release: 0.53.0

fix: handle CORS correctly for endpoints that SPAs need (#513 )
chore(translations): update translations via Crowdin (#517 )
2025-12-07 17:23:19 +03:00 · 2025-05-08 21:56:49 +02:00 · 2025-05-08 21:56:17 +02:00 · 2025-05-08 20:48:45 +02:00 · 2025-05-07 16:48:18 +02:00 · 2025-05-07 16:43:24 +02:00
447 changed files with 23504 additions and 24519 deletions
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -0,0 +1,32 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/typescript-node
+{
+  "name": "pocket-id",
+  // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+  "image": "mcr.microsoft.com/devcontainers/typescript-node:1-22-bookworm",
+  "features": {
+    "ghcr.io/devcontainers/features/go:1": {},
+    "ghcr.io/devcontainers-extra/features/caddy:1": {}
+  },
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "golang.go",
+        "svelte.svelte-vscode"
+      ]
+    }
+  },
+  // Use 'postCreateCommand' to run commands after the container is created.
+  // Install npm dependencies for the frontend.
+  "postCreateCommand": "npm install --prefix frontend"
+
+
+  // Features to add to the dev container. More info: https://containers.dev/features.
+  // "features": {},
+  // Use 'forwardPorts' to make a list of ports inside the container available locally.
+  // "forwardPorts": [],
+  // Configure tool-specific properties.
+  // "customizations": {},
+  // Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
+  // "remoteUser": "root"
+}
--- a/.env.example
+++ b/.env.example
@@ -1,4 +1,4 @@
-# See the README for more information: https://github.com/stonith404/pocket-id?tab=readme-ov-file#environment-variables
+# See the documentation for more information: https://pocket-id.org/docs/configuration/environment-variables
 PUBLIC_APP_URL=http://localhost
 TRUST_PROXY=false
 MAXMIND_LICENSE_KEY=
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -1,2 +1,2 @@
 # These are supported funding model platforms
-github: stonith404
+github: [stonith404, kmendell]
--- a/.github/ISSUE_TEMPLATE/bug.yml
+++ b/.github/ISSUE_TEMPLATE/bug.yml
@@ -34,4 +34,23 @@ body:
  - type: markdown
    attributes:
      value: |
-        Before submitting, please check if the issues hasn't been raised before.
+        ### Additional Information
+  - type: textarea
+    id: extra-information
+    validations:
+      required: true
+    attributes:
+      label: "Version and Environment"
+      description: "Please specify the version of Pocket ID, along with any environment-specific configurations, such your reverse proxy, that might be relevant."
+      placeholder: "e.g., v0.24.1"
+  - type: textarea
+    id: log-files
+    validations:
+      required: false
+    attributes:
+      label: "Log Output"
+      description: "Output of log files when the issue occurred to help us diagnose the issue."
+  - type: markdown
+    attributes:
+      value: |
+        **Before submitting, please check if the issue hasn't been raised before.**
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1 +1,5 @@
-blank_issues_enabled: false
+blank_issues_enabled: false
+contact_links:
+  - name: 💬 Discord
+    url: https://discord.gg/8wudU9KaxM
+    about: For help and chatting with the community
--- a/.github/ISSUE_TEMPLATE/language-request.yml
+++ b/.github/ISSUE_TEMPLATE/language-request.yml
@@ -0,0 +1,20 @@
+name: "🌐 Language request"
+description: "You want to contribute to a language that isn't on Crowdin yet?"
+title: "🌐 Language Request: <language name in english>"
+labels: [language-request]
+body:
+  - type: input
+    id: language-name-native
+    attributes:
+      label: "🌐 Language Name (native)"
+      placeholder: "Schweizerdeutsch"
+    validations:
+      required: true
+  - type: input
+    id: language-code
+    attributes:
+      label: "🌐 ISO 639-1 Language Code"
+      description: "You can find your language code [here](https://www.andiamo.co.uk/resources/iso-language-codes/)."
+      placeholder: "de-CH"
+    validations:
+      required: true
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for more information:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+# https://containers.dev/guide/dependabot
+
+version: 2
+updates:
+ - package-ecosystem: "devcontainers"
+   directory: "/"
+   schedule:
+     interval: weekly
--- a/.github/svelte-check-matcher.json
+++ b/.github/svelte-check-matcher.json
@@ -0,0 +1,21 @@
+{
+  "problemMatcher": [
+    {
+      "owner": "svelte-check",
+      "pattern": [
+        {
+          "regexp": "^([^\\s].*):(\\d+):(\\d+)$",
+          "file": 1,
+          "line": 2,
+          "column": 3
+        },
+        {
+          "regexp": "^\\s*(Error|Warning):\\s*(.*)\\s+\\((?:ts|js|svelte)\\)$",
+          "severity": 1,
+          "message": 2,
+          "loop": false
+        }
+      ]
+    }
+  ]
+}
--- a/.github/workflows/backend-linter.yml
+++ b/.github/workflows/backend-linter.yml
@@ -0,0 +1,39 @@
+name: Run Backend Linter
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "backend/**"
+  pull_request:
+    branches: [main]
+    paths:
+      - "backend/**"
+
+permissions:
+  # Required: allow read access to the content for analysis.
+  contents: read
+  # Optional: allow read access to pull request. Use with `only-new-issues` option.
+  pull-requests: read
+  # Optional: allow write access to checks to allow the action to annotate code in the PR.
+  checks: write
+
+jobs:
+  golangci-lint:
+    name: Run Golangci-lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: backend/go.mod
+
+      - name: Run Golangci-lint
+        uses: golangci/golangci-lint-action@dec74fa03096ff515422f71d18d41307cacde373 # v7.0.0
+        with:
+          version: v2.0.2
+          working-directory: backend
+          only-new-issues: ${{ github.event_name == 'pull_request' }}
--- a/.github/workflows/build-and-push-docker-image.yml
+++ b/.github/workflows/build-and-push-docker-image.yml
@@ -6,7 +6,10 @@ on:

 jobs:
  build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04 # Using an older version because of https://github.com/actions/runner-images/issues/11471
+    permissions:
+      contents: read
+      packages: write      
    steps:
      - name: checkout code
        uses: actions/checkout@v3
@@ -17,7 +20,6 @@ jobs:
        with:
          images: |
            ghcr.io/${{ github.repository }}
-            ${{ github.repository }}
          tags: |
            type=semver,pattern={{version}},prefix=v
            type=semver,pattern={{major}}.{{minor}},prefix=v
@@ -28,11 +30,6 @@ jobs:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
-          password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}

      - name: 'Login to GitHub Container Registry'
        uses: docker/login-action@v3
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -2,29 +2,54 @@ name: E2E Tests
 on:
  push:
    branches: [main]
+    paths-ignore:
+      - "docs/**"
+      - "**.md"
+      - ".github/**"
  pull_request:
    branches: [main]
+    paths-ignore:
+      - "docs/**"
+      - "**.md"
+      - ".github/**"
+
 jobs:
  build:
+    if: github.event.pull_request.head.ref != 'i18n_crowdin'
    timeout-minutes: 20
+    permissions:
+      contents: read
+      actions: write
    runs-on: ubuntu-latest
    steps:
+      - uses: actions/checkout@v4
+
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build and export
        uses: docker/build-push-action@v6
        with:
-          tags: stonith404/pocket-id:test
+          push: false
+          load: false
+          tags: pocket-id:test
          outputs: type=docker,dest=/tmp/docker-image.tar
+          build-args: BUILD_TAGS=e2etest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

      - name: Upload Docker image artifact
        uses: actions/upload-artifact@v4
        with:
          name: docker-image
          path: /tmp/docker-image.tar
+          retention-days: 1

  test-sqlite:
+    if: github.event.pull_request.head.ref != 'i18n_crowdin'
+    permissions:
+      contents: read
+      actions: write
    runs-on: ubuntu-latest
    needs: build
    steps:
@@ -35,42 +60,95 @@ jobs:
          cache: "npm"
          cache-dependency-path: frontend/package-lock.json

+      - name: Cache Playwright Browsers
+        uses: actions/cache@v3
+        id: playwright-cache
+        with:
+          path: ~/.cache/ms-playwright
+          key: ${{ runner.os }}-playwright-${{ hashFiles('frontend/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-playwright-
+
      - name: Download Docker image artifact
        uses: actions/download-artifact@v4
        with:
          name: docker-image
          path: /tmp
-      - name: Load Docker Image
+
+      - name: Load Docker image
        run: docker load -i /tmp/docker-image.tar

+      - name: Cache LLDAP Docker image
+        uses: actions/cache@v3
+        id: lldap-cache
+        with:
+          path: /tmp/lldap-image.tar
+          key: lldap-stable-${{ runner.os }}
+
+      - name: Pull and save LLDAP image
+        if: steps.lldap-cache.outputs.cache-hit != 'true'
+        run: |
+          docker pull nitnelave/lldap:stable
+          docker save nitnelave/lldap:stable > /tmp/lldap-image.tar
+
+      - name: Load LLDAP image from cache
+        if: steps.lldap-cache.outputs.cache-hit == 'true'
+        run: docker load < /tmp/lldap-image.tar
+
      - name: Install frontend dependencies
        working-directory: ./frontend
        run: npm ci

      - name: Install Playwright Browsers
        working-directory: ./frontend
+        if: steps.playwright-cache.outputs.cache-hit != 'true'
        run: npx playwright install --with-deps chromium

-      - name: Run Docker Container with Sqlite DB
+      - name: Create Docker network
+        run: docker network create pocket-id-network
+
+      - name: Setup and Configure LLDAP Server
+        run: |
+          chmod +x ./scripts/tests/setup-lldap.sh
+          ./scripts/tests/setup-lldap.sh
+
+      - name: Run Docker Container with Sqlite DB and LDAP
        run: |
          docker run -d --name pocket-id-sqlite \
+          --network pocket-id-network \
          -p 80:80 \
          -e APP_ENV=test \
-          stonith404/pocket-id:test
+          pocket-id:test
+
+          docker logs -f pocket-id-sqlite &> /tmp/backend.log &

      - name: Run Playwright tests
        working-directory: ./frontend
        run: npx playwright test

-      - uses: actions/upload-artifact@v4
-        if: always()
+      - name: Upload Frontend Test Report
+        uses: actions/upload-artifact@v4
+        if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
        with:
          name: playwright-report-sqlite
          path: frontend/tests/.report
          include-hidden-files: true
          retention-days: 15

+      - name: Upload Backend Test Report
+        uses: actions/upload-artifact@v4
+        if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
+        with:
+          name: backend-sqlite
+          path: /tmp/backend.log
+          include-hidden-files: true
+          retention-days: 15
+
  test-postgres:
+    if: github.event.pull_request.head.ref != 'i18n_crowdin'
+    permissions:
+      contents: read
+      actions: write
    runs-on: ubuntu-latest
    needs: build
    steps:
@@ -81,12 +159,56 @@ jobs:
          cache: "npm"
          cache-dependency-path: frontend/package-lock.json

+      - name: Cache Playwright Browsers
+        uses: actions/cache@v3
+        id: playwright-cache
+        with:
+          path: ~/.cache/ms-playwright
+          key: ${{ runner.os }}-playwright-${{ hashFiles('frontend/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-playwright-
+
+      - name: Cache PostgreSQL Docker image
+        uses: actions/cache@v3
+        id: postgres-cache
+        with:
+          path: /tmp/postgres-image.tar
+          key: postgres-17-${{ runner.os }}
+
+      - name: Pull and save PostgreSQL image
+        if: steps.postgres-cache.outputs.cache-hit != 'true'
+        run: |
+          docker pull postgres:17
+          docker save postgres:17 > /tmp/postgres-image.tar
+
+      - name: Load PostgreSQL image from cache
+        if: steps.postgres-cache.outputs.cache-hit == 'true'
+        run: docker load < /tmp/postgres-image.tar
+
+      - name: Cache LLDAP Docker image
+        uses: actions/cache@v3
+        id: lldap-cache
+        with:
+          path: /tmp/lldap-image.tar
+          key: lldap-stable-${{ runner.os }}
+
+      - name: Pull and save LLDAP image
+        if: steps.lldap-cache.outputs.cache-hit != 'true'
+        run: |
+          docker pull nitnelave/lldap:stable
+          docker save nitnelave/lldap:stable > /tmp/lldap-image.tar
+
+      - name: Load LLDAP image from cache
+        if: steps.lldap-cache.outputs.cache-hit == 'true'
+        run: docker load < /tmp/lldap-image.tar
+
      - name: Download Docker image artifact
        uses: actions/download-artifact@v4
        with:
          name: docker-image
          path: /tmp
-      - name: Load Docker Image
+
+      - name: Load Docker image
        run: docker load -i /tmp/docker-image.tar

      - name: Install frontend dependencies
@@ -95,6 +217,7 @@ jobs:

      - name: Install Playwright Browsers
        working-directory: ./frontend
+        if: steps.playwright-cache.outputs.cache-hit != 'true'
        run: npx playwright install --with-deps chromium

      - name: Create Docker network
@@ -110,9 +233,14 @@ jobs:
          -p 5432:5432 \
          postgres:17

+      - name: Setup and Configure LLDAP Server
+        run: |
+          chmod +x ./scripts/tests/setup-lldap.sh
+          ./scripts/tests/setup-lldap.sh
+
      - name: Wait for Postgres to start
        run: |
-          for i in {1..10}; do
+          for i in {1..5}; do
            if docker exec pocket-id-db pg_isready -U postgres; then
              echo "Postgres is ready"
              break
@@ -121,24 +249,36 @@ jobs:
            sleep 2
          done

-      - name: Run Docker Container with Postgres DB
+      - name: Run Docker Container with Postgres DB and LDAP
        run: |
          docker run -d --name pocket-id-postgres \
          --network pocket-id-network \
          -p 80:80 \
          -e APP_ENV=test \
          -e DB_PROVIDER=postgres \
-          -e POSTGRES_CONNECTION_STRING=postgresql://postgres:postgres@pocket-id-db:5432/pocket-id \
-          stonith404/pocket-id:test
+          -e DB_CONNECTION_STRING=postgresql://postgres:postgres@pocket-id-db:5432/pocket-id \
+          pocket-id:test
+
+          docker logs -f pocket-id-postgres &> /tmp/backend.log &

      - name: Run Playwright tests
        working-directory: ./frontend
        run: npx playwright test

-      - uses: actions/upload-artifact@v4
-        if: always()
+      - name: Upload Frontend Test Report
+        uses: actions/upload-artifact@v4
+        if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
        with:
          name: playwright-report-postgres
          path: frontend/tests/.report
          include-hidden-files: true
          retention-days: 15
+
+      - name: Upload Backend Test Report
+        uses: actions/upload-artifact@v4
+        if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
+        with:
+          name: backend-postgres
+          path: /tmp/backend.log
+          include-hidden-files: true
+          retention-days: 15
--- a/.github/workflows/svelte-check.yml
+++ b/.github/workflows/svelte-check.yml
@@ -0,0 +1,59 @@
+name: Svelte Check
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "frontend/src/**"
+      - ".github/svelte-check-matcher.json"
+      - "frontend/package.json"
+      - "frontend/package-lock.json"
+      - "frontend/tsconfig.json"
+      - "frontend/svelte.config.js"
+  pull_request:
+    branches: [main]
+    paths:
+      - "frontend/src/**"
+      - ".github/svelte-check-matcher.json"
+      - "frontend/package.json"
+      - "frontend/package-lock.json"
+      - "frontend/tsconfig.json"
+      - "frontend/svelte.config.js"
+  workflow_dispatch:
+
+jobs:
+  type-check:
+    name: Run Svelte Check
+    # Don't run on dependabot branches
+    if: github.actor != 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      checks: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "lts/*"
+          cache: "npm"
+          cache-dependency-path: frontend/package-lock.json
+
+      - name: Install dependencies
+        working-directory: frontend
+        run: npm ci
+
+      - name: Build Pocket ID Frontend
+        working-directory: frontend
+        run: npm run build
+
+      - name: Add svelte-check problem matcher
+        run: echo "::add-matcher::.github/svelte-check-matcher.json"
+
+      - name: Run svelte-check
+        working-directory: frontend
+        run: npm run check
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -0,0 +1,38 @@
+name: Unit Tests
+on:
+  push:
+    branches: [main]
+    paths:
+      - "backend/**"
+  pull_request:
+    branches: [main]
+    paths:
+      - "backend/**"
+
+jobs:
+  test-backend:
+    permissions:
+      contents: read
+      actions: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: "backend/go.mod"
+          cache-dependency-path: "backend/go.sum"
+      - name: Install dependencies
+        working-directory: backend
+        run: |
+          go get ./...
+      - name: Run backend unit tests
+        working-directory: backend
+        run: |
+          set -e -o pipefail
+          go test -v ./... | tee /tmp/TestResults.log
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: backend-unit-tests
+          path: /tmp/TestResults.log
+          retention-days: 15
--- a/.github/workflows/update-aaguids.yml
+++ b/.github/workflows/update-aaguids.yml
@@ -0,0 +1,38 @@
+name: Update AAGUIDs
+
+on:
+  schedule:
+    - cron: "0 0 * * 1" # Runs every Monday at midnight
+  workflow_dispatch: # Allows manual triggering of the workflow
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-aaguids:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Fetch JSON data
+        run: |
+          curl -o data.json https://raw.githubusercontent.com/pocket-id/passkey-aaguids/refs/heads/main/combined_aaguid.json
+
+      - name: Process JSON data
+        run: |
+          mkdir -p backend/resources
+          jq -c 'map_values(.name)' data.json > backend/resources/aaguids.json
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          commit-message: "chore: update AAGUIDs"
+          title: "chore: update AAGUIDs"
+          body: |
+            This PR updates the AAGUIDs file with the latest data from the [passkey-aaguids](https://github.com/pocket-id/passkey-aaguids) repository.
+          branch: update-aaguids
+          base: main
+          delete-branch: true
--- a/.gitignore
+++ b/.gitignore
@@ -38,11 +38,6 @@ data
 pocket-id-backend
 /backend/GeoLite2-City.mmdb

-# Generated files
-docs/build
-docs/.docusaurus
-docs/.cache-loader
-
 # Misc
 .DS_Store
 .env.local
@@ -53,3 +48,6 @@ docs/.cache-loader
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
+
+#Debug
+backend/cmd/__debug_*
--- a/.version
+++ b/.version
@@ -1 +1 @@
-0.27.0
+0.53.0
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -0,0 +1,5 @@
+{
+  "recommendations": [
+    "inlang.vs-code-extension"
+  ]
+}
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -0,0 +1,42 @@
+{
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "name": "Backend",
+      "type": "go",
+      "request": "launch",
+      "envFile": "${workspaceFolder}/backend/cmd/.env",
+      "env": {
+        "APP_ENV": "development"
+      },
+      "mode": "debug",
+      "program": "${workspaceFolder}/backend/cmd/main.go",
+    },
+    {
+      "name": "Frontend",
+      "type": "node",
+      "request": "launch",
+      "envFile": "${workspaceFolder}/frontend/.env",
+      "cwd": "${workspaceFolder}/frontend",
+      "runtimeExecutable": "npm",
+      "runtimeArgs": [
+        "run",
+        "dev"
+      ]
+    }
+  ],
+  "compounds": [
+    {
+      "name": "Development",
+      "configurations": [
+        "Backend",
+        "Frontend"
+      ],
+      "presentation": {
+        "hidden": false,
+        "group": "",
+        "order": 1
+      }
+    }
+  ],
+}
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -0,0 +1,3 @@
+{
+    "go.buildTags": "e2etest"
+}
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -0,0 +1,37 @@
+{
+  // See https://go.microsoft.com/fwlink/?LinkId=733558
+  // for the documentation about the tasks.json format
+  "version": "2.0.0",
+  "tasks": [
+    {
+      "label": "Run Caddy",
+      "type": "shell",
+      "command": "caddy run --config reverse-proxy/Caddyfile",
+      "isBackground": true,
+      "problemMatcher": {
+        "owner": "custom",
+        "pattern": [
+          {
+            "regexp": ".",
+            "file": 1,
+            "location": 2,
+            "message": 3
+          }
+        ],
+        "background": {
+          "activeOnStart": true,
+          "beginsPattern": ".*",
+          "endsPattern": "Caddyfile.*"
+        }
+      },
+      "presentation": {
+        "reveal": "always",
+        "panel": "new"
+      },
+      "runOptions": {
+        "runOn": "folderOpen",
+        "instanceLimit": 1
+      }
+    }
+  ]
+}
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,445 @@
+## [](https://github.com/pocket-id/pocket-id/compare/v0.52.0...v) (2025-05-08)
+
+
+### Features
+
+* add support for `TZ` environment variable ([5e2e947](https://github.com/pocket-id/pocket-id/commit/5e2e947fe09fa881a7bbc70133a243a4baf30e90))
+
+
+### Bug Fixes
+
+* handle CORS correctly for endpoints that SPAs need ([#513](https://github.com/pocket-id/pocket-id/issues/513)) ([63a0c08](https://github.com/pocket-id/pocket-id/commit/63a0c08696938e1cefd12018f4bd38aa1808996a))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.51.1...v) (2025-05-06)
+
+
+### Features
+
+* add healthz endpoint ([#494](https://github.com/pocket-id/pocket-id/issues/494)) ([3c87e4e](https://github.com/pocket-id/pocket-id/commit/3c87e4ec1468c314ac7f8fe831e97b5eead88112))
+* OpenTelemetry tracing and metrics ([#262](https://github.com/pocket-id/pocket-id/issues/262)) ([#495](https://github.com/pocket-id/pocket-id/issues/495)) ([6f54ee5](https://github.com/pocket-id/pocket-id/commit/6f54ee5d668d7a26911db10f2402daf6a1f75f68))
+
+
+### Bug Fixes
+
+* correctly set script permissions inside Docker container ([c55fef0](https://github.com/pocket-id/pocket-id/commit/c55fef057cdcec867af91b29968541983cd80ec0))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.51.0...v) (2025-05-03)
+
+
+### Bug Fixes
+
+* allow LDAP users to update their locale ([0b9cbf4](https://github.com/pocket-id/pocket-id/commit/0b9cbf47e36a332cfd854aa92e761264fb3e4795))
+* last name still showing as required on account form ([#492](https://github.com/pocket-id/pocket-id/issues/492)) ([cf3fe0b](https://github.com/pocket-id/pocket-id/commit/cf3fe0be84f6365f5d4eb08c1b47905962a48a0d))
+* non admin users weren't able to call the end session endpoint ([6bd6cef](https://github.com/pocket-id/pocket-id/commit/6bd6cefaa6dc571a319a6a1c2b2facc2404eadd3))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.50.0...v) (2025-04-28)
+
+
+### Features
+
+* new login code card position for mobile devices ([#452](https://github.com/pocket-id/pocket-id/issues/452)) ([02cacba](https://github.com/pocket-id/pocket-id/commit/02cacba5c5524481684cb0e1790811df113a9481))
+
+
+### Bug Fixes
+
+* do not require PKCE for public clients ([ce24372](https://github.com/pocket-id/pocket-id/commit/ce24372c571cc3b277095dc6a4107663d64f45b3))
+* hide global audit log switch for non admin users ([1efd1d1](https://github.com/pocket-id/pocket-id/commit/1efd1d182dbb6190d3c7e27034426c9e48781b4a))
+* return correct error message if user isn't authorized ([86d2b5f](https://github.com/pocket-id/pocket-id/commit/86d2b5f59f26cb944017826cbd8df915cdc986f1))
+* updating scopes of an authorized client fails with Postgres ([0a24ab8](https://github.com/pocket-id/pocket-id/commit/0a24ab80010eb5a15d99915802c6698274a5c57c))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.49.0...v) (2025-04-27)
+
+
+### Features
+
+* device authorization endpoint ([#270](https://github.com/pocket-id/pocket-id/issues/270)) ([22f7d64](https://github.com/pocket-id/pocket-id/commit/22f7d64bf08a5a1ecbe5eee0052453b730f5c360))
+* make family name optional ([#476](https://github.com/pocket-id/pocket-id/issues/476)) ([630327c](https://github.com/pocket-id/pocket-id/commit/630327c979de2f931b9d1f0ba0b4a4de1af3fc7c))
+
+
+### Bug Fixes
+
+* do not override XDG_DATA_HOME/XDG_CONFIG_HOME if they are already set ([#472](https://github.com/pocket-id/pocket-id/issues/472)) ([22725d3](https://github.com/pocket-id/pocket-id/commit/22725d30f4115ffe17625379f56affedfe116778))
+* pass context to methods that were missing it ([#487](https://github.com/pocket-id/pocket-id/issues/487)) ([4c33793](https://github.com/pocket-id/pocket-id/commit/4c33793678709eb4981be2c1fd5803bace5f5939))
+* prevent deadlock when trying to delete LDAP users ([#471](https://github.com/pocket-id/pocket-id/issues/471)) ([270c303](https://github.com/pocket-id/pocket-id/commit/270c30334dc36f215a67f873283a9d6fcd14d065))
+* rootless Caddy data and configuration ([#470](https://github.com/pocket-id/pocket-id/issues/470)) ([76b753f](https://github.com/pocket-id/pocket-id/commit/76b753f9f2a6a4f1af09359530e30844b03ac39b))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.48.0...v) (2025-04-20)
+
+
+### Features
+
+* add ability to disable API key expiration email ([9122e75](https://github.com/pocket-id/pocket-id/commit/9122e75101ad39a40135ccf931eb2bfd351b5db6))
+* add ability to send login code via email ([#457](https://github.com/pocket-id/pocket-id/issues/457)) ([fe1c4b1](https://github.com/pocket-id/pocket-id/commit/fe1c4b18cdcc46a4256e0c111b34f1ce00f8e0e1))
+* add description to callback URL inputs ([eb689eb](https://github.com/pocket-id/pocket-id/commit/eb689eb56ec9eaf8b0fb1485040e26f841b9225d))
+* send email to user when api key expires within 7 days ([#451](https://github.com/pocket-id/pocket-id/issues/451)) ([26f01f2](https://github.com/pocket-id/pocket-id/commit/26f01f205be01fb8abd8c2e564c90c0fc4480ea5))
+
+
+### Bug Fixes
+
+* disable animations not respected on authorize and logout page ([e571996](https://github.com/pocket-id/pocket-id/commit/e571996cb57d04232c1f47ab337ad656f48bb3cb))
+* hide alternative sign in button if user is already authenticated ([4e05b82](https://github.com/pocket-id/pocket-id/commit/4e05b82f02740a4bae07cec6c6a64acd34ca0fc3))
+* locale change in dropdown doesn't work on first try ([60bad9e](https://github.com/pocket-id/pocket-id/commit/60bad9e9859d81c9967e6939e1ed10a65145a936))
+* remove limit of 20 callback URLs ([c37a3e0](https://github.com/pocket-id/pocket-id/commit/c37a3e0ed177c3bd2b9a618d1f4b0709004478b0))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.47.0...v) (2025-04-18)
+
+
+### Features
+
+* add gif support for logo and background image ([56a8b5d](https://github.com/pocket-id/pocket-id/commit/56a8b5d0c02643f869b77cf8475ddf2f9473880b))
+* disable/enable users ([#437](https://github.com/pocket-id/pocket-id/issues/437)) ([c843a60](https://github.com/pocket-id/pocket-id/commit/c843a60131b813177b1e270c4f5d97613c700efa))
+
+
+### Bug Fixes
+
+* add "type" as reserved claim ([0111a58](https://github.com/pocket-id/pocket-id/commit/0111a58dac0342c5ac2fa25a050e8773810d2b0a))
+* callback URL doesn't get rejected if it starts with a different string ([f0dce41](https://github.com/pocket-id/pocket-id/commit/f0dce41fbc5649b3a8fe65de36ca20efa521b880))
+* profile picture empty for users without first or last name ([#449](https://github.com/pocket-id/pocket-id/issues/449)) ([5a6dfd9](https://github.com/pocket-id/pocket-id/commit/5a6dfd9e505f4c84e91b4b378b082fab10e8a8a8))
+* user querying fails on global audit log page with Postgres ([84f1d5c](https://github.com/pocket-id/pocket-id/commit/84f1d5c906ec3f9a74ad3d2f36526eea847af5dd))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.46.0...v) (2025-04-16)
+
+
+### Features
+
+* add qrcode representation of one time link ([#424](https://github.com/pocket-id/pocket-id/issues/424)) ([#436](https://github.com/pocket-id/pocket-id/issues/436)) ([abf17f6](https://github.com/pocket-id/pocket-id/commit/abf17f62114a2de549b62cec462b9b0659ee23a7))
+* disable animations setting toggle ([#442](https://github.com/pocket-id/pocket-id/issues/442)) ([b45cf68](https://github.com/pocket-id/pocket-id/commit/b45cf68295975f51777dab95950b98b8db0a9ae5))
+
+
+### Bug Fixes
+
+* define token type as claim for better client compatibility ([adf7458](https://github.com/pocket-id/pocket-id/commit/adf74586afb6ef9a00fb122c150b0248c5bc23f0))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.45.0...v) (2025-04-13)
+
+
+### Features
+
+* global audit log ([#320](https://github.com/pocket-id/pocket-id/issues/320)) ([b65e693](https://github.com/pocket-id/pocket-id/commit/b65e693e12be2e7e4cb75a74d6fd43bacb3f6a94))
+* implement token introspection ([#405](https://github.com/pocket-id/pocket-id/issues/405)) ([7e5d16b](https://github.com/pocket-id/pocket-id/commit/7e5d16be9bdfccfa113924547e313886681d11bb))
+* modernize ui ([#381](https://github.com/pocket-id/pocket-id/issues/381)) ([9881a1d](https://github.com/pocket-id/pocket-id/commit/9881a1df9efe32608ab116db71c0e4f66dae171c))
+* **onboarding:** Added button when you don't have a passkey added. ([#426](https://github.com/pocket-id/pocket-id/issues/426)) ([72061ba](https://github.com/pocket-id/pocket-id/commit/72061ba4278a007437cee3a205c3076d58bde644))
+
+
+### Bug Fixes
+
+* add missing rollback for LDAP sync ([658a9ca](https://github.com/pocket-id/pocket-id/commit/658a9ca6dd8d2304ff3639a000bab02e91ff68a6))
+* create reusable default profile pictures ([#406](https://github.com/pocket-id/pocket-id/issues/406)) ([734c681](https://github.com/pocket-id/pocket-id/commit/734c6813eaef166235ae801747e3652d17ae0e2a))
+* ensure file descriptors are closed + other bugs ([#413](https://github.com/pocket-id/pocket-id/issues/413)) ([2f76461](https://github.com/pocket-id/pocket-id/commit/2f7646105e26423f47cbe49dae97e40c4a01a025))
+* ensure indexes on audit_logs table ([#415](https://github.com/pocket-id/pocket-id/issues/415)) ([9e88926](https://github.com/pocket-id/pocket-id/commit/9e88926283a7a663bfc7fd4f4aa16bd02f614176))
+* ignore profile picture cache after profile picture gets updated ([4ba6893](https://github.com/pocket-id/pocket-id/commit/4ba68938dd2a631c633fcb65d8c35cb039d3f59c))
+* improve LDAP error handling ([#425](https://github.com/pocket-id/pocket-id/issues/425)) ([796bc7e](https://github.com/pocket-id/pocket-id/commit/796bc7ed3453839b1dc8d846b71fe9fac9a2d646))
+* use transactions when operations involve multiple database queries ([#392](https://github.com/pocket-id/pocket-id/issues/392)) ([ec626ee](https://github.com/pocket-id/pocket-id/commit/ec626ee7977306539fd1d70cc9091590f0a54af6))
+* use UUID for temporary file names ([ccc18d7](https://github.com/pocket-id/pocket-id/commit/ccc18d716f16a7ef1775d30982e2ba7b5ff159a6))
+
+
+### Performance Improvements
+
+* run async operations in parallel in server load functions ([1762629](https://github.com/pocket-id/pocket-id/commit/17626295964244c5582806bd0f413da2c799d5ad))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.44.0...v) (2025-03-29)
+
+
+### Features
+
+* add support for ECDSA and EdDSA keys ([#359](https://github.com/pocket-id/pocket-id/issues/359)) ([96876a9](https://github.com/pocket-id/pocket-id/commit/96876a99c586508b72c27669ab200ff6a29db771))
+
+
+### Bug Fixes
+
+* ldap users aren't deleted if removed from ldap server ([7e65827](https://github.com/pocket-id/pocket-id/commit/7e658276f04d08a1f5117796e55d45e310204dab))
+* use value receiver for `AuditLogData` ([cbd1bbd](https://github.com/pocket-id/pocket-id/commit/cbd1bbdf741eedd03e93598d67623c75c74b6212))
+* use WAL for SQLite by default and set busy_timeout ([#388](https://github.com/pocket-id/pocket-id/issues/388)) ([519d58d](https://github.com/pocket-id/pocket-id/commit/519d58d88c906abc5139e35933bdeba0396c10a2))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.43.1...v) (2025-03-25)
+
+
+### Features
+
+* add OIDC refresh_token support ([#325](https://github.com/pocket-id/pocket-id/issues/325)) ([b8dcda8](https://github.com/pocket-id/pocket-id/commit/b8dcda80497e554d163a370eff81fe000f8831f4))
+
+
+### Bug Fixes
+
+* hash the refresh token in the DB (security) ([#379](https://github.com/pocket-id/pocket-id/issues/379)) ([8c96381](https://github.com/pocket-id/pocket-id/commit/8c963818bb90c84dac04018eec93790900d4b0ce))
+* skip ldap objects without a valid unique id ([#376](https://github.com/pocket-id/pocket-id/issues/376)) ([cdfe816](https://github.com/pocket-id/pocket-id/commit/cdfe8161d4429bdfe879887fe0b563a67c14f50b))
+* stop container if Caddy, the frontend or the backend fails ([e6f5019](https://github.com/pocket-id/pocket-id/commit/e6f50191cf05a5d0ac0e0000cf66423646f1920e))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.43.0...v) (2025-03-20)
+
+
+### Bug Fixes
+
+* wrong base locale causes crash ([3120ebf](https://github.com/pocket-id/pocket-id/commit/3120ebf239b90f0bc0a0af33f30622e034782398))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.42.1...v) (2025-03-20)
+
+
+### Features
+
+* add support for translations ([#349](https://github.com/pocket-id/pocket-id/issues/349)) ([269b5a3](https://github.com/pocket-id/pocket-id/commit/269b5a3c9249bb8081c74741141d3d5a69ea42a2))
+* **passkeys:** name new passkeys based on agguids ([#332](https://github.com/pocket-id/pocket-id/issues/332)) ([041c565](https://github.com/pocket-id/pocket-id/commit/041c565dc10f15edb3e8ab58e9a4df5e48a2a6d3))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.42.0...v) (2025-03-18)
+
+
+### Bug Fixes
+
+* kid not added to JWTs ([f7e36a4](https://github.com/pocket-id/pocket-id/commit/f7e36a422ea6b5327360c9a13308ae408ff7fffe))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.41.0...v) (2025-03-18)
+
+
+### Features
+
+* store keys as JWK on disk ([#339](https://github.com/pocket-id/pocket-id/issues/339)) ([a7c9741](https://github.com/pocket-id/pocket-id/commit/a7c9741802667811c530ef4e6313b71615ec6a9b))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.40.1...v) (2025-03-18)
+
+
+### Features
+
+* **profile-picture:** allow reset of profile picture ([#355](https://github.com/pocket-id/pocket-id/issues/355)) ([8f14618](https://github.com/pocket-id/pocket-id/commit/8f146188d57b5c08a4c6204674c15379232280d8))
+
+
+### Bug Fixes
+
+* own avatar not loading ([#351](https://github.com/pocket-id/pocket-id/issues/351)) ([0423d35](https://github.com/pocket-id/pocket-id/commit/0423d354f533d2ff4fd431859af3eea7d4d7044f))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.40.0...v) (2025-03-16)
+
+
+### Bug Fixes
+
+* API keys not working if sqlite is used ([8ead0be](https://github.com/pocket-id/pocket-id/commit/8ead0be8cd0cfb542fe488b7251cfd5274975ae1))
+* caching for own profile picture ([e45d9e9](https://github.com/pocket-id/pocket-id/commit/e45d9e970d327a5120ff9fb0c8d42df8af69bb38))
+* email logo icon displaying too big ([#336](https://github.com/pocket-id/pocket-id/issues/336)) ([b483e2e](https://github.com/pocket-id/pocket-id/commit/b483e2e92fdb528e7de026350a727d6970227426))
+* emails are considered as medium spam by rspamd ([#337](https://github.com/pocket-id/pocket-id/issues/337)) ([39b7f66](https://github.com/pocket-id/pocket-id/commit/39b7f6678c98cadcdc3abfbcb447d8eb0daa9eb0))
+* Fixes and performance improvements in utils package ([#331](https://github.com/pocket-id/pocket-id/issues/331)) ([348192b](https://github.com/pocket-id/pocket-id/commit/348192b9d7e2698add97810f8fba53d13d0df018))
+* remove custom claim key restrictions ([9f28503](https://github.com/pocket-id/pocket-id/commit/9f28503d6c73d3521d1309bee055704a0507e9b5))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.39.0...v) (2025-03-13)
+
+
+### Features
+
+* allow setting path where keys are stored ([#327](https://github.com/pocket-id/pocket-id/issues/327)) ([7b654c6](https://github.com/pocket-id/pocket-id/commit/7b654c6bd111ddcddd5e3450cbf326d9cf1777b6))
+
+
+### Bug Fixes
+
+* **docker:** missing write permissions on scripts ([ec4b41a](https://github.com/pocket-id/pocket-id/commit/ec4b41a1d26ea00bb4a95f654ac4cc745b2ce2e8))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.38.0...v) (2025-03-11)
+
+
+### Features
+
+* api key authentication ([#291](https://github.com/pocket-id/pocket-id/issues/291)) ([62915d8](https://github.com/pocket-id/pocket-id/commit/62915d863a4adc09cf467b75c414a045be43c2bb))
+
+
+### Bug Fixes
+
+* alternative login method link on mobile ([9ef2ddf](https://github.com/pocket-id/pocket-id/commit/9ef2ddf7963c6959992f3a5d6816840534e926e9))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.37.0...v) (2025-03-10)
+
+
+### Features
+
+* add env variable to disable update check ([31198fe](https://github.com/pocket-id/pocket-id/commit/31198feec2ae77dd6673c42b42002871ddd02d37))
+
+
+### Bug Fixes
+
+* redirection not correctly if signing in with email code ([e5ec264](https://github.com/pocket-id/pocket-id/commit/e5ec264bfd535752565bcc107099a9df5cb8aba7))
+* typo in account settings ([#307](https://github.com/pocket-id/pocket-id/issues/307)) ([c822192](https://github.com/pocket-id/pocket-id/commit/c8221921245deb3008f655740d1a9460dcdab2fc))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.36.0...v) (2025-03-10)
+
+
+### Features
+
+* **account:** add ability to sign in with login code ([#271](https://github.com/pocket-id/pocket-id/issues/271)) ([eb1426e](https://github.com/pocket-id/pocket-id/commit/eb1426ed2684b5ddd185db247a8e082b28dfd014))
+* increase default item count per page ([a9713cf](https://github.com/pocket-id/pocket-id/commit/a9713cf6a1e3c879dc773889b7983e51bbe3c45b))
+
+
+### Bug Fixes
+
+* add back setup page ([6a8dd84](https://github.com/pocket-id/pocket-id/commit/6a8dd84ca9396ff3369385af22f7e1f081bec2b2))
+* add timeout to update check ([04efc36](https://github.com/pocket-id/pocket-id/commit/04efc3611568a0b0127b542b8cc252d9e783af46))
+* make sorting consistent around tables ([8e344f1](https://github.com/pocket-id/pocket-id/commit/8e344f1151628581b637692a1de0e48e7235a22d))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.35.6...v) (2025-03-06)
+
+
+### Features
+
+* display groups on the account page ([#296](https://github.com/pocket-id/pocket-id/issues/296)) ([0f14a93](https://github.com/pocket-id/pocket-id/commit/0f14a93e1d6a723b0994ba475b04702646f04464))
+* enable sd_notify support ([#277](https://github.com/pocket-id/pocket-id/issues/277)) ([91f254c](https://github.com/pocket-id/pocket-id/commit/91f254c7bb067646c42424c5c62ebcd90a0c8792))
+
+
+### Bug Fixes
+
+* default sorting on tables ([#299](https://github.com/pocket-id/pocket-id/issues/299)) ([ff34e3b](https://github.com/pocket-id/pocket-id/commit/ff34e3b925321c80e9d7d42d0fd50e397d198435))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.35.5...v) (2025-03-03)
+
+
+### Bug Fixes
+
+* support `LOGIN` authentication method for SMTP ([#292](https://github.com/pocket-id/pocket-id/issues/292)) ([2d733fc](https://github.com/pocket-id/pocket-id/commit/2d733fc79faefca23d54b22768029c3ba3427410))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.35.4...v) (2025-03-03)
+
+
+### Bug Fixes
+
+* profile picture orientation if image is rotated with EXIF ([1026ee4](https://github.com/pocket-id/pocket-id/commit/1026ee4f5b5c7fda78b65c94a5d0f899525defd1))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.35.3...v) (2025-03-01)
+
+
+### Bug Fixes
+
+* add `groups` scope and claim to well known endpoint ([4bafee4](https://github.com/pocket-id/pocket-id/commit/4bafee4f58f5a76898cf66d6192916d405eea389))
+* profile picture of other user can't be updated ([#273](https://github.com/pocket-id/pocket-id/issues/273)) ([ef25f6b](https://github.com/pocket-id/pocket-id/commit/ef25f6b6b84b52f1310d366d40aa3769a6fe9bef))
+* support POST for OIDC userinfo endpoint ([1652cc6](https://github.com/pocket-id/pocket-id/commit/1652cc65f3f966d018d81a1ae22abb5ff1b4c47b))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.35.2...v) (2025-02-25)
+
+
+### Bug Fixes
+
+* add option to manually select SMTP TLS method ([#268](https://github.com/pocket-id/pocket-id/issues/268)) ([01a9de0](https://github.com/pocket-id/pocket-id/commit/01a9de0b04512c62d0f223de33d711f93c49b9cc))
+* **ldap:** sync error if LDAP user collides with an existing user ([fde951b](https://github.com/pocket-id/pocket-id/commit/fde951b543281fedf9f602abae26b50881e3d157))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.35.1...v) (2025-02-24)
+
+
+### Bug Fixes
+
+* delete profile picture if user gets deleted ([9a167d4](https://github.com/pocket-id/pocket-id/commit/9a167d4076872e5e3e5d78d2a66ef7203ca5261b))
+* updating profile picture of other user updates own profile picture ([887c5e4](https://github.com/pocket-id/pocket-id/commit/887c5e462a50c8fb579ca6804f1a643d8af78fe8))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.35.0...v) (2025-02-22)
+
+
+### Bug Fixes
+
+* add validation that `PUBLIC_APP_URL` can't contain a path ([a6ae7ae](https://github.com/pocket-id/pocket-id/commit/a6ae7ae28713f7fc8018ae2aa7572986df3e1a5b))
+* binary profile picture can't be imported from LDAP ([840a672](https://github.com/pocket-id/pocket-id/commit/840a672fc35ca8476caf86d7efaba9d54bce86aa))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.34.0...v) (2025-02-19)
+
+
+### Features
+
+* add ability to upload a profile picture ([#244](https://github.com/pocket-id/pocket-id/issues/244)) ([652ee6a](https://github.com/pocket-id/pocket-id/commit/652ee6ad5d6c46f0d35c955ff7bb9bdac6240ca6))
+
+
+### Bug Fixes
+
+* app config strings starting with a number are parsed incorrectly ([816c198](https://github.com/pocket-id/pocket-id/commit/816c198a42c189cb1f2d94885d2e3623e47e2848))
+* emails do not get rendered correctly in Gmail ([dca9e7a](https://github.com/pocket-id/pocket-id/commit/dca9e7a11a3ba5d3b43a937f11cb9d16abad2db5))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.33.0...v) (2025-02-16)
+
+
+### Features
+
+* add LDAP group membership attribute ([#236](https://github.com/pocket-id/pocket-id/issues/236)) ([39b46e9](https://github.com/pocket-id/pocket-id/commit/39b46e99a9b930ea39cf640c3080530cfff5be6e))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.32.0...v) (2025-02-14)
+
+
+### Features
+
+* add end session endpoint ([#232](https://github.com/pocket-id/pocket-id/issues/232)) ([7550333](https://github.com/pocket-id/pocket-id/commit/7550333fe2ff6424f3168f63c5179d76767532fd))
+
+
+### Bug Fixes
+
+* alignment of OIDC client details ([c3980d3](https://github.com/pocket-id/pocket-id/commit/c3980d3d28a7158a4dc9369af41f185b891e485e))
+* layout of OIDC client details page on mobile ([3de1301](https://github.com/pocket-id/pocket-id/commit/3de1301fa84b3ab4fff4242d827c7794d44910f2))
+* show  "Sync Now" and "Test Email" button even if UI config is disabled ([4d0fff8](https://github.com/pocket-id/pocket-id/commit/4d0fff821e2245050ce631b4465969510466dfae))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.31.0...v) (2025-02-13)
+
+
+### Features
+
+* add ability to set custom Geolite DB URL ([2071d00](https://github.com/pocket-id/pocket-id/commit/2071d002fc5c3b5ff7a3fca6a5c99f5517196853))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.30.0...v) (2025-02-12)
+
+
+### Features
+
+* add ability to override the UI configuration with environment variables ([4e85842](https://github.com/pocket-id/pocket-id/commit/4e858420e9d9713e19f3b35c45c882403717f72f))
+* add warning for only having one passkey configured ([#220](https://github.com/pocket-id/pocket-id/issues/220)) ([39e403d](https://github.com/pocket-id/pocket-id/commit/39e403d00f3870f9e960427653a1d9697da27a6f))
+* display source in user and group table ([#225](https://github.com/pocket-id/pocket-id/issues/225)) ([9ed2adb](https://github.com/pocket-id/pocket-id/commit/9ed2adb0f8da13725fd9a4ef6a7798c377d13513))
+
+
+### Bug Fixes
+
+* user linking in ldap group sync ([#222](https://github.com/pocket-id/pocket-id/issues/222)) ([2d78349](https://github.com/pocket-id/pocket-id/commit/2d78349b381d7ca10f47d3c03cef685a576b1b49))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.29.0...v) (2025-02-08)
+
+
+### Features
+
+* add custom ldap search filters ([#216](https://github.com/pocket-id/pocket-id/issues/216)) ([626f87d](https://github.com/pocket-id/pocket-id/commit/626f87d59211f4129098b91dc1d020edb4aca692))
+* update host configuration to allow external access ([#218](https://github.com/pocket-id/pocket-id/issues/218)) ([bea1158](https://github.com/pocket-id/pocket-id/commit/bea115866fd8e4b15d3281c422d2fb72312758b1))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v0.28.1...v) (2025-02-05)
+
+
+### Features
+
+* add JSON support in custom claims ([15cde6a](https://github.com/pocket-id/pocket-id/commit/15cde6ac66bc857ac28df545a37c1f4341977595))
+* add option to disable Caddy in the Docker container ([e864d5d](https://github.com/pocket-id/pocket-id/commit/e864d5dcbff1ef28dc6bf120e4503093a308c5c8))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.28.0...v) (2025-02-04)
+
+
+### Bug Fixes
+
+* don't return error page if version info fetching failed ([d06257e](https://github.com/stonith404/pocket-id/commit/d06257ec9b5e46e25e40c174b4bef02dca0a1ea3))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.27.2...v) (2025-02-03)
+
+
+### Features
+
+* allow LDAP users and groups to be deleted if LDAP gets disabled ([9ab1787](https://github.com/stonith404/pocket-id/commit/9ab178712aa3cc71546a89226e67b7ba91245251))
+* map allowed groups to OIDC clients ([#202](https://github.com/stonith404/pocket-id/issues/202)) ([13b02a0](https://github.com/stonith404/pocket-id/commit/13b02a072f20ce10e12fd8b897cbf42a908f3291))
+
+
+### Bug Fixes
+
+* **caddy:** trusted_proxies for IPv6 enabled hosts ([#189](https://github.com/stonith404/pocket-id/issues/189)) ([37a835b](https://github.com/stonith404/pocket-id/commit/37a835b44e308622f6862de494738dd2bfb58ef0))
+* missing user service dependency ([61e71ad](https://github.com/stonith404/pocket-id/commit/61e71ad43b8f0f498133d3eb2381382e7bc642b9))
+* non LDAP user group can't be updated after update ([ecd74b7](https://github.com/stonith404/pocket-id/commit/ecd74b794f1ffb7da05bce0046fb8d096b039409))
+* use cursor pointer on clickable elements ([7798580](https://github.com/stonith404/pocket-id/commit/77985800ae9628104e03e7f2e803b7ed9eaaf4e0))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.27.1...v) (2025-01-27)
+
+
+### Bug Fixes
+
+* smtp hello for tls connections ([#180](https://github.com/stonith404/pocket-id/issues/180)) ([781ff7a](https://github.com/stonith404/pocket-id/commit/781ff7ae7b84b13892e7a565b7a78f20c52ee2c9))
+
+## [](https://github.com/stonith404/pocket-id/compare/v0.27.0...v) (2025-01-24)
+
+
+### Bug Fixes
+
+* add `__HOST` prefix to cookies ([#175](https://github.com/stonith404/pocket-id/issues/175)) ([164ce6a](https://github.com/stonith404/pocket-id/commit/164ce6a3d7fa8ae5275c94302952cf318e3b3113))
+* send hostname derived from `PUBLIC_APP_URL` with SMTP EHLO command ([397544c](https://github.com/stonith404/pocket-id/commit/397544c0f3f2b49f1f34ae53e6b9daf194d1ae28))
+* use OS hostname for SMTP EHLO message ([47c39f6](https://github.com/stonith404/pocket-id/commit/47c39f6d382c496cb964262adcf76cc8dbb96da3))
+
 ## [](https://github.com/stonith404/pocket-id/compare/v0.26.0...v) (2025-01-22)


--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -31,8 +31,15 @@ Before you submit the pull request for review please ensure that
 - You run `npm run format` to format the code

 ## Setup project
+Pocket ID consists of a frontend, backend and a reverse proxy. There are two ways to get the development environment setup:

-Pocket ID consists of a frontend, backend and a reverse proxy.
+## 1. Using DevContainers
+1. Make sure you have [Dev Containers](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers) extension installed
+2. Clone and open the repo in VS Code
+3. VS Code will detect .devcontainer and will prompt you to open the folder in devcontainer
+4. If the auto prompt does not work, hit `F1` and select `Dev Containers: Open Folder in Container.`, then select the pocket-id repo root folder and it'll open in container.
+
+## 2. Manual

 ### Backend

@@ -42,7 +49,7 @@ The backend is built with [Gin](https://gin-gonic.com) and written in Go.

 1. Open the `backend` folder
 2. Copy the `.env.example` file to `.env` and change the `APP_ENV` to `development`
-3. Start the backend with `go run cmd/main.go`
+3. Start the backend with `go run -tags e2etest ./cmd`

 ### Frontend

@@ -55,19 +62,23 @@ The frontend is built with [SvelteKit](https://kit.svelte.dev) and written in Ty
 3. Install the dependencies with `npm install`
 4. Start the frontend with `npm run dev`

-You're all set!
-
 ### Reverse Proxy
 We use [Caddy](https://caddyserver.com) as a reverse proxy. You can use any other reverse proxy if you want but you have to configure it yourself.

 #### Setup
 Run `caddy run --config reverse-proxy/Caddyfile` in the root folder.

+You're all set!
+
+## Debugging
+1. The VS Code is currently setup to auto launch caddy on opening the folder. (Defined in [tasks.json](.vscode/tasks.json))
+2. Press `F5` to start a debug session. This will launch both frontend and backend and attach debuggers to those process. (Defined in [launch.json](.vscode/launch.json))
+
 ### Testing

 We are using [Playwright](https://playwright.dev) for end-to-end testing.

 The tests can be run like this:
 1. Start the backend normally
-2. Start the frontend in production mode with `npm run build && node build/index.js`
+2. Start the frontend in production mode with `npm run build && node --env-file=.env build/index.js`
 3. Run the tests with `npm run test`
--- a/23
+++ b/23
@@ -1,5 +1,9 @@
+# Tags passed to "go build"
+ARG BUILD_TAGS=""
+ARG VERSION="unknown"
+
 # Stage 1: Build Frontend
-FROM node:20-alpine AS frontend-builder
+FROM node:22-alpine AS frontend-builder
 WORKDIR /app/frontend
 COPY ./frontend/package*.json ./
 RUN npm ci
@@ -8,7 +12,8 @@ RUN npm run build
 RUN npm prune --production

 # Stage 2: Build Backend
-FROM golang:1.23-alpine AS backend-builder
+FROM golang:1.24-alpine AS backend-builder
+ARG BUILD_TAGS
 WORKDIR /app/backend
 COPY ./backend/go.mod ./backend/go.sum ./
 RUN go mod download
@@ -17,10 +22,16 @@ RUN apk add --no-cache gcc musl-dev

 COPY ./backend ./
 WORKDIR /app/backend/cmd
-RUN CGO_ENABLED=1 GOOS=linux go build -o /app/backend/pocket-id-backend .
+RUN CGO_ENABLED=1 \
+  GOOS=linux \
+  go build \
+  -tags "${BUILD_TAGS}" \
+  -ldflags="-X github.com/pocket-id/pocket-id/backend/internal/common.Version=${VERSION}" \
+  -o /app/backend/pocket-id-backend \
+  .

 # Stage 3: Production Image
-FROM node:20-alpine
+FROM node:22-alpine
 # Delete default node user
 RUN deluser --remove-home node

@@ -35,10 +46,10 @@ COPY --from=frontend-builder /app/frontend/package.json ./frontend/package.json
 COPY --from=backend-builder /app/backend/pocket-id-backend ./backend/pocket-id-backend

 COPY ./scripts ./scripts
-RUN chmod +x ./scripts/*.sh
+RUN find ./scripts -name "*.sh" -exec chmod +x {} \;

 EXPOSE 80
 ENV APP_ENV=production

 ENTRYPOINT ["sh", "./scripts/docker/create-user.sh"]
-CMD ["sh", "./scripts/docker/entrypoint.sh"]
+CMD ["sh", "./scripts/docker/entrypoint.sh"]
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@

 Pocket ID is a simple OIDC provider that allows users to authenticate with their passkeys to your services.

-→ Try out the [Demo](https://pocket-id.eliasschneider.com)
+→ Try out the [Demo](https://demo.pocket-id.org)

 <img src="https://github.com/user-attachments/assets/96ac549d-b897-404a-8811-f42b16ea58e2" width="1200"/>

@@ -14,7 +14,7 @@ Additionally, what makes Pocket ID special is that it only supports [passkey](ht

 Pocket ID can be set up in multiple ways. The easiest and recommended way is to use Docker.

-Visit the [documentation](https://stonith404.github.io/pocket-id) for the setup guide and more information.
+Visit the [documentation](https://docs.pocket-id.org) for the setup guide and more information.

 ## Contribute

--- a/backend/.env.example
+++ b/backend/.env.example
@@ -1,8 +1,10 @@
 APP_ENV=production
 PUBLIC_APP_URL=http://localhost
+# /!\ If PUBLIC_APP_URL is not a localhost address, it must be HTTPS
 DB_PROVIDER=sqlite
+# MAXMIND_LICENSE_KEY=fixme # needed for IP geolocation in the audit log
 SQLITE_DB_PATH=data/pocket-id.db
 POSTGRES_CONNECTION_STRING=postgresql://postgres:postgres@localhost:5432/pocket-id
 UPLOAD_PATH=data/uploads
 PORT=8080
-HOST=localhost
+HOST=0.0.0.0
--- a/backend/.golangci.yml
+++ b/backend/.golangci.yml
@@ -0,0 +1,64 @@
+version: "2"
+run:
+  tests: true
+  timeout: 5m
+linters:
+  default: none
+  enable:
+    - asasalint
+    - asciicheck
+    - bidichk
+    - bodyclose
+    - contextcheck
+    - copyloopvar
+    - durationcheck
+    - errcheck
+    - errchkjson
+    - errorlint
+    - exhaustive
+    - gocheckcompilerdirectives
+    - gochecksumtype
+    - gocognit
+    - gocritic
+    - gosec
+    - gosmopolitan
+    - govet
+    - ineffassign
+    - loggercheck
+    - makezero
+    - musttag
+    - nilerr
+    - nilnesserr
+    - noctx
+    - protogetter
+    - reassign
+    - recvcheck
+    - rowserrcheck
+    - spancheck
+    - sqlclosecheck
+    - staticcheck
+    - testifylint
+    - unused
+    - usestdlibvars
+    - zerologlint
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+      - internal/service/test_service.go
+formatters:
+  enable:
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
--- a/backend/cmd/main.go
+++ b/backend/cmd/main.go
@@ -1,9 +1,20 @@
 package main

 import (
-	"github.com/stonith404/pocket-id/backend/internal/bootstrap"
+	"log"
+
+	_ "time/tzdata"
+
+	"github.com/pocket-id/pocket-id/backend/internal/bootstrap"
 )

+// @title Pocket ID API
+// @version 1.0
+// @description.markdown
+
 func main() {
-	bootstrap.Bootstrap()
+	err := bootstrap.Bootstrap()
+	if err != nil {
+		log.Fatal(err.Error())
+	}
 }
--- a/backend/go.mod
+++ b/backend/go.mod
@@ -1,73 +1,126 @@
-module github.com/stonith404/pocket-id/backend
+module github.com/pocket-id/pocket-id/backend

-go 1.23.1
+go 1.24.0

 require (
-	github.com/caarlos0/env/v11 v11.2.2
+	github.com/caarlos0/env/v11 v11.3.1
+	github.com/disintegration/imageorient v0.0.0-20180920195336-8147d86e83ec
+	github.com/disintegration/imaging v1.6.2
+	github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21
+	github.com/emersion/go-smtp v0.21.3
 	github.com/fxamacker/cbor/v2 v2.7.0
 	github.com/gin-gonic/gin v1.10.0
-	github.com/go-co-op/gocron/v2 v2.12.1
-	github.com/go-playground/validator/v10 v10.22.1
+	github.com/go-co-op/gocron/v2 v2.15.0
+	github.com/go-ldap/ldap/v3 v3.4.10
+	github.com/go-playground/validator/v10 v10.25.0
 	github.com/go-webauthn/webauthn v0.11.2
-	github.com/golang-jwt/jwt/v5 v5.2.1
-	github.com/golang-migrate/migrate/v4 v4.18.1
+	github.com/golang-migrate/migrate/v4 v4.18.2
 	github.com/google/uuid v1.6.0
 	github.com/joho/godotenv v1.5.1
+	github.com/lestrrat-go/jwx/v3 v3.0.0-beta1
 	github.com/mileusna/useragent v1.3.5
-	github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.1
-	golang.org/x/crypto v0.31.0
-	golang.org/x/time v0.6.0
+	github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.2
+	github.com/prometheus/client_golang v1.22.0
+	github.com/stretchr/testify v1.10.0
+	go.opentelemetry.io/contrib/exporters/autoexport v0.59.0
+	go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.60.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0
+	go.opentelemetry.io/otel v1.35.0
+	go.opentelemetry.io/otel/metric v1.35.0
+	go.opentelemetry.io/otel/sdk v1.35.0
+	go.opentelemetry.io/otel/sdk/metric v1.35.0
+	go.opentelemetry.io/otel/trace v1.35.0
+	golang.org/x/crypto v0.36.0
+	golang.org/x/image v0.24.0
+	golang.org/x/time v0.9.0
 	gorm.io/driver/postgres v1.5.11
-	gorm.io/driver/sqlite v1.5.6
+	gorm.io/driver/sqlite v1.5.7
 	gorm.io/gorm v1.25.12
 )

 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
-	github.com/bytedance/sonic v1.12.3 // indirect
-	github.com/bytedance/sonic/loader v0.2.0 // indirect
-	github.com/cloudwego/base64x v0.1.4 // indirect
-	github.com/cloudwego/iasm v0.2.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.5 // indirect
-	github.com/gin-contrib/sse v0.1.0 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/bytedance/sonic v1.12.10 // indirect
+	github.com/bytedance/sonic/loader v0.2.3 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cloudwego/base64x v0.1.5 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
+	github.com/disintegration/gift v1.1.2 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
+	github.com/gin-contrib/sse v1.0.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
-	github.com/go-ldap/ldap/v3 v3.4.10 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-webauthn/x v0.1.14 // indirect
-	github.com/goccy/go-json v0.10.3 // indirect
-	github.com/google/go-tpm v0.9.1 // indirect
+	github.com/go-webauthn/x v0.1.16 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
+	github.com/google/go-tpm v0.9.3 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
-	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
-	github.com/jackc/pgx/v5 v5.5.5 // indirect
-	github.com/jackc/puddle/v2 v2.2.1 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
+	github.com/jackc/pgx/v5 v5.7.2 // indirect
+	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
-	github.com/jonboulle/clockwork v0.4.0 // indirect
+	github.com/jonboulle/clockwork v0.5.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.8 // indirect
-	github.com/kr/pretty v0.3.1 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.2 // indirect
+	github.com/lestrrat-go/httpcc v1.0.1 // indirect
+	github.com/lestrrat-go/httprc/v3 v3.0.0-beta1 // indirect
+	github.com/lestrrat-go/option v1.0.1 // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-sqlite3 v1.14.23 // indirect
+	github.com/mattn/go-sqlite3 v1.14.24 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.62.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/robfig/cron/v3 v3.0.1 // indirect
+	github.com/segmentio/asm v1.2.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.2.12 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/bridges/prometheus v0.59.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.10.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.10.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.35.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.35.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 // indirect
+	go.opentelemetry.io/otel/exporters/prometheus v0.57.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.10.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.35.0 // indirect
+	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.35.0 // indirect
+	go.opentelemetry.io/otel/log v0.10.0 // indirect
+	go.opentelemetry.io/otel/sdk/log v0.10.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	golang.org/x/arch v0.10.0 // indirect
-	golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
-	golang.org/x/net v0.33.0 // indirect
-	golang.org/x/sync v0.10.0 // indirect
-	golang.org/x/sys v0.28.0 // indirect
-	golang.org/x/text v0.21.0 // indirect
-	google.golang.org/protobuf v1.34.2 // indirect
+	golang.org/x/arch v0.14.0 // indirect
+	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 // indirect
+	golang.org/x/net v0.38.0 // indirect
+	golang.org/x/sync v0.12.0 // indirect
+	golang.org/x/sys v0.31.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a // indirect
+	google.golang.org/grpc v1.71.0 // indirect
+	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/backend/go.sum
+++ b/backend/go.sum
@@ -4,24 +4,37 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
-github.com/bytedance/sonic v1.12.3 h1:W2MGa7RCU1QTeYRTPE3+88mVC0yXmsRQRChiyVocVjU=
-github.com/bytedance/sonic v1.12.3/go.mod h1:B8Gt/XvtZ3Fqj+iSKMypzymZxw/FVwgIGKzMzT9r/rk=
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/bytedance/sonic v1.12.10 h1:uVCQr6oS5669E9ZVW0HyksTLfNS7Q/9hV6IVS4nEMsI=
+github.com/bytedance/sonic v1.12.10/go.mod h1:uVvFidNmlt9+wa31S1urfwwthTWteBgG0hWuoKAXTx8=
 github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
-github.com/bytedance/sonic/loader v0.2.0 h1:zNprn+lsIP06C/IqCHs3gPQIvnvpKbbxyXQP1iU4kWM=
-github.com/bytedance/sonic/loader v0.2.0/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
-github.com/caarlos0/env/v11 v11.2.2 h1:95fApNrUyueipoZN/EhA8mMxiNxrBwDa+oAZrMWl3Kg=
-github.com/caarlos0/env/v11 v11.2.2/go.mod h1:JBfcdeQiBoI3Zh1QRAWfe+tpiNTmDtcCj/hHHHMx0vc=
-github.com/cloudwego/base64x v0.1.4 h1:jwCgWpFanWmN8xoIUHa2rtzmkd5J2plF/dnLS6Xd/0Y=
-github.com/cloudwego/base64x v0.1.4/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=
-github.com/cloudwego/iasm v0.2.0 h1:1KNIy1I1H9hNNFEEH3DVnI4UujN+1zjpuk6gwHLTssg=
+github.com/bytedance/sonic/loader v0.2.3 h1:yctD0Q3v2NOGfSWPLPvG2ggA2kV6TS6s4wioyEqssH0=
+github.com/bytedance/sonic/loader v0.2.3/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
+github.com/caarlos0/env/v11 v11.3.1 h1:cArPWC15hWmEt+gWk7YBi7lEXTXCvpaSdCiZE2X5mCA=
+github.com/caarlos0/env/v11 v11.3.1/go.mod h1:qupehSf/Y0TUTsxKywqRt/vJjN5nz6vauiYEUUr8P4U=
+github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
+github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cloudwego/base64x v0.1.5 h1:XPciSp1xaq2VCSt6lF0phncD4koWyULpl5bUxbfCyP4=
+github.com/cloudwego/base64x v0.1.5/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=
 github.com/cloudwego/iasm v0.2.0/go.mod h1:8rXZaNYT2n95jn+zTI1sDr+IgcD2GVs0nlbbQPiEFhY=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dhui/dktest v0.4.3 h1:wquqUxAFdcUgabAVLvSCOKOlag5cIZuaOjYIBOWdsR0=
-github.com/dhui/dktest v0.4.3/go.mod h1:zNK8IwktWzQRm6I/l2Wjp7MakiyaFWv4G1hjmodmMTs=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvwDRwnI3hwNaAHRnc=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=
+github.com/dhui/dktest v0.4.4 h1:+I4s6JRE1yGuqflzwqG+aIaMdgXIorCf5P98JnaAWa8=
+github.com/dhui/dktest v0.4.4/go.mod h1:4+22R4lgsdAXrDyaH4Nqx2JEz2hLp49MqQmm9HLCQhM=
+github.com/disintegration/gift v1.1.2 h1:9ZyHJr+kPamiH10FX3Pynt1AxFUob812bU9Wt4GMzhs=
+github.com/disintegration/gift v1.1.2/go.mod h1:Jh2i7f7Q2BM7Ezno3PhfezbR1xpUg9dUg3/RlKGr4HI=
+github.com/disintegration/imageorient v0.0.0-20180920195336-8147d86e83ec h1:YrB6aVr9touOt75I9O1SiancmR2GMg45U9UYf0gtgWg=
+github.com/disintegration/imageorient v0.0.0-20180920195336-8147d86e83ec/go.mod h1:K0KBFIr1gWu/C1Gp10nFAcAE4hsB7JxE6OgLijrJ8Sk=
+github.com/disintegration/imaging v1.6.2 h1:w1LecBlG2Lnp8B3jk5zSuNqd7b4DXhcjwek1ei82L+c=
+github.com/disintegration/imaging v1.6.2/go.mod h1:44/5580QXChDfwIclfc/PCwrr44amcmDAg8hxG0Ewe4=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/docker/docker v27.2.0+incompatible h1:Rk9nIVdfH3+Vz4cyI/uhbINhEZ/oLmc+CBXmH6fbNk4=
@@ -30,22 +43,27 @@ github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj
 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21 h1:OJyUGMJTzHTd1XQp98QTaHernxMYzRaOasRir9hUlFQ=
+github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21/go.mod h1:iL2twTeMvZnrg54ZoPDNfJaJaqy0xIQFuBdrLsmspwQ=
+github.com/emersion/go-smtp v0.21.3 h1:7uVwagE8iPYE48WhNsng3RRpCUpFvNl39JGNSIyGVMY=
+github.com/emersion/go-smtp v0.21.3/go.mod h1:qm27SGYgoIPRot6ubfQ/GpiPy/g3PaZAVRxiO/sDUgQ=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
 github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
-github.com/gabriel-vasile/mimetype v1.4.5 h1:J7wGKdGu33ocBOhGy0z653k/lFKLFDPJMG8Gql0kxn4=
-github.com/gabriel-vasile/mimetype v1.4.5/go.mod h1:ibHel+/kbxn9x2407k1izTA1S81ku1z/DlgOW2QE0M4=
-github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=
-github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
+github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM=
+github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8=
+github.com/gin-contrib/sse v1.0.0 h1:y3bT1mUWUxDpW4JLQg/HnTqV4rozuW4tC9eFKTxYI9E=
+github.com/gin-contrib/sse v1.0.0/go.mod h1:zNuFdwarAygJBht0NTKiSi3jRf6RbqeILZ9Sp6Slhe0=
 github.com/gin-gonic/gin v1.10.0 h1:nTuyha1TYqgedzytsKYqna+DfLos46nTv2ygFy86HFU=
 github.com/gin-gonic/gin v1.10.0/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y=
 github.com/go-asn1-ber/asn1-ber v1.5.7 h1:DTX+lbVTWaTw1hQ+PbZPlnDZPEIs0SS/GCZAl535dDk=
 github.com/go-asn1-ber/asn1-ber v1.5.7/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
-github.com/go-co-op/gocron/v2 v2.12.1 h1:dCIIBFbzhWKdgXeEifBjHPzgQ1hoWhjS4289Hjjy1uw=
-github.com/go-co-op/gocron/v2 v2.12.1/go.mod h1:xY7bJxGazKam1cz04EebrlP4S9q4iWdiAylMGP3jY9w=
+github.com/go-co-op/gocron/v2 v2.15.0 h1:Kpvo71VSihE+RImmpA+3ta5CcMhoRzMGw4dJawrj4zo=
+github.com/go-co-op/gocron/v2 v2.15.0/go.mod h1:ZF70ZwEqz0OO4RBXE1sNxnANy/zvwLcattWEFsqpKig=
 github.com/go-ldap/ldap/v3 v3.4.10 h1:ot/iwPOhfpNVgB1o+AVXljizWZ9JTp7YF5oeyONmcJU=
 github.com/go-ldap/ldap/v3 v3.4.10/go.mod h1:JXh4Uxgi40P6E9rdsYqpUtbW46D9UTjJ9QSwGRznplY=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
@@ -56,49 +74,61 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.22.1 h1:40JcKH+bBNGFczGuoBYgX4I6m/i27HYW8P9FDk5PbgA=
-github.com/go-playground/validator/v10 v10.22.1/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
+github.com/go-playground/validator/v10 v10.25.0 h1:5Dh7cjvzR7BRZadnsVOzPhWsrwUr0nmsZJxEAnFLNO8=
+github.com/go-playground/validator/v10 v10.25.0/go.mod h1:GGzBIJMuE98Ic/kJsBXbz1x/7cByt++cQ+YOuDM5wus=
 github.com/go-webauthn/webauthn v0.11.2 h1:Fgx0/wlmkClTKlnOsdOQ+K5HcHDsDcYIvtYmfhEOSUc=
 github.com/go-webauthn/webauthn v0.11.2/go.mod h1:aOtudaF94pM71g3jRwTYYwQTG1KyTILTcZqN1srkmD0=
-github.com/go-webauthn/x v0.1.14 h1:1wrB8jzXAofojJPAaRxnZhRgagvLGnLjhCAwg3kTpT0=
-github.com/go-webauthn/x v0.1.14/go.mod h1:UuVvFZ8/NbOnkDz3y1NaxtUN87pmtpC1PQ+/5BBQRdc=
-github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
-github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
+github.com/go-webauthn/x v0.1.16 h1:EaVXZntpyHviN9ykjdRBQIw9B0Ed3LO5FW7mDiMQEa8=
+github.com/go-webauthn/x v0.1.16/go.mod h1:jhYjfwe/AVYaUs2mUXArj7vvZj+SpooQPyyQGNab+Us=
+github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
+github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
-github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
-github.com/golang-migrate/migrate/v4 v4.18.1 h1:JML/k+t4tpHCpQTCAD62Nu43NUFzHY4CV3uAuvHGC+Y=
-github.com/golang-migrate/migrate/v4 v4.18.1/go.mod h1:HAX6m3sQgcdO81tdjn5exv20+3Kb13cmGli1hrD6hks=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-migrate/migrate/v4 v4.18.2 h1:2VSCMz7x7mjyTXx3m2zPokOY82LTRgxK1yQYKo6wWQ8=
+github.com/golang-migrate/migrate/v4 v4.18.2/go.mod h1:2CM6tJvn2kqPXwnXO/d3rAQYiyoIm180VsO8PRX6Rpk=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-tpm v0.9.1 h1:0pGc4X//bAlmZzMKf8iz6IsDo1nYTbYJ6FZN/rg4zdM=
-github.com/google/go-tpm v0.9.1/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/go-tpm v0.9.3 h1:+yx0/anQuGzi+ssRqeD6WpXjW2L/V0dItUayO0i9sRc=
+github.com/google/go-tpm v0.9.3/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 h1:e9Rjr40Z98/clHv5Yg79Is0NtosR5LXRvdr7o/6NwbA=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1/go.mod h1:tIxuGz/9mpox++sgp9fJjHO0+q1X9/UOWd798aAm22M=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
-github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a h1:bbPeKD0xmW/Y25WS6cokEszi5g+S0QxI/d45PkRi7Nk=
-github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.5.5 h1:amBjrZVmksIdNjxGW/IiIMzxMKZFelXbUoPNb+8sjQw=
-github.com/jackc/pgx/v5 v5.5.5/go.mod h1:ez9gk+OAat140fv9ErkZDYFWmXLfV+++K0uAOiwgm1A=
-github.com/jackc/puddle/v2 v2.2.1 h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk=
-github.com/jackc/puddle/v2 v2.2.1/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
+github.com/jackc/pgx/v5 v5.7.2 h1:mLoDLV6sonKlvjIEsV56SkWNCnuNv531l94GaIzO+XI=
+github.com/jackc/pgx/v5 v5.7.2/go.mod h1:ncY89UGWxg82EykZUwSpUKEfccBGGYq1xjrOpsbsfGQ=
+github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
+github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
+github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
 github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
+github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
 github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
+github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg=
 github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo=
+github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o=
 github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
+github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8=
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
+github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
@@ -106,26 +136,40 @@ github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
 github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
 github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
 github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
-github.com/jonboulle/clockwork v0.4.0 h1:p4Cf1aMWXnXAUh8lVfewRBx1zaTSYKrKMF2g3ST4RZ4=
-github.com/jonboulle/clockwork v0.4.0/go.mod h1:xgRqUGwRcjKCO1vbZUEtSLrqKoPSsUpK7fnezOII0kc=
+github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
+github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
-github.com/klauspost/cpuid/v2 v2.2.8 h1:+StwCXwm9PdpiEkPyzBXIy+M9KUb4ODm0Zarf1kS5BM=
-github.com/klauspost/cpuid/v2 v2.2.8/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
+github.com/klauspost/cpuid/v2 v2.2.10 h1:tBs3QSyvjDyFTq3uoc/9xFpCuOsJQFNPiAhYdw2skhE=
+github.com/klauspost/cpuid/v2 v2.2.10/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/knz/go-libedit v1.10.1/go.mod h1:MZTVkCWyz0oBc7JOWP3wNAzd002ZbM/5hgShxwh4x8M=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
+github.com/lestrrat-go/blackmagic v1.0.2 h1:Cg2gVSc9h7sz9NOByczrbUvLopQmXrfFx//N+AkAr5k=
+github.com/lestrrat-go/blackmagic v1.0.2/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU=
+github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
+github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
+github.com/lestrrat-go/httprc/v3 v3.0.0-beta1 h1:pzDjP9dSONCFQC/AE3mWUnHILGiYPiMKzQIS+weKJXA=
+github.com/lestrrat-go/httprc/v3 v3.0.0-beta1/go.mod h1:wdsgouffPvWPEYh8t7PRH/PidR5sfVqt0na4Nhj60Ms=
+github.com/lestrrat-go/jwx/v3 v3.0.0-beta1 h1:Iqjb8JvWjh34Jv8DeM2wQ1aG5fzFBzwQu7rlqwuJB0I=
+github.com/lestrrat-go/jwx/v3 v3.0.0-beta1/go.mod h1:ak32WoNtHE0aLowVWBcCvXngcAnW4tuC0YhFwOr/kwc=
+github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
+github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-sqlite3 v1.14.23 h1:gbShiuAP1W5j9UOksQ06aiiqPMxYecovVGwmTxWtuw0=
-github.com/mattn/go-sqlite3 v1.14.23/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM=
+github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/mileusna/useragent v1.3.5 h1:SJM5NzBmh/hO+4LGeATKpaEX9+b4vcGg2qXGLiNGDws=
 github.com/mileusna/useragent v1.3.5/go.mod h1:3d8TOmwL/5I8pJjyVDteHtgDGcefrFUX4ccGOMKNYYc=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
@@ -141,35 +185,48 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
-github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.1 h1:UihPOz+oIJ5X0JsO7wEkL50fheCODsoZ9r86mJWfNMc=
-github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.1/go.mod h1:vPpFrres6g9B5+meBwAd9xnp335KFcLEFW7EqJxBHy0=
+github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.2 h1:jG+FaCBv3h6GD5F+oenTfe3+0NmX8sCKjni5k3A5Dek=
+github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.2/go.mod h1:rHaQJ5SjfCdL4sqCKa3FhklRcaXga2/qyvmQuA+ZJ6M=
 github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
 github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
-github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
+github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
+github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
+github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
+github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
+github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
+github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
+github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
-github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
-github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
-github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=
+github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
 github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65EE=
@@ -177,32 +234,74 @@ github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZ
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/contrib/bridges/prometheus v0.59.0 h1:HY2hJ7yn3KuEBBBsKxvF3ViSmzLwsgeNvD+0utRMgzc=
+go.opentelemetry.io/contrib/bridges/prometheus v0.59.0/go.mod h1:H4H7vs8766kwFnOZVEGMJFVF+phpBSmTckvvNRdJeDI=
+go.opentelemetry.io/contrib/exporters/autoexport v0.59.0 h1:dKhAFwh7SSoOw+gwMtSv+XLkUGTFAwAGMT3X3XSE4FA=
+go.opentelemetry.io/contrib/exporters/autoexport v0.59.0/go.mod h1:fPl+qlrhRdRntIpPs9JoQ0iBKAsnH5VkgppU1f9kyF4=
+go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.60.0 h1:jj/B7eX95/mOxim9g9laNZkOHKz/XCHG0G410SntRy4=
+go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.60.0/go.mod h1:ZvRTVaYYGypytG0zRp2A60lpj//cMq3ZnxYdZaljVBM=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0/go.mod h1:L7UH0GbB0p47T4Rri3uHjbpCFYrVrwc1I25QhNPiGK8=
-go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw=
-go.opentelemetry.io/otel v1.29.0/go.mod h1:N/WtXPs1CNCUEx+Agz5uouwCba+i+bJGFicT8SR4NP8=
-go.opentelemetry.io/otel/metric v1.29.0 h1:vPf/HFWTNkPu1aYeIsc98l4ktOQaL6LeSoeV2g+8YLc=
-go.opentelemetry.io/otel/metric v1.29.0/go.mod h1:auu/QWieFVWx+DmQOUMgj0F8LHWdgalxXqvp7BII/W8=
-go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt39JTi4=
-go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ=
+go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
+go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.10.0 h1:5dTKu4I5Dn4P2hxyW3l3jTaZx9ACgg0ECos1eAVrheY=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.10.0/go.mod h1:P5HcUI8obLrCCmM3sbVBohZFH34iszk/+CPWuakZWL8=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.10.0 h1:q/heq5Zh8xV1+7GoMGJpTxM2Lhq5+bFxB29tshuRuw0=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.10.0/go.mod h1:leO2CSTg0Y+LyvmR7Wm4pUxE8KAmaM2GCVx7O+RATLA=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.35.0 h1:QcFwRrZLc82r8wODjvyCbP7Ifp3UANaBSmhDSFjnqSc=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.35.0/go.mod h1:CXIWhUomyWBG/oY2/r/kLp6K/cmx9e/7DLpBuuGdLCA=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.35.0 h1:0NIXxOCFx+SKbhCVxwl3ETG8ClLPAa0KuKV6p3yhxP8=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.35.0/go.mod h1:ChZSJbbfbl/DcRZNc9Gqh6DYGlfjw4PvO1pEOZH1ZsE=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 h1:1fTNlAIJZGWLP5FVu0fikVry1IsiUnXjf7QFvoNN3Xw=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0/go.mod h1:zjPK58DtkqQFn+YUMbx0M2XV3QgKU0gS9LeGohREyK4=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 h1:m639+BofXTvcY1q8CGs4ItwQarYtJPOWmVobfM1HpVI=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0/go.mod h1:LjReUci/F4BUyv+y4dwnq3h/26iNOeC3wAIqgvTIZVo=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 h1:xJ2qHD0C1BeYVTLLR9sX12+Qb95kfeD/byKj6Ky1pXg=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0/go.mod h1:u5BF1xyjstDowA1R5QAO9JHzqK+ublenEW/dyqTjBVk=
+go.opentelemetry.io/otel/exporters/prometheus v0.57.0 h1:AHh/lAP1BHrY5gBwk8ncc25FXWm/gmmY3BX258z5nuk=
+go.opentelemetry.io/otel/exporters/prometheus v0.57.0/go.mod h1:QpFWz1QxqevfjwzYdbMb4Y1NnlJvqSGwyuU0B4iuc9c=
+go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.10.0 h1:GKCEAZLEpEf78cUvudQdTg0aET2ObOZRB2HtXA0qPAI=
+go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.10.0/go.mod h1:9/zqSWLCmHT/9Jo6fYeUDRRogOLL60ABLsHWS99lF8s=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.35.0 h1:PB3Zrjs1sG1GBX51SXyTSoOTqcDglmsk7nT6tkKPb/k=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.35.0/go.mod h1:U2R3XyVPzn0WX7wOIypPuptulsMcPDPs/oiSVOMVnHY=
+go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.35.0 h1:T0Ec2E+3YZf5bgTNQVet8iTDW7oIk03tXHq+wkwIDnE=
+go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.35.0/go.mod h1:30v2gqH+vYGJsesLWFov8u47EpYTcIQcBjKpI6pJThg=
+go.opentelemetry.io/otel/log v0.10.0 h1:1CXmspaRITvFcjA4kyVszuG4HjA61fPDxMb7q3BuyF0=
+go.opentelemetry.io/otel/log v0.10.0/go.mod h1:PbVdm9bXKku/gL0oFfUF4wwsQsOPlpo4VEqjvxih+FM=
+go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
+go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
+go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
+go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
+go.opentelemetry.io/otel/sdk/log v0.10.0 h1:lR4teQGWfeDVGoute6l0Ou+RpFqQ9vaPdrNJlST0bvw=
+go.opentelemetry.io/otel/sdk/log v0.10.0/go.mod h1:A+V1UTWREhWAittaQEG4bYm4gAZa6xnvVu+xKrIRkzo=
+go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o=
+go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
+go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
+go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
+go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-golang.org/x/arch v0.10.0 h1:S3huipmSclq3PJMNe76NGwkBR504WFkQ5dhzWzP8ZW8=
-golang.org/x/arch v0.10.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
+golang.org/x/arch v0.14.0 h1:z9JUEZWr8x4rR0OU6c4/4t6E6jOZ8/QBS2bBYBm4tx4=
+golang.org/x/arch v0.14.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
-golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
-golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
-golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 h1:e66Fs6Z+fZTbFBAxKfP3PALWBtpfqks2bwGcexMxgtk=
-golang.org/x/exp v0.0.0-20240909161429-701f63a606c0/go.mod h1:2TbTHSBQa924w8M6Xs1QcRcFwyucIwBGpK1p2f1YFFY=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 h1:yqrTHse8TCMW1M1ZCP+VAR/l0kKxwaAIqN/il7x4voA=
+golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8/go.mod h1:tujkw807nyEEAamNbDrEGzRav+ilXA7PCRAd6xsmwiU=
+golang.org/x/image v0.0.0-20191009234506-e7c1f5e7dbb8/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
+golang.org/x/image v0.24.0 h1:AN7zRgVsbvmTfNyqIbbOraYL8mSwcKncEj8ofjgzcMQ=
+golang.org/x/image v0.24.0/go.mod h1:4b/ITuLfqYq1hqZcjofwctIhi7sZh2WaCjvsBNjjya8=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
@@ -218,20 +317,18 @@ golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=
-golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0=
-golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
-golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -243,10 +340,9 @@ golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
-golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -264,12 +360,11 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
-golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
-golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
+golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
@@ -277,8 +372,14 @@ golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
-google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a h1:nwKuGPlUAt+aR+pcrkfFRrTU1BVrSmYyYMxYbUIVHr0=
+google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a/go.mod h1:3kWAYMk1I75K4vykHtKt2ycnOgpA6974V7bREqbsenU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a h1:51aaUVRocpvUOSQKM6Q7VuoaktNIaMCLuhZB6DKksq4=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a/go.mod h1:uRxBH1mhmO8PGhU89cMcHaXKZqO+OfakD8QQO0oYwlQ=
+google.golang.org/grpc v1.71.0 h1:kF77BGdPTQ4/JZWMlb9VpJ5pa25aqvVqogsxNHHdeBg=
+google.golang.org/grpc v1.71.0/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
+google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
+google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
@@ -288,8 +389,8 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gorm.io/driver/postgres v1.5.11 h1:ubBVAfbKEUld/twyKZ0IYn9rSQh448EdelLYk9Mv314=
 gorm.io/driver/postgres v1.5.11/go.mod h1:DX3GReXH+3FPWGrrgffdvCk3DQ1dwDPdmbenSkweRGI=
-gorm.io/driver/sqlite v1.5.6 h1:fO/X46qn5NUEEOZtnjJRWRzZMe8nqJiQ9E+0hi+hKQE=
-gorm.io/driver/sqlite v1.5.6/go.mod h1:U+J8craQU6Fzkcvu8oLeAQmi50TkwPEhHDEjQZXDah4=
+gorm.io/driver/sqlite v1.5.7 h1:8NvsrhP0ifM7LX9G4zPB97NwovUakUxc+2V2uuf3Z1I=
+gorm.io/driver/sqlite v1.5.7/go.mod h1:U+J8craQU6Fzkcvu8oLeAQmi50TkwPEhHDEjQZXDah4=
 gorm.io/gorm v1.25.12 h1:I0u8i2hWQItBq1WfE0o2+WuL9+8L21K9e2HHSTE/0f8=
 gorm.io/gorm v1.25.12/go.mod h1:xh7N7RHfYlNc5EmcI/El95gXusucDrQnHXe0+CgWcLQ=
 nullprogram.com/x/optparse v1.0.0/go.mod h1:KdyPE+Igbe0jQUrVfMqDMeJQIJZEuyV7pjYmp6pbG50=
--- a/backend/internal/bootstrap/application_images_bootstrap.go
+++ b/backend/internal/bootstrap/application_images_bootstrap.go
@@ -1,13 +1,14 @@
 package bootstrap

 import (
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
-	"github.com/stonith404/pocket-id/backend/resources"
 	"log"
 	"os"
 	"path"
 	"strings"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/resources"
 )

 // initApplicationImages copies the images from the images directory to the application-images directory
@@ -37,7 +38,6 @@ func initApplicationImages() {
 			log.Fatalf("Error copying file: %v", err)
 		}
 	}
-
 }

 func imageAlreadyExists(fileName string, destinationFiles []os.DirEntry) bool {
@@ -54,6 +54,11 @@ func imageAlreadyExists(fileName string, destinationFiles []os.DirEntry) bool {
 }

 func getImageNameWithoutExtension(fileName string) string {
-	splitted := strings.Split(fileName, ".")
-	return strings.Join(splitted[:len(splitted)-1], ".")
+	idx := strings.LastIndexByte(fileName, '.')
+	if idx < 1 {
+		// No dot found, or fileName starts with a dot
+		return fileName
+	}
+
+	return fileName[:idx]
 }
--- a/backend/internal/bootstrap/bootstrap.go
+++ b/backend/internal/bootstrap/bootstrap.go
@@ -1,14 +1,76 @@
 package bootstrap

 import (
+	"context"
+	"fmt"
+	"log"
+	"time"
+
 	_ "github.com/golang-migrate/migrate/v4/source/file"
-	"github.com/stonith404/pocket-id/backend/internal/service"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/job"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/signals"
 )

-func Bootstrap() {
-	db := newDatabase()
-	appConfigService := service.NewAppConfigService(db)
+func Bootstrap() error {
+	// Get a context that is canceled when the application is stopping
+	ctx := signals.SignalContext(context.Background())

 	initApplicationImages()
-	initRouter(db, appConfigService)
+
+	// Perform migrations for changes
+	migrateConfigDBConnstring()
+	migrateKey()
+
+	// Initialize the tracer and metrics exporter
+	shutdownFns, httpClient, err := initOtel(ctx, common.EnvConfig.MetricsEnabled, common.EnvConfig.TracingEnabled)
+	if err != nil {
+		return fmt.Errorf("failed to initialize OpenTelemetry: %w", err)
+	}
+
+	// Connect to the database
+	db := newDatabase()
+
+	// Create all services
+	svc, err := initServices(ctx, db, httpClient)
+	if err != nil {
+		return fmt.Errorf("failed to initialize services: %w", err)
+	}
+
+	// Init the job scheduler
+	scheduler, err := job.NewScheduler()
+	if err != nil {
+		return fmt.Errorf("failed to create job scheduler: %w", err)
+	}
+	err = registerScheduledJobs(ctx, db, svc, scheduler)
+	if err != nil {
+		return fmt.Errorf("failed to register scheduled jobs: %w", err)
+	}
+
+	// Init the router
+	router := initRouter(db, svc)
+
+	// Run all background serivces
+	// This call blocks until the context is canceled
+	err = utils.
+		NewServiceRunner(router, scheduler.Run).
+		Run(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to run services: %w", err)
+	}
+
+	// Invoke all shutdown functions
+	// We give these a timeout of 5s
+	shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer shutdownCancel()
+	err = utils.
+		NewServiceRunner(shutdownFns...).
+		Run(shutdownCtx)
+	if err != nil {
+		log.Printf("Error shutting down services: %v", err)
+	}
+
+	return nil
 }
--- a/backend/internal/bootstrap/config_migration.go
+++ b/backend/internal/bootstrap/config_migration.go
@@ -0,0 +1,34 @@
+package bootstrap
+
+import (
+	"log"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+)
+
+// Performs the migration of the database connection string
+// See: https://github.com/pocket-id/pocket-id/pull/388
+func migrateConfigDBConnstring() {
+	switch common.EnvConfig.DbProvider {
+	case common.DbProviderSqlite:
+		// Check if we're using the deprecated SqliteDBPath env var
+		if common.EnvConfig.SqliteDBPath != "" {
+			connString := "file:" + common.EnvConfig.SqliteDBPath + "?_journal_mode=WAL&_busy_timeout=2500&_txlock=immediate"
+			common.EnvConfig.DbConnectionString = connString
+			common.EnvConfig.SqliteDBPath = ""
+
+			log.Printf("[WARN] Env var 'SQLITE_DB_PATH' is deprecated - use 'DB_CONNECTION_STRING' instead with the value: '%s'", connString)
+		}
+	case common.DbProviderPostgres:
+		// Check if we're using the deprecated PostgresConnectionString alias
+		if common.EnvConfig.PostgresConnectionString != "" {
+			common.EnvConfig.DbConnectionString = common.EnvConfig.PostgresConnectionString
+			common.EnvConfig.PostgresConnectionString = ""
+
+			log.Print("[WARN] Env var 'POSTGRES_CONNECTION_STRING' is deprecated - use 'DB_CONNECTION_STRING' instead with the same value")
+		}
+	default:
+		// We don't do anything here in the default case
+		// This is an error, but will be handled later on
+	}
+}
--- a/backend/internal/bootstrap/db_bootstrap.go
+++ b/backend/internal/bootstrap/db_bootstrap.go
@@ -3,20 +3,22 @@ package bootstrap
 import (
 	"errors"
 	"fmt"
+	"log"
+	"os"
+	"strings"
+	"time"
+
 	"github.com/golang-migrate/migrate/v4"
 	"github.com/golang-migrate/migrate/v4/database"
 	postgresMigrate "github.com/golang-migrate/migrate/v4/database/postgres"
 	sqliteMigrate "github.com/golang-migrate/migrate/v4/database/sqlite3"
 	"github.com/golang-migrate/migrate/v4/source/iofs"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/resources"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/resources"
 	"gorm.io/driver/postgres"
 	"gorm.io/driver/sqlite"
 	"gorm.io/gorm"
 	"gorm.io/gorm/logger"
-	"log"
-	"os"
-	"time"
 )

 func newDatabase() (db *gorm.DB) {
@@ -37,6 +39,7 @@ func newDatabase() (db *gorm.DB) {
 	case common.DbProviderPostgres:
 		driver, err = postgresMigrate.WithInstance(sqlDb, &postgresMigrate.Config{})
 	default:
+		// Should never happen at this point
 		log.Fatalf("unsupported database provider: %s", common.EnvConfig.DbProvider)
 	}
 	if err != nil {
@@ -55,17 +58,17 @@ func migrateDatabase(driver database.Driver) error {
 	// Use the embedded migrations
 	source, err := iofs.New(resources.FS, "migrations/"+string(common.EnvConfig.DbProvider))
 	if err != nil {
-		return fmt.Errorf("failed to create embedded migration source: %v", err)
+		return fmt.Errorf("failed to create embedded migration source: %w", err)
 	}

 	m, err := migrate.NewWithInstance("iofs", source, "pocket-id", driver)
 	if err != nil {
-		return fmt.Errorf("failed to create migration instance: %v", err)
+		return fmt.Errorf("failed to create migration instance: %w", err)
 	}

 	err = m.Up()
 	if err != nil && !errors.Is(err, migrate.ErrNoChange) {
-		return fmt.Errorf("failed to apply migrations: %v", err)
+		return fmt.Errorf("failed to apply migrations: %w", err)
 	}

 	return nil
@@ -77,9 +80,18 @@ func connectDatabase() (db *gorm.DB, err error) {
 	// Choose the correct database provider
 	switch common.EnvConfig.DbProvider {
 	case common.DbProviderSqlite:
-		dialector = sqlite.Open(common.EnvConfig.SqliteDBPath)
+		if common.EnvConfig.DbConnectionString == "" {
+			return nil, errors.New("missing required env var 'DB_CONNECTION_STRING' for SQLite database")
+		}
+		if !strings.HasPrefix(common.EnvConfig.DbConnectionString, "file:") {
+			return nil, errors.New("invalid value for env var 'DB_CONNECTION_STRING': does not begin with 'file:'")
+		}
+		dialector = sqlite.Open(common.EnvConfig.DbConnectionString)
 	case common.DbProviderPostgres:
-		dialector = postgres.Open(common.EnvConfig.PostgresConnectionString)
+		if common.EnvConfig.DbConnectionString == "" {
+			return nil, errors.New("missing required env var 'DB_CONNECTION_STRING' for Postgres database")
+		}
+		dialector = postgres.Open(common.EnvConfig.DbConnectionString)
 	default:
 		return nil, fmt.Errorf("unsupported database provider: %s", common.EnvConfig.DbProvider)
 	}
@@ -90,14 +102,14 @@ func connectDatabase() (db *gorm.DB, err error) {
 			Logger:         getLogger(),
 		})
 		if err == nil {
-			break
-		} else {
-			log.Printf("Attempt %d: Failed to initialize database. Retrying...", i)
-			time.Sleep(3 * time.Second)
+			return db, nil
 		}
+
+		log.Printf("Attempt %d: Failed to initialize database. Retrying...", i)
+		time.Sleep(3 * time.Second)
 	}

-	return db, err
+	return nil, err
 }

 func getLogger() logger.Interface {
--- a/backend/internal/bootstrap/e2etest_router_bootstrap.go
+++ b/backend/internal/bootstrap/e2etest_router_bootstrap.go
@@ -0,0 +1,21 @@
+//go:build e2etest
+
+package bootstrap
+
+import (
+	"github.com/gin-gonic/gin"
+	"gorm.io/gorm"
+
+	"github.com/pocket-id/pocket-id/backend/internal/controller"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+// When building for E2E tests, add the e2etest controller
+func init() {
+	registerTestControllers = []func(apiGroup *gin.RouterGroup, db *gorm.DB, svc *services){
+		func(apiGroup *gin.RouterGroup, db *gorm.DB, svc *services) {
+			testService := service.NewTestService(db, svc.appConfigService, svc.jwtService, svc.ldapService)
+			controller.NewTestController(apiGroup, testService)
+		},
+	}
+}
--- a/backend/internal/bootstrap/jwk_migration.go
+++ b/backend/internal/bootstrap/jwk_migration.go
@@ -0,0 +1,136 @@
+package bootstrap
+
+import (
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/base64"
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+
+	"github.com/lestrrat-go/jwx/v3/jwk"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+)
+
+const (
+	privateKeyFilePem = "jwt_private_key.pem"
+)
+
+func migrateKey() {
+	err := migrateKeyInternal(common.EnvConfig.KeysPath)
+	if err != nil {
+		log.Fatalf("failed to perform migration of keys: %v", err)
+	}
+}
+
+func migrateKeyInternal(basePath string) error {
+	// First, check if there's already a JWK stored
+	jwkPath := filepath.Join(basePath, service.PrivateKeyFile)
+	ok, err := utils.FileExists(jwkPath)
+	if err != nil {
+		return fmt.Errorf("failed to check if private key file (JWK) exists at path '%s': %w", jwkPath, err)
+	}
+	if ok {
+		// There's already a key as JWK, so we don't do anything else here
+		return nil
+	}
+
+	// Check if there's a PEM file
+	pemPath := filepath.Join(basePath, privateKeyFilePem)
+	ok, err = utils.FileExists(pemPath)
+	if err != nil {
+		return fmt.Errorf("failed to check if private key file (PEM) exists at path '%s': %w", pemPath, err)
+	}
+	if !ok {
+		// No file to migrate, return
+		return nil
+	}
+
+	// Load and validate the key
+	key, err := loadKeyPEM(pemPath)
+	if err != nil {
+		return fmt.Errorf("failed to load private key file (PEM) at path '%s': %w", pemPath, err)
+	}
+	err = service.ValidateKey(key)
+	if err != nil {
+		return fmt.Errorf("key object is invalid: %w", err)
+	}
+
+	// Save the key as JWK
+	err = service.SaveKeyJWK(key, jwkPath)
+	if err != nil {
+		return fmt.Errorf("failed to save private key file at path '%s': %w", jwkPath, err)
+	}
+
+	// Finally, delete the PEM file
+	err = os.Remove(pemPath)
+	if err != nil {
+		return fmt.Errorf("failed to remove migrated key at path '%s': %w", pemPath, err)
+	}
+
+	return nil
+}
+
+func loadKeyPEM(path string) (jwk.Key, error) {
+	// Load the key from disk and parse it
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read key data: %w", err)
+	}
+
+	key, err := jwk.ParseKey(data, jwk.WithPEM(true))
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse key: %w", err)
+	}
+
+	// Populate the key ID using the "legacy" algorithm
+	keyId, err := generateKeyID(key)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate key ID: %w", err)
+	}
+	err = key.Set(jwk.KeyIDKey, keyId)
+	if err != nil {
+		return nil, fmt.Errorf("failed to set key ID: %w", err)
+	}
+
+	// Populate other required fields
+	_ = key.Set(jwk.KeyUsageKey, service.KeyUsageSigning)
+	service.EnsureAlgInKey(key)
+
+	return key, nil
+}
+
+// generateKeyID generates a Key ID for the public key using the first 8 bytes of the SHA-256 hash of the public key's PKIX-serialized structure.
+// This is used for legacy keys, imported from PEM.
+func generateKeyID(key jwk.Key) (string, error) {
+	// Export the public key and serialize it to PKIX (not in a PEM block)
+	// This is for backwards-compatibility with the algorithm used before the switch to JWK
+	pubKey, err := key.PublicKey()
+	if err != nil {
+		return "", fmt.Errorf("failed to get public key: %w", err)
+	}
+	var pubKeyRaw any
+	err = jwk.Export(pubKey, &pubKeyRaw)
+	if err != nil {
+		return "", fmt.Errorf("failed to export public key: %w", err)
+	}
+	pubASN1, err := x509.MarshalPKIXPublicKey(pubKeyRaw)
+	if err != nil {
+		return "", fmt.Errorf("failed to marshal public key: %w", err)
+	}
+
+	// Compute SHA-256 hash of the public key
+	hash := sha256.New()
+	hash.Write(pubASN1)
+	hashed := hash.Sum(nil)
+
+	// Truncate the hash to the first 8 bytes for a shorter Key ID
+	shortHash := hashed[:8]
+
+	// Return Base64 encoded truncated hash as Key ID
+	return base64.RawURLEncoding.EncodeToString(shortHash), nil
+}
--- a/backend/internal/bootstrap/jwk_migration_test.go
+++ b/backend/internal/bootstrap/jwk_migration_test.go
@@ -0,0 +1,190 @@
+package bootstrap
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/lestrrat-go/jwx/v3/jwa"
+	"github.com/lestrrat-go/jwx/v3/jwk"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+)
+
+func TestMigrateKey(t *testing.T) {
+	// Create a temporary directory for testing
+	tempDir := t.TempDir()
+
+	t.Run("no keys exist", func(t *testing.T) {
+		// Test when no keys exist
+		err := migrateKeyInternal(tempDir)
+		require.NoError(t, err)
+	})
+
+	t.Run("jwk already exists", func(t *testing.T) {
+		// Create a JWK file
+		jwkPath := filepath.Join(tempDir, service.PrivateKeyFile)
+		key, err := createTestRSAKey()
+		require.NoError(t, err)
+		err = service.SaveKeyJWK(key, jwkPath)
+		require.NoError(t, err)
+
+		// Run migration - should do nothing
+		err = migrateKeyInternal(tempDir)
+		require.NoError(t, err)
+
+		// Check the file still exists
+		exists, err := utils.FileExists(jwkPath)
+		require.NoError(t, err)
+		assert.True(t, exists)
+
+		// Delete for next test
+		err = os.Remove(jwkPath)
+		require.NoError(t, err)
+	})
+
+	t.Run("migrate pem to jwk", func(t *testing.T) {
+		// Create a PEM file
+		pemPath := filepath.Join(tempDir, privateKeyFilePem)
+		jwkPath := filepath.Join(tempDir, service.PrivateKeyFile)
+
+		// Generate RSA key and save as PEM
+		createRSAPrivateKeyPEM(t, pemPath)
+
+		// Run migration
+		err := migrateKeyInternal(tempDir)
+		require.NoError(t, err)
+
+		// Check PEM file is gone
+		exists, err := utils.FileExists(pemPath)
+		require.NoError(t, err)
+		assert.False(t, exists)
+
+		// Check JWK file exists
+		exists, err = utils.FileExists(jwkPath)
+		require.NoError(t, err)
+		assert.True(t, exists)
+
+		// Verify the JWK can be loaded
+		data, err := os.ReadFile(jwkPath)
+		require.NoError(t, err)
+
+		_, err = jwk.ParseKey(data)
+		require.NoError(t, err)
+	})
+}
+
+func TestLoadKeyPEM(t *testing.T) {
+	// Create a temporary directory for testing
+	tempDir := t.TempDir()
+
+	t.Run("successfully load PEM key", func(t *testing.T) {
+		pemPath := filepath.Join(tempDir, "test_key.pem")
+
+		// Generate RSA key and save as PEM
+		createRSAPrivateKeyPEM(t, pemPath)
+
+		// Load the key
+		key, err := loadKeyPEM(pemPath)
+		require.NoError(t, err)
+
+		// Verify key properties
+		assert.NotEmpty(t, key)
+
+		// Check key ID is set
+		var keyID string
+		err = key.Get(jwk.KeyIDKey, &keyID)
+		require.NoError(t, err)
+		assert.NotEmpty(t, keyID)
+
+		// Check algorithm is set
+		var alg jwa.SignatureAlgorithm
+		err = key.Get(jwk.AlgorithmKey, &alg)
+		require.NoError(t, err)
+		assert.NotEmpty(t, alg)
+
+		// Check key usage is set
+		var keyUsage string
+		err = key.Get(jwk.KeyUsageKey, &keyUsage)
+		require.NoError(t, err)
+		assert.Equal(t, service.KeyUsageSigning, keyUsage)
+	})
+
+	t.Run("file not found", func(t *testing.T) {
+		key, err := loadKeyPEM(filepath.Join(tempDir, "nonexistent.pem"))
+		require.Error(t, err)
+		assert.Nil(t, key)
+	})
+
+	t.Run("invalid file content", func(t *testing.T) {
+		invalidPath := filepath.Join(tempDir, "invalid.pem")
+		err := os.WriteFile(invalidPath, []byte("not a valid PEM"), 0600)
+		require.NoError(t, err)
+
+		key, err := loadKeyPEM(invalidPath)
+		require.Error(t, err)
+		assert.Nil(t, key)
+	})
+}
+
+func TestGenerateKeyID(t *testing.T) {
+	key, err := createTestRSAKey()
+	require.NoError(t, err)
+
+	keyID, err := generateKeyID(key)
+	require.NoError(t, err)
+
+	// Key ID should be non-empty
+	assert.NotEmpty(t, keyID)
+
+	// Generate another key ID to prove it depends on the key
+	key2, err := createTestRSAKey()
+	require.NoError(t, err)
+
+	keyID2, err := generateKeyID(key2)
+	require.NoError(t, err)
+
+	// The two key IDs should be different
+	assert.NotEqual(t, keyID, keyID2)
+}
+
+// Helper functions
+
+func createTestRSAKey() (jwk.Key, error) {
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, err
+	}
+
+	key, err := jwk.Import(privateKey)
+	if err != nil {
+		return nil, err
+	}
+
+	return key, nil
+}
+
+// createRSAPrivateKeyPEM generates an RSA private key and returns its PEM-encoded form
+func createRSAPrivateKeyPEM(t *testing.T, pemPath string) ([]byte, *rsa.PrivateKey) {
+	// Generate RSA key
+	privKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	require.NoError(t, err)
+
+	// Encode to PEM format
+	pemData := pem.EncodeToMemory(&pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(privKey),
+	})
+
+	err = os.WriteFile(pemPath, pemData, 0600)
+	require.NoError(t, err)
+
+	return pemData, privKey
+}
--- a/backend/internal/bootstrap/otel_boostrap.go
+++ b/backend/internal/bootstrap/otel_boostrap.go
@@ -0,0 +1,107 @@
+package bootstrap
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"go.opentelemetry.io/contrib/exporters/autoexport"
+	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
+	"go.opentelemetry.io/otel"
+	metricnoop "go.opentelemetry.io/otel/metric/noop"
+	"go.opentelemetry.io/otel/propagation"
+	"go.opentelemetry.io/otel/sdk/metric"
+	"go.opentelemetry.io/otel/sdk/resource"
+	sdktrace "go.opentelemetry.io/otel/sdk/trace"
+	semconv "go.opentelemetry.io/otel/semconv/v1.30.0"
+	tracenoop "go.opentelemetry.io/otel/trace/noop"
+)
+
+func defaultResource() (*resource.Resource, error) {
+	return resource.Merge(
+		resource.Default(),
+		resource.NewSchemaless(
+			semconv.ServiceName("pocket-id-backend"),
+			semconv.ServiceVersion(common.Version),
+		),
+	)
+}
+
+func initOtel(ctx context.Context, metrics, traces bool) (shutdownFns []utils.Service, httpClient *http.Client, err error) {
+	resource, err := defaultResource()
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to create OpenTelemetry resource: %w", err)
+	}
+
+	shutdownFns = make([]utils.Service, 0, 2)
+
+	httpClient = &http.Client{}
+	defaultTransport, ok := http.DefaultTransport.(*http.Transport)
+	if !ok {
+		// Indicates a development-time error
+		panic("Default transport is not of type *http.Transport")
+	}
+	httpClient.Transport = defaultTransport.Clone()
+
+	if traces {
+		tr, err := autoexport.NewSpanExporter(ctx)
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed to initialize OpenTelemetry span exporter: %w", err)
+		}
+		tp := sdktrace.NewTracerProvider(
+			sdktrace.WithResource(resource),
+			sdktrace.WithBatcher(tr),
+		)
+
+		otel.SetTracerProvider(tp)
+		otel.SetTextMapPropagator(
+			propagation.NewCompositeTextMapPropagator(
+				propagation.TraceContext{},
+				propagation.Baggage{},
+			),
+		)
+
+		shutdownFns = append(shutdownFns, func(shutdownCtx context.Context) error { //nolint:contextcheck
+			tpCtx, tpCancel := context.WithTimeout(shutdownCtx, 10*time.Second)
+			defer tpCancel()
+			shutdownErr := tp.Shutdown(tpCtx)
+			if shutdownErr != nil {
+				return fmt.Errorf("failed to gracefully shut down traces exporter: %w", shutdownErr)
+			}
+			return nil
+		})
+
+		httpClient.Transport = otelhttp.NewTransport(httpClient.Transport)
+	} else {
+		otel.SetTracerProvider(tracenoop.NewTracerProvider())
+	}
+
+	if metrics {
+		mr, err := autoexport.NewMetricReader(ctx)
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed to initialize OpenTelemetry metric reader: %w", err)
+		}
+		mp := metric.NewMeterProvider(
+			metric.WithResource(resource),
+			metric.WithReader(mr),
+		)
+
+		otel.SetMeterProvider(mp)
+		shutdownFns = append(shutdownFns, func(shutdownCtx context.Context) error { //nolint:contextcheck
+			mpCtx, mpCancel := context.WithTimeout(shutdownCtx, 10*time.Second)
+			defer mpCancel()
+			shutdownErr := mp.Shutdown(mpCtx)
+			if shutdownErr != nil {
+				return fmt.Errorf("failed to gracefully shut down metrics exporter: %w", shutdownErr)
+			}
+			return nil
+		})
+	} else {
+		otel.SetMeterProvider(metricnoop.NewMeterProvider())
+	}
+
+	return shutdownFns, httpClient, nil
+}
--- a/backend/internal/bootstrap/router_bootstrap.go
+++ b/backend/internal/bootstrap/router_bootstrap.go
@@ -1,20 +1,37 @@
 package bootstrap

 import (
+	"context"
+	"fmt"
 	"log"
+	"net"
+	"net/http"
 	"time"

 	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/controller"
-	"github.com/stonith404/pocket-id/backend/internal/job"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/service"
+	"go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin"
 	"golang.org/x/time/rate"
 	"gorm.io/gorm"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/controller"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/systemd"
 )

-func initRouter(db *gorm.DB, appConfigService *service.AppConfigService) {
+// This is used to register additional controllers for tests
+var registerTestControllers []func(apiGroup *gin.RouterGroup, db *gorm.DB, svc *services)
+
+func initRouter(db *gorm.DB, svc *services) utils.Service {
+	runner, err := initRouterInternal(db, svc)
+	if err != nil {
+		log.Fatalf("failed to init router: %v", err)
+	}
+	return runner
+}
+
+func initRouterInternal(db *gorm.DB, svc *services) (utils.Service, error) {
 	// Set the appropriate Gin mode based on the environment
 	switch common.EnvConfig.AppEnv {
 	case "production":
@@ -28,59 +45,97 @@ func initRouter(db *gorm.DB, appConfigService *service.AppConfigService) {
 	r := gin.Default()
 	r.Use(gin.Logger())

-	// Initialize services
-	emailService, err := service.NewEmailService(appConfigService, db)
-	if err != nil {
-		log.Fatalf("Unable to create email service: %s", err)
+	if common.EnvConfig.TracingEnabled {
+		r.Use(otelgin.Middleware("pocket-id-backend"))
 	}

-	geoLiteService := service.NewGeoLiteService()
-	auditLogService := service.NewAuditLogService(db, appConfigService, emailService, geoLiteService)
-	jwtService := service.NewJwtService(appConfigService)
-	webauthnService := service.NewWebAuthnService(db, jwtService, auditLogService, appConfigService)
-	userService := service.NewUserService(db, jwtService, auditLogService, emailService)
-	customClaimService := service.NewCustomClaimService(db)
-	oidcService := service.NewOidcService(db, jwtService, appConfigService, auditLogService, customClaimService)
-	testService := service.NewTestService(db, appConfigService)
-	userGroupService := service.NewUserGroupService(db)
-	ldapService := service.NewLdapService(db, appConfigService, userService, userGroupService)
-
-	rateLimitMiddleware := middleware.NewRateLimitMiddleware()
+	rateLimitMiddleware := middleware.NewRateLimitMiddleware().Add(rate.Every(time.Second), 60)

 	// Setup global middleware
 	r.Use(middleware.NewCorsMiddleware().Add())
 	r.Use(middleware.NewErrorHandlerMiddleware().Add())
-	r.Use(rateLimitMiddleware.Add(rate.Every(time.Second), 60))
-	r.Use(middleware.NewJwtAuthMiddleware(jwtService, true).Add(false))
-
-	job.RegisterLdapJobs(ldapService, appConfigService)
-	job.RegisterDbCleanupJobs(db)

 	// Initialize middleware for specific routes
-	jwtAuthMiddleware := middleware.NewJwtAuthMiddleware(jwtService, false)
+	authMiddleware := middleware.NewAuthMiddleware(svc.apiKeyService, svc.userService, svc.jwtService)
 	fileSizeLimitMiddleware := middleware.NewFileSizeLimitMiddleware()

 	// Set up API routes
-	apiGroup := r.Group("/api")
-	controller.NewWebauthnController(apiGroup, jwtAuthMiddleware, middleware.NewRateLimitMiddleware(), webauthnService, appConfigService)
-	controller.NewOidcController(apiGroup, jwtAuthMiddleware, fileSizeLimitMiddleware, oidcService, jwtService)
-	controller.NewUserController(apiGroup, jwtAuthMiddleware, middleware.NewRateLimitMiddleware(), userService, appConfigService)
-	controller.NewAppConfigController(apiGroup, jwtAuthMiddleware, appConfigService, emailService, ldapService)
-	controller.NewAuditLogController(apiGroup, auditLogService, jwtAuthMiddleware)
-	controller.NewUserGroupController(apiGroup, jwtAuthMiddleware, userGroupService)
-	controller.NewCustomClaimController(apiGroup, jwtAuthMiddleware, customClaimService)
+	apiGroup := r.Group("/api", rateLimitMiddleware)
+	controller.NewApiKeyController(apiGroup, authMiddleware, svc.apiKeyService)
+	controller.NewWebauthnController(apiGroup, authMiddleware, middleware.NewRateLimitMiddleware(), svc.webauthnService, svc.appConfigService)
+	controller.NewOidcController(apiGroup, authMiddleware, fileSizeLimitMiddleware, svc.oidcService, svc.jwtService)
+	controller.NewUserController(apiGroup, authMiddleware, middleware.NewRateLimitMiddleware(), svc.userService, svc.appConfigService)
+	controller.NewAppConfigController(apiGroup, authMiddleware, svc.appConfigService, svc.emailService, svc.ldapService)
+	controller.NewAuditLogController(apiGroup, svc.auditLogService, authMiddleware)
+	controller.NewUserGroupController(apiGroup, authMiddleware, svc.userGroupService)
+	controller.NewCustomClaimController(apiGroup, authMiddleware, svc.customClaimService)

 	// Add test controller in non-production environments
 	if common.EnvConfig.AppEnv != "production" {
-		controller.NewTestController(apiGroup, testService)
+		for _, f := range registerTestControllers {
+			f(apiGroup, db, svc)
+		}
 	}

 	// Set up base routes
-	baseGroup := r.Group("/")
-	controller.NewWellKnownController(baseGroup, jwtService)
+	baseGroup := r.Group("/", rateLimitMiddleware)
+	controller.NewWellKnownController(baseGroup, svc.jwtService)

-	// Run the server
-	if err := r.Run(common.EnvConfig.Host + ":" + common.EnvConfig.Port); err != nil {
-		log.Fatal(err)
+	// Set up healthcheck routes
+	// These are not rate-limited
+	controller.NewHealthzController(r)
+
+	// Set up the server
+	srv := &http.Server{
+		Addr:              net.JoinHostPort(common.EnvConfig.Host, common.EnvConfig.Port),
+		MaxHeaderBytes:    1 << 20,
+		ReadHeaderTimeout: 10 * time.Second,
+		Handler:           r,
 	}
+
+	// Set up the listener
+	listener, err := net.Listen("tcp", srv.Addr)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create TCP listener: %w", err)
+	}
+
+	// Service runner function
+	runFn := func(ctx context.Context) error {
+		log.Printf("Server listening on %s", srv.Addr)
+
+		// Start the server in a background goroutine
+		go func() {
+			defer listener.Close()
+
+			// Next call blocks until the server is shut down
+			srvErr := srv.Serve(listener)
+			if srvErr != http.ErrServerClosed {
+				log.Fatalf("Error starting app server: %v", srvErr)
+			}
+		}()
+
+		// Notify systemd that we are ready
+		err = systemd.SdNotifyReady()
+		if err != nil {
+			// Log the error only
+			log.Printf("[WARN] Unable to notify systemd that the service is ready: %v", err)
+		}
+
+		// Block until the context is canceled
+		<-ctx.Done()
+
+		// Handle graceful shutdown
+		// Note we use the background context here as ctx has been canceled already
+		shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 5*time.Second)
+		shutdownErr := srv.Shutdown(shutdownCtx) //nolint:contextcheck
+		shutdownCancel()
+		if shutdownErr != nil {
+			// Log the error only (could be context canceled)
+			log.Printf("[WARN] App server shutdown error: %v", shutdownErr)
+		}
+
+		return nil
+	}
+
+	return runFn, nil
 }
--- a/backend/internal/bootstrap/scheduler_bootstrap.go
+++ b/backend/internal/bootstrap/scheduler_bootstrap.go
@@ -0,0 +1,35 @@
+package bootstrap
+
+import (
+	"context"
+	"fmt"
+
+	"gorm.io/gorm"
+
+	"github.com/pocket-id/pocket-id/backend/internal/job"
+)
+
+func registerScheduledJobs(ctx context.Context, db *gorm.DB, svc *services, scheduler *job.Scheduler) error {
+	err := scheduler.RegisterLdapJobs(ctx, svc.ldapService, svc.appConfigService)
+	if err != nil {
+		return fmt.Errorf("failed to register LDAP jobs in scheduler: %w", err)
+	}
+	err = scheduler.RegisterGeoLiteUpdateJobs(ctx, svc.geoLiteService)
+	if err != nil {
+		return fmt.Errorf("failed to register GeoLite DB update service: %w", err)
+	}
+	err = scheduler.RegisterDbCleanupJobs(ctx, db)
+	if err != nil {
+		return fmt.Errorf("failed to register DB cleanup jobs in scheduler: %w", err)
+	}
+	err = scheduler.RegisterFileCleanupJobs(ctx, db)
+	if err != nil {
+		return fmt.Errorf("failed to register file cleanup jobs in scheduler: %w", err)
+	}
+	err = scheduler.RegisterApiKeyExpiryJob(ctx, svc.apiKeyService, svc.appConfigService)
+	if err != nil {
+		return fmt.Errorf("failed to register API key expiration jobs in scheduler: %w", err)
+	}
+
+	return nil
+}
--- a/backend/internal/bootstrap/services_bootstrap.go
+++ b/backend/internal/bootstrap/services_bootstrap.go
@@ -0,0 +1,52 @@
+package bootstrap
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	"gorm.io/gorm"
+
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+type services struct {
+	appConfigService   *service.AppConfigService
+	emailService       *service.EmailService
+	geoLiteService     *service.GeoLiteService
+	auditLogService    *service.AuditLogService
+	jwtService         *service.JwtService
+	webauthnService    *service.WebAuthnService
+	userService        *service.UserService
+	customClaimService *service.CustomClaimService
+	oidcService        *service.OidcService
+	userGroupService   *service.UserGroupService
+	ldapService        *service.LdapService
+	apiKeyService      *service.ApiKeyService
+}
+
+// Initializes all services
+// The context should be used by services only for initialization, and not for running
+func initServices(initCtx context.Context, db *gorm.DB, httpClient *http.Client) (svc *services, err error) {
+	svc = &services{}
+
+	svc.appConfigService = service.NewAppConfigService(initCtx, db)
+
+	svc.emailService, err = service.NewEmailService(db, svc.appConfigService)
+	if err != nil {
+		return nil, fmt.Errorf("unable to create email service: %w", err)
+	}
+
+	svc.geoLiteService = service.NewGeoLiteService(httpClient)
+	svc.auditLogService = service.NewAuditLogService(db, svc.appConfigService, svc.emailService, svc.geoLiteService)
+	svc.jwtService = service.NewJwtService(svc.appConfigService)
+	svc.userService = service.NewUserService(db, svc.jwtService, svc.auditLogService, svc.emailService, svc.appConfigService)
+	svc.customClaimService = service.NewCustomClaimService(db)
+	svc.oidcService = service.NewOidcService(db, svc.jwtService, svc.appConfigService, svc.auditLogService, svc.customClaimService)
+	svc.userGroupService = service.NewUserGroupService(db, svc.appConfigService)
+	svc.ldapService = service.NewLdapService(db, httpClient, svc.appConfigService, svc.userService, svc.userGroupService)
+	svc.apiKeyService = service.NewApiKeyService(db, svc.emailService)
+	svc.webauthnService = service.NewWebAuthnService(db, svc.jwtService, svc.auditLogService, svc.appConfigService)
+
+	return svc, nil
+}
--- a/backend/internal/common/env_config.go
+++ b/backend/internal/common/env_config.go
@@ -2,6 +2,7 @@ package common

 import (
 	"log"
+	"net/url"

 	"github.com/caarlos0/env/v11"
 	_ "github.com/joho/godotenv/autoload"
@@ -10,50 +11,80 @@ import (
 type DbProvider string

 const (
-	DbProviderSqlite   DbProvider = "sqlite"
-	DbProviderPostgres DbProvider = "postgres"
+	// TracerName should be passed to otel.Tracer, trace.SpanFromContext when creating custom spans.
+	TracerName = "github.com/pocket-id/pocket-id/backend/tracing"
+	// MeterName should be passed to otel.Meter when create custom metrics.
+	MeterName = "github.com/pocket-id/pocket-id/backend/metrics"
+)
+
+const (
+	DbProviderSqlite      DbProvider = "sqlite"
+	DbProviderPostgres    DbProvider = "postgres"
+	MaxMindGeoLiteCityUrl string     = "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=%s&suffix=tar.gz"
 )

 type EnvConfigSchema struct {
 	AppEnv                   string     `env:"APP_ENV"`
 	AppURL                   string     `env:"PUBLIC_APP_URL"`
 	DbProvider               DbProvider `env:"DB_PROVIDER"`
-	SqliteDBPath             string     `env:"SQLITE_DB_PATH"`
-	PostgresConnectionString string     `env:"POSTGRES_CONNECTION_STRING"`
+	DbConnectionString       string     `env:"DB_CONNECTION_STRING"`
+	SqliteDBPath             string     `env:"SQLITE_DB_PATH"`             // Deprecated: use "DB_CONNECTION_STRING" instead
+	PostgresConnectionString string     `env:"POSTGRES_CONNECTION_STRING"` // Deprecated: use "DB_CONNECTION_STRING" instead
 	UploadPath               string     `env:"UPLOAD_PATH"`
+	KeysPath                 string     `env:"KEYS_PATH"`
 	Port                     string     `env:"BACKEND_PORT"`
 	Host                     string     `env:"HOST"`
 	MaxMindLicenseKey        string     `env:"MAXMIND_LICENSE_KEY"`
 	GeoLiteDBPath            string     `env:"GEOLITE_DB_PATH"`
+	GeoLiteDBUrl             string     `env:"GEOLITE_DB_URL"`
+	UiConfigDisabled         bool       `env:"PUBLIC_UI_CONFIG_DISABLED"`
+	MetricsEnabled           bool       `env:"METRICS_ENABLED"`
+	TracingEnabled           bool       `env:"TRACING_ENABLED"`
 }

 var EnvConfig = &EnvConfigSchema{
 	AppEnv:                   "production",
 	DbProvider:               "sqlite",
-	SqliteDBPath:             "data/pocket-id.db",
+	DbConnectionString:       "file:data/pocket-id.db?_journal_mode=WAL&_busy_timeout=2500&_txlock=immediate",
+	SqliteDBPath:             "",
 	PostgresConnectionString: "",
 	UploadPath:               "data/uploads",
+	KeysPath:                 "data/keys",
 	AppURL:                   "http://localhost",
 	Port:                     "8080",
-	Host:                     "localhost",
+	Host:                     "0.0.0.0",
 	MaxMindLicenseKey:        "",
 	GeoLiteDBPath:            "data/GeoLite2-City.mmdb",
+	GeoLiteDBUrl:             MaxMindGeoLiteCityUrl,
+	UiConfigDisabled:         false,
+	MetricsEnabled:           false,
+	TracingEnabled:           false,
 }

 func init() {
 	if err := env.ParseWithOptions(EnvConfig, env.Options{}); err != nil {
 		log.Fatal(err)
 	}
+
 	// Validate the environment variables
-	if EnvConfig.DbProvider != DbProviderSqlite && EnvConfig.DbProvider != DbProviderPostgres {
+	switch EnvConfig.DbProvider {
+	case DbProviderSqlite:
+		if EnvConfig.DbConnectionString == "" {
+			log.Fatal("Missing required env var 'DB_CONNECTION_STRING' for SQLite database")
+		}
+	case DbProviderPostgres:
+		if EnvConfig.DbConnectionString == "" {
+			log.Fatal("Missing required env var 'DB_CONNECTION_STRING' for Postgres database")
+		}
+	default:
 		log.Fatal("Invalid DB_PROVIDER value. Must be 'sqlite' or 'postgres'")
 	}

-	if EnvConfig.DbProvider == DbProviderPostgres && EnvConfig.PostgresConnectionString == "" {
-		log.Fatal("Missing POSTGRES_CONNECTION_STRING environment variable")
+	parsedAppUrl, err := url.Parse(EnvConfig.AppURL)
+	if err != nil {
+		log.Fatal("PUBLIC_APP_URL is not a valid URL")
 	}
-
-	if EnvConfig.DbProvider == DbProviderSqlite && EnvConfig.SqliteDBPath == "" {
-		log.Fatal("Missing SQLITE_DB_PATH environment variable")
+	if parsedAppUrl.Path != "" {
+		log.Fatal("PUBLIC_APP_URL must not contain a path")
 	}
 }
--- a/backend/internal/common/errors.go
+++ b/backend/internal/common/errors.go
@@ -1,6 +1,7 @@
 package common

 import (
+	"errors"
 	"fmt"
 	"net/http"
 )
@@ -17,10 +18,16 @@ type AlreadyInUseError struct {
 }

 func (e *AlreadyInUseError) Error() string {
-	return fmt.Sprintf("%s is already in use", e.Property)
+	return e.Property + " is already in use"
 }
 func (e *AlreadyInUseError) HttpStatusCode() int { return 400 }

+func (e *AlreadyInUseError) Is(target error) bool {
+	// Ignore the field property when checking if an error is of the type AlreadyInUseError
+	x := &AlreadyInUseError{}
+	return errors.As(target, &x)
+}
+
 type SetupAlreadyCompletedError struct{}

 func (e *SetupAlreadyCompletedError) Error() string       { return "setup already completed" }
@@ -31,6 +38,13 @@ type TokenInvalidOrExpiredError struct{}
 func (e *TokenInvalidOrExpiredError) Error() string       { return "token is invalid or expired" }
 func (e *TokenInvalidOrExpiredError) HttpStatusCode() int { return 400 }

+type TokenInvalidError struct{}
+
+func (e *TokenInvalidError) Error() string {
+	return "Token is invalid"
+}
+func (e *TokenInvalidError) HttpStatusCode() int { return 400 }
+
 type OidcMissingAuthorizationError struct{}

 func (e *OidcMissingAuthorizationError) Error() string       { return "missing authorization" }
@@ -68,11 +82,6 @@ type FileTypeNotSupportedError struct{}
 func (e *FileTypeNotSupportedError) Error() string       { return "file type not supported" }
 func (e *FileTypeNotSupportedError) HttpStatusCode() int { return 400 }

-type InvalidCredentialsError struct{}
-
-func (e *InvalidCredentialsError) Error() string       { return "no user found with provided credentials" }
-func (e *InvalidCredentialsError) HttpStatusCode() int { return 400 }
-
 type FileTooLargeError struct {
 	MaxSize string
 }
@@ -87,6 +96,11 @@ type NotSignedInError struct{}
 func (e *NotSignedInError) Error() string       { return "You are not signed in" }
 func (e *NotSignedInError) HttpStatusCode() int { return http.StatusUnauthorized }

+type MissingAccessToken struct{}
+
+func (e *MissingAccessToken) Error() string       { return "Missing access token" }
+func (e *MissingAccessToken) HttpStatusCode() int { return http.StatusUnauthorized }
+
 type MissingPermissionError struct{}

 func (e *MissingPermissionError) Error() string {
@@ -176,3 +190,157 @@ func (e *LdapUserGroupUpdateError) Error() string {
 	return "LDAP user groups can't be updated"
 }
 func (e *LdapUserGroupUpdateError) HttpStatusCode() int { return http.StatusForbidden }
+
+type OidcAccessDeniedError struct{}
+
+func (e *OidcAccessDeniedError) Error() string {
+	return "You're not allowed to access this service"
+}
+func (e *OidcAccessDeniedError) HttpStatusCode() int { return http.StatusForbidden }
+
+type OidcClientIdNotMatchingError struct{}
+
+func (e *OidcClientIdNotMatchingError) Error() string {
+	return "Client id in request doesn't match client id in token"
+}
+func (e *OidcClientIdNotMatchingError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type OidcNoCallbackURLError struct{}
+
+func (e *OidcNoCallbackURLError) Error() string {
+	return "No callback URL provided"
+}
+func (e *OidcNoCallbackURLError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type UiConfigDisabledError struct{}
+
+func (e *UiConfigDisabledError) Error() string {
+	return "The configuration can't be changed since the UI configuration is disabled"
+}
+func (e *UiConfigDisabledError) HttpStatusCode() int { return http.StatusForbidden }
+
+type InvalidUUIDError struct{}
+
+func (e *InvalidUUIDError) Error() string {
+	return "Invalid UUID"
+}
+func (e *InvalidUUIDError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type OneTimeAccessDisabledError struct{}
+
+func (e *OneTimeAccessDisabledError) Error() string {
+	return "One-time access is disabled"
+}
+func (e *OneTimeAccessDisabledError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type InvalidAPIKeyError struct{}
+
+func (e *InvalidAPIKeyError) Error() string {
+	return "Invalid Api Key"
+}
+func (e *InvalidAPIKeyError) HttpStatusCode() int { return http.StatusUnauthorized }
+
+type NoAPIKeyProvidedError struct{}
+
+func (e *NoAPIKeyProvidedError) Error() string {
+	return "No API Key Provided"
+}
+func (e *NoAPIKeyProvidedError) HttpStatusCode() int { return http.StatusUnauthorized }
+
+type APIKeyNotFoundError struct{}
+
+func (e *APIKeyNotFoundError) Error() string {
+	return "API Key Not Found"
+}
+func (e *APIKeyNotFoundError) HttpStatusCode() int { return http.StatusUnauthorized }
+
+type APIKeyExpirationDateError struct{}
+
+func (e *APIKeyExpirationDateError) Error() string {
+	return "API Key expiration time must be in the future"
+}
+func (e *APIKeyExpirationDateError) HttpStatusCode() int { return http.StatusBadRequest }
+
+type OidcInvalidRefreshTokenError struct{}
+
+func (e *OidcInvalidRefreshTokenError) Error() string {
+	return "refresh token is invalid or expired"
+}
+func (e *OidcInvalidRefreshTokenError) HttpStatusCode() int {
+	return http.StatusBadRequest
+}
+
+type OidcMissingRefreshTokenError struct{}
+
+func (e *OidcMissingRefreshTokenError) Error() string {
+	return "refresh token is required"
+}
+func (e *OidcMissingRefreshTokenError) HttpStatusCode() int {
+	return http.StatusBadRequest
+}
+
+type OidcMissingAuthorizationCodeError struct{}
+
+func (e *OidcMissingAuthorizationCodeError) Error() string {
+	return "authorization code is required"
+}
+func (e *OidcMissingAuthorizationCodeError) HttpStatusCode() int {
+	return http.StatusBadRequest
+}
+
+type UserDisabledError struct{}
+
+func (e *UserDisabledError) Error() string {
+	return "User account is disabled"
+}
+func (e *UserDisabledError) HttpStatusCode() int {
+	return http.StatusForbidden
+}
+
+type ValidationError struct {
+	Message string
+}
+
+func (e *ValidationError) Error() string {
+	return e.Message
+}
+
+func (e *ValidationError) HttpStatusCode() int {
+	return http.StatusBadRequest
+}
+
+type OidcDeviceCodeExpiredError struct{}
+
+func (e *OidcDeviceCodeExpiredError) Error() string {
+	return "device code has expired"
+}
+func (e *OidcDeviceCodeExpiredError) HttpStatusCode() int {
+	return http.StatusBadRequest
+}
+
+type OidcInvalidDeviceCodeError struct{}
+
+func (e *OidcInvalidDeviceCodeError) Error() string {
+	return "invalid device code"
+}
+func (e *OidcInvalidDeviceCodeError) HttpStatusCode() int {
+	return http.StatusBadRequest
+}
+
+type OidcSlowDownError struct{}
+
+func (e *OidcSlowDownError) Error() string {
+	return "polling too frequently"
+}
+func (e *OidcSlowDownError) HttpStatusCode() int {
+	return http.StatusTooManyRequests
+}
+
+type OidcAuthorizationPendingError struct{}
+
+func (e *OidcAuthorizationPendingError) Error() string {
+	return "authorization is still pending"
+}
+func (e *OidcAuthorizationPendingError) HttpStatusCode() int {
+	return http.StatusBadRequest
+}
--- a/backend/internal/common/version.go
+++ b/backend/internal/common/version.go
@@ -0,0 +1,6 @@
+package common
+
+// Version contains the Pocket ID version.
+//
+// It can be set at build time using -ldflags.
+var Version = "unknown"
--- a/backend/internal/controller/api_key_controller.go
+++ b/backend/internal/controller/api_key_controller.go
@@ -0,0 +1,125 @@
+package controller
+
+import (
+	"net/http"
+
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+// swag init -g cmd/main.go -o ./docs/swagger --parseDependency
+
+// ApiKeyController manages API keys for authenticated users
+type ApiKeyController struct {
+	apiKeyService *service.ApiKeyService
+}
+
+// NewApiKeyController creates a new controller for API key management
+// @Summary API key management controller
+// @Description Initializes API endpoints for managing API keys
+// @Tags API Keys
+func NewApiKeyController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, apiKeyService *service.ApiKeyService) {
+	uc := &ApiKeyController{apiKeyService: apiKeyService}
+
+	apiKeyGroup := group.Group("/api-keys")
+	apiKeyGroup.Use(authMiddleware.WithAdminNotRequired().Add())
+	{
+		apiKeyGroup.GET("", uc.listApiKeysHandler)
+		apiKeyGroup.POST("", uc.createApiKeyHandler)
+		apiKeyGroup.DELETE("/:id", uc.revokeApiKeyHandler)
+	}
+}
+
+// listApiKeysHandler godoc
+// @Summary List API keys
+// @Description Get a paginated list of API keys belonging to the current user
+// @Tags API Keys
+// @Param page query int false "Page number, starting from 1" default(1)
+// @Param limit query int false "Number of items per page" default(10)
+// @Param sort_column query string false "Column to sort by" default("created_at")
+// @Param sort_direction query string false "Sort direction (asc or desc)" default("desc")
+// @Success 200 {object} dto.Paginated[dto.ApiKeyDto]
+// @Router /api/api-keys [get]
+func (c *ApiKeyController) listApiKeysHandler(ctx *gin.Context) {
+	userID := ctx.GetString("userID")
+
+	var sortedPaginationRequest utils.SortedPaginationRequest
+	if err := ctx.ShouldBindQuery(&sortedPaginationRequest); err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	apiKeys, pagination, err := c.apiKeyService.ListApiKeys(ctx.Request.Context(), userID, sortedPaginationRequest)
+	if err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	var apiKeysDto []dto.ApiKeyDto
+	if err := dto.MapStructList(apiKeys, &apiKeysDto); err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	ctx.JSON(http.StatusOK, dto.Paginated[dto.ApiKeyDto]{
+		Data:       apiKeysDto,
+		Pagination: pagination,
+	})
+}
+
+// createApiKeyHandler godoc
+// @Summary Create API key
+// @Description Create a new API key for the current user
+// @Tags API Keys
+// @Param api_key body dto.ApiKeyCreateDto true "API key information"
+// @Success 201 {object} dto.ApiKeyResponseDto "Created API key with token"
+// @Router /api/api-keys [post]
+func (c *ApiKeyController) createApiKeyHandler(ctx *gin.Context) {
+	userID := ctx.GetString("userID")
+
+	var input dto.ApiKeyCreateDto
+	if err := ctx.ShouldBindJSON(&input); err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	apiKey, token, err := c.apiKeyService.CreateApiKey(ctx.Request.Context(), userID, input)
+	if err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	var apiKeyDto dto.ApiKeyDto
+	if err := dto.MapStruct(apiKey, &apiKeyDto); err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	ctx.JSON(http.StatusCreated, dto.ApiKeyResponseDto{
+		ApiKey: apiKeyDto,
+		Token:  token,
+	})
+}
+
+// revokeApiKeyHandler godoc
+// @Summary Revoke API key
+// @Description Revoke (delete) an existing API key by ID
+// @Tags API Keys
+// @Param id path string true "API Key ID"
+// @Success 204 "No Content"
+// @Router /api/api-keys/{id} [delete]
+func (c *ApiKeyController) revokeApiKeyHandler(ctx *gin.Context) {
+	userID := ctx.GetString("userID")
+	apiKeyID := ctx.Param("id")
+
+	if err := c.apiKeyService.RevokeApiKey(ctx.Request.Context(), userID, apiKeyID); err != nil {
+		_ = ctx.Error(err)
+		return
+	}
+
+	ctx.Status(http.StatusNoContent)
+}
--- a/backend/internal/controller/app_config_controller.go
+++ b/backend/internal/controller/app_config_controller.go
@@ -1,19 +1,24 @@
 package controller

 import (
-	"fmt"
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"net/http"
+	"strconv"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )

+// NewAppConfigController creates a new controller for application configuration endpoints
+// @Summary Create a new application configuration controller
+// @Description Initialize routes for application configuration
+// @Tags Application Configuration
 func NewAppConfigController(
 	group *gin.RouterGroup,
-	jwtAuthMiddleware *middleware.JwtAuthMiddleware,
+	authMiddleware *middleware.AuthMiddleware,
 	appConfigService *service.AppConfigService,
 	emailService *service.EmailService,
 	ldapService *service.LdapService,
@@ -25,18 +30,18 @@ func NewAppConfigController(
 		ldapService:      ldapService,
 	}
 	group.GET("/application-configuration", acc.listAppConfigHandler)
-	group.GET("/application-configuration/all", jwtAuthMiddleware.Add(true), acc.listAllAppConfigHandler)
-	group.PUT("/application-configuration", acc.updateAppConfigHandler)
+	group.GET("/application-configuration/all", authMiddleware.Add(), acc.listAllAppConfigHandler)
+	group.PUT("/application-configuration", authMiddleware.Add(), acc.updateAppConfigHandler)

 	group.GET("/application-configuration/logo", acc.getLogoHandler)
 	group.GET("/application-configuration/background-image", acc.getBackgroundImageHandler)
 	group.GET("/application-configuration/favicon", acc.getFaviconHandler)
-	group.PUT("/application-configuration/logo", jwtAuthMiddleware.Add(true), acc.updateLogoHandler)
-	group.PUT("/application-configuration/favicon", jwtAuthMiddleware.Add(true), acc.updateFaviconHandler)
-	group.PUT("/application-configuration/background-image", jwtAuthMiddleware.Add(true), acc.updateBackgroundImageHandler)
+	group.PUT("/application-configuration/logo", authMiddleware.Add(), acc.updateLogoHandler)
+	group.PUT("/application-configuration/favicon", authMiddleware.Add(), acc.updateFaviconHandler)
+	group.PUT("/application-configuration/background-image", authMiddleware.Add(), acc.updateBackgroundImageHandler)

-	group.POST("/application-configuration/test-email", jwtAuthMiddleware.Add(true), acc.testEmailHandler)
-	group.POST("/application-configuration/sync-ldap", jwtAuthMiddleware.Add(true), acc.syncLdapHandler)
+	group.POST("/application-configuration/test-email", authMiddleware.Add(), acc.testEmailHandler)
+	group.POST("/application-configuration/sync-ldap", authMiddleware.Add(), acc.syncLdapHandler)
 }

 type AppConfigController struct {
@@ -45,162 +50,254 @@ type AppConfigController struct {
 	ldapService      *service.LdapService
 }

+// listAppConfigHandler godoc
+// @Summary List public application configurations
+// @Description Get all public application configurations
+// @Tags Application Configuration
+// @Accept json
+// @Produce json
+// @Success 200 {array} dto.PublicAppConfigVariableDto
+// @Failure 500 {object} object "{"error": "error message"}"
+// @Router /application-configuration [get]
 func (acc *AppConfigController) listAppConfigHandler(c *gin.Context) {
-	configuration, err := acc.appConfigService.ListAppConfig(false)
-	if err != nil {
-		c.Error(err)
-		return
-	}
+	configuration := acc.appConfigService.ListAppConfig(false)

 	var configVariablesDto []dto.PublicAppConfigVariableDto
 	if err := dto.MapStructList(configuration, &configVariablesDto); err != nil {
-		c.Error(err)
-		return
-	}
-
-	c.JSON(200, configVariablesDto)
-}
-
-func (acc *AppConfigController) listAllAppConfigHandler(c *gin.Context) {
-	configuration, err := acc.appConfigService.ListAppConfig(true)
-	if err != nil {
-		c.Error(err)
-		return
-	}
-
-	var configVariablesDto []dto.AppConfigVariableDto
-	if err := dto.MapStructList(configuration, &configVariablesDto); err != nil {
-		c.Error(err)
-		return
-	}
-
-	c.JSON(200, configVariablesDto)
-}
-
-func (acc *AppConfigController) updateAppConfigHandler(c *gin.Context) {
-	var input dto.AppConfigUpdateDto
-	if err := c.ShouldBindJSON(&input); err != nil {
-		c.Error(err)
-		return
-	}
-
-	savedConfigVariables, err := acc.appConfigService.UpdateAppConfig(input)
-	if err != nil {
-		c.Error(err)
-		return
-	}
-
-	var configVariablesDto []dto.AppConfigVariableDto
-	if err := dto.MapStructList(savedConfigVariables, &configVariablesDto); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusOK, configVariablesDto)
 }

+// listAllAppConfigHandler godoc
+// @Summary List all application configurations
+// @Description Get all application configurations including private ones
+// @Tags Application Configuration
+// @Accept json
+// @Produce json
+// @Success 200 {array} dto.AppConfigVariableDto
+// @Security BearerAuth
+// @Router /application-configuration/all [get]
+func (acc *AppConfigController) listAllAppConfigHandler(c *gin.Context) {
+	configuration := acc.appConfigService.ListAppConfig(true)
+
+	var configVariablesDto []dto.AppConfigVariableDto
+	if err := dto.MapStructList(configuration, &configVariablesDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, configVariablesDto)
+}
+
+// updateAppConfigHandler godoc
+// @Summary Update application configurations
+// @Description Update application configuration settings
+// @Tags Application Configuration
+// @Accept json
+// @Produce json
+// @Param body body dto.AppConfigUpdateDto true "Application Configuration"
+// @Success 200 {array} dto.AppConfigVariableDto
+// @Security BearerAuth
+// @Router /api/application-configuration [put]
+func (acc *AppConfigController) updateAppConfigHandler(c *gin.Context) {
+	var input dto.AppConfigUpdateDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	savedConfigVariables, err := acc.appConfigService.UpdateAppConfig(c.Request.Context(), input)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var configVariablesDto []dto.AppConfigVariableDto
+	if err := dto.MapStructList(savedConfigVariables, &configVariablesDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, configVariablesDto)
+}
+
+// getLogoHandler godoc
+// @Summary Get logo image
+// @Description Get the logo image for the application
+// @Tags Application Configuration
+// @Param light query boolean false "Light mode logo (true) or dark mode logo (false)"
+// @Produce image/png
+// @Produce image/jpeg
+// @Produce image/svg+xml
+// @Success 200 {file} binary "Logo image"
+// @Router /api/application-configuration/logo [get]
 func (acc *AppConfigController) getLogoHandler(c *gin.Context) {
-	lightLogo := c.DefaultQuery("light", "true") == "true"
+	dbConfig := acc.appConfigService.GetDbConfig()

-	var imageName string
-	var imageType string
+	lightLogo, _ := strconv.ParseBool(c.DefaultQuery("light", "true"))

+	var imageName, imageType string
 	if lightLogo {
 		imageName = "logoLight"
-		imageType = acc.appConfigService.DbConfig.LogoLightImageType.Value
+		imageType = dbConfig.LogoLightImageType.Value
 	} else {
 		imageName = "logoDark"
-		imageType = acc.appConfigService.DbConfig.LogoDarkImageType.Value
+		imageType = dbConfig.LogoDarkImageType.Value
 	}

 	acc.getImage(c, imageName, imageType)
 }

+// getFaviconHandler godoc
+// @Summary Get favicon
+// @Description Get the favicon for the application
+// @Tags Application Configuration
+// @Produce image/x-icon
+// @Success 200 {file} binary "Favicon image"
+// @Failure 404 {object} object "{"error": "File not found"}"
+// @Router /api/application-configuration/favicon [get]
 func (acc *AppConfigController) getFaviconHandler(c *gin.Context) {
 	acc.getImage(c, "favicon", "ico")
 }

+// getBackgroundImageHandler godoc
+// @Summary Get background image
+// @Description Get the background image for the application
+// @Tags Application Configuration
+// @Produce image/png
+// @Produce image/jpeg
+// @Success 200 {file} binary "Background image"
+// @Failure 404 {object} object "{"error": "File not found"}"
+// @Router /api/application-configuration/background-image [get]
 func (acc *AppConfigController) getBackgroundImageHandler(c *gin.Context) {
-	imageType := acc.appConfigService.DbConfig.BackgroundImageType.Value
+	imageType := acc.appConfigService.GetDbConfig().BackgroundImageType.Value
 	acc.getImage(c, "background", imageType)
 }

+// updateLogoHandler godoc
+// @Summary Update logo
+// @Description Update the application logo
+// @Tags Application Configuration
+// @Accept multipart/form-data
+// @Param light query boolean false "Light mode logo (true) or dark mode logo (false)"
+// @Param file formData file true "Logo image file"
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/application-configuration/logo [put]
 func (acc *AppConfigController) updateLogoHandler(c *gin.Context) {
-	lightLogo := c.DefaultQuery("light", "true") == "true"
+	dbConfig := acc.appConfigService.GetDbConfig()

-	var imageName string
-	var imageType string
+	lightLogo, _ := strconv.ParseBool(c.DefaultQuery("light", "true"))

+	var imageName, imageType string
 	if lightLogo {
 		imageName = "logoLight"
-		imageType = acc.appConfigService.DbConfig.LogoLightImageType.Value
+		imageType = dbConfig.LogoLightImageType.Value
 	} else {
 		imageName = "logoDark"
-		imageType = acc.appConfigService.DbConfig.LogoDarkImageType.Value
+		imageType = dbConfig.LogoDarkImageType.Value
 	}

 	acc.updateImage(c, imageName, imageType)
 }

+// updateFaviconHandler godoc
+// @Summary Update favicon
+// @Description Update the application favicon
+// @Tags Application Configuration
+// @Accept multipart/form-data
+// @Param file formData file true "Favicon file (.ico)"
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/application-configuration/favicon [put]
 func (acc *AppConfigController) updateFaviconHandler(c *gin.Context) {
 	file, err := c.FormFile("file")
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	fileType := utils.GetFileExtension(file.Filename)
 	if fileType != "ico" {
-		c.Error(&common.WrongFileTypeError{ExpectedFileType: ".ico"})
+		_ = c.Error(&common.WrongFileTypeError{ExpectedFileType: ".ico"})
 		return
 	}
 	acc.updateImage(c, "favicon", "ico")
 }

+// updateBackgroundImageHandler godoc
+// @Summary Update background image
+// @Description Update the application background image
+// @Tags Application Configuration
+// @Accept multipart/form-data
+// @Param file formData file true "Background image file"
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/application-configuration/background-image [put]
 func (acc *AppConfigController) updateBackgroundImageHandler(c *gin.Context) {
-	imageType := acc.appConfigService.DbConfig.BackgroundImageType.Value
+	imageType := acc.appConfigService.GetDbConfig().BackgroundImageType.Value
 	acc.updateImage(c, "background", imageType)
 }

+// getImage is a helper function to serve image files
 func (acc *AppConfigController) getImage(c *gin.Context, name string, imageType string) {
-	imagePath := fmt.Sprintf("%s/application-images/%s.%s", common.EnvConfig.UploadPath, name, imageType)
+	imagePath := common.EnvConfig.UploadPath + "/application-images/" + name + "." + imageType
 	mimeType := utils.GetImageMimeType(imageType)

 	c.Header("Content-Type", mimeType)
 	c.File(imagePath)
 }

+// updateImage is a helper function to update image files
 func (acc *AppConfigController) updateImage(c *gin.Context, imageName string, oldImageType string) {
 	file, err := c.FormFile("file")
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	err = acc.appConfigService.UpdateImage(file, imageName, oldImageType)
+	err = acc.appConfigService.UpdateImage(c.Request.Context(), file, imageName, oldImageType)
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	c.Status(http.StatusNoContent)
 }

+// syncLdapHandler godoc
+// @Summary Synchronize LDAP
+// @Description Manually trigger LDAP synchronization
+// @Tags Application Configuration
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/application-configuration/sync-ldap [post]
 func (acc *AppConfigController) syncLdapHandler(c *gin.Context) {
-	err := acc.ldapService.SyncAll()
+	err := acc.ldapService.SyncAll(c.Request.Context())
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	c.Status(http.StatusNoContent)
 }
+
+// testEmailHandler godoc
+// @Summary Send test email
+// @Description Send a test email to verify email configuration
+// @Tags Application Configuration
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/application-configuration/test-email [post]
 func (acc *AppConfigController) testEmailHandler(c *gin.Context) {
 	userID := c.GetString("userID")

-	err := acc.emailService.SendTestEmail(userID)
+	err := acc.emailService.SendTestEmail(c.Request.Context(), userID)
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

--- a/backend/internal/controller/audit_log_controller.go
+++ b/backend/internal/controller/audit_log_controller.go
@@ -1,40 +1,60 @@
 package controller

 import (
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"net/http"

+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+
 	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )

-func NewAuditLogController(group *gin.RouterGroup, auditLogService *service.AuditLogService, jwtAuthMiddleware *middleware.JwtAuthMiddleware) {
+// NewAuditLogController creates a new controller for audit log management
+// @Summary Audit log controller
+// @Description Initializes API endpoints for accessing audit logs
+// @Tags Audit Logs
+func NewAuditLogController(group *gin.RouterGroup, auditLogService *service.AuditLogService, authMiddleware *middleware.AuthMiddleware) {
 	alc := AuditLogController{
 		auditLogService: auditLogService,
 	}

-	group.GET("/audit-logs", jwtAuthMiddleware.Add(false), alc.listAuditLogsForUserHandler)
+	group.GET("/audit-logs/all", authMiddleware.Add(), alc.listAllAuditLogsHandler)
+	group.GET("/audit-logs", authMiddleware.WithAdminNotRequired().Add(), alc.listAuditLogsForUserHandler)
+	group.GET("/audit-logs/filters/client-names", authMiddleware.Add(), alc.listClientNamesHandler)
+	group.GET("/audit-logs/filters/users", authMiddleware.Add(), alc.listUserNamesWithIdsHandler)
 }

 type AuditLogController struct {
 	auditLogService *service.AuditLogService
 }

+// listAuditLogsForUserHandler godoc
+// @Summary List audit logs
+// @Description Get a paginated list of audit logs for the current user
+// @Tags Audit Logs
+// @Param page query int false "Page number, starting from 1" default(1)
+// @Param limit query int false "Number of items per page" default(10)
+// @Param sort_column query string false "Column to sort by" default("created_at")
+// @Param sort_direction query string false "Sort direction (asc or desc)" default("desc")
+// @Success 200 {object} dto.Paginated[dto.AuditLogDto]
+// @Router /api/audit-logs [get]
 func (alc *AuditLogController) listAuditLogsForUserHandler(c *gin.Context) {
 	var sortedPaginationRequest utils.SortedPaginationRequest
-	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
-		c.Error(err)
+
+	err := c.ShouldBindQuery(&sortedPaginationRequest)
+	if err != nil {
+		_ = c.Error(err)
 		return
 	}

 	userID := c.GetString("userID")

 	// Fetch audit logs for the user
-	logs, pagination, err := alc.auditLogService.ListAuditLogsForUser(userID, sortedPaginationRequest)
+	logs, pagination, err := alc.auditLogService.ListAuditLogsForUser(c.Request.Context(), userID, sortedPaginationRequest)
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

@@ -42,7 +62,7 @@ func (alc *AuditLogController) listAuditLogsForUserHandler(c *gin.Context) {
 	var logsDtos []dto.AuditLogDto
 	err = dto.MapStructList(logs, &logsDtos)
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

@@ -52,8 +72,91 @@ func (alc *AuditLogController) listAuditLogsForUserHandler(c *gin.Context) {
 		logsDtos[i] = logsDto
 	}

-	c.JSON(http.StatusOK, gin.H{
-		"data":       logsDtos,
-		"pagination": pagination,
+	c.JSON(http.StatusOK, dto.Paginated[dto.AuditLogDto]{
+		Data:       logsDtos,
+		Pagination: pagination,
 	})
 }
+
+// listAllAuditLogsHandler godoc
+// @Summary List all audit logs
+// @Description Get a paginated list of all audit logs (admin only)
+// @Tags Audit Logs
+// @Param page query int false "Page number, starting from 1" default(1)
+// @Param limit query int false "Number of items per page" default(10)
+// @Param sort_column query string false "Column to sort by" default("created_at")
+// @Param sort_direction query string false "Sort direction (asc or desc)" default("desc")
+// @Param user_id query string false "Filter by user ID"
+// @Param event query string false "Filter by event type"
+// @Param client_name query string false "Filter by client name"
+// @Success 200 {object} dto.Paginated[dto.AuditLogDto]
+// @Router /api/audit-logs/all [get]
+func (alc *AuditLogController) listAllAuditLogsHandler(c *gin.Context) {
+	var sortedPaginationRequest utils.SortedPaginationRequest
+	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var filters dto.AuditLogFilterDto
+	if err := c.ShouldBindQuery(&filters); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	logs, pagination, err := alc.auditLogService.ListAllAuditLogs(c.Request.Context(), sortedPaginationRequest, filters)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var logsDtos []dto.AuditLogDto
+	err = dto.MapStructList(logs, &logsDtos)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	for i, logsDto := range logsDtos {
+		logsDto.Device = alc.auditLogService.DeviceStringFromUserAgent(logs[i].UserAgent)
+		logsDto.Username = logs[i].User.Username
+		logsDtos[i] = logsDto
+	}
+
+	c.JSON(http.StatusOK, dto.Paginated[dto.AuditLogDto]{
+		Data:       logsDtos,
+		Pagination: pagination,
+	})
+}
+
+// listClientNamesHandler godoc
+// @Summary List client names
+// @Description Get a list of all client names for audit log filtering
+// @Tags Audit Logs
+// @Success 200 {array} string "List of client names"
+// @Router /api/audit-logs/filters/client-names [get]
+func (alc *AuditLogController) listClientNamesHandler(c *gin.Context) {
+	names, err := alc.auditLogService.ListClientNames(c.Request.Context())
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, names)
+}
+
+// listUserNamesWithIdsHandler godoc
+// @Summary List users with IDs
+// @Description Get a list of all usernames with their IDs for audit log filtering
+// @Tags Audit Logs
+// @Success 200 {object} map[string]string "Map of user IDs to usernames"
+// @Router /api/audit-logs/filters/users [get]
+func (alc *AuditLogController) listUserNamesWithIdsHandler(c *gin.Context) {
+	users, err := alc.auditLogService.ListUsernamesWithIds(c.Request.Context())
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, users)
+}
--- a/backend/internal/controller/custom_claim_controller.go
+++ b/backend/internal/controller/custom_claim_controller.go
@@ -1,76 +1,118 @@
 package controller

 import (
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/service"
 	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )

-func NewCustomClaimController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, customClaimService *service.CustomClaimService) {
+// NewCustomClaimController creates a new controller for custom claim management
+// @Summary Custom claim management controller
+// @Description Initializes all custom claim-related API endpoints
+// @Tags Custom Claims
+func NewCustomClaimController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, customClaimService *service.CustomClaimService) {
 	wkc := &CustomClaimController{customClaimService: customClaimService}
-	group.GET("/custom-claims/suggestions", jwtAuthMiddleware.Add(true), wkc.getSuggestionsHandler)
-	group.PUT("/custom-claims/user/:userId", jwtAuthMiddleware.Add(true), wkc.UpdateCustomClaimsForUserHandler)
-	group.PUT("/custom-claims/user-group/:userGroupId", jwtAuthMiddleware.Add(true), wkc.UpdateCustomClaimsForUserGroupHandler)
+
+	customClaimsGroup := group.Group("/custom-claims")
+	customClaimsGroup.Use(authMiddleware.Add())
+	{
+		customClaimsGroup.GET("/suggestions", wkc.getSuggestionsHandler)
+		customClaimsGroup.PUT("/user/:userId", wkc.UpdateCustomClaimsForUserHandler)
+		customClaimsGroup.PUT("/user-group/:userGroupId", wkc.UpdateCustomClaimsForUserGroupHandler)
+	}
 }

 type CustomClaimController struct {
 	customClaimService *service.CustomClaimService
 }

+// getSuggestionsHandler godoc
+// @Summary Get custom claim suggestions
+// @Description Get a list of suggested custom claim names
+// @Tags Custom Claims
+// @Produce json
+// @Success 200 {array} string "List of suggested custom claim names"
+// @Failure 401 {object} object "Unauthorized"
+// @Failure 403 {object} object "Forbidden"
+// @Failure 500 {object} object "Internal server error"
+// @Security BearerAuth
+// @Router /api/custom-claims/suggestions [get]
 func (ccc *CustomClaimController) getSuggestionsHandler(c *gin.Context) {
-	claims, err := ccc.customClaimService.GetSuggestions()
+	claims, err := ccc.customClaimService.GetSuggestions(c.Request.Context())
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusOK, claims)
 }

+// UpdateCustomClaimsForUserHandler godoc
+// @Summary Update custom claims for a user
+// @Description Update or create custom claims for a specific user
+// @Tags Custom Claims
+// @Accept json
+// @Produce json
+// @Param userId path string true "User ID"
+// @Param claims body []dto.CustomClaimCreateDto true "List of custom claims to set for the user"
+// @Success 200 {array} dto.CustomClaimDto "Updated custom claims"
+// @Router /api/custom-claims/user/{userId} [put]
 func (ccc *CustomClaimController) UpdateCustomClaimsForUserHandler(c *gin.Context) {
 	var input []dto.CustomClaimCreateDto

 	if err := c.ShouldBindJSON(&input); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	userId := c.Param("userId")
-	claims, err := ccc.customClaimService.UpdateCustomClaimsForUser(userId, input)
+	claims, err := ccc.customClaimService.UpdateCustomClaimsForUser(c.Request.Context(), userId, input)
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	var customClaimsDto []dto.CustomClaimDto
 	if err := dto.MapStructList(claims, &customClaimsDto); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusOK, customClaimsDto)
 }

+// UpdateCustomClaimsForUserGroupHandler godoc
+// @Summary Update custom claims for a user group
+// @Description Update or create custom claims for a specific user group
+// @Tags Custom Claims
+// @Accept json
+// @Produce json
+// @Param userGroupId path string true "User Group ID"
+// @Param claims body []dto.CustomClaimCreateDto true "List of custom claims to set for the user group"
+// @Success 200 {array} dto.CustomClaimDto "Updated custom claims"
+// @Security BearerAuth
+// @Router /api/custom-claims/user-group/{userGroupId} [put]
 func (ccc *CustomClaimController) UpdateCustomClaimsForUserGroupHandler(c *gin.Context) {
 	var input []dto.CustomClaimCreateDto

 	if err := c.ShouldBindJSON(&input); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	userId := c.Param("userGroupId")
-	claims, err := ccc.customClaimService.UpdateCustomClaimsForUserGroup(userId, input)
+	userGroupId := c.Param("userGroupId")
+	claims, err := ccc.customClaimService.UpdateCustomClaimsForUserGroup(c.Request.Context(), userGroupId, input)
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	var customClaimsDto []dto.CustomClaimDto
 	if err := dto.MapStructList(claims, &customClaimsDto); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

--- a/backend/internal/controller/e2etest_controller.go
+++ b/backend/internal/controller/e2etest_controller.go
@@ -1,9 +1,13 @@
+//go:build e2etest
+
 package controller

 import (
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/service"
 	"net/http"
+
+	"github.com/gin-gonic/gin"
+
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )

 func NewTestController(group *gin.RouterGroup, testService *service.TestService) {
@@ -18,24 +22,36 @@ type TestController struct {

 func (tc *TestController) resetAndSeedHandler(c *gin.Context) {
 	if err := tc.TestService.ResetDatabase(); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	if err := tc.TestService.ResetApplicationImages(); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	if err := tc.TestService.SeedDatabase(); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	if err := tc.TestService.ResetAppConfig(); err != nil {
-		c.Error(err)
+	if err := tc.TestService.ResetAppConfig(c.Request.Context()); err != nil {
+		_ = c.Error(err)
 		return
 	}

+	if err := tc.TestService.SetLdapTestConfig(c.Request.Context()); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	if err := tc.TestService.SyncLdap(c.Request.Context()); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	tc.TestService.SetJWTKeys()
+
 	c.Status(http.StatusNoContent)
 }
--- a/backend/internal/controller/healthz_controller.go
+++ b/backend/internal/controller/healthz_controller.go
@@ -0,0 +1,29 @@
+package controller
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+)
+
+// NewHealthzController creates a new controller for the healthcheck endpoints
+// @Summary Healthcheck controller
+// @Description Initializes healthcheck endpoints
+// @Tags Health
+func NewHealthzController(r *gin.Engine) {
+	hc := &HealthzController{}
+
+	r.GET("/healthz", hc.healthzHandler)
+}
+
+type HealthzController struct{}
+
+// healthzHandler godoc
+// @Summary Responds to healthchecks
+// @Description Responds with a successful status code to healthcheck requests
+// @Tags Health
+// @Success 204 ""
+// @Router /healthz [get]
+func (hc *HealthzController) healthzHandler(c *gin.Context) {
+	c.Status(http.StatusNoContent)
+}
--- a/backend/internal/controller/oidc_controller.go
+++ b/backend/internal/controller/oidc_controller.go
@@ -1,34 +1,56 @@
 package controller

 import (
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"errors"
+	"log"
 	"net/http"
+	"net/url"
 	"strings"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/cookie"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )

-func NewOidcController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, fileSizeLimitMiddleware *middleware.FileSizeLimitMiddleware, oidcService *service.OidcService, jwtService *service.JwtService) {
+// NewOidcController creates a new controller for OIDC related endpoints
+// @Summary OIDC controller
+// @Description Initializes all OIDC-related API endpoints for authentication and client management
+// @Tags OIDC
+func NewOidcController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, fileSizeLimitMiddleware *middleware.FileSizeLimitMiddleware, oidcService *service.OidcService, jwtService *service.JwtService) {
 	oc := &OidcController{oidcService: oidcService, jwtService: jwtService}

-	group.POST("/oidc/authorize", jwtAuthMiddleware.Add(false), oc.authorizeHandler)
-	group.POST("/oidc/authorize/new-client", jwtAuthMiddleware.Add(false), oc.authorizeNewClientHandler)
+	group.POST("/oidc/authorize", authMiddleware.WithAdminNotRequired().Add(), oc.authorizeHandler)
+	group.POST("/oidc/authorization-required", authMiddleware.WithAdminNotRequired().Add(), oc.authorizationConfirmationRequiredHandler)
+
 	group.POST("/oidc/token", oc.createTokensHandler)
 	group.GET("/oidc/userinfo", oc.userInfoHandler)
+	group.POST("/oidc/userinfo", oc.userInfoHandler)
+	group.POST("/oidc/end-session", authMiddleware.WithAdminNotRequired().WithSuccessOptional().Add(), oc.EndSessionHandler)
+	group.GET("/oidc/end-session", authMiddleware.WithAdminNotRequired().WithSuccessOptional().Add(), oc.EndSessionHandler)
+	group.POST("/oidc/introspect", oc.introspectTokenHandler)

-	group.GET("/oidc/clients", jwtAuthMiddleware.Add(true), oc.listClientsHandler)
-	group.POST("/oidc/clients", jwtAuthMiddleware.Add(true), oc.createClientHandler)
-	group.GET("/oidc/clients/:id", oc.getClientHandler)
-	group.PUT("/oidc/clients/:id", jwtAuthMiddleware.Add(true), oc.updateClientHandler)
-	group.DELETE("/oidc/clients/:id", jwtAuthMiddleware.Add(true), oc.deleteClientHandler)
+	group.GET("/oidc/clients", authMiddleware.Add(), oc.listClientsHandler)
+	group.POST("/oidc/clients", authMiddleware.Add(), oc.createClientHandler)
+	group.GET("/oidc/clients/:id", authMiddleware.Add(), oc.getClientHandler)
+	group.GET("/oidc/clients/:id/meta", oc.getClientMetaDataHandler)
+	group.PUT("/oidc/clients/:id", authMiddleware.Add(), oc.updateClientHandler)
+	group.DELETE("/oidc/clients/:id", authMiddleware.Add(), oc.deleteClientHandler)

-	group.POST("/oidc/clients/:id/secret", jwtAuthMiddleware.Add(true), oc.createClientSecretHandler)
+	group.PUT("/oidc/clients/:id/allowed-user-groups", authMiddleware.Add(), oc.updateAllowedUserGroupsHandler)
+	group.POST("/oidc/clients/:id/secret", authMiddleware.Add(), oc.createClientSecretHandler)

 	group.GET("/oidc/clients/:id/logo", oc.getClientLogoHandler)
 	group.DELETE("/oidc/clients/:id/logo", oc.deleteClientLogoHandler)
-	group.POST("/oidc/clients/:id/logo", jwtAuthMiddleware.Add(true), fileSizeLimitMiddleware.Add(2<<20), oc.updateClientLogoHandler)
+	group.POST("/oidc/clients/:id/logo", authMiddleware.Add(), fileSizeLimitMiddleware.Add(2<<20), oc.updateClientLogoHandler)
+
+	group.POST("/oidc/device/authorize", oc.deviceAuthorizationHandler)
+	group.POST("/oidc/device/verify", authMiddleware.WithAdminNotRequired().Add(), oc.verifyDeviceCodeHandler)
+	group.GET("/oidc/device/info", authMiddleware.WithAdminNotRequired().Add(), oc.getDeviceCodeInfoHandler)
 }

 type OidcController struct {
@@ -36,16 +58,26 @@ type OidcController struct {
 	jwtService  *service.JwtService
 }

+// authorizeHandler godoc
+// @Summary Authorize OIDC client
+// @Description Start the OIDC authorization process for a client
+// @Tags OIDC
+// @Accept json
+// @Produce json
+// @Param request body dto.AuthorizeOidcClientRequestDto true "Authorization request parameters"
+// @Success 200 {object} dto.AuthorizeOidcClientResponseDto "Authorization code and callback URL"
+// @Security BearