,11 @@
+package model
+
+type CustomClaim struct {
+	Base
+
+	Key   string
+	Value string
+
+	UserID      *string
+	UserGroupID *string
+}
--- a/backend/internal/model/oidc.go
+++ b/backend/internal/model/oidc.go
@@ -3,8 +3,9 @@ package model
 import (
 	"database/sql/driver"
 	"encoding/json"
-	"errors"
-	datatype "github.com/stonith404/pocket-id/backend/internal/model/types"
+	"fmt"
+
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 	"gorm.io/gorm"
 )

@@ -20,10 +21,12 @@ type UserAuthorizedOidcClient struct {
 type OidcAuthorizationCode struct {
 	Base

-	Code      string
-	Scope     string
-	Nonce     string
-	ExpiresAt datatype.DateTime
+	Code                      string
+	Scope                     string
+	Nonce                     string
+	CodeChallenge             *string
+	CodeChallengeMethodSha256 *bool
+	ExpiresAt                 datatype.DateTime

 	UserID string
 	User   User
@@ -34,14 +37,32 @@ type OidcAuthorizationCode struct {
 type OidcClient struct {
 	Base

-	Name         string
-	Secret       string
-	CallbackURLs CallbackURLs
-	ImageType    *string
-	HasLogo      bool `gorm:"-"`
+	Name               string `sortable:"true"`
+	Secret             string
+	CallbackURLs       UrlList
+	LogoutCallbackURLs UrlList
+	ImageType          *string
+	HasLogo            bool `gorm:"-"`
+	IsPublic           bool
+	PkceEnabled        bool

-	CreatedByID string
-	CreatedBy   User
+	AllowedUserGroups []UserGroup `gorm:"many2many:oidc_clients_allowed_user_groups;"`
+	CreatedByID       string
+	CreatedBy         User
+}
+
+type OidcRefreshToken struct {
+	Base
+
+	Token     string
+	ExpiresAt datatype.DateTime
+	Scope     string
+
+	UserID string
+	User   User
+
+	ClientID string
+	Client   OidcClient
 }

 func (c *OidcClient) AfterFind(_ *gorm.DB) (err error) {
@@ -50,16 +71,19 @@ func (c *OidcClient) AfterFind(_ *gorm.DB) (err error) {
 	return nil
 }

-type CallbackURLs []string
+type UrlList []string //nolint:recvcheck

-func (cu *CallbackURLs) Scan(value interface{}) error {
-	if v, ok := value.([]byte); ok {
+func (cu *UrlList) Scan(value interface{}) error {
+	switch v := value.(type) {
+	case []byte:
 		return json.Unmarshal(v, cu)
-	} else {
-		return errors.New("type assertion to []byte failed")
+	case string:
+		return json.Unmarshal([]byte(v), cu)
+	default:
+		return fmt.Errorf("unsupported type: %T", value)
 	}
 }

-func (cu CallbackURLs) Value() (driver.Value, error) {
+func (cu UrlList) Value() (driver.Value, error) {
 	return json.Marshal(cu)
 }
--- a/backend/internal/model/types/date_time.go
+++ b/backend/internal/model/types/date_time.go
@@ -3,10 +3,12 @@ package datatype
 import (
 	"database/sql/driver"
 	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
 )

-// DateTime custom type for time.Time to store date as unix timestamp in the database
-type DateTime time.Time
+// DateTime custom type for time.Time to store date as unix timestamp for sqlite and as date for postgres
+type DateTime time.Time //nolint:recvcheck

 func (date *DateTime) Scan(value interface{}) (err error) {
 	*date = DateTime(value.(time.Time))
@@ -14,7 +16,11 @@ func (date *DateTime) Scan(value interface{}) (err error) {
 }

 func (date DateTime) Value() (driver.Value, error) {
-	return time.Time(date).Unix(), nil
+	if common.EnvConfig.DbProvider == common.DbProviderSqlite {
+		return time.Time(date).Unix(), nil
+	} else {
+		return time.Time(date), nil
+	}
 }

 func (date DateTime) UTC() time.Time {
--- a/backend/internal/model/user.go
+++ b/backend/internal/model/user.go
@@ -1,22 +1,28 @@
 package model

 import (
+	"strings"
+
 	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/go-webauthn/webauthn/webauthn"
-	"github.com/stonith404/pocket-id/backend/internal/model/types"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )

 type User struct {
 	Base

-	Username  string
-	Email     string
-	FirstName string
-	LastName  string
-	IsAdmin   bool
+	Username  string `sortable:"true"`
+	Email     string `sortable:"true"`
+	FirstName string `sortable:"true"`
+	LastName  string `sortable:"true"`
+	IsAdmin   bool   `sortable:"true"`
+	Locale    *string
+	LdapID    *string

-	UserGroups  []UserGroup `gorm:"many2many:user_groups_users;"`
-	Credentials []WebauthnCredential
+	CustomClaims []CustomClaim
+	UserGroups   []UserGroup `gorm:"many2many:user_groups_users;"`
+	Credentials  []WebauthnCredential
 }

 func (u User) WebAuthnID() []byte { return []byte(u.ID) }
@@ -32,7 +38,7 @@ func (u User) WebAuthnCredentials() []webauthn.Credential {

 	for i, credential := range u.Credentials {
 		credentials[i] = webauthn.Credential{
-			ID:              []byte(credential.CredentialID),
+			ID:              credential.CredentialID,
 			AttestationType: credential.AttestationType,
 			PublicKey:       credential.PublicKey,
 			Transport:       credential.Transport,
@@ -58,6 +64,14 @@ func (u User) WebAuthnCredentialDescriptors() (descriptors []protocol.Credential
 	return descriptors
 }

+func (u User) FullName() string { return u.FirstName + " " + u.LastName }
+
+func (u User) Initials() string {
+	return strings.ToUpper(
+		utils.GetFirstCharacter(u.FirstName) + utils.GetFirstCharacter(u.LastName),
+	)
+}
+
 type OneTimeAccessToken struct {
 	Base
 	Token     string
--- a/backend/internal/model/user_group.go
+++ b/backend/internal/model/user_group.go
@@ -2,7 +2,9 @@ package model

 type UserGroup struct {
 	Base
-	FriendlyName string
-	Name         string `gorm:"unique"`
+	FriendlyName string `sortable:"true"`
+	Name         string `sortable:"true"`
+	LdapID       *string
 	Users        []User `gorm:"many2many:user_groups_users;"`
+	CustomClaims []CustomClaim
 }
--- a/backend/internal/model/webauthn.go
+++ b/backend/internal/model/webauthn.go
@@ -3,16 +3,18 @@ package model
 import (
 	"database/sql/driver"
 	"encoding/json"
-	"errors"
-	"github.com/go-webauthn/webauthn/protocol"
+	"fmt"
 	"time"
+
+	"github.com/go-webauthn/webauthn/protocol"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )

 type WebauthnSession struct {
 	Base

 	Challenge        string
-	ExpiresAt        time.Time
+	ExpiresAt        datatype.DateTime
 	UserVerification string
 }

@@ -20,7 +22,7 @@ type WebauthnCredential struct {
 	Base

 	Name            string
-	CredentialID    string
+	CredentialID    []byte
 	PublicKey       []byte
 	AttestationType string
 	Transport       AuthenticatorTransportList
@@ -43,15 +45,17 @@ type PublicKeyCredentialRequestOptions struct {
 	Timeout   time.Duration
 }

-type AuthenticatorTransportList []protocol.AuthenticatorTransport
+type AuthenticatorTransportList []protocol.AuthenticatorTransport //nolint:recvcheck

 // Scan and Value methods for GORM to handle the custom type
 func (atl *AuthenticatorTransportList) Scan(value interface{}) error {
-
-	if v, ok := value.([]byte); ok {
+	switch v := value.(type) {
+	case []byte:
 		return json.Unmarshal(v, atl)
-	} else {
-		return errors.New("type assertion to []byte failed")
+	case string:
+		return json.Unmarshal([]byte(v), atl)
+	default:
+		return fmt.Errorf("unsupported type: %T", value)
 	}
 }

--- a/backend/internal/service/api_key_service.go
+++ b/backend/internal/service/api_key_service.go
@@ -0,0 +1,119 @@
+package service
+
+import (
+	"context"
+	"errors"
+	"time"
+
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"gorm.io/gorm"
+	"gorm.io/gorm/clause"
+)
+
+type ApiKeyService struct {
+	db *gorm.DB
+}
+
+func NewApiKeyService(db *gorm.DB) *ApiKeyService {
+	return &ApiKeyService{db: db}
+}
+
+func (s *ApiKeyService) ListApiKeys(ctx context.Context, userID string, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.ApiKey, utils.PaginationResponse, error) {
+	query := s.db.
+		WithContext(ctx).
+		Where("user_id = ?", userID).
+		Model(&model.ApiKey{})
+
+	var apiKeys []model.ApiKey
+	pagination, err := utils.PaginateAndSort(sortedPaginationRequest, query, &apiKeys)
+	if err != nil {
+		return nil, utils.PaginationResponse{}, err
+	}
+
+	return apiKeys, pagination, nil
+}
+
+func (s *ApiKeyService) CreateApiKey(ctx context.Context, userID string, input dto.ApiKeyCreateDto) (model.ApiKey, string, error) {
+	// Check if expiration is in the future
+	if !input.ExpiresAt.ToTime().After(time.Now()) {
+		return model.ApiKey{}, "", &common.APIKeyExpirationDateError{}
+	}
+
+	// Generate a secure random API key
+	token, err := utils.GenerateRandomAlphanumericString(32)
+	if err != nil {
+		return model.ApiKey{}, "", err
+	}
+
+	apiKey := model.ApiKey{
+		Name:        input.Name,
+		Key:         utils.CreateSha256Hash(token), // Hash the token for storage
+		Description: &input.Description,
+		ExpiresAt:   datatype.DateTime(input.ExpiresAt),
+		UserID:      userID,
+	}
+
+	err = s.db.
+		WithContext(ctx).
+		Create(&apiKey).
+		Error
+	if err != nil {
+		return model.ApiKey{}, "", err
+	}
+
+	// Return the raw token only once - it cannot be retrieved later
+	return apiKey, token, nil
+}
+
+func (s *ApiKeyService) RevokeApiKey(ctx context.Context, userID, apiKeyID string) error {
+	var apiKey model.ApiKey
+	err := s.db.
+		WithContext(ctx).
+		Where("id = ? AND user_id = ?", apiKeyID, userID).
+		Delete(&apiKey).
+		Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return &common.APIKeyNotFoundError{}
+		}
+		return err
+	}
+
+	return nil
+}
+
+func (s *ApiKeyService) ValidateApiKey(ctx context.Context, apiKey string) (model.User, error) {
+	if apiKey == "" {
+		return model.User{}, &common.NoAPIKeyProvidedError{}
+	}
+
+	now := time.Now()
+	hashedKey := utils.CreateSha256Hash(apiKey)
+
+	var key model.ApiKey
+	err := s.db.
+		WithContext(ctx).
+		Model(&model.ApiKey{}).
+		Clauses(clause.Returning{}).
+		Where("key = ? AND expires_at > ?", hashedKey, datatype.DateTime(now)).
+		Updates(&model.ApiKey{
+			LastUsedAt: utils.Ptr(datatype.DateTime(now)),
+		}).
+		Preload("User").
+		First(&key).
+		Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return model.User{}, &common.InvalidAPIKeyError{}
+		}
+
+		return model.User{}, err
+	}
+
+	return key.User, nil
+}
--- a/backend/internal/service/app_config_service.go
+++ b/backend/internal/service/app_config_service.go
@@ -1,245 +1,428 @@
 package service

 import (
+	"context"
+	"errors"
 	"fmt"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
-	"gorm.io/gorm"
 	"log"
 	"mime/multipart"
 	"os"
 	"reflect"
+	"strings"
+	"sync/atomic"
+	"time"
+
+	"gorm.io/gorm"
+	"gorm.io/gorm/clause"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )

 type AppConfigService struct {
-	DbConfig *model.AppConfig
+	dbConfig atomic.Pointer[model.AppConfig]
 	db       *gorm.DB
 }

-func NewAppConfigService(db *gorm.DB) *AppConfigService {
+func NewAppConfigService(ctx context.Context, db *gorm.DB) *AppConfigService {
 	service := &AppConfigService{
-		DbConfig: &defaultDbConfig,
-		db:       db,
+		db: db,
 	}
-	if err := service.InitDbConfig(); err != nil {
+
+	err := service.LoadDbConfig(ctx)
+	if err != nil {
 		log.Fatalf("Failed to initialize app config service: %v", err)
 	}
+
 	return service
 }

-var defaultDbConfig = model.AppConfig{
-	AppName: model.AppConfigVariable{
-		Key:      "appName",
-		Type:     "string",
-		IsPublic: true,
-		Value:    "Pocket ID",
-	},
-	SessionDuration: model.AppConfigVariable{
-		Key:   "sessionDuration",
-		Type:  "number",
-		Value: "60",
-	},
-	BackgroundImageType: model.AppConfigVariable{
-		Key:        "backgroundImageType",
-		Type:       "string",
-		IsInternal: true,
-		Value:      "jpg",
-	},
-	LogoLightImageType: model.AppConfigVariable{
-		Key:        "logoLightImageType",
-		Type:       "string",
-		IsInternal: true,
-		Value:      "svg",
-	},
-	LogoDarkImageType: model.AppConfigVariable{
-		Key:        "logoDarkImageType",
-		Type:       "string",
-		IsInternal: true,
-		Value:      "svg",
-	},
-	EmailEnabled: model.AppConfigVariable{
-		Key:   "emailEnabled",
-		Type:  "bool",
-		Value: "false",
-	},
-	SmtpHost: model.AppConfigVariable{
-		Key:  "smtpHost",
-		Type: "string",
-	},
-	SmtpPort: model.AppConfigVariable{
-		Key:  "smtpPort",
-		Type: "number",
-	},
-	SmtpFrom: model.AppConfigVariable{
-		Key:  "smtpFrom",
-		Type: "string",
-	},
-	SmtpUser: model.AppConfigVariable{
-		Key:  "smtpUser",
-		Type: "string",
-	},
-	SmtpPassword: model.AppConfigVariable{
-		Key:  "smtpPassword",
-		Type: "string",
-	},
-}
-
-func (s *AppConfigService) UpdateAppConfig(input dto.AppConfigUpdateDto) ([]model.AppConfigVariable, error) {
-	var savedConfigVariables []model.AppConfigVariable
-
-	tx := s.db.Begin()
-	rt := reflect.ValueOf(input).Type()
-	rv := reflect.ValueOf(input)
-
-	for i := 0; i < rt.NumField(); i++ {
-		field := rt.Field(i)
-		key := field.Tag.Get("json")
-		value := rv.FieldByName(field.Name).String()
-
-		var appConfigVariable model.AppConfigVariable
-		if err := tx.First(&appConfigVariable, "key = ? AND is_internal = false", key).Error; err != nil {
-			tx.Rollback()
-			return nil, err
-		}
-
-		appConfigVariable.Value = value
-		if err := tx.Save(&appConfigVariable).Error; err != nil {
-			tx.Rollback()
-			return nil, err
-		}
-
-		savedConfigVariables = append(savedConfigVariables, appConfigVariable)
+// GetDbConfig returns the application configuration.
+// Important: Treat the object as read-only: do not modify its properties directly!
+func (s *AppConfigService) GetDbConfig() *model.AppConfig {
+	v := s.dbConfig.Load()
+	if v == nil {
+		// This indicates a development-time error
+		panic("called GetDbConfig before DbConfig is loaded")
 	}

-	tx.Commit()
+	return v
+}

-	if err := s.loadDbConfigFromDb(); err != nil {
+func (s *AppConfigService) getDefaultDbConfig() *model.AppConfig {
+	// Values are the default ones
+	return &model.AppConfig{
+		// General
+		AppName:             model.AppConfigVariable{Value: "Pocket ID"},
+		SessionDuration:     model.AppConfigVariable{Value: "60"},
+		EmailsVerified:      model.AppConfigVariable{Value: "false"},
+		DisableAnimations:   model.AppConfigVariable{Value: "false"},
+		AllowOwnAccountEdit: model.AppConfigVariable{Value: "true"},
+		// Internal
+		BackgroundImageType: model.AppConfigVariable{Value: "jpg"},
+		LogoLightImageType:  model.AppConfigVariable{Value: "svg"},
+		LogoDarkImageType:   model.AppConfigVariable{Value: "svg"},
+		// Email
+		SmtpHost:                      model.AppConfigVariable{},
+		SmtpPort:                      model.AppConfigVariable{},
+		SmtpFrom:                      model.AppConfigVariable{},
+		SmtpUser:                      model.AppConfigVariable{},
+		SmtpPassword:                  model.AppConfigVariable{},
+		SmtpTls:                       model.AppConfigVariable{Value: "none"},
+		SmtpSkipCertVerify:            model.AppConfigVariable{Value: "false"},
+		EmailLoginNotificationEnabled: model.AppConfigVariable{Value: "false"},
+		EmailOneTimeAccessEnabled:     model.AppConfigVariable{Value: "false"},
+		// LDAP
+		LdapEnabled:                        model.AppConfigVariable{Value: "false"},
+		LdapUrl:                            model.AppConfigVariable{},
+		LdapBindDn:                         model.AppConfigVariable{},
+		LdapBindPassword:                   model.AppConfigVariable{},
+		LdapBase:                           model.AppConfigVariable{},
+		LdapUserSearchFilter:               model.AppConfigVariable{Value: "(objectClass=person)"},
+		LdapUserGroupSearchFilter:          model.AppConfigVariable{Value: "(objectClass=groupOfNames)"},
+		LdapSkipCertVerify:                 model.AppConfigVariable{Value: "false"},
+		LdapAttributeUserUniqueIdentifier:  model.AppConfigVariable{},
+		LdapAttributeUserUsername:          model.AppConfigVariable{},
+		LdapAttributeUserEmail:             model.AppConfigVariable{},
+		LdapAttributeUserFirstName:         model.AppConfigVariable{},
+		LdapAttributeUserLastName:          model.AppConfigVariable{},
+		LdapAttributeUserProfilePicture:    model.AppConfigVariable{},
+		LdapAttributeGroupMember:           model.AppConfigVariable{Value: "member"},
+		LdapAttributeGroupUniqueIdentifier: model.AppConfigVariable{},
+		LdapAttributeGroupName:             model.AppConfigVariable{},
+		LdapAttributeAdminGroup:            model.AppConfigVariable{},
+	}
+}
+
+func (s *AppConfigService) updateAppConfigStartTransaction(ctx context.Context) (tx *gorm.DB, err error) {
+	// We start a transaction before doing any work, to ensure that we are the only ones updating the data in the database
+	// This works across multiple processes too
+	tx = s.db.Begin()
+	err = tx.Error
+	if err != nil {
+		return nil, fmt.Errorf("failed to begin database transaction: %w", err)
+	}
+
+	// With SQLite there's nothing else we need to do, because a transaction blocks the entire database
+	// However, with Postgres we need to manually lock the table to prevent others from doing the same
+	switch s.db.Name() {
+	case "postgres":
+		// We do not use "NOWAIT" so this blocks until the database is available, or the context is canceled
+		// Here we use a context with a 10s timeout in case the database is blocked for longer
+		lockCtx, lockCancel := context.WithTimeout(ctx, 10*time.Second)
+		defer lockCancel()
+		err = tx.
+			WithContext(lockCtx).
+			Exec("LOCK TABLE app_config_variables IN ACCESS EXCLUSIVE MODE").
+			Error
+		if err != nil {
+			tx.Rollback()
+			return nil, fmt.Errorf("failed to acquire lock on app_config_variables table: %w", err)
+		}
+	default:
+		// Nothing to do here
+	}
+
+	return tx, nil
+}
+
+func (s *AppConfigService) updateAppConfigUpdateDatabase(ctx context.Context, tx *gorm.DB, dbUpdate *[]model.AppConfigVariable) error {
+	err := tx.
+		WithContext(ctx).
+		Clauses(clause.OnConflict{
+			// Perform an "upsert" if the key already exists, replacing the value
+			Columns:   []clause.Column{{Name: "key"}},
+			DoUpdates: clause.AssignmentColumns([]string{"value"}),
+		}).
+		Create(&dbUpdate).
+		Error
+	if err != nil {
+		return fmt.Errorf("failed to update config in database: %w", err)
+	}
+
+	return nil
+}
+
+func (s *AppConfigService) UpdateAppConfig(ctx context.Context, input dto.AppConfigUpdateDto) ([]model.AppConfigVariable, error) {
+	if common.EnvConfig.UiConfigDisabled {
+		return nil, &common.UiConfigDisabledError{}
+	}
+
+	// If EmailLoginNotificationEnabled is set to false (explicitly), disable the EmailOneTimeAccessEnabled
+	if input.EmailLoginNotificationEnabled == "false" {
+		input.EmailOneTimeAccessEnabled = "false"
+	}
+
+	// Start the transaction
+	tx, err := s.updateAppConfigStartTransaction(ctx)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		tx.Rollback()
+	}()
+
+	// From here onwards, we know we are the only process/goroutine with exclusive access to the config
+	// Re-load the config from the database to be sure we have the correct data
+	cfg, err := s.loadDbConfigInternal(ctx, tx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to reload config from database: %w", err)
+	}
+
+	defaultCfg := s.getDefaultDbConfig()
+
+	// Iterate through all the fields to update
+	// We update the in-memory data (in the cfg struct) and collect values to update in the database
+	rt := reflect.ValueOf(input).Type()
+	rv := reflect.ValueOf(input)
+	dbUpdate := make([]model.AppConfigVariable, 0, rt.NumField())
+	for i := range rt.NumField() {
+		field := rt.Field(i)
+		value := rv.FieldByName(field.Name).String()
+
+		// Get the value of the json tag, taking only what's before the comma
+		key, _, _ := strings.Cut(field.Tag.Get("json"), ",")
+
+		// Update the in-memory config value
+		// If the new value is an empty string, then we set the in-memory value to the default one
+		// Skip values that are internal only and can't be updated
+		if value == "" {
+			// Ignore errors here as we know the key exists
+			defaultValue, _ := defaultCfg.FieldByKey(key)
+			err = cfg.UpdateField(key, defaultValue, true)
+		} else {
+			err = cfg.UpdateField(key, value, true)
+		}
+
+		// If we tried to update an internal field, ignore the error (and do not update in the DB)
+		if errors.Is(err, model.AppConfigInternalForbiddenError{}) {
+			continue
+		} else if err != nil {
+			return nil, fmt.Errorf("failed to update in-memory config for key '%s': %w", key, err)
+		}
+
+		// We always save "value" which can be an empty string
+		dbUpdate = append(dbUpdate, model.AppConfigVariable{
+			Key:   key,
+			Value: value,
+		})
+	}
+
+	// Update the values in the database
+	err = s.updateAppConfigUpdateDatabase(ctx, tx, &dbUpdate)
+	if err != nil {
 		return nil, err
 	}

-	return savedConfigVariables, nil
+	// Commit the changes to the DB, then finally save the updated config in the object
+	err = tx.Commit().Error
+	if err != nil {
+		return nil, fmt.Errorf("failed to commit transaction: %w", err)
+	}
+
+	s.dbConfig.Store(cfg)
+
+	// Return the updated config
+	res := cfg.ToAppConfigVariableSlice(true)
+	return res, nil
 }

-func (s *AppConfigService) UpdateImageType(imageName string, fileType string) error {
-	key := fmt.Sprintf("%sImageType", imageName)
-	err := s.db.Model(&model.AppConfigVariable{}).Where("key = ?", key).Update("value", fileType).Error
+// UpdateAppConfigValues
+func (s *AppConfigService) UpdateAppConfigValues(ctx context.Context, keysAndValues ...string) error {
+	if common.EnvConfig.UiConfigDisabled {
+		return &common.UiConfigDisabledError{}
+	}
+
+	// Count of keysAndValues must be even
+	if len(keysAndValues)%2 != 0 {
+		return errors.New("invalid number of arguments received")
+	}
+
+	// Start the transaction
+	tx, err := s.updateAppConfigStartTransaction(ctx)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		tx.Rollback()
+	}()
+
+	// From here onwards, we know we are the only process/goroutine with exclusive access to the config
+	// Re-load the config from the database to be sure we have the correct data
+	cfg, err := s.loadDbConfigInternal(ctx, tx)
+	if err != nil {
+		return fmt.Errorf("failed to reload config from database: %w", err)
+	}
+
+	defaultCfg := s.getDefaultDbConfig()
+
+	// Iterate through all the fields to update
+	// We update the in-memory data (in the cfg struct) and collect values to update in the database
+	// (Note the += 2, as we are iterating through key-value pairs)
+	dbUpdate := make([]model.AppConfigVariable, 0, len(keysAndValues)/2)
+	for i := 0; i < len(keysAndValues); i += 2 {
+		key := keysAndValues[i]
+		value := keysAndValues[i+1]
+
+		// Ensure that the field is valid
+		// We do this by grabbing the default value
+		var defaultValue string
+		defaultValue, err = defaultCfg.FieldByKey(key)
+		if err != nil {
+			return fmt.Errorf("invalid configuration key '%s': %w", key, err)
+		}
+
+		// Update the in-memory config value
+		// If the new value is an empty string, then we set the in-memory value to the default one
+		// Skip values that are internal only and can't be updated
+		if value == "" {
+			err = cfg.UpdateField(key, defaultValue, false)
+		} else {
+			err = cfg.UpdateField(key, value, false)
+		}
+		if err != nil {
+			return fmt.Errorf("failed to update in-memory config for key '%s': %w", key, err)
+		}
+
+		// We always save "value" which can be an empty string
+		dbUpdate = append(dbUpdate, model.AppConfigVariable{
+			Key:   key,
+			Value: value,
+		})
+	}
+
+	// Update the values in the database
+	err = s.updateAppConfigUpdateDatabase(ctx, tx, &dbUpdate)
 	if err != nil {
 		return err
 	}

-	return s.loadDbConfigFromDb()
-}
-
-func (s *AppConfigService) ListAppConfig(showAll bool) ([]model.AppConfigVariable, error) {
-	var configuration []model.AppConfigVariable
-	var err error
-
-	if showAll {
-		err = s.db.Find(&configuration).Error
-	} else {
-		err = s.db.Find(&configuration, "is_public = true").Error
-	}
-
+	// Commit the changes to the DB, then finally save the updated config in the object
+	err = tx.Commit().Error
 	if err != nil {
-		return nil, err
+		return fmt.Errorf("failed to commit transaction: %w", err)
 	}

-	return configuration, nil
+	s.dbConfig.Store(cfg)
+
+	return nil
 }

-func (s *AppConfigService) UpdateImage(uploadedFile *multipart.FileHeader, imageName string, oldImageType string) error {
+func (s *AppConfigService) ListAppConfig(showAll bool) []model.AppConfigVariable {
+	return s.GetDbConfig().ToAppConfigVariableSlice(showAll)
+}
+
+func (s *AppConfigService) UpdateImage(ctx context.Context, uploadedFile *multipart.FileHeader, imageName string, oldImageType string) (err error) {
 	fileType := utils.GetFileExtension(uploadedFile.Filename)
 	mimeType := utils.GetImageMimeType(fileType)
 	if mimeType == "" {
-		return common.ErrFileTypeNotSupported
+		return &common.FileTypeNotSupportedError{}
 	}

-	// Delete the old image if it has a different file type
+	// Save the updated image
+	imagePath := common.EnvConfig.UploadPath + "/application-images/" + imageName + "." + fileType
+	err = utils.SaveFile(uploadedFile, imagePath)
+	if err != nil {
+		return err
+	}
+
+	// Delete the old image if it has a different file type, then update the type in the database
 	if fileType != oldImageType {
-		oldImagePath := fmt.Sprintf("%s/application-images/%s.%s", common.EnvConfig.UploadPath, imageName, oldImageType)
-		if err := os.Remove(oldImagePath); err != nil {
+		oldImagePath := common.EnvConfig.UploadPath + "/application-images/" + imageName + "." + oldImageType
+		err = os.Remove(oldImagePath)
+		if err != nil {
 			return err
 		}
-	}

-	imagePath := fmt.Sprintf("%s/application-images/%s.%s", common.EnvConfig.UploadPath, imageName, fileType)
-	if err := utils.SaveFile(uploadedFile, imagePath); err != nil {
-		return err
-	}
+		// Update the file type in the database
+		err = s.UpdateAppConfigValues(ctx, imageName+"ImageType", fileType)
+		if err != nil {
+			return err
+		}

-	// Update the file type in the database
-	if err := s.UpdateImageType(imageName, fileType); err != nil {
-		return err
 	}

 	return nil
 }

-// InitDbConfig creates the default configuration values in the database if they do not exist,
-// updates existing configurations if they differ from the default, and deletes any configurations
-// that are not in the default configuration.
-func (s *AppConfigService) InitDbConfig() error {
-	// Reflect to get the underlying value of DbConfig and its default configuration
-	defaultConfigReflectValue := reflect.ValueOf(defaultDbConfig)
-	defaultKeys := make(map[string]struct{})
+// LoadDbConfig loads the configuration values from the database into the DbConfig struct.
+func (s *AppConfigService) LoadDbConfig(ctx context.Context) (err error) {
+	var dest *model.AppConfig

-	// Iterate over the fields of DbConfig
-	for i := 0; i < defaultConfigReflectValue.NumField(); i++ {
-		defaultConfigVar := defaultConfigReflectValue.Field(i).Interface().(model.AppConfigVariable)
+	// If the UI config is disabled, only load from the env
+	if common.EnvConfig.UiConfigDisabled {
+		dest, err = s.loadDbConfigFromEnv()
+	} else {
+		dest, err = s.loadDbConfigInternal(ctx, s.db)
+	}
+	if err != nil {
+		return err
+	}

-		defaultKeys[defaultConfigVar.Key] = struct{}{}
+	// Update the value in the object
+	s.dbConfig.Store(dest)

-		var storedConfigVar model.AppConfigVariable
-		if err := s.db.First(&storedConfigVar, "key = ?", defaultConfigVar.Key).Error; err != nil {
-			// If the configuration does not exist, create it
-			if err := s.db.Create(&defaultConfigVar).Error; err != nil {
-				return err
-			}
+	return nil
+}
+
+func (s *AppConfigService) loadDbConfigFromEnv() (*model.AppConfig, error) {
+	// First, start from the default configuration
+	dest := s.getDefaultDbConfig()
+
+	// Iterate through each field
+	rt := reflect.ValueOf(dest).Elem().Type()
+	rv := reflect.ValueOf(dest).Elem()
+	for i := range rt.NumField() {
+		field := rt.Field(i)
+
+		// Get the value of the key tag, taking only what's before the comma
+		// The env var name is the key converted to SCREAMING_SNAKE_CASE
+		key, _, _ := strings.Cut(field.Tag.Get("key"), ",")
+		envVarName := utils.CamelCaseToScreamingSnakeCase(key)
+
+		// Set the value if it's set
+		value, ok := os.LookupEnv(envVarName)
+		if ok {
+			rv.Field(i).FieldByName("Value").SetString(value)
+		}
+	}
+
+	return dest, nil
+}
+
+func (s *AppConfigService) loadDbConfigInternal(ctx context.Context, tx *gorm.DB) (*model.AppConfig, error) {
+	// First, start from the default configuration
+	dest := s.getDefaultDbConfig()
+
+	// Load all configuration values from the database
+	// This loads all values in a single shot
+	loaded := []model.AppConfigVariable{}
+	queryCtx, queryCancel := context.WithTimeout(ctx, 10*time.Second)
+	defer queryCancel()
+	err := tx.
+		WithContext(queryCtx).
+		Find(&loaded).Error
+	if err != nil {
+		return nil, fmt.Errorf("failed to load configuration from the database: %w", err)
+	}
+
+	// Iterate through all values loaded from the database
+	for _, v := range loaded {
+		// If the value is empty, it means we are using the default value
+		if v.Value == "" {
 			continue
 		}

-		// Update existing configuration if it differs from the default
-		if storedConfigVar.Type != defaultConfigVar.Type || storedConfigVar.IsPublic != defaultConfigVar.IsPublic || storedConfigVar.IsInternal != defaultConfigVar.IsInternal {
-			storedConfigVar.Type = defaultConfigVar.Type
-			storedConfigVar.IsPublic = defaultConfigVar.IsPublic
-			storedConfigVar.IsInternal = defaultConfigVar.IsInternal
-			if err := s.db.Save(&storedConfigVar).Error; err != nil {
-				return err
-			}
+		// Find the field in the struct whose "key" tag matches, then update that
+		err = dest.UpdateField(v.Key, v.Value, false)
+
+		// We ignore the case of fields that don't exist, as there may be leftover data in the database
+		if err != nil && !errors.Is(err, model.AppConfigKeyNotFoundError{}) {
+			return nil, fmt.Errorf("failed to process config for key '%s': %w", v.Key, err)
 		}
 	}

-	// Delete any configurations not in the default keys
-	var allConfigVars []model.AppConfigVariable
-	if err := s.db.Find(&allConfigVars).Error; err != nil {
-		return err
-	}
-
-	for _, config := range allConfigVars {
-		if _, exists := defaultKeys[config.Key]; !exists {
-			if err := s.db.Delete(&config).Error; err != nil {
-				return err
-			}
-		}
-	}
-	return s.loadDbConfigFromDb()
-}
-
-func (s *AppConfigService) loadDbConfigFromDb() error {
-	dbConfigReflectValue := reflect.ValueOf(s.DbConfig).Elem()
-
-	for i := 0; i < dbConfigReflectValue.NumField(); i++ {
-		dbConfigField := dbConfigReflectValue.Field(i)
-		currentConfigVar := dbConfigField.Interface().(model.AppConfigVariable)
-		var storedConfigVar model.AppConfigVariable
-		if err := s.db.First(&storedConfigVar, "key = ?", currentConfigVar.Key).Error; err != nil {
-			return err
-		}
-
-		dbConfigField.Set(reflect.ValueOf(storedConfigVar))
-	}
-
-	return nil
+	return dest, nil
 }
--- a/backend/internal/service/app_config_service_test.go
+++ b/backend/internal/service/app_config_service_test.go
@@ -0,0 +1,561 @@
+package service
+
+import (
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"gorm.io/driver/sqlite"
+	"gorm.io/gorm"
+	"gorm.io/gorm/logger"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"github.com/stretchr/testify/require"
+)
+
+// NewTestAppConfigService is a function used by tests to create AppConfigService objects with pre-defined configuration values
+func NewTestAppConfigService(config *model.AppConfig) *AppConfigService {
+	service := &AppConfigService{
+		dbConfig: atomic.Pointer[model.AppConfig]{},
+	}
+	service.dbConfig.Store(config)
+
+	return service
+}
+
+func TestLoadDbConfig(t *testing.T) {
+	t.Run("empty config table", func(t *testing.T) {
+		db := newAppConfigTestDatabaseForTest(t)
+		service := &AppConfigService{
+			db: db,
+		}
+
+		// Load the config
+		err := service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		// Config should be equal to default config
+		require.Equal(t, service.GetDbConfig(), service.getDefaultDbConfig())
+	})
+
+	t.Run("loads value from config table", func(t *testing.T) {
+		db := newAppConfigTestDatabaseForTest(t)
+
+		// Populate the config table with some initial values
+		err := db.
+			Create([]model.AppConfigVariable{
+				// Should be set to the default value because it's an empty string
+				{Key: "appName", Value: ""},
+				// Overrides default value
+				{Key: "sessionDuration", Value: "5"},
+				// Does not have a default value
+				{Key: "smtpHost", Value: "example"},
+			}).
+			Error
+		require.NoError(t, err)
+
+		// Load the config
+		service := &AppConfigService{
+			db: db,
+		}
+		err = service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		// Values should match expected ones
+		expect := service.getDefaultDbConfig()
+		expect.SessionDuration.Value = "5"
+		expect.SmtpHost.Value = "example"
+		require.Equal(t, service.GetDbConfig(), expect)
+	})
+
+	t.Run("ignores unknown config keys", func(t *testing.T) {
+		db := newAppConfigTestDatabaseForTest(t)
+
+		// Add an entry with a key that doesn't exist in the config struct
+		err := db.Create([]model.AppConfigVariable{
+			{Key: "__nonExistentKey", Value: "some value"},
+			{Key: "appName", Value: "TestApp"}, // This one should still be loaded
+		}).Error
+		require.NoError(t, err)
+
+		service := &AppConfigService{
+			db: db,
+		}
+		// This should not fail, just ignore the unknown key
+		err = service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		config := service.GetDbConfig()
+		require.Equal(t, "TestApp", config.AppName.Value)
+	})
+
+	t.Run("loading config multiple times", func(t *testing.T) {
+		db := newAppConfigTestDatabaseForTest(t)
+
+		// Initial state
+		err := db.Create([]model.AppConfigVariable{
+			{Key: "appName", Value: "InitialApp"},
+		}).Error
+		require.NoError(t, err)
+
+		service := &AppConfigService{
+			db: db,
+		}
+		err = service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+		require.Equal(t, "InitialApp", service.GetDbConfig().AppName.Value)
+
+		// Update the database value
+		err = db.Model(&model.AppConfigVariable{}).
+			Where("key = ?", "appName").
+			Update("value", "UpdatedApp").Error
+		require.NoError(t, err)
+
+		// Load the config again, it should reflect the updated value
+		err = service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+		require.Equal(t, "UpdatedApp", service.GetDbConfig().AppName.Value)
+	})
+
+	t.Run("loads config from env when UiConfigDisabled is true", func(t *testing.T) {
+		// Save the original state and restore it after the test
+		originalUiConfigDisabled := common.EnvConfig.UiConfigDisabled
+		defer func() {
+			common.EnvConfig.UiConfigDisabled = originalUiConfigDisabled
+		}()
+
+		// Set environment variables for testing
+		t.Setenv("APP_NAME", "EnvTest App")
+		t.Setenv("SESSION_DURATION", "45")
+
+		// Enable UiConfigDisabled to load from env
+		common.EnvConfig.UiConfigDisabled = true
+
+		// Create database with config that should be ignored
+		db := newAppConfigTestDatabaseForTest(t)
+		err := db.Create([]model.AppConfigVariable{
+			{Key: "appName", Value: "DB App"},
+			{Key: "sessionDuration", Value: "120"},
+		}).Error
+		require.NoError(t, err)
+
+		service := &AppConfigService{
+			db: db,
+		}
+
+		// Load the config
+		err = service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		// Config should be loaded from env, not DB
+		config := service.GetDbConfig()
+		require.Equal(t, "EnvTest App", config.AppName.Value, "Should load appName from env")
+		require.Equal(t, "45", config.SessionDuration.Value, "Should load sessionDuration from env")
+	})
+
+	t.Run("ignores env vars when UiConfigDisabled is false", func(t *testing.T) {
+		// Save the original state and restore it after the test
+		originalUiConfigDisabled := common.EnvConfig.UiConfigDisabled
+		defer func() {
+			common.EnvConfig.UiConfigDisabled = originalUiConfigDisabled
+		}()
+
+		// Set environment variables that should be ignored
+		t.Setenv("APP_NAME", "EnvTest App")
+		t.Setenv("SESSION_DURATION", "45")
+
+		// Make sure UiConfigDisabled is false to load from DB
+		common.EnvConfig.UiConfigDisabled = false
+
+		// Create database with config values that should take precedence
+		db := newAppConfigTestDatabaseForTest(t)
+		err := db.Create([]model.AppConfigVariable{
+			{Key: "appName", Value: "DB App"},
+			{Key: "sessionDuration", Value: "120"},
+		}).Error
+		require.NoError(t, err)
+
+		service := &AppConfigService{
+			db: db,
+		}
+
+		// Load the config
+		err = service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		// Config should be loaded from DB, not env
+		config := service.GetDbConfig()
+		require.Equal(t, "DB App", config.AppName.Value, "Should load appName from DB, not env")
+		require.Equal(t, "120", config.SessionDuration.Value, "Should load sessionDuration from DB, not env")
+	})
+}
+
+func TestUpdateAppConfigValues(t *testing.T) {
+	t.Run("update single value", func(t *testing.T) {
+		db := newAppConfigTestDatabaseForTest(t)
+
+		// Create a service with default config
+		service := &AppConfigService{
+			db: db,
+		}
+		err := service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		// Update a single config value
+		err = service.UpdateAppConfigValues(t.Context(), "appName", "Test App")
+		require.NoError(t, err)
+
+		// Verify in-memory config was updated
+		config := service.GetDbConfig()
+		require.Equal(t, "Test App", config.AppName.Value)
+
+		// Verify database was updated
+		var dbValue model.AppConfigVariable
+		err = db.Where("key = ?", "appName").First(&dbValue).Error
+		require.NoError(t, err)
+		require.Equal(t, "Test App", dbValue.Value)
+	})
+
+	t.Run("update multiple values", func(t *testing.T) {
+		db := newAppConfigTestDatabaseForTest(t)
+
+		// Create a service with default config
+		service := &AppConfigService{
+			db: db,
+		}
+		err := service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		// Update multiple config values
+		err = service.UpdateAppConfigValues(
+			t.Context(),
+			"appName", "Test App",
+			"sessionDuration", "30",
+			"smtpHost", "mail.example.com",
+		)
+		require.NoError(t, err)
+
+		// Verify in-memory config was updated
+		config := service.GetDbConfig()
+		require.Equal(t, "Test App", config.AppName.Value)
+		require.Equal(t, "30", config.SessionDuration.Value)
+		require.Equal(t, "mail.example.com", config.SmtpHost.Value)
+
+		// Verify database was updated
+		var count int64
+		db.Model(&model.AppConfigVariable{}).Count(&count)
+		require.Equal(t, int64(3), count)
+
+		var appName, sessionDuration, smtpHost model.AppConfigVariable
+		err = db.Where("key = ?", "appName").First(&appName).Error
+		require.NoError(t, err)
+		require.Equal(t, "Test App", appName.Value)
+
+		err = db.Where("key = ?", "sessionDuration").First(&sessionDuration).Error
+		require.NoError(t, err)
+		require.Equal(t, "30", sessionDuration.Value)
+
+		err = db.Where("key = ?", "smtpHost").First(&smtpHost).Error
+		require.NoError(t, err)
+		require.Equal(t, "mail.example.com", smtpHost.Value)
+	})
+
+	t.Run("empty value resets to default", func(t *testing.T) {
+		db := newAppConfigTestDatabaseForTest(t)
+
+		// Create a service with default config
+		service := &AppConfigService{
+			db: db,
+		}
+		err := service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		// First change the value
+		err = service.UpdateAppConfigValues(t.Context(), "sessionDuration", "30")
+		require.NoError(t, err)
+		require.Equal(t, "30", service.GetDbConfig().SessionDuration.Value)
+
+		// Now set it to empty which should use default value
+		err = service.UpdateAppConfigValues(t.Context(), "sessionDuration", "")
+		require.NoError(t, err)
+		require.Equal(t, "60", service.GetDbConfig().SessionDuration.Value) // Default value from getDefaultDbConfig
+	})
+
+	t.Run("error with odd number of arguments", func(t *testing.T) {
+		db := newAppConfigTestDatabaseForTest(t)
+
+		// Create a service with default config
+		service := &AppConfigService{
+			db: db,
+		}
+		err := service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		// Try to update with odd number of arguments
+		err = service.UpdateAppConfigValues(t.Context(), "appName", "Test App", "sessionDuration")
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "invalid number of arguments")
+	})
+
+	t.Run("error with invalid key", func(t *testing.T) {
+		db := newAppConfigTestDatabaseForTest(t)
+
+		// Create a service with default config
+		service := &AppConfigService{
+			db: db,
+		}
+		err := service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		// Try to update with invalid key
+		err = service.UpdateAppConfigValues(t.Context(), "nonExistentKey", "some value")
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "invalid configuration key")
+	})
+}
+
+func TestUpdateAppConfig(t *testing.T) {
+	t.Run("updates configuration values from DTO", func(t *testing.T) {
+		db := newAppConfigTestDatabaseForTest(t)
+
+		// Create a service with default config
+		service := &AppConfigService{
+			db: db,
+		}
+		err := service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		// Create update DTO
+		input := dto.AppConfigUpdateDto{
+			AppName:         "Updated App Name",
+			SessionDuration: "120",
+			SmtpHost:        "smtp.example.com",
+			SmtpPort:        "587",
+		}
+
+		// Update config
+		updatedVars, err := service.UpdateAppConfig(t.Context(), input)
+		require.NoError(t, err)
+
+		// Verify returned updated variables
+		require.NotEmpty(t, updatedVars)
+
+		var foundAppName, foundSessionDuration, foundSmtpHost, foundSmtpPort bool
+		for _, v := range updatedVars {
+			switch v.Key {
+			case "appName":
+				require.Equal(t, "Updated App Name", v.Value)
+				foundAppName = true
+			case "sessionDuration":
+				require.Equal(t, "120", v.Value)
+				foundSessionDuration = true
+			case "smtpHost":
+				require.Equal(t, "smtp.example.com", v.Value)
+				foundSmtpHost = true
+			case "smtpPort":
+				require.Equal(t, "587", v.Value)
+				foundSmtpPort = true
+			}
+		}
+		require.True(t, foundAppName)
+		require.True(t, foundSessionDuration)
+		require.True(t, foundSmtpHost)
+		require.True(t, foundSmtpPort)
+
+		// Verify in-memory config was updated
+		config := service.GetDbConfig()
+		require.Equal(t, "Updated App Name", config.AppName.Value)
+		require.Equal(t, "120", config.SessionDuration.Value)
+		require.Equal(t, "smtp.example.com", config.SmtpHost.Value)
+		require.Equal(t, "587", config.SmtpPort.Value)
+
+		// Verify database was updated
+		var appName, sessionDuration, smtpHost, smtpPort model.AppConfigVariable
+		err = db.Where("key = ?", "appName").First(&appName).Error
+		require.NoError(t, err)
+		require.Equal(t, "Updated App Name", appName.Value)
+
+		err = db.Where("key = ?", "sessionDuration").First(&sessionDuration).Error
+		require.NoError(t, err)
+		require.Equal(t, "120", sessionDuration.Value)
+
+		err = db.Where("key = ?", "smtpHost").First(&smtpHost).Error
+		require.NoError(t, err)
+		require.Equal(t, "smtp.example.com", smtpHost.Value)
+
+		err = db.Where("key = ?", "smtpPort").First(&smtpPort).Error
+		require.NoError(t, err)
+		require.Equal(t, "587", smtpPort.Value)
+	})
+
+	t.Run("empty values reset to defaults", func(t *testing.T) {
+		db := newAppConfigTestDatabaseForTest(t)
+
+		// Create a service with default config and modify some values
+		service := &AppConfigService{
+			db: db,
+		}
+		err := service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		// First set some non-default values
+		err = service.UpdateAppConfigValues(t.Context(),
+			"appName", "Custom App",
+			"sessionDuration", "120",
+		)
+		require.NoError(t, err)
+
+		// Create update DTO with empty values to reset to defaults
+		input := dto.AppConfigUpdateDto{
+			AppName:         "", // Should reset to default "Pocket ID"
+			SessionDuration: "", // Should reset to default "60"
+		}
+
+		// Update config
+		updatedVars, err := service.UpdateAppConfig(t.Context(), input)
+		require.NoError(t, err)
+
+		// Verify returned updated variables (they should be empty strings in DB)
+		var foundAppName, foundSessionDuration bool
+		for _, v := range updatedVars {
+			switch v.Key {
+			case "appName":
+				require.Equal(t, "Pocket ID", v.Value) // Returns the default value
+				foundAppName = true
+			case "sessionDuration":
+				require.Equal(t, "60", v.Value) // Returns the default value
+				foundSessionDuration = true
+			}
+		}
+		require.True(t, foundAppName)
+		require.True(t, foundSessionDuration)
+
+		// Verify in-memory config was reset to defaults
+		config := service.GetDbConfig()
+		require.Equal(t, "Pocket ID", config.AppName.Value)  // Default value
+		require.Equal(t, "60", config.SessionDuration.Value) // Default value
+
+		// Verify database was updated with empty values
+		for _, key := range []string{"appName", "sessionDuration"} {
+			var loaded model.AppConfigVariable
+			err = db.Where("key = ?", key).First(&loaded).Error
+			require.NoErrorf(t, err, "Failed to load DB value for key '%s'", key)
+			require.Emptyf(t, loaded.Value, "Loaded value for key '%s' is not empty", key)
+		}
+	})
+
+	t.Run("auto disables EmailOneTimeAccessEnabled when EmailLoginNotificationEnabled is false", func(t *testing.T) {
+		db := newAppConfigTestDatabaseForTest(t)
+
+		// Create a service with default config
+		service := &AppConfigService{
+			db: db,
+		}
+		err := service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		// First enable both settings
+		err = service.UpdateAppConfigValues(t.Context(),
+			"emailLoginNotificationEnabled", "true",
+			"emailOneTimeAccessEnabled", "true",
+		)
+		require.NoError(t, err)
+
+		// Verify both are enabled
+		config := service.GetDbConfig()
+		require.True(t, config.EmailLoginNotificationEnabled.IsTrue())
+		require.True(t, config.EmailOneTimeAccessEnabled.IsTrue())
+
+		// Now disable EmailLoginNotificationEnabled
+		input := dto.AppConfigUpdateDto{
+			EmailLoginNotificationEnabled: "false",
+			// Don't set EmailOneTimeAccessEnabled, it should be auto-disabled
+		}
+
+		// Update config
+		_, err = service.UpdateAppConfig(t.Context(), input)
+		require.NoError(t, err)
+
+		// Verify EmailOneTimeAccessEnabled was automatically disabled
+		config = service.GetDbConfig()
+		require.False(t, config.EmailLoginNotificationEnabled.IsTrue())
+		require.False(t, config.EmailOneTimeAccessEnabled.IsTrue())
+	})
+
+	t.Run("cannot update when UiConfigDisabled is true", func(t *testing.T) {
+		// Save the original state and restore it after the test
+		originalUiConfigDisabled := common.EnvConfig.UiConfigDisabled
+		defer func() {
+			common.EnvConfig.UiConfigDisabled = originalUiConfigDisabled
+		}()
+
+		// Disable UI config
+		common.EnvConfig.UiConfigDisabled = true
+
+		db := newAppConfigTestDatabaseForTest(t)
+		service := &AppConfigService{
+			db: db,
+		}
+		err := service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		// Try to update config
+		_, err = service.UpdateAppConfig(t.Context(), dto.AppConfigUpdateDto{
+			AppName: "Should Not Update",
+		})
+
+		// Should get a UiConfigDisabledError
+		require.Error(t, err)
+		var uiConfigDisabledErr *common.UiConfigDisabledError
+		require.ErrorAs(t, err, &uiConfigDisabledErr)
+	})
+}
+
+// Implements gorm's logger.Writer interface
+type testLoggerAdapter struct {
+	t *testing.T
+}
+
+func (l testLoggerAdapter) Printf(format string, args ...any) {
+	l.t.Logf(format, args...)
+}
+
+func newAppConfigTestDatabaseForTest(t *testing.T) *gorm.DB {
+	t.Helper()
+
+	// Get a name for this in-memory database that is specific to the test
+	dbName := utils.CreateSha256Hash(t.Name())
+
+	// Connect to a new in-memory SQL database
+	db, err := gorm.Open(
+		sqlite.Open("file:"+dbName+"?mode=memory&cache=shared"),
+		&gorm.Config{
+			TranslateError: true,
+			Logger: logger.New(
+				testLoggerAdapter{t: t},
+				logger.Config{
+					SlowThreshold:             200 * time.Millisecond,
+					LogLevel:                  logger.Info,
+					IgnoreRecordNotFoundError: false,
+					ParameterizedQueries:      false,
+					Colorful:                  false,
+				},
+			),
+		})
+	require.NoError(t, err, "Failed to connect to test database")
+
+	// Create the app_config_variables table
+	err = db.Exec(`
+CREATE TABLE app_config_variables
+(
+    key           VARCHAR(100) NOT NULL PRIMARY KEY,
+    value         TEXT NOT NULL
+)
+`).Error
+	require.NoError(t, err, "Failed to create test config table")
+
+	return db
+}
--- a/backend/internal/service/audit_log_service.go
+++ b/backend/internal/service/audit_log_service.go
@@ -1,31 +1,34 @@
 package service

 import (
-	userAgentParser "github.com/mileusna/useragent"
-	"github.com/oschwald/maxminddb-golang/v2"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
-	"github.com/stonith404/pocket-id/backend/internal/utils/email"
-	"gorm.io/gorm"
+	"context"
+	"fmt"
 	"log"
-	"net/netip"
+
+	userAgentParser "github.com/mileusna/useragent"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/email"
+	"gorm.io/gorm"
 )

 type AuditLogService struct {
 	db               *gorm.DB
 	appConfigService *AppConfigService
 	emailService     *EmailService
+	geoliteService   *GeoLiteService
 }

-func NewAuditLogService(db *gorm.DB, appConfigService *AppConfigService, emailService *EmailService) *AuditLogService {
-	return &AuditLogService{db: db, appConfigService: appConfigService, emailService: emailService}
+func NewAuditLogService(db *gorm.DB, appConfigService *AppConfigService, emailService *EmailService, geoliteService *GeoLiteService) *AuditLogService {
+	return &AuditLogService{db: db, appConfigService: appConfigService, emailService: emailService, geoliteService: geoliteService}
 }

 // Create creates a new audit log entry in the database
-func (s *AuditLogService) Create(event model.AuditLogEvent, ipAddress, userAgent, userID string, data model.AuditLogData) model.AuditLog {
-	country, city, err := s.GetIpLocation(ipAddress)
+func (s *AuditLogService) Create(ctx context.Context, event model.AuditLogEvent, ipAddress, userAgent, userID string, data model.AuditLogData, tx *gorm.DB) model.AuditLog {
+	country, city, err := s.geoliteService.GetLocationByIP(ipAddress)
 	if err != nil {
-		log.Printf("Failed to get IP location: %v\n", err)
+		log.Printf("Failed to get IP location: %v", err)
 	}

 	auditLog := model.AuditLog{
@@ -39,8 +42,12 @@ func (s *AuditLogService) Create(event model.AuditLogEvent, ipAddress, userAgent
 	}

 	// Save the audit log in the database
-	if err := s.db.Create(&auditLog).Error; err != nil {
-		log.Printf("Failed to create audit log: %v\n", err)
+	err = tx.
+		WithContext(ctx).
+		Create(&auditLog).
+		Error
+	if err != nil {
+		log.Printf("Failed to create audit log: %v", err)
 		return model.AuditLog{}
 	}

@@ -48,24 +55,41 @@ func (s *AuditLogService) Create(event model.AuditLogEvent, ipAddress, userAgent
 }

 // CreateNewSignInWithEmail creates a new audit log entry in the database and sends an email if the device hasn't been used before
-func (s *AuditLogService) CreateNewSignInWithEmail(ipAddress, userAgent, userID string, data model.AuditLogData) model.AuditLog {
-	createdAuditLog := s.Create(model.AuditLogEventSignIn, ipAddress, userAgent, userID, data)
+func (s *AuditLogService) CreateNewSignInWithEmail(ctx context.Context, ipAddress, userAgent, userID string, tx *gorm.DB) model.AuditLog {
+	createdAuditLog := s.Create(ctx, model.AuditLogEventSignIn, ipAddress, userAgent, userID, model.AuditLogData{}, tx)

 	// Count the number of times the user has logged in from the same device
 	var count int64
-	err := s.db.Model(&model.AuditLog{}).Where("user_id = ? AND ip_address = ? AND user_agent = ?", userID, ipAddress, userAgent).Count(&count).Error
+	err := tx.
+		WithContext(ctx).
+		Model(&model.AuditLog{}).
+		Where("user_id = ? AND ip_address = ? AND user_agent = ?", userID, ipAddress, userAgent).
+		Count(&count).
+		Error
 	if err != nil {
 		log.Printf("Failed to count audit logs: %v\n", err)
 		return createdAuditLog
 	}

-	// If the user hasn't logged in from the same device before, send an email
-	if count <= 1 {
+	// If the user hasn't logged in from the same device before and email notifications are enabled, send an email
+	if s.appConfigService.GetDbConfig().EmailLoginNotificationEnabled.IsTrue() && count <= 1 {
+		// We use a background context here as this is running in a goroutine
+		//nolint:contextcheck
 		go func() {
-			var user model.User
-			s.db.Where("id = ?", userID).First(&user)
+			innerCtx := context.Background()

-			err := SendEmail(s.emailService, email.Address{
+			// Note we don't use the transaction here because this is running in background
+			var user model.User
+			innerErr := s.db.
+				WithContext(innerCtx).
+				Where("id = ?", userID).
+				First(&user).
+				Error
+			if innerErr != nil {
+				log.Printf("Failed to load user: %v", innerErr)
+			}
+
+			innerErr = SendEmail(innerCtx, s.emailService, email.Address{
 				Name:  user.Username,
 				Email: user.Email,
 			}, NewLoginTemplate, &NewLoginTemplateData{
@@ -75,8 +99,8 @@ func (s *AuditLogService) CreateNewSignInWithEmail(ipAddress, userAgent, userID
 				Device:    s.DeviceStringFromUserAgent(userAgent),
 				DateTime:  createdAuditLog.CreatedAt.UTC(),
 			})
-			if err != nil {
-				log.Printf("Failed to send email to '%s': %v\n", user.Email, err)
+			if innerErr != nil {
+				log.Printf("Failed to send email to '%s': %v", user.Email, innerErr)
 			}
 		}()
 	}
@@ -85,11 +109,14 @@ func (s *AuditLogService) CreateNewSignInWithEmail(ipAddress, userAgent, userID
 }

 // ListAuditLogsForUser retrieves all audit logs for a given user ID
-func (s *AuditLogService) ListAuditLogsForUser(userID string, page int, pageSize int) ([]model.AuditLog, utils.PaginationResponse, error) {
+func (s *AuditLogService) ListAuditLogsForUser(ctx context.Context, userID string, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.AuditLog, utils.PaginationResponse, error) {
 	var logs []model.AuditLog
-	query := s.db.Model(&model.AuditLog{}).Where("user_id = ?", userID).Order("created_at desc")
+	query := s.db.
+		WithContext(ctx).
+		Model(&model.AuditLog{}).
+		Where("user_id = ?", userID)

-	pagination, err := utils.Paginate(page, pageSize, query, &logs)
+	pagination, err := utils.PaginateAndSort(sortedPaginationRequest, query, &logs)
 	return logs, pagination, err
 }

@@ -98,28 +125,98 @@ func (s *AuditLogService) DeviceStringFromUserAgent(userAgent string) string {
 	return ua.Name + " on " + ua.OS + " " + ua.OSVersion
 }

-func (s *AuditLogService) GetIpLocation(ipAddress string) (country, city string, err error) {
-	db, err := maxminddb.Open("GeoLite2-City.mmdb")
+func (s *AuditLogService) ListAllAuditLogs(ctx context.Context, sortedPaginationRequest utils.SortedPaginationRequest, filters dto.AuditLogFilterDto) ([]model.AuditLog, utils.PaginationResponse, error) {
+	var logs []model.AuditLog
+
+	query := s.db.
+		WithContext(ctx).
+		Preload("User").
+		Model(&model.AuditLog{})
+
+	if filters.UserID != "" {
+		query = query.Where("user_id = ?", filters.UserID)
+	}
+	if filters.Event != "" {
+		query = query.Where("event = ?", filters.Event)
+	}
+	if filters.ClientName != "" {
+		dialect := s.db.Name()
+		switch dialect {
+		case "sqlite":
+			query = query.Where("json_extract(data, '$.clientName') = ?", filters.ClientName)
+		case "postgres":
+			query = query.Where("data->>'clientName' = ?", filters.ClientName)
+		default:
+			return nil, utils.PaginationResponse{}, fmt.Errorf("unsupported database dialect: %s", dialect)
+		}
+	}
+
+	pagination, err := utils.PaginateAndSort(sortedPaginationRequest, query, &logs)
 	if err != nil {
-		return "", "", err
-	}
-	defer db.Close()
-
-	addr := netip.MustParseAddr(ipAddress)
-
-	var record struct {
-		City struct {
-			Names map[string]string `maxminddb:"names"`
-		} `maxminddb:"city"`
-		Country struct {
-			Names map[string]string `maxminddb:"names"`
-		} `maxminddb:"country"`
+		return nil, pagination, err
 	}

-	err = db.Lookup(addr).Decode(&record)
-	if err != nil {
-		return "", "", err
-	}
-
-	return record.Country.Names["en"], record.City.Names["en"], nil
+	return logs, pagination, nil
+}
+
+func (s *AuditLogService) ListUsernamesWithIds(ctx context.Context) (users map[string]string, err error) {
+	query := s.db.
+		WithContext(ctx).
+		Joins("User").
+		Model(&model.AuditLog{}).
+		Select("DISTINCT User.id, User.username").
+		Where("User.username IS NOT NULL")
+
+	type Result struct {
+		ID       string `gorm:"column:id"`
+		Username string `gorm:"column:username"`
+	}
+
+	var results []Result
+	if err := query.Find(&results).Error; err != nil {
+		return nil, fmt.Errorf("failed to query user IDs: %w", err)
+	}
+
+	users = make(map[string]string, len(results))
+	for _, result := range results {
+		users[result.ID] = result.Username
+	}
+
+	return users, nil
+}
+
+func (s *AuditLogService) ListClientNames(ctx context.Context) (clientNames []string, err error) {
+	dialect := s.db.Name()
+	query := s.db.
+		WithContext(ctx).
+		Model(&model.AuditLog{})
+
+	switch dialect {
+	case "sqlite":
+		query = query.
+			Select("DISTINCT json_extract(data, '$.clientName') AS client_name").
+			Where("json_extract(data, '$.clientName') IS NOT NULL")
+	case "postgres":
+		query = query.
+			Select("DISTINCT data->>'clientName' AS client_name").
+			Where("data->>'clientName' IS NOT NULL")
+	default:
+		return nil, fmt.Errorf("unsupported database dialect: %s", dialect)
+	}
+
+	type Result struct {
+		ClientName string `gorm:"column:client_name"`
+	}
+
+	var results []Result
+	if err := query.Find(&results).Error; err != nil {
+		return nil, fmt.Errorf("failed to query client IDs: %w", err)
+	}
+
+	clientNames = make([]string, len(results))
+	for i, result := range results {
+		clientNames[i] = result.ClientName
+	}
+
+	return clientNames, nil
 }
--- a/backend/internal/service/custom_claim_service.go
+++ b/backend/internal/service/custom_claim_service.go
@@ -0,0 +1,238 @@
+package service
+
+import (
+	"context"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"gorm.io/gorm"
+)
+
+type CustomClaimService struct {
+	db *gorm.DB
+}
+
+func NewCustomClaimService(db *gorm.DB) *CustomClaimService {
+	return &CustomClaimService{db: db}
+}
+
+// isReservedClaim checks if a claim key is reserved e.g. email, preferred_username
+func isReservedClaim(key string) bool {
+	switch key {
+	case "given_name",
+		"family_name",
+		"name",
+		"email",
+		"preferred_username",
+		"groups",
+		"sub",
+		"iss",
+		"aud",
+		"exp",
+		"iat",
+		"auth_time",
+		"nonce",
+		"acr",
+		"amr",
+		"azp",
+		"nbf",
+		"jti":
+		return true
+	default:
+		return false
+	}
+}
+
+// idType is the type of the id used to identify the user or user group
+type idType string
+
+const (
+	UserID      idType = "user_id"
+	UserGroupID idType = "user_group_id"
+)
+
+// UpdateCustomClaimsForUser updates the custom claims for a user
+func (s *CustomClaimService) UpdateCustomClaimsForUser(ctx context.Context, userID string, claims []dto.CustomClaimCreateDto) ([]model.CustomClaim, error) {
+	return s.updateCustomClaims(ctx, UserID, userID, claims)
+}
+
+// UpdateCustomClaimsForUserGroup updates the custom claims for a user group
+func (s *CustomClaimService) UpdateCustomClaimsForUserGroup(ctx context.Context, userGroupID string, claims []dto.CustomClaimCreateDto) ([]model.CustomClaim, error) {
+	return s.updateCustomClaims(ctx, UserGroupID, userGroupID, claims)
+}
+
+// updateCustomClaims updates the custom claims for a user or user group
+func (s *CustomClaimService) updateCustomClaims(ctx context.Context, idType idType, value string, claims []dto.CustomClaimCreateDto) ([]model.CustomClaim, error) {
+	// Check for duplicate keys in the claims slice
+	seenKeys := make(map[string]struct{})
+	for _, claim := range claims {
+		if _, ok := seenKeys[claim.Key]; ok {
+			return nil, &common.DuplicateClaimError{Key: claim.Key}
+		}
+		seenKeys[claim.Key] = struct{}{}
+	}
+
+	tx := s.db.Begin()
+	defer func() {
+		tx.Rollback()
+	}()
+
+	var existingClaims []model.CustomClaim
+	err := tx.
+		WithContext(ctx).
+		Where(string(idType), value).
+		Find(&existingClaims).
+		Error
+	if err != nil {
+		return nil, err
+	}
+
+	// Delete claims that are not in the new list
+	for _, existingClaim := range existingClaims {
+		found := false
+		for _, claim := range claims {
+			if claim.Key == existingClaim.Key {
+				found = true
+				break
+			}
+		}
+
+		if !found {
+			err = tx.
+				WithContext(ctx).
+				Delete(&existingClaim).
+				Error
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+
+	// Add or update claims
+	for _, claim := range claims {
+		if isReservedClaim(claim.Key) {
+			return nil, &common.ReservedClaimError{Key: claim.Key}
+		}
+		customClaim := model.CustomClaim{
+			Key:   claim.Key,
+			Value: claim.Value,
+		}
+
+		switch idType {
+		case UserID:
+			customClaim.UserID = &value
+		case UserGroupID:
+			customClaim.UserGroupID = &value
+		}
+
+		// Update the claim if it already exists or create a new one
+		err = tx.
+			WithContext(ctx).
+			Where(string(idType)+" = ? AND key = ?", value, claim.Key).
+			Assign(&customClaim).
+			FirstOrCreate(&model.CustomClaim{}).
+			Error
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	// Get the updated claims
+	var updatedClaims []model.CustomClaim
+	err = tx.
+		WithContext(ctx).
+		Where(string(idType)+" = ?", value).
+		Find(&updatedClaims).
+		Error
+	if err != nil {
+		return nil, err
+	}
+
+	err = tx.Commit().Error
+	if err != nil {
+		return nil, err
+	}
+
+	return updatedClaims, nil
+}
+
+func (s *CustomClaimService) GetCustomClaimsForUser(ctx context.Context, userID string, tx *gorm.DB) ([]model.CustomClaim, error) {
+	var customClaims []model.CustomClaim
+	err := tx.
+		WithContext(ctx).
+		Where("user_id = ?", userID).
+		Find(&customClaims).
+		Error
+	return customClaims, err
+}
+
+func (s *CustomClaimService) GetCustomClaimsForUserGroup(ctx context.Context, userGroupID string, tx *gorm.DB) ([]model.CustomClaim, error) {
+	var customClaims []model.CustomClaim
+	err := tx.
+		WithContext(ctx).
+		Where("user_group_id = ?", userGroupID).
+		Find(&customClaims).
+		Error
+	return customClaims, err
+}
+
+// GetCustomClaimsForUserWithUserGroups returns the custom claims of a user and all user groups the user is a member of,
+// prioritizing the user's claims over user group claims with the same key.
+func (s *CustomClaimService) GetCustomClaimsForUserWithUserGroups(ctx context.Context, userID string, tx *gorm.DB) ([]model.CustomClaim, error) {
+	// Get the custom claims of the user
+	customClaims, err := s.GetCustomClaimsForUser(ctx, userID, tx)
+	if err != nil {
+		return nil, err
+	}
+
+	// Store user's claims in a map to prioritize and prevent duplicates
+	claimsMap := make(map[string]model.CustomClaim)
+	for _, claim := range customClaims {
+		claimsMap[claim.Key] = claim
+	}
+
+	// Get all user groups of the user
+	var userGroupsOfUser []model.UserGroup
+	err = tx.
+		WithContext(ctx).
+		Preload("CustomClaims").
+		Joins("JOIN user_groups_users ON user_groups_users.user_group_id = user_groups.id").
+		Where("user_groups_users.user_id = ?", userID).
+		Find(&userGroupsOfUser).Error
+	if err != nil {
+		return nil, err
+	}
+
+	// Add only non-duplicate custom claims from user groups
+	for _, userGroup := range userGroupsOfUser {
+		for _, groupClaim := range userGroup.CustomClaims {
+			// Only add claim if it does not exist in the user's claims
+			if _, exists := claimsMap[groupClaim.Key]; !exists {
+				claimsMap[groupClaim.Key] = groupClaim
+			}
+		}
+	}
+
+	// Convert the claimsMap back to a slice
+	finalClaims := make([]model.CustomClaim, 0, len(claimsMap))
+	for _, claim := range claimsMap {
+		finalClaims = append(finalClaims, claim)
+	}
+
+	return finalClaims, nil
+}
+
+// GetSuggestions returns a list of custom claim keys that have been used before
+func (s *CustomClaimService) GetSuggestions(ctx context.Context) ([]string, error) {
+	var customClaimsKeys []string
+
+	err := s.db.
+		WithContext(ctx).
+		Model(&model.CustomClaim{}).
+		Group("key").
+		Order("COUNT(*) DESC").
+		Pluck("key", &customClaimsKeys).Error
+
+	return customClaimsKeys, err
+}
--- a/backend/internal/service/e2etest_service.go
+++ b/backend/internal/service/e2etest_service.go
@@ -0,0 +1,351 @@
+//go:build e2etest
+
+package service
+
+import (
+	"context"
+	"crypto/ecdsa"
+	"crypto/x509"
+	"encoding/base64"
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/fxamacker/cbor/v2"
+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/lestrrat-go/jwx/v3/jwk"
+	"gorm.io/gorm"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/resources"
+)
+
+type TestService struct {
+	db               *gorm.DB
+	jwtService       *JwtService
+	appConfigService *AppConfigService
+}
+
+func NewTestService(db *gorm.DB, appConfigService *AppConfigService, jwtService *JwtService) *TestService {
+	return &TestService{db: db, appConfigService: appConfigService, jwtService: jwtService}
+}
+
+//nolint:gocognit
+func (s *TestService) SeedDatabase() error {
+	return s.db.Transaction(func(tx *gorm.DB) error {
+		users := []model.User{
+			{
+				Base: model.Base{
+					ID: "f4b89dc2-62fb-46bf-9f5f-c34f4eafe93e",
+				},
+				Username:  "tim",
+				Email:     "tim.cook@test.com",
+				FirstName: "Tim",
+				LastName:  "Cook",
+				IsAdmin:   true,
+			},
+			{
+				Base: model.Base{
+					ID: "1cd19686-f9a6-43f4-a41f-14a0bf5b4036",
+				},
+				Username:  "craig",
+				Email:     "craig.federighi@test.com",
+				FirstName: "Craig",
+				LastName:  "Federighi",
+				IsAdmin:   false,
+			},
+		}
+		for _, user := range users {
+			if err := tx.Create(&user).Error; err != nil {
+				return err
+			}
+		}
+
+		oneTimeAccessTokens := []model.OneTimeAccessToken{{
+			Base: model.Base{
+				ID: "bf877753-4ea4-4c9c-bbbd-e198bb201cb8",
+			},
+			Token:     "HPe6k6uiDRRVuAQV",
+			ExpiresAt: datatype.DateTime(time.Now().Add(1 * time.Hour)),
+			UserID:    users[0].ID,
+		},
+			{
+				Base: model.Base{
+					ID: "d3afae24-fe2d-4a98-abec-cf0b8525096a",
+				},
+				Token:     "YCGDtftvsvYWiXd0",
+				ExpiresAt: datatype.DateTime(time.Now().Add(-1 * time.Second)), // expired
+				UserID:    users[0].ID,
+			},
+		}
+		for _, token := range oneTimeAccessTokens {
+			if err := tx.Create(&token).Error; err != nil {
+				return err
+			}
+		}
+
+		userGroups := []model.UserGroup{
+			{
+				Base: model.Base{
+					ID: "c7ae7c01-28a3-4f3c-9572-1ee734ea8368",
+				},
+				Name:         "developers",
+				FriendlyName: "Developers",
+				Users:        []model.User{users[0], users[1]},
+			},
+			{
+				Base: model.Base{
+					ID: "adab18bf-f89d-4087-9ee1-70ff15b48211",
+				},
+				Name:         "designers",
+				FriendlyName: "Designers",
+				Users:        []model.User{users[0]},
+			},
+		}
+		for _, group := range userGroups {
+			if err := tx.Create(&group).Error; err != nil {
+				return err
+			}
+		}
+
+		oidcClients := []model.OidcClient{
+			{
+				Base: model.Base{
+					ID: "3654a746-35d4-4321-ac61-0bdcff2b4055",
+				},
+				Name:               "Nextcloud",
+				Secret:             "$2a$10$9dypwot8nGuCjT6wQWWpJOckZfRprhe2EkwpKizxS/fpVHrOLEJHC", // w2mUeZISmEvIDMEDvpY0PnxQIpj1m3zY
+				CallbackURLs:       model.UrlList{"http://nextcloud/auth/callback"},
+				LogoutCallbackURLs: model.UrlList{"http://nextcloud/auth/logout/callback"},
+				ImageType:          utils.StringPointer("png"),
+				CreatedByID:        users[0].ID,
+			},
+			{
+				Base: model.Base{
+					ID: "606c7782-f2b1-49e5-8ea9-26eb1b06d018",
+				},
+				Name:         "Immich",
+				Secret:       "$2a$10$Ak.FP8riD1ssy2AGGbG.gOpnp/rBpymd74j0nxNMtW0GG1Lb4gzxe", // PYjrE9u4v9GVqXKi52eur0eb2Ci4kc0x
+				CallbackURLs: model.UrlList{"http://immich/auth/callback"},
+				CreatedByID:  users[1].ID,
+				AllowedUserGroups: []model.UserGroup{
+					userGroups[1],
+				},
+			},
+		}
+		for _, client := range oidcClients {
+			if err := tx.Create(&client).Error; err != nil {
+				return err
+			}
+		}
+
+		authCode := model.OidcAuthorizationCode{
+			Code:      "auth-code",
+			Scope:     "openid profile",
+			Nonce:     "nonce",
+			ExpiresAt: datatype.DateTime(time.Now().Add(1 * time.Hour)),
+			UserID:    users[0].ID,
+			ClientID:  oidcClients[0].ID,
+		}
+		if err := tx.Create(&authCode).Error; err != nil {
+			return err
+		}
+
+		refreshToken := model.OidcRefreshToken{
+			Token:     utils.CreateSha256Hash("ou87UDg249r1StBLYkMEqy9TXDbV5HmGuDpMcZDo"),
+			ExpiresAt: datatype.DateTime(time.Now().Add(24 * time.Hour)),
+			Scope:     "openid profile email",
+			UserID:    users[0].ID,
+			ClientID:  oidcClients[0].ID,
+		}
+		if err := tx.Create(&refreshToken).Error; err != nil {
+			return err
+		}
+
+		accessToken := model.OneTimeAccessToken{
+			Token:     "one-time-token",
+			ExpiresAt: datatype.DateTime(time.Now().Add(1 * time.Hour)),
+			UserID:    users[0].ID,
+		}
+		if err := tx.Create(&accessToken).Error; err != nil {
+			return err
+		}
+
+		userAuthorizedClient := model.UserAuthorizedOidcClient{
+			Scope:    "openid profile email",
+			UserID:   users[0].ID,
+			ClientID: oidcClients[0].ID,
+		}
+		if err := tx.Create(&userAuthorizedClient).Error; err != nil {
+			return err
+		}
+
+		// To generate a new key pair, run the following command:
+		// openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 | \
+		// openssl pkcs8 -topk8 -nocrypt | tee >(openssl pkey -pubout)
+
+		publicKeyPasskey1, _ := s.getCborPublicKey("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwcOo5KV169KR67QEHrcYkeXE3CCxv2BgwnSq4VYTQxyLtdmKxegexa8JdwFKhKXa2BMI9xaN15BoL6wSCRFJhg==")
+		publicKeyPasskey2, _ := s.getCborPublicKey("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEj4qA0PrZzg8Co1C27nyUbzrp8Ewjr7eOlGI2LfrzmbL5nPhZRAdJ3hEaqrHMSnJBhfMqtQGKwDYpaLIQFAKLhw==")
+		webauthnCredentials := []model.WebauthnCredential{
+			{
+				Name:            "Passkey 1",
+				CredentialID:    []byte("test-credential-tim"),
+				PublicKey:       publicKeyPasskey1,
+				AttestationType: "none",
+				Transport:       model.AuthenticatorTransportList{protocol.Internal},
+				UserID:          users[0].ID,
+			},
+			{
+				Name:            "Passkey 2",
+				CredentialID:    []byte("test-credential-craig"),
+				PublicKey:       publicKeyPasskey2,
+				AttestationType: "none",
+				Transport:       model.AuthenticatorTransportList{protocol.Internal},
+				UserID:          users[1].ID,
+			},
+		}
+		for _, credential := range webauthnCredentials {
+			if err := tx.Create(&credential).Error; err != nil {
+				return err
+			}
+		}
+
+		webauthnSession := model.WebauthnSession{
+			Challenge:        "challenge",
+			ExpiresAt:        datatype.DateTime(time.Now().Add(1 * time.Hour)),
+			UserVerification: "preferred",
+		}
+		if err := tx.Create(&webauthnSession).Error; err != nil {
+			return err
+		}
+
+		apiKey := model.ApiKey{
+			Base: model.Base{
+				ID: "5f1fa856-c164-4295-961e-175a0d22d725",
+			},
+			Name:   "Test API Key",
+			Key:    "6c34966f57ef2bb7857649aff0e7ab3ad67af93c846342ced3f5a07be8706c20",
+			UserID: users[0].ID,
+		}
+		if err := tx.Create(&apiKey).Error; err != nil {
+			return err
+		}
+
+		return nil
+	})
+}
+
+func (s *TestService) ResetDatabase() error {
+	err := s.db.Transaction(func(tx *gorm.DB) error {
+		var tables []string
+
+		switch common.EnvConfig.DbProvider {
+		case common.DbProviderSqlite:
+			// Query to get all tables for SQLite
+			if err := tx.Raw("SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%' AND name != 'schema_migrations';").Scan(&tables).Error; err != nil {
+				return err
+			}
+		case common.DbProviderPostgres:
+			// Query to get all tables for PostgreSQL
+			if err := tx.Raw(`
+                SELECT tablename 
+                FROM pg_tables 
+                WHERE schemaname = 'public' AND tablename != 'schema_migrations';
+            `).Scan(&tables).Error; err != nil {
+				return err
+			}
+		default:
+			return fmt.Errorf("unsupported database provider: %s", common.EnvConfig.DbProvider)
+		}
+
+		// Delete all rows from all tables
+		for _, table := range tables {
+			if err := tx.Exec(fmt.Sprintf("DELETE FROM %s;", table)).Error; err != nil {
+				return err
+			}
+		}
+
+		return nil
+	})
+
+	return err
+}
+
+func (s *TestService) ResetApplicationImages() error {
+	if err := os.RemoveAll(common.EnvConfig.UploadPath); err != nil {
+		log.Printf("Error removing directory: %v", err)
+		return err
+	}
+
+	files, err := resources.FS.ReadDir("images")
+	if err != nil {
+		return err
+	}
+
+	for _, file := range files {
+		srcFilePath := filepath.Join("images", file.Name())
+		destFilePath := filepath.Join(common.EnvConfig.UploadPath, "application-images", file.Name())
+
+		err := utils.CopyEmbeddedFileToDisk(srcFilePath, destFilePath)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (s *TestService) ResetAppConfig(ctx context.Context) error {
+	// Reset all app config variables to their default values in the database
+	err := s.db.Session(&gorm.Session{AllowGlobalUpdate: true}).Model(&model.AppConfigVariable{}).Update("value", "").Error
+	if err != nil {
+		return err
+	}
+
+	// Reload the app config from the database after resetting the values
+	return s.appConfigService.LoadDbConfig(ctx)
+}
+
+func (s *TestService) SetJWTKeys() {
+	const privateKeyString = `{"alg":"RS256","d":"mvMDWSdPPvcum0c0iEHE2gbqtV2NKMmLwrl9E6K7g8lTV95SePLnW_bwyMPV7EGp7PQk3l17I5XRhFjze7GqTnFIOgKzMianPs7jv2ELtBMGK0xOPATgu1iGb70xZ6vcvuEfRyY3dJ0zr4jpUdVuXwKmx9rK4IdZn2dFCKfvSuspqIpz11RhF1ALrqDLkxGVv7ZwNh0_VhJZU9hcjG5l6xc7rQEKpPRkZp0IdjkGS8Z0FskoVaiRIWAbZuiVFB9WCW8k1czC4HQTPLpII01bUQx2ludbm0UlXRgVU9ptUUbU7GAImQqTOW8LfPGklEvcgzlIlR_oqw4P9yBxLi-yMQ","dp":"pvNCSnnhbo8Igw9psPR-DicxFnkXlu_ix4gpy6efTrxA-z1VDFDioJ814vKQNioYDzpyAP1gfMPhRkvG_q0hRZsJah3Sb9dfA-WkhSWY7lURQP4yIBTMU0PF_rEATuS7lRciYk1SOx5fqXZd3m_LP0vpBC4Ujlq6NAq6CIjCnms","dq":"TtUVGCCkPNgfOLmkYXu7dxxUCV5kB01-xAEK2OY0n0pG8vfDophH4_D_ZC7nvJ8J9uDhs_3JStexq1lIvaWtG99RNTChIEDzpdn6GH9yaVcb_eB4uJjrNm64FhF8PGCCwxA-xMCZMaARKwhMB2_IOMkxUbWboL3gnhJ2rDO_QO0","e":"AQAB","kid":"8uHDw3M6rf8","kty":"RSA","n":"yaeEL0VKoPBXIAaWXsUgmu05lAvEIIdJn0FX9lHh4JE5UY9B83C5sCNdhs9iSWzpeP11EVjWp8i3Yv2CF7c7u50BXnVBGtxpZpFC-585UXacoJ0chUmarL9GRFJcM1nPHBTFu68aRrn1rIKNHUkNaaxFo0NFGl_4EDDTO8HwawTjwkPoQlRzeByhlvGPVvwgB3Fn93B8QJ_cZhXKxJvjjrC_8Pk76heC_ntEMru71Ix77BoC3j2TuyiN7m9RNBW8BU5q6lKoIdvIeZfTFLzi37iufyfvMrJTixp9zhNB1NxlLCeOZl2MXegtiGqd2H3cbAyqoOiv9ihUWTfXj7SxJw","p":"_Yylc9e07CKdqNRD2EosMC2mrhrEa9j5oY_l00Qyy4-jmCA59Q9viyqvveRo0U7cRvFA5BWgWN6GGLh1DG3X-QBqVr0dnk3uzbobb55RYUXyPLuBZI2q6w2oasbiDwPdY7KpkVv_H-bpITQlyDvO8hhucA6rUV7F6KTQVz8M3Ms","q":"y5p3hch-7jJ21TkAhp_Vk1fLCAuD4tbErwQs2of9ja8sB4iJOs5Wn6HD3P7Mc8Plye7qaLHvzc8I5g0tPKWvC0DPd_FLPXiWwMVAzee3NUX_oGeJNOQp11y1w_KqdO9qZqHSEPZ3NcFL_SZMFgggxhM1uzRiPzsVN0lnD_6prZU","qi":"2Grt6uXHm61ji3xSdkBWNtUnj19vS1-7rFJp5SoYztVQVThf_W52BAiXKBdYZDRVoItC_VS2NvAOjeJjhYO_xQ_q3hK7MdtuXfEPpLnyXKkmWo3lrJ26wbeF6l05LexCkI7ShsOuSt-dsyaTJTszuKDIA6YOfWvfo3aVZmlWRaI","use":"sig"}`
+
+	privateKey, _ := jwk.ParseKey([]byte(privateKeyString))
+	_ = s.jwtService.SetKey(privateKey)
+}
+
+// getCborPublicKey decodes a Base64 encoded public key and returns the CBOR encoded COSE key
+func (s *TestService) getCborPublicKey(base64PublicKey string) ([]byte, error) {
+	decodedKey, err := base64.StdEncoding.DecodeString(base64PublicKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode base64 key: %w", err)
+	}
+	pubKey, err := x509.ParsePKIXPublicKey(decodedKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse public key: %w", err)
+	}
+
+	ecdsaPubKey, ok := pubKey.(*ecdsa.PublicKey)
+	if !ok {
+		return nil, fmt.Errorf("not an ECDSA public key")
+	}
+
+	coseKey := map[int]interface{}{
+		1:  2,                     // Key type: EC2
+		3:  -7,                    // Algorithm: ECDSA with SHA-256
+		-1: 1,                     // Curve: P-256
+		-2: ecdsaPubKey.X.Bytes(), // X coordinate
+		-3: ecdsaPubKey.Y.Bytes(), // Y coordinate
+	}
+
+	cborPublicKey, err := cbor.Marshal(coseKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal COSE key: %w", err)
+	}
+
+	return cborPublicKey, nil
+}
--- a/backend/internal/service/email_service.go
+++ b/backend/internal/service/email_service.go
@@ -2,51 +2,78 @@ package service

 import (
 	"bytes"
+	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/utils/email"
 	htemplate "html/template"
-	"io/fs"
+	"io"
 	"mime/multipart"
 	"mime/quotedprintable"
-	"net/smtp"
 	"net/textproto"
+	"os"
+	"strings"
 	ttemplate "text/template"
+	"time"
+
+	"github.com/emersion/go-sasl"
+	"github.com/emersion/go-smtp"
+	"github.com/google/uuid"
+	"gorm.io/gorm"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/email"
 )

 type EmailService struct {
 	appConfigService *AppConfigService
+	db               *gorm.DB
 	htmlTemplates    map[string]*htemplate.Template
 	textTemplates    map[string]*ttemplate.Template
 }

-func NewEmailService(appConfigService *AppConfigService, templateDir fs.FS) (*EmailService, error) {
-	htmlTemplates, err := email.PrepareHTMLTemplates(templateDir, emailTemplatesPaths)
+func NewEmailService(appConfigService *AppConfigService, db *gorm.DB) (*EmailService, error) {
+	htmlTemplates, err := email.PrepareHTMLTemplates(emailTemplatesPaths)
 	if err != nil {
 		return nil, fmt.Errorf("prepare html templates: %w", err)
 	}

-	textTemplates, err := email.PrepareTextTemplates(templateDir, emailTemplatesPaths)
+	textTemplates, err := email.PrepareTextTemplates(emailTemplatesPaths)
 	if err != nil {
 		return nil, fmt.Errorf("prepare html templates: %w", err)
 	}

 	return &EmailService{
 		appConfigService: appConfigService,
+		db:               db,
 		htmlTemplates:    htmlTemplates,
 		textTemplates:    textTemplates,
 	}, nil
 }

-func SendEmail[V any](srv *EmailService, toEmail email.Address, template email.Template[V], tData *V) error {
-	// Check if SMTP settings are set
-	if srv.appConfigService.DbConfig.EmailEnabled.Value != "true" {
-		return errors.New("email not enabled")
+func (srv *EmailService) SendTestEmail(ctx context.Context, recipientUserId string) error {
+	var user model.User
+	err := srv.db.
+		WithContext(ctx).
+		First(&user, "id = ?", recipientUserId).
+		Error
+	if err != nil {
+		return err
 	}

+	return SendEmail(ctx, srv,
+		email.Address{
+			Email: user.Email,
+			Name:  user.FullName(),
+		}, TestTemplate, nil)
+}
+
+func SendEmail[V any](ctx context.Context, srv *EmailService, toEmail email.Address, template email.Template[V], tData *V) error {
+	dbConfig := srv.appConfigService.GetDbConfig()
+
 	data := &email.TemplateData[V]{
-		AppName: srv.appConfigService.DbConfig.AppName.Value,
+		AppName: dbConfig.AppName.Value,
 		LogoURL: common.EnvConfig.AppURL + "/api/application-configuration/logo",
 		Data:    tData,
 	}
@@ -61,34 +88,169 @@ func SendEmail[V any](srv *EmailService, toEmail email.Address, template email.T
 	c.AddHeader("Subject", template.Title(data))
 	c.AddAddressHeader("From", []email.Address{
 		{
-			Email: srv.appConfigService.DbConfig.SmtpFrom.Value,
-			Name:  srv.appConfigService.DbConfig.AppName.Value,
+			Email: dbConfig.SmtpFrom.Value,
+			Name:  dbConfig.AppName.Value,
 		},
 	})
 	c.AddAddressHeader("To", []email.Address{toEmail})
 	c.AddHeaderRaw("Content-Type",
 		fmt.Sprintf("multipart/alternative;\n boundary=%s;\n charset=UTF-8", boundary),
 	)
+
+	c.AddHeader("MIME-Version", "1.0")
+	c.AddHeader("Date", time.Now().Format(time.RFC1123Z))
+
+	// to create a message-id, we need the FQDN of the sending server, but that may be a docker hostname or localhost
+	// so we use the domain of the from address instead (the same as Thunderbird does)
+	// if the address does not have an @ (which would be unusual), we use hostname
+
+	from_address := dbConfig.SmtpFrom.Value
+	domain := ""
+	if strings.Contains(from_address, "@") {
+		domain = strings.Split(from_address, "@")[1]
+	} else {
+		hostname, err := os.Hostname()
+		if err != nil {
+			// can that happen? we just give up
+			return fmt.Errorf("failed to get own hostname: %w", err)
+		} else {
+			domain = hostname
+		}
+	}
+	c.AddHeader("Message-ID", "<"+uuid.New().String()+"@"+domain+">")
+
 	c.Body(body)

-	// Set up the authentication information.
-	auth := smtp.PlainAuth("",
-		srv.appConfigService.DbConfig.SmtpUser.Value,
-		srv.appConfigService.DbConfig.SmtpPassword.Value,
-		srv.appConfigService.DbConfig.SmtpHost.Value,
-	)
+	// Check if the context is still valid before attemtping to connect
+	// We need to do this because the smtp library doesn't have context support
+	select {
+	case <-ctx.Done():
+		return ctx.Err()
+	default:
+		// All good
+	}
+
+	// Connect to the SMTP server
+	client, err := srv.getSmtpClient()
+	if err != nil {
+		return fmt.Errorf("failed to connect to SMTP server: %w", err)
+	}
+	defer client.Close()
+
+	// Check if the context is still valid before sending the email
+	select {
+	case <-ctx.Done():
+		return ctx.Err()
+	default:
+		// All good
+	}

 	// Send the email
-	err = smtp.SendMail(
-		srv.appConfigService.DbConfig.SmtpHost.Value+":"+srv.appConfigService.DbConfig.SmtpPort.Value,
-		auth,
-		srv.appConfigService.DbConfig.SmtpFrom.Value,
-		[]string{toEmail.Email},
-		[]byte(c.String()),
-	)
+	if err := srv.sendEmailContent(client, toEmail, c); err != nil {
+		return fmt.Errorf("send email content: %w", err)
+	}

+	return nil
+}
+
+func (srv *EmailService) getSmtpClient() (client *smtp.Client, err error) {
+	dbConfig := srv.appConfigService.GetDbConfig()
+
+	port := dbConfig.SmtpPort.Value
+	smtpAddress := dbConfig.SmtpHost.Value + ":" + port
+
+	tlsConfig := &tls.Config{
+		InsecureSkipVerify: dbConfig.SmtpSkipCertVerify.IsTrue(), //nolint:gosec
+		ServerName:         dbConfig.SmtpHost.Value,
+	}
+
+	// Connect to the SMTP server based on TLS setting
+	switch dbConfig.SmtpTls.Value {
+	case "none":
+		client, err = smtp.Dial(smtpAddress)
+	case "tls":
+		client, err = smtp.DialTLS(smtpAddress, tlsConfig)
+	case "starttls":
+		client, err = smtp.DialStartTLS(
+			smtpAddress,
+			tlsConfig,
+		)
+	default:
+		return nil, fmt.Errorf("invalid SMTP TLS setting: %s", dbConfig.SmtpTls.Value)
+	}
 	if err != nil {
-		return fmt.Errorf("failed to send email: %w", err)
+		return nil, fmt.Errorf("failed to connect to SMTP server: %w", err)
+	}
+
+	client.CommandTimeout = 10 * time.Second
+
+	// Send the HELO command
+	if err := srv.sendHelloCommand(client); err != nil {
+		return nil, fmt.Errorf("failed to send HELO command: %w", err)
+	}
+
+	// Set up the authentication if user or password are set
+	smtpUser := dbConfig.SmtpUser.Value
+	smtpPassword := dbConfig.SmtpPassword.Value
+
+	if smtpUser != "" || smtpPassword != "" {
+		// Authenticate with plain auth
+		auth := sasl.NewPlainClient("", smtpUser, smtpPassword)
+		if err := client.Auth(auth); err != nil {
+			// If the server does not support plain auth, try login auth
+			var smtpErr *smtp.SMTPError
+			ok := errors.As(err, &smtpErr)
+			if ok && smtpErr.Code == smtp.ErrAuthUnknownMechanism.Code {
+				auth = sasl.NewLoginClient(smtpUser, smtpPassword)
+				err = client.Auth(auth)
+			}
+			// Both plain and login auth failed
+			if err != nil {
+				return nil, fmt.Errorf("failed to authenticate: %w", err)
+			}
+
+		}
+	}
+
+	return client, err
+}
+
+func (srv *EmailService) sendHelloCommand(client *smtp.Client) error {
+	hostname, err := os.Hostname()
+	if err == nil {
+		if err := client.Hello(hostname); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (srv *EmailService) sendEmailContent(client *smtp.Client, toEmail email.Address, c *email.Composer) error {
+	// Set the sender
+	if err := client.Mail(srv.appConfigService.GetDbConfig().SmtpFrom.Value, nil); err != nil {
+		return fmt.Errorf("failed to set sender: %w", err)
+	}
+
+	// Set the recipient
+	if err := client.Rcpt(toEmail.Email, nil); err != nil {
+		return fmt.Errorf("failed to set recipient: %w", err)
+	}
+
+	// Get a writer to write the email data
+	w, err := client.Data()
+	if err != nil {
+		return fmt.Errorf("failed to start data: %w", err)
+	}
+
+	// Write the email content
+	_, err = io.Copy(w, strings.NewReader(c.String()))
+	if err != nil {
+		return fmt.Errorf("failed to write email data: %w", err)
+	}
+
+	// Close the writer
+	if err := w.Close(); err != nil {
+		return fmt.Errorf("failed to close data writer: %w", err)
 	}

 	return nil
--- a/backend/internal/service/email_service_templates.go
+++ b/backend/internal/service/email_service_templates.go
@@ -2,14 +2,15 @@ package service

 import (
 	"fmt"
-	"github.com/stonith404/pocket-id/backend/internal/utils/email"
 	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/utils/email"
 )

 /**
 How to add new template:
 - pick unique and descriptive template ${name} (for example "login-with-new-device")
- in backend/email-templates/ create "${name}_html.tmpl" and "${name}_text.tmpl"
+- in backend/resources/email-templates/ create "${name}_html.tmpl" and "${name}_text.tmpl"
 - create xxxxTemplate and xxxxTemplateData (for example NewLoginTemplate and NewLoginTemplateData)
  - Path *must* be ${name}
 - add xxxTemplate.Path to "emailTemplatePaths" at the end
@@ -27,6 +28,20 @@ var NewLoginTemplate = email.Template[NewLoginTemplateData]{
 	},
 }

+var OneTimeAccessTemplate = email.Template[OneTimeAccessTemplateData]{
+	Path: "one-time-access",
+	Title: func(data *email.TemplateData[OneTimeAccessTemplateData]) string {
+		return "Login Code"
+	},
+}
+
+var TestTemplate = email.Template[struct{}]{
+	Path: "test",
+	Title: func(data *email.TemplateData[struct{}]) string {
+		return "Test email"
+	},
+}
+
 type NewLoginTemplateData struct {
 	IPAddress string
 	Country   string
@@ -35,5 +50,11 @@ type NewLoginTemplateData struct {
 	DateTime  time.Time
 }

+type OneTimeAccessTemplateData = struct {
+	Code              string
+	LoginLink         string
+	LoginLinkWithCode string
+}
+
 // this is list of all template paths used for preloading templates
-var emailTemplatesPaths = []string{NewLoginTemplate.Path}
+var emailTemplatesPaths = []string{NewLoginTemplate.Path, OneTimeAccessTemplate.Path, TestTemplate.Path}
--- a/backend/internal/service/geolite_service.go
+++ b/backend/internal/service/geolite_service.go
@@ -0,0 +1,239 @@
+package service
+
+import (
+	"archive/tar"
+	"compress/gzip"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"net"
+	"net/http"
+	"net/netip"
+	"os"
+	"path/filepath"
+	"sync"
+	"time"
+
+	"github.com/oschwald/maxminddb-golang/v2"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+)
+
+type GeoLiteService struct {
+	disableUpdater bool
+	mutex          sync.Mutex
+}
+
+var localhostIPNets = []*net.IPNet{
+	{IP: net.IPv4(127, 0, 0, 0), Mask: net.CIDRMask(8, 32)}, // 127.0.0.0/8
+	{IP: net.IPv6loopback, Mask: net.CIDRMask(128, 128)},    // ::1/128
+}
+
+var privateLanIPNets = []*net.IPNet{
+	{IP: net.IPv4(10, 0, 0, 0), Mask: net.CIDRMask(8, 32)},     // 10.0.0.0/8
+	{IP: net.IPv4(172, 16, 0, 0), Mask: net.CIDRMask(12, 32)},  // 172.16.0.0/12
+	{IP: net.IPv4(192, 168, 0, 0), Mask: net.CIDRMask(16, 32)}, // 192.168.0.0/16
+}
+
+var tailscaleIPNets = []*net.IPNet{
+	{IP: net.IPv4(100, 64, 0, 0), Mask: net.CIDRMask(10, 32)}, // 100.64.0.0/10
+}
+
+// NewGeoLiteService initializes a new GeoLiteService instance and starts a goroutine to update the GeoLite2 City database.
+func NewGeoLiteService(ctx context.Context) *GeoLiteService {
+	service := &GeoLiteService{}
+
+	if common.EnvConfig.MaxMindLicenseKey == "" && common.EnvConfig.GeoLiteDBUrl == common.MaxMindGeoLiteCityUrl {
+		// Warn the user, and disable the updater.
+		log.Println("MAXMIND_LICENSE_KEY environment variable is empty. The GeoLite2 City database won't be updated.")
+		service.disableUpdater = true
+	}
+
+	go func() {
+		err := service.updateDatabase(ctx)
+		if err != nil {
+			log.Printf("Failed to update GeoLite2 City database: %v", err)
+		}
+	}()
+
+	return service
+}
+
+// GetLocationByIP returns the country and city of the given IP address.
+func (s *GeoLiteService) GetLocationByIP(ipAddress string) (country, city string, err error) {
+	// Check the IP address against known private IP ranges
+	if ip := net.ParseIP(ipAddress); ip != nil {
+		for _, ipNet := range tailscaleIPNets {
+			if ipNet.Contains(ip) {
+				return "Internal Network", "Tailscale", nil
+			}
+		}
+		for _, ipNet := range privateLanIPNets {
+			if ipNet.Contains(ip) {
+				return "Internal Network", "LAN/Docker/k8s", nil
+			}
+		}
+		for _, ipNet := range localhostIPNets {
+			if ipNet.Contains(ip) {
+				return "Internal Network", "localhost", nil
+			}
+		}
+	}
+
+	// Race condition between reading and writing the database.
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	db, err := maxminddb.Open(common.EnvConfig.GeoLiteDBPath)
+	if err != nil {
+		return "", "", err
+	}
+	defer db.Close()
+
+	addr := netip.MustParseAddr(ipAddress)
+
+	var record struct {
+		City struct {
+			Names map[string]string `maxminddb:"names"`
+		} `maxminddb:"city"`
+		Country struct {
+			Names map[string]string `maxminddb:"names"`
+		} `maxminddb:"country"`
+	}
+
+	err = db.Lookup(addr).Decode(&record)
+	if err != nil {
+		return "", "", err
+	}
+
+	return record.Country.Names["en"], record.City.Names["en"], nil
+}
+
+// UpdateDatabase checks the age of the database and updates it if it's older than 14 days.
+func (s *GeoLiteService) updateDatabase(parentCtx context.Context) error {
+	if s.disableUpdater {
+		// Avoid updating the GeoLite2 City database.
+		return nil
+	}
+
+	if s.isDatabaseUpToDate() {
+		log.Println("GeoLite2 City database is up-to-date.")
+		return nil
+	}
+
+	log.Println("Updating GeoLite2 City database...")
+	downloadUrl := fmt.Sprintf(common.EnvConfig.GeoLiteDBUrl, common.EnvConfig.MaxMindLicenseKey)
+
+	ctx, cancel := context.WithTimeout(parentCtx, 10*time.Minute)
+	defer cancel()
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, downloadUrl, nil)
+	if err != nil {
+		return fmt.Errorf("failed to create request: %w", err)
+	}
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("failed to download database: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("failed to download database, received HTTP %d", resp.StatusCode)
+	}
+
+	// Extract the database file directly to the target path
+	if err := s.extractDatabase(resp.Body); err != nil {
+		return fmt.Errorf("failed to extract database: %w", err)
+	}
+
+	log.Println("GeoLite2 City database successfully updated.")
+	return nil
+}
+
+// isDatabaseUpToDate checks if the database file is older than 14 days.
+func (s *GeoLiteService) isDatabaseUpToDate() bool {
+	info, err := os.Stat(common.EnvConfig.GeoLiteDBPath)
+	if err != nil {
+		// If the file doesn't exist, treat it as not up-to-date
+		return false
+	}
+	return time.Since(info.ModTime()) < 14*24*time.Hour
+}
+
+// extractDatabase extracts the database file from the tar.gz archive directly to the target location.
+func (s *GeoLiteService) extractDatabase(reader io.Reader) error {
+	gzr, err := gzip.NewReader(reader)
+	if err != nil {
+		return fmt.Errorf("failed to create gzip reader: %w", err)
+	}
+	defer gzr.Close()
+
+	tarReader := tar.NewReader(gzr)
+
+	var totalSize int64
+	const maxTotalSize = 300 * 1024 * 1024 // 300 MB limit for total decompressed size
+
+	// Iterate over the files in the tar archive
+	for {
+		header, err := tarReader.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return fmt.Errorf("failed to read tar archive: %w", err)
+		}
+
+		// Check if the file is the GeoLite2-City.mmdb file
+		if header.Typeflag == tar.TypeReg && filepath.Base(header.Name) == "GeoLite2-City.mmdb" {
+			totalSize += header.Size
+			if totalSize > maxTotalSize {
+				return errors.New("total decompressed size exceeds maximum allowed limit")
+			}
+
+			// extract to a temporary file to avoid having a corrupted db in case of write failure.
+			baseDir := filepath.Dir(common.EnvConfig.GeoLiteDBPath)
+			tmpFile, err := os.CreateTemp(baseDir, "geolite.*.mmdb.tmp")
+			if err != nil {
+				return fmt.Errorf("failed to create temporary database file: %w", err)
+			}
+			tempName := tmpFile.Name()
+
+			// Write the file contents directly to the target location
+			if _, err := io.Copy(tmpFile, tarReader); err != nil { //nolint:gosec
+				// if fails to write, then cleanup and throw an error
+				tmpFile.Close()
+				os.Remove(tempName)
+				return fmt.Errorf("failed to write database file: %w", err)
+			}
+			tmpFile.Close()
+
+			// ensure the database is not corrupted
+			db, err := maxminddb.Open(tempName)
+			if err != nil {
+				// if fails to write, then cleanup and throw an error
+				os.Remove(tempName)
+				return fmt.Errorf("failed to open downloaded database file: %w", err)
+			}
+			db.Close()
+
+			// ensure we lock the structure before we overwrite the database
+			// to prevent race conditions between reading and writing the mmdb.
+			s.mutex.Lock()
+			// replace the old file with the new file
+			err = os.Rename(tempName, common.EnvConfig.GeoLiteDBPath)
+			s.mutex.Unlock()
+
+			if err != nil {
+				// if cannot overwrite via rename, then cleanup and throw an error
+				os.Remove(tempName)
+				return fmt.Errorf("failed to replace database file: %w", err)
+			}
+			return nil
+		}
+	}
+
+	return errors.New("GeoLite2-City.mmdb not found in archive")
+}
--- a/backend/internal/service/jwt_service.go
+++ b/backend/internal/service/jwt_service.go
@@ -1,312 +1,551 @@
 package service

 import (
+	"context"
 	"crypto/rand"
 	"crypto/rsa"
-	"crypto/sha256"
-	"crypto/x509"
 	"encoding/base64"
-	"encoding/pem"
+	"encoding/json"
 	"errors"
 	"fmt"
-	"github.com/golang-jwt/jwt/v5"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"io"
 	"log"
-	"math/big"
 	"os"
 	"path/filepath"
-	"slices"
-	"strconv"
 	"time"
+
+	"github.com/lestrrat-go/jwx/v3/jwa"
+	"github.com/lestrrat-go/jwx/v3/jwk"
+	"github.com/lestrrat-go/jwx/v3/jwt"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )

 const (
-	privateKeyPath = "data/keys/jwt_private_key.pem"
-	publicKeyPath  = "data/keys/jwt_public_key.pem"
+	// PrivateKeyFile is the path in the data/keys folder where the key is stored
+	// This is a JSON file containing a key encoded as JWK
+	PrivateKeyFile = "jwt_private_key.json"
+
+	// RsaKeySize is the size, in bits, of the RSA key to generate if none is found
+	RsaKeySize = 2048
+
+	// KeyUsageSigning is the usage for the private keys, for the "use" property
+	KeyUsageSigning = "sig"
+
+	// IsAdminClaim is a boolean claim used in access tokens for admin users
+	// This may be omitted on non-admin tokens
+	IsAdminClaim = "isAdmin"
+
+	// TokenTypeClaim is the claim used to identify the type of token
+	TokenTypeClaim = "type"
+
+	// OAuthAccessTokenJWTType identifies a JWT as an OAuth access token
+	OAuthAccessTokenJWTType = "oauth-access-token" //nolint:gosec
+
+	// AccessTokenJWTType identifies a JWT as an access token used by Pocket ID
+	AccessTokenJWTType = "access-token"
+
+	// IDTokenJWTType identifies a JWT as an ID token used by Pocket ID
+	IDTokenJWTType = "id-token"
+
+	// Acceptable clock skew for verifying tokens
+	clockSkew = time.Minute
 )

 type JwtService struct {
-	publicKey        *rsa.PublicKey
-	privateKey       *rsa.PrivateKey
+	privateKey       jwk.Key
+	keyId            string
 	appConfigService *AppConfigService
+	jwksEncoded      []byte
 }

 func NewJwtService(appConfigService *AppConfigService) *JwtService {
-	service := &JwtService{
-		appConfigService: appConfigService,
-	}
+	service := &JwtService{}

 	// Ensure keys are generated or loaded
-	if err := service.loadOrGenerateKeys(); err != nil {
+	if err := service.init(appConfigService, common.EnvConfig.KeysPath); err != nil {
 		log.Fatalf("Failed to initialize jwt service: %v", err)
 	}

 	return service
 }

-type AccessTokenJWTClaims struct {
-	jwt.RegisteredClaims
-	IsAdmin bool `json:"isAdmin,omitempty"`
+func (s *JwtService) init(appConfigService *AppConfigService, keysPath string) error {
+	s.appConfigService = appConfigService
+
+	// Ensure keys are generated or loaded
+	return s.loadOrGenerateKey(keysPath)
 }

-type JWK struct {
-	Kid string `json:"kid"`
-	Kty string `json:"kty"`
-	Use string `json:"use"`
-	Alg string `json:"alg"`
-	N   string `json:"n"`
-	E   string `json:"e"`
-}
+// loadOrGenerateKey loads the private key from the given path or generates it if not existing.
+func (s *JwtService) loadOrGenerateKey(keysPath string) error {
+	var key jwk.Key

-// loadOrGenerateKeys loads RSA keys from the given paths or generates them if they do not exist.
-func (s *JwtService) loadOrGenerateKeys() error {
-	if _, err := os.Stat(privateKeyPath); os.IsNotExist(err) {
-		if err := s.generateKeys(); err != nil {
-			return err
+	// First, check if we have a JWK file
+	// If we do, then we just load that
+	jwkPath := filepath.Join(keysPath, PrivateKeyFile)
+	ok, err := utils.FileExists(jwkPath)
+	if err != nil {
+		return fmt.Errorf("failed to check if private key file (JWK) exists at path '%s': %w", jwkPath, err)
+	}
+	if ok {
+		key, err = s.loadKeyJWK(jwkPath)
+		if err != nil {
+			return fmt.Errorf("failed to load private key file (JWK) at path '%s': %w", jwkPath, err)
 		}
+
+		// Set the key, and we are done
+		err = s.SetKey(key)
+		if err != nil {
+			return fmt.Errorf("failed to set private key: %w", err)
+		}
+
+		return nil
 	}

-	privateKeyBytes, err := os.ReadFile(privateKeyPath)
+	// If we are here, we need to generate a new key
+	key, err = s.generateNewRSAKey()
 	if err != nil {
-		return errors.New("can't read jwt private key: " + err.Error())
-	}
-	s.privateKey, err = jwt.ParseRSAPrivateKeyFromPEM(privateKeyBytes)
-	if err != nil {
-		return errors.New("can't parse jwt private key: " + err.Error())
+		return fmt.Errorf("failed to generate new private key: %w", err)
 	}

-	publicKeyBytes, err := os.ReadFile(publicKeyPath)
+	// Set the key in the object, which also validates it
+	err = s.SetKey(key)
 	if err != nil {
-		return errors.New("can't read jwt public key: " + err.Error())
+		return fmt.Errorf("failed to set private key: %w", err)
 	}
-	s.publicKey, err = jwt.ParseRSAPublicKeyFromPEM(publicKeyBytes)
+
+	// Save the key as JWK
+	err = SaveKeyJWK(s.privateKey, jwkPath)
 	if err != nil {
-		return errors.New("can't parse jwt public key: " + err.Error())
+		return fmt.Errorf("failed to save private key file at path '%s': %w", jwkPath, err)
+	}
+
+	return nil
+}
+
+func ValidateKey(privateKey jwk.Key) error {
+	// Validate the loaded key
+	err := privateKey.Validate()
+	if err != nil {
+		return fmt.Errorf("key object is invalid: %w", err)
+	}
+	keyID, ok := privateKey.KeyID()
+	if !ok || keyID == "" {
+		return errors.New("key object does not contain a key ID")
+	}
+	usage, ok := privateKey.KeyUsage()
+	if !ok || usage != KeyUsageSigning {
+		return errors.New("key object is not valid for signing")
+	}
+	ok, err = jwk.IsPrivateKey(privateKey)
+	if err != nil || !ok {
+		return errors.New("key object is not a private key")
+	}
+
+	return nil
+}
+
+func (s *JwtService) SetKey(privateKey jwk.Key) error {
+	// Validate the loaded key
+	err := ValidateKey(privateKey)
+	if err != nil {
+		return fmt.Errorf("private key is not valid: %w", err)
+	}
+
+	// Set the private key and key id in the object
+	s.privateKey = privateKey
+
+	keyId, ok := privateKey.KeyID()
+	if !ok {
+		return errors.New("key object does not contain a key ID")
+	}
+	s.keyId = keyId
+
+	// Create and encode a JWKS containing the public key
+	publicKey, err := s.GetPublicJWK()
+	if err != nil {
+		return fmt.Errorf("failed to get public JWK: %w", err)
+	}
+	jwks := jwk.NewSet()
+	err = jwks.AddKey(publicKey)
+	if err != nil {
+		return fmt.Errorf("failed to add public key to JWKS: %w", err)
+	}
+	s.jwksEncoded, err = json.Marshal(jwks)
+	if err != nil {
+		return fmt.Errorf("failed to encode JWKS to JSON: %w", err)
 	}

 	return nil
 }

 func (s *JwtService) GenerateAccessToken(user model.User) (string, error) {
-	sessionDurationInMinutes, _ := strconv.Atoi(s.appConfigService.DbConfig.SessionDuration.Value)
-	claim := AccessTokenJWTClaims{
-		RegisteredClaims: jwt.RegisteredClaims{
-			Subject:   user.ID,
-			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Duration(sessionDurationInMinutes) * time.Minute)),
-			IssuedAt:  jwt.NewNumericDate(time.Now()),
-			Audience:  jwt.ClaimStrings{utils.GetHostFromURL(common.EnvConfig.AppURL)},
-		},
-		IsAdmin: user.IsAdmin,
-	}
-
-	kid, err := s.generateKeyID(s.publicKey)
+	now := time.Now()
+	token, err := jwt.NewBuilder().
+		Subject(user.ID).
+		Expiration(now.Add(s.appConfigService.GetDbConfig().SessionDuration.AsDurationMinutes())).
+		IssuedAt(now).
+		Issuer(common.EnvConfig.AppURL).
+		Build()
 	if err != nil {
-		return "", errors.New("failed to generate key ID: " + err.Error())
+		return "", fmt.Errorf("failed to build token: %w", err)
 	}

-	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claim)
-	token.Header["kid"] = kid
+	err = SetAudienceString(token, common.EnvConfig.AppURL)
+	if err != nil {
+		return "", fmt.Errorf("failed to set 'aud' claim in token: %w", err)
+	}

-	return token.SignedString(s.privateKey)
+	err = SetTokenType(token, AccessTokenJWTType)
+	if err != nil {
+		return "", fmt.Errorf("failed to set 'type' claim in token: %w", err)
+	}
+
+	err = SetIsAdmin(token, user.IsAdmin)
+	if err != nil {
+		return "", fmt.Errorf("failed to set 'isAdmin' claim in token: %w", err)
+	}
+
+	alg, _ := s.privateKey.Algorithm()
+	signed, err := jwt.Sign(token, jwt.WithKey(alg, s.privateKey))
+	if err != nil {
+		return "", fmt.Errorf("failed to sign token: %w", err)
+	}
+
+	return string(signed), nil
 }

-func (s *JwtService) VerifyAccessToken(tokenString string) (*AccessTokenJWTClaims, error) {
-	token, err := jwt.ParseWithClaims(tokenString, &AccessTokenJWTClaims{}, func(token *jwt.Token) (interface{}, error) {
-		return s.publicKey, nil
-	})
-	if err != nil || !token.Valid {
-		return nil, errors.New("couldn't handle this token")
+func (s *JwtService) VerifyAccessToken(tokenString string) (jwt.Token, error) {
+	alg, _ := s.privateKey.Algorithm()
+	token, err := jwt.ParseString(
+		tokenString,
+		jwt.WithValidate(true),
+		jwt.WithKey(alg, s.privateKey),
+		jwt.WithAcceptableSkew(clockSkew),
+		jwt.WithAudience(common.EnvConfig.AppURL),
+		jwt.WithIssuer(common.EnvConfig.AppURL),
+		jwt.WithValidator(TokenTypeValidator(AccessTokenJWTType)),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse token: %w", err)
 	}

-	claims, isValid := token.Claims.(*AccessTokenJWTClaims)
-	if !isValid {
-		return nil, errors.New("can't parse claims")
-	}
-
-	if !slices.Contains(claims.Audience, utils.GetHostFromURL(common.EnvConfig.AppURL)) {
-		return nil, errors.New("audience doesn't match")
-	}
-	return claims, nil
+	return token, nil
 }

-func (s *JwtService) GenerateIDToken(userClaims map[string]interface{}, clientID string, nonce string) (string, error) {
-	claims := jwt.MapClaims{
-		"aud": clientID,
-		"exp": jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),
-		"iat": jwt.NewNumericDate(time.Now()),
-		"iss": common.EnvConfig.AppURL,
+func (s *JwtService) GenerateIDToken(userClaims map[string]any, clientID string, nonce string) (string, error) {
+	now := time.Now()
+	token, err := jwt.NewBuilder().
+		Expiration(now.Add(1 * time.Hour)).
+		IssuedAt(now).
+		Issuer(common.EnvConfig.AppURL).
+		Build()
+	if err != nil {
+		return "", fmt.Errorf("failed to build token: %w", err)
+	}
+
+	err = SetAudienceString(token, clientID)
+	if err != nil {
+		return "", fmt.Errorf("failed to set 'aud' claim in token: %w", err)
+	}
+
+	err = SetTokenType(token, IDTokenJWTType)
+	if err != nil {
+		return "", fmt.Errorf("failed to set 'type' claim in token: %w", err)
 	}

 	for k, v := range userClaims {
-		claims[k] = v
-	}
-
-	if nonce != "" {
-		claims["nonce"] = nonce
-	}
-
-	kid, err := s.generateKeyID(s.publicKey)
-	if err != nil {
-		return "", errors.New("failed to generate key ID: " + err.Error())
-	}
-
-	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
-	token.Header["kid"] = kid
-
-	return token.SignedString(s.privateKey)
-}
-
-func (s *JwtService) GenerateOauthAccessToken(user model.User, clientID string) (string, error) {
-	claim := jwt.RegisteredClaims{
-		Subject:   user.ID,
-		ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),
-		IssuedAt:  jwt.NewNumericDate(time.Now()),
-		Audience:  jwt.ClaimStrings{clientID},
-		Issuer:    common.EnvConfig.AppURL,
-	}
-
-	kid, err := s.generateKeyID(s.publicKey)
-	if err != nil {
-		return "", errors.New("failed to generate key ID: " + err.Error())
-	}
-
-	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claim)
-	token.Header["kid"] = kid
-
-	return token.SignedString(s.privateKey)
-}
-
-func (s *JwtService) VerifyOauthAccessToken(tokenString string) (*jwt.RegisteredClaims, error) {
-	token, err := jwt.ParseWithClaims(tokenString, &jwt.RegisteredClaims{}, func(token *jwt.Token) (interface{}, error) {
-		return s.publicKey, nil
-	})
-	if err != nil || !token.Valid {
-		return nil, errors.New("couldn't handle this token")
-	}
-
-	claims, isValid := token.Claims.(*jwt.RegisteredClaims)
-	if !isValid {
-		return nil, errors.New("can't parse claims")
-	}
-
-	return claims, nil
-}
-
-// GetJWK returns the JSON Web Key (JWK) for the public key.
-func (s *JwtService) GetJWK() (JWK, error) {
-	if s.publicKey == nil {
-		return JWK{}, errors.New("public key is not initialized")
-	}
-
-	kid, err := s.generateKeyID(s.publicKey)
-	if err != nil {
-		return JWK{}, err
-	}
-
-	jwk := JWK{
-		Kid: kid,
-		Kty: "RSA",
-		Use: "sig",
-		Alg: "RS256",
-		N:   base64.RawURLEncoding.EncodeToString(s.publicKey.N.Bytes()),
-		E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(s.publicKey.E)).Bytes()),
-	}
-
-	return jwk, nil
-}
-
-// GenerateKeyID generates a Key ID for the public key using the first 8 bytes of the SHA-256 hash of the public key.
-func (s *JwtService) generateKeyID(publicKey *rsa.PublicKey) (string, error) {
-	pubASN1, err := x509.MarshalPKIXPublicKey(publicKey)
-	if err != nil {
-		return "", errors.New("failed to marshal public key: " + err.Error())
-	}
-
-	// Compute SHA-256 hash of the public key
-	hash := sha256.New()
-	hash.Write(pubASN1)
-	hashed := hash.Sum(nil)
-
-	// Truncate the hash to the first 8 bytes for a shorter Key ID
-	shortHash := hashed[:8]
-
-	// Return Base64 encoded truncated hash as Key ID
-	return base64.RawURLEncoding.EncodeToString(shortHash), nil
-}
-
-// generateKeys generates a new RSA key pair and saves them to the specified paths.
-func (s *JwtService) generateKeys() error {
-	if err := os.MkdirAll(filepath.Dir(privateKeyPath), 0700); err != nil {
-		return errors.New("failed to create directories for keys: " + err.Error())
-	}
-
-	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
-	if err != nil {
-		return errors.New("failed to generate private key: " + err.Error())
-	}
-	s.privateKey = privateKey
-
-	if err := s.savePEMKey(privateKeyPath, x509.MarshalPKCS1PrivateKey(privateKey), "RSA PRIVATE KEY"); err != nil {
-		return err
-	}
-
-	publicKey := &privateKey.PublicKey
-	s.publicKey = publicKey
-
-	if err := s.savePEMKey(publicKeyPath, x509.MarshalPKCS1PublicKey(publicKey), "RSA PUBLIC KEY"); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// savePEMKey saves a PEM encoded key to a file.
-func (s *JwtService) savePEMKey(path string, keyBytes []byte, keyType string) error {
-	keyFile, err := os.Create(path)
-	if err != nil {
-		return errors.New("failed to create key file: " + err.Error())
-	}
-	defer keyFile.Close()
-
-	keyPEM := pem.EncodeToMemory(&pem.Block{
-		Type:  keyType,
-		Bytes: keyBytes,
-	})
-
-	if _, err := keyFile.Write(keyPEM); err != nil {
-		return errors.New("failed to write key file: " + err.Error())
-	}
-
-	return nil
-}
-
-// loadKeys loads RSA keys from the given paths.
-func (s *JwtService) loadKeys() error {
-	if _, err := os.Stat(privateKeyPath); os.IsNotExist(err) {
-		if err := s.generateKeys(); err != nil {
-			return err
+		err = token.Set(k, v)
+		if err != nil {
+			return "", fmt.Errorf("failed to set claim '%s': %w", k, err)
 		}
 	}

-	privateKeyBytes, err := os.ReadFile(privateKeyPath)
-	if err != nil {
-		return fmt.Errorf("can't read jwt private key: %w", err)
-	}
-	s.privateKey, err = jwt.ParseRSAPrivateKeyFromPEM(privateKeyBytes)
-	if err != nil {
-		return fmt.Errorf("can't parse jwt private key: %w", err)
+	if nonce != "" {
+		err = token.Set("nonce", nonce)
+		if err != nil {
+			return "", fmt.Errorf("failed to set claim 'nonce': %w", err)
+		}
 	}

-	publicKeyBytes, err := os.ReadFile(publicKeyPath)
+	alg, _ := s.privateKey.Algorithm()
+	signed, err := jwt.Sign(token, jwt.WithKey(alg, s.privateKey))
 	if err != nil {
-		return fmt.Errorf("can't read jwt public key: %w", err)
+		return "", fmt.Errorf("failed to sign token: %w", err)
 	}
-	s.publicKey, err = jwt.ParseRSAPublicKeyFromPEM(publicKeyBytes)
+
+	return string(signed), nil
+}
+
+func (s *JwtService) VerifyIdToken(tokenString string, acceptExpiredTokens bool) (jwt.Token, error) {
+	alg, _ := s.privateKey.Algorithm()
+
+	opts := make([]jwt.ParseOption, 0)
+
+	// These options are always present
+	opts = append(opts,
+		jwt.WithValidate(true),
+		jwt.WithKey(alg, s.privateKey),
+		jwt.WithAcceptableSkew(clockSkew),
+		jwt.WithIssuer(common.EnvConfig.AppURL),
+		jwt.WithValidator(TokenTypeValidator(IDTokenJWTType)),
+	)
+
+	// By default, jwt.Parse includes 3 default validators for "nbf", "iat", and "exp"
+	// In case we want to accept expired tokens (during logout), we need to set the validators explicitly without validating "exp"
+	if acceptExpiredTokens {
+		// This is equivalent to the default validators except it doesn't validate "exp"
+		opts = append(opts,
+			jwt.WithResetValidators(true),
+			jwt.WithValidator(jwt.IsIssuedAtValid()),
+			jwt.WithValidator(jwt.IsNbfValid()),
+		)
+	}
+
+	token, err := jwt.ParseString(tokenString, opts...)
 	if err != nil {
-		return fmt.Errorf("can't parse jwt public key: %w", err)
+		return nil, fmt.Errorf("failed to parse token: %w", err)
+	}
+
+	return token, nil
+}
+
+func (s *JwtService) GenerateOauthAccessToken(user model.User, clientID string) (string, error) {
+	now := time.Now()
+	token, err := jwt.NewBuilder().
+		Subject(user.ID).
+		Expiration(now.Add(1 * time.Hour)).
+		IssuedAt(now).
+		Issuer(common.EnvConfig.AppURL).
+		Build()
+	if err != nil {
+		return "", fmt.Errorf("failed to build token: %w", err)
+	}
+
+	err = SetAudienceString(token, clientID)
+	if err != nil {
+		return "", fmt.Errorf("failed to set 'aud' claim in token: %w", err)
+	}
+
+	err = SetTokenType(token, OAuthAccessTokenJWTType)
+	if err != nil {
+		return "", fmt.Errorf("failed to set 'type' claim in token: %w", err)
+	}
+
+	alg, _ := s.privateKey.Algorithm()
+	signed, err := jwt.Sign(token, jwt.WithKey(alg, s.privateKey))
+	if err != nil {
+		return "", fmt.Errorf("failed to sign token: %w", err)
+	}
+
+	return string(signed), nil
+}
+
+func (s *JwtService) VerifyOauthAccessToken(tokenString string) (jwt.Token, error) {
+	alg, _ := s.privateKey.Algorithm()
+	token, err := jwt.ParseString(
+		tokenString,
+		jwt.WithValidate(true),
+		jwt.WithKey(alg, s.privateKey),
+		jwt.WithAcceptableSkew(clockSkew),
+		jwt.WithIssuer(common.EnvConfig.AppURL),
+		jwt.WithValidator(TokenTypeValidator(OAuthAccessTokenJWTType)),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse token: %w", err)
+	}
+
+	return token, nil
+}
+
+// GetPublicJWK returns the JSON Web Key (JWK) for the public key.
+func (s *JwtService) GetPublicJWK() (jwk.Key, error) {
+	if s.privateKey == nil {
+		return nil, errors.New("key is not initialized")
+	}
+
+	pubKey, err := s.privateKey.PublicKey()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get public key: %w", err)
+	}
+
+	EnsureAlgInKey(pubKey)
+
+	return pubKey, nil
+}
+
+// GetPublicJWKSAsJSON returns the JSON Web Key Set (JWKS) for the public key, encoded as JSON.
+// The value is cached since the key is static.
+func (s *JwtService) GetPublicJWKSAsJSON() ([]byte, error) {
+	if len(s.jwksEncoded) == 0 {
+		return nil, errors.New("key is not initialized")
+	}
+
+	return s.jwksEncoded, nil
+}
+
+// GetKeyAlg returns the algorithm of the key
+func (s *JwtService) GetKeyAlg() (jwa.KeyAlgorithm, error) {
+	if len(s.jwksEncoded) == 0 {
+		return nil, errors.New("key is not initialized")
+	}
+
+	alg, ok := s.privateKey.Algorithm()
+	if !ok || alg == nil {
+		return nil, errors.New("failed to retrieve algorithm for key")
+	}
+
+	return alg, nil
+}
+
+func (s *JwtService) loadKeyJWK(path string) (jwk.Key, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read key data: %w", err)
+	}
+
+	key, err := jwk.ParseKey(data)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse key: %w", err)
+	}
+
+	return key, nil
+}
+
+// EnsureAlgInKey ensures that the key contains an "alg" parameter, set depending on the key type
+func EnsureAlgInKey(key jwk.Key) {
+	_, ok := key.Algorithm()
+	if ok {
+		// Algorithm is already set
+		return
+	}
+
+	switch key.KeyType() {
+	case jwa.RSA():
+		// Default to RS256 for RSA keys
+		_ = key.Set(jwk.AlgorithmKey, jwa.RS256())
+	case jwa.EC():
+		// Default to ES256 for ECDSA keys
+		_ = key.Set(jwk.AlgorithmKey, jwa.ES256())
+	case jwa.OKP():
+		// Default to EdDSA for OKP keys
+		_ = key.Set(jwk.AlgorithmKey, jwa.EdDSA())
+	}
+}
+
+func (s *JwtService) generateNewRSAKey() (jwk.Key, error) {
+	// We generate RSA keys only
+	rawKey, err := rsa.GenerateKey(rand.Reader, RsaKeySize)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate RSA private key: %w", err)
+	}
+
+	// Import the raw key
+	return importRawKey(rawKey)
+}
+
+func importRawKey(rawKey any) (jwk.Key, error) {
+	key, err := jwk.Import(rawKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to import generated private key: %w", err)
+	}
+
+	// Generate the key ID
+	kid, err := generateRandomKeyID()
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate key ID: %w", err)
+	}
+	_ = key.Set(jwk.KeyIDKey, kid)
+
+	// Set other required fields
+	_ = key.Set(jwk.KeyUsageKey, KeyUsageSigning)
+	EnsureAlgInKey(key)
+
+	return key, err
+}
+
+// SaveKeyJWK saves a JWK to a file
+func SaveKeyJWK(key jwk.Key, path string) error {
+	dir := filepath.Dir(path)
+	err := os.MkdirAll(dir, 0700)
+	if err != nil {
+		return fmt.Errorf("failed to create directory '%s' for key file: %w", dir, err)
+	}
+
+	keyFile, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return fmt.Errorf("failed to create key file: %w", err)
+	}
+	defer keyFile.Close()
+
+	// Write the JSON file to disk
+	enc := json.NewEncoder(keyFile)
+	enc.SetEscapeHTML(false)
+	err = enc.Encode(key)
+	if err != nil {
+		return fmt.Errorf("failed to write key file: %w", err)
 	}

 	return nil
 }
+
+// generateRandomKeyID generates a random key ID.
+func generateRandomKeyID() (string, error) {
+	buf := make([]byte, 8)
+	_, err := io.ReadFull(rand.Reader, buf)
+	if err != nil {
+		return "", fmt.Errorf("failed to read random bytes: %w", err)
+	}
+	return base64.RawURLEncoding.EncodeToString(buf), nil
+}
+
+// GetIsAdmin returns the value of the "isAdmin" claim in the token
+func GetIsAdmin(token jwt.Token) (bool, error) {
+	if !token.Has(IsAdminClaim) {
+		return false, nil
+	}
+	var isAdmin bool
+	err := token.Get(IsAdminClaim, &isAdmin)
+	return isAdmin, err
+}
+
+// SetTokenType sets the "type" claim in the token
+func SetTokenType(token jwt.Token, tokenType string) error {
+	if tokenType == "" {
+		return nil
+	}
+	return token.Set(TokenTypeClaim, tokenType)
+}
+
+// SetIsAdmin sets the "isAdmin" claim in the token
+func SetIsAdmin(token jwt.Token, isAdmin bool) error {
+	// Only set if true
+	if !isAdmin {
+		return nil
+	}
+	return token.Set(IsAdminClaim, isAdmin)
+}
+
+// SetAudienceString sets the "aud" claim with a value that is a string, and not an array
+// This is permitted by RFC 7519, and it's done here for backwards-compatibility
+func SetAudienceString(token jwt.Token, audience string) error {
+	return token.Set(jwt.AudienceKey, audience)
+}
+
+// TokenTypeValidator is a validator function that checks the "type" claim in the token
+func TokenTypeValidator(expectedTokenType string) jwt.ValidatorFunc {
+	return func(_ context.Context, t jwt.Token) error {
+		var tokenType string
+		err := t.Get(TokenTypeClaim, &tokenType)
+		if err != nil {
+			return fmt.Errorf("failed to get token type claim: %w", err)
+		}
+		if tokenType != expectedTokenType {
+			return fmt.Errorf("invalid token type: expected %s, got %s", expectedTokenType, tokenType)
+		}
+		return nil
+	}
+}
--- a/backend/internal/service/jwt_service_test.go
+++ b/backend/internal/service/jwt_service_test.go
--- a/backend/internal/service/ldap_service.go
+++ b/backend/internal/service/ldap_service.go
@@ -0,0 +1,417 @@
+package service
+
+import (
+	"bytes"
+	"context"
+	"crypto/tls"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"github.com/go-ldap/ldap/v3"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"gorm.io/gorm"
+)
+
+type LdapService struct {
+	db               *gorm.DB
+	appConfigService *AppConfigService
+	userService      *UserService
+	groupService     *UserGroupService
+}
+
+func NewLdapService(db *gorm.DB, appConfigService *AppConfigService, userService *UserService, groupService *UserGroupService) *LdapService {
+	return &LdapService{
+		db:               db,
+		appConfigService: appConfigService,
+		userService:      userService,
+		groupService:     groupService,
+	}
+}
+
+func (s *LdapService) createClient() (*ldap.Conn, error) {
+	dbConfig := s.appConfigService.GetDbConfig()
+
+	if !dbConfig.LdapEnabled.IsTrue() {
+		return nil, fmt.Errorf("LDAP is not enabled")
+	}
+
+	// Setup LDAP connection
+	client, err := ldap.DialURL(dbConfig.LdapUrl.Value, ldap.DialWithTLSConfig(&tls.Config{
+		InsecureSkipVerify: dbConfig.LdapSkipCertVerify.IsTrue(), //nolint:gosec
+	}))
+	if err != nil {
+		return nil, fmt.Errorf("failed to connect to LDAP: %w", err)
+	}
+
+	// Bind as service account
+	err = client.Bind(dbConfig.LdapBindDn.Value, dbConfig.LdapBindPassword.Value)
+	if err != nil {
+		return nil, fmt.Errorf("failed to bind to LDAP: %w", err)
+	}
+	return client, nil
+}
+
+func (s *LdapService) SyncAll(ctx context.Context) error {
+	// Start a transaction
+	tx := s.db.Begin()
+	defer func() {
+		tx.Rollback()
+	}()
+
+	// Setup LDAP connection
+	client, err := s.createClient()
+	if err != nil {
+		return fmt.Errorf("failed to create LDAP client: %w", err)
+	}
+	defer client.Close()
+
+	err = s.SyncUsers(ctx, tx, client)
+	if err != nil {
+		return fmt.Errorf("failed to sync users: %w", err)
+	}
+
+	err = s.SyncGroups(ctx, tx, client)
+	if err != nil {
+		return fmt.Errorf("failed to sync groups: %w", err)
+	}
+
+	// Commit the changes
+	err = tx.Commit().Error
+	if err != nil {
+		return fmt.Errorf("failed to commit changes to database: %w", err)
+	}
+
+	return nil
+}
+
+//nolint:gocognit
+func (s *LdapService) SyncGroups(ctx context.Context, tx *gorm.DB, client *ldap.Conn) error {
+	dbConfig := s.appConfigService.GetDbConfig()
+
+	searchAttrs := []string{
+		dbConfig.LdapAttributeGroupName.Value,
+		dbConfig.LdapAttributeGroupUniqueIdentifier.Value,
+		dbConfig.LdapAttributeGroupMember.Value,
+	}
+
+	searchReq := ldap.NewSearchRequest(
+		dbConfig.LdapBase.Value,
+		ldap.ScopeWholeSubtree,
+		0, 0, 0, false,
+		dbConfig.LdapUserGroupSearchFilter.Value,
+		searchAttrs,
+		[]ldap.Control{},
+	)
+	result, err := client.Search(searchReq)
+	if err != nil {
+		return fmt.Errorf("failed to query LDAP: %w", err)
+	}
+
+	// Create a mapping for groups that exist
+	ldapGroupIDs := make(map[string]struct{}, len(result.Entries))
+
+	for _, value := range result.Entries {
+		ldapId := value.GetAttributeValue(dbConfig.LdapAttributeGroupUniqueIdentifier.Value)
+
+		// Skip groups without a valid LDAP ID
+		if ldapId == "" {
+			log.Printf("Skipping LDAP group without a valid unique identifier (attribute: %s)", dbConfig.LdapAttributeGroupUniqueIdentifier.Value)
+			continue
+		}
+
+		ldapGroupIDs[ldapId] = struct{}{}
+
+		// Try to find the group in the database
+		var databaseGroup model.UserGroup
+		err = tx.
+			WithContext(ctx).
+			Where("ldap_id = ?", ldapId).
+			First(&databaseGroup).
+			Error
+		if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+			// This could error with ErrRecordNotFound and we want to ignore that here
+			return fmt.Errorf("failed to query for LDAP group ID '%s': %w", ldapId, err)
+		}
+
+		// Get group members and add to the correct Group
+		groupMembers := value.GetAttributeValues(dbConfig.LdapAttributeGroupMember.Value)
+		membersUserId := make([]string, 0, len(groupMembers))
+		for _, member := range groupMembers {
+			ldapId := getDNProperty("uid", member)
+			if ldapId == "" {
+				continue
+			}
+
+			var databaseUser model.User
+			err = tx.
+				WithContext(ctx).
+				Where("username = ? AND ldap_id IS NOT NULL", ldapId).
+				First(&databaseUser).
+				Error
+			if errors.Is(err, gorm.ErrRecordNotFound) {
+				// The user collides with a non-LDAP user, so we skip it
+				continue
+			} else if err != nil {
+				return fmt.Errorf("failed to query for existing user '%s': %w", ldapId, err)
+			}
+
+			membersUserId = append(membersUserId, databaseUser.ID)
+		}
+
+		syncGroup := dto.UserGroupCreateDto{
+			Name:         value.GetAttributeValue(dbConfig.LdapAttributeGroupName.Value),
+			FriendlyName: value.GetAttributeValue(dbConfig.LdapAttributeGroupName.Value),
+			LdapID:       value.GetAttributeValue(dbConfig.LdapAttributeGroupUniqueIdentifier.Value),
+		}
+
+		if databaseGroup.ID == "" {
+			newGroup, err := s.groupService.createInternal(ctx, syncGroup, tx)
+			if err != nil {
+				return fmt.Errorf("failed to create group '%s': %w", syncGroup.Name, err)
+			}
+
+			_, err = s.groupService.updateUsersInternal(ctx, newGroup.ID, membersUserId, tx)
+			if err != nil {
+				return fmt.Errorf("failed to sync users for group '%s': %w", syncGroup.Name, err)
+			}
+		} else {
+			_, err = s.groupService.updateInternal(ctx, databaseGroup.ID, syncGroup, true, tx)
+			if err != nil {
+				return fmt.Errorf("failed to update group '%s': %w", syncGroup.Name, err)
+			}
+
+			_, err = s.groupService.updateUsersInternal(ctx, databaseGroup.ID, membersUserId, tx)
+			if err != nil {
+				return fmt.Errorf("failed to sync users for group '%s': %w", syncGroup.Name, err)
+			}
+		}
+	}
+
+	// Get all LDAP groups from the database
+	var ldapGroupsInDb []model.UserGroup
+	err = tx.
+		WithContext(ctx).
+		Find(&ldapGroupsInDb, "ldap_id IS NOT NULL").
+		Select("ldap_id").
+		Error
+	if err != nil {
+		return fmt.Errorf("failed to fetch groups from database: %w", err)
+	}
+
+	// Delete groups that no longer exist in LDAP
+	for _, group := range ldapGroupsInDb {
+		if _, exists := ldapGroupIDs[*group.LdapID]; exists {
+			continue
+		}
+
+		err = tx.
+			WithContext(ctx).
+			Delete(&model.UserGroup{}, "ldap_id = ?", group.LdapID).
+			Error
+		if err != nil {
+			return fmt.Errorf("failed to delete group '%s': %w", group.Name, err)
+		}
+
+		log.Printf("Deleted group '%s'", group.Name)
+	}
+
+	return nil
+}
+
+//nolint:gocognit
+func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.Conn) error {
+	dbConfig := s.appConfigService.GetDbConfig()
+
+	searchAttrs := []string{
+		"memberOf",
+		"sn",
+		"cn",
+		dbConfig.LdapAttributeUserUniqueIdentifier.Value,
+		dbConfig.LdapAttributeUserUsername.Value,
+		dbConfig.LdapAttributeUserEmail.Value,
+		dbConfig.LdapAttributeUserFirstName.Value,
+		dbConfig.LdapAttributeUserLastName.Value,
+		dbConfig.LdapAttributeUserProfilePicture.Value,
+	}
+
+	// Filters must start and finish with ()!
+	searchReq := ldap.NewSearchRequest(
+		dbConfig.LdapBase.Value,
+		ldap.ScopeWholeSubtree,
+		0, 0, 0, false,
+		dbConfig.LdapUserSearchFilter.Value,
+		searchAttrs,
+		[]ldap.Control{},
+	)
+
+	result, err := client.Search(searchReq)
+	if err != nil {
+		return fmt.Errorf("failed to query LDAP: %w", err)
+	}
+
+	// Create a mapping for users that exist
+	ldapUserIDs := make(map[string]struct{}, len(result.Entries))
+
+	for _, value := range result.Entries {
+		ldapId := value.GetAttributeValue(dbConfig.LdapAttributeUserUniqueIdentifier.Value)
+
+		// Skip users without a valid LDAP ID
+		if ldapId == "" {
+			log.Printf("Skipping LDAP user without a valid unique identifier (attribute: %s)", dbConfig.LdapAttributeUserUniqueIdentifier.Value)
+			continue
+		}
+
+		ldapUserIDs[ldapId] = struct{}{}
+
+		// Get the user from the database
+		var databaseUser model.User
+		err = tx.
+			WithContext(ctx).
+			Where("ldap_id = ?", ldapId).
+			First(&databaseUser).
+			Error
+		if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+			// This could error with ErrRecordNotFound and we want to ignore that here
+			return fmt.Errorf("failed to query for LDAP user ID '%s': %w", ldapId, err)
+		}
+
+		// Check if user is admin by checking if they are in the admin group
+		isAdmin := false
+		for _, group := range value.GetAttributeValues("memberOf") {
+			if getDNProperty("cn", group) == dbConfig.LdapAttributeAdminGroup.Value {
+				isAdmin = true
+				break
+			}
+		}
+
+		newUser := dto.UserCreateDto{
+			Username:  value.GetAttributeValue(dbConfig.LdapAttributeUserUsername.Value),
+			Email:     value.GetAttributeValue(dbConfig.LdapAttributeUserEmail.Value),
+			FirstName: value.GetAttributeValue(dbConfig.LdapAttributeUserFirstName.Value),
+			LastName:  value.GetAttributeValue(dbConfig.LdapAttributeUserLastName.Value),
+			IsAdmin:   isAdmin,
+			LdapID:    ldapId,
+		}
+
+		if databaseUser.ID == "" {
+			_, err = s.userService.createUserInternal(ctx, newUser, true, tx)
+			if errors.Is(err, &common.AlreadyInUseError{}) {
+				log.Printf("Skipping creating LDAP user '%s': %v", newUser.Username, err)
+				continue
+			} else if err != nil {
+				return fmt.Errorf("error creating user '%s': %w", newUser.Username, err)
+			}
+		} else {
+			_, err = s.userService.updateUserInternal(ctx, databaseUser.ID, newUser, false, true, tx)
+			if errors.Is(err, &common.AlreadyInUseError{}) {
+				log.Printf("Skipping updating LDAP user '%s': %v", newUser.Username, err)
+				continue
+			} else if err != nil {
+				return fmt.Errorf("error updating user '%s': %w", newUser.Username, err)
+			}
+		}
+
+		// Save profile picture
+		pictureString := value.GetAttributeValue(dbConfig.LdapAttributeUserProfilePicture.Value)
+		if pictureString != "" {
+			err = s.saveProfilePicture(ctx, databaseUser.ID, pictureString)
+			if err != nil {
+				// This is not a fatal error
+				log.Printf("Error saving profile picture for user %s: %v", newUser.Username, err)
+			}
+		}
+	}
+
+	// Get all LDAP users from the database
+	var ldapUsersInDb []model.User
+	err = tx.
+		WithContext(ctx).
+		Find(&ldapUsersInDb, "ldap_id IS NOT NULL").
+		Select("ldap_id").
+		Error
+	if err != nil {
+		return fmt.Errorf("failed to fetch users from database: %w", err)
+	}
+
+	// Delete users that no longer exist in LDAP
+	for _, user := range ldapUsersInDb {
+		if _, exists := ldapUserIDs[*user.LdapID]; exists {
+			continue
+		}
+
+		err = s.userService.deleteUserInternal(ctx, user.ID, true, tx)
+		if err != nil {
+			return fmt.Errorf("failed to delete user '%s': %w", user.Username, err)
+		}
+
+		log.Printf("Deleted user '%s'", user.Username)
+	}
+
+	return nil
+}
+
+func (s *LdapService) saveProfilePicture(parentCtx context.Context, userId string, pictureString string) error {
+	var reader io.Reader
+
+	_, err := url.ParseRequestURI(pictureString)
+	if err == nil {
+		ctx, cancel := context.WithTimeout(parentCtx, 5*time.Second)
+		defer cancel()
+
+		var req *http.Request
+		req, err = http.NewRequestWithContext(ctx, http.MethodGet, pictureString, nil)
+		if err != nil {
+			return fmt.Errorf("failed to create request: %w", err)
+		}
+
+		var res *http.Response
+		res, err = http.DefaultClient.Do(req)
+		if err != nil {
+			return fmt.Errorf("failed to download profile picture: %w", err)
+		}
+		defer res.Body.Close()
+
+		reader = res.Body
+	} else if decodedPhoto, err := base64.StdEncoding.DecodeString(pictureString); err == nil {
+		// If the photo is a base64 encoded string, decode it
+		reader = bytes.NewReader(decodedPhoto)
+	} else {
+		// If the photo is a string, we assume that it's a binary string
+		reader = bytes.NewReader([]byte(pictureString))
+	}
+
+	// Update the profile picture
+	err = s.userService.UpdateProfilePicture(userId, reader)
+	if err != nil {
+		return fmt.Errorf("failed to update profile picture: %w", err)
+	}
+
+	return nil
+}
+
+// getDNProperty returns the value of a property from a LDAP identifier
+// See: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/distinguished-names
+func getDNProperty(property string, str string) string {
+	// Example format is "CN=username,ou=people,dc=example,dc=com"
+	// First we split at the comma
+	property = strings.ToLower(property)
+	l := len(property) + 1
+	for _, v := range strings.Split(str, ",") {
+		v = strings.TrimSpace(v)
+		if len(v) > l && strings.ToLower(v)[0:l] == property+"=" {
+			return v[l:]
+		}
+	}
+
+	// CN not found, return an empty string
+	return ""
+}
--- a/backend/internal/service/ldap_service_test.go
+++ b/backend/internal/service/ldap_service_test.go
@@ -0,0 +1,73 @@
+package service
+
+import (
+	"testing"
+)
+
+func TestGetDNProperty(t *testing.T) {
+	tests := []struct {
+		name           string
+		property       string
+		dn             string
+		expectedResult string
+	}{
+		{
+			name:           "simple case",
+			property:       "cn",
+			dn:             "cn=username,ou=people,dc=example,dc=com",
+			expectedResult: "username",
+		},
+		{
+			name:           "property not found",
+			property:       "uid",
+			dn:             "cn=username,ou=people,dc=example,dc=com",
+			expectedResult: "",
+		},
+		{
+			name:           "mixed case property",
+			property:       "CN",
+			dn:             "cn=username,ou=people,dc=example,dc=com",
+			expectedResult: "username",
+		},
+		{
+			name:           "mixed case DN",
+			property:       "cn",
+			dn:             "CN=username,OU=people,DC=example,DC=com",
+			expectedResult: "username",
+		},
+		{
+			name:           "spaces in DN",
+			property:       "cn",
+			dn:             "cn=username, ou=people, dc=example, dc=com",
+			expectedResult: "username",
+		},
+		{
+			name:           "value with special characters",
+			property:       "cn",
+			dn:             "cn=user.name+123,ou=people,dc=example,dc=com",
+			expectedResult: "user.name+123",
+		},
+		{
+			name:           "empty DN",
+			property:       "cn",
+			dn:             "",
+			expectedResult: "",
+		},
+		{
+			name:           "empty property",
+			property:       "",
+			dn:             "cn=username,ou=people,dc=example,dc=com",
+			expectedResult: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := getDNProperty(tt.property, tt.dn)
+			if result != tt.expectedResult {
+				t.Errorf("getDNProperty(%q, %q) = %q, want %q",
+					tt.property, tt.dn, result, tt.expectedResult)
+			}
+		})
+	}
+}
--- a/backend/internal/service/oidc_service.go
+++ b/backend/internal/service/oidc_service.go
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .10.0
 .47.0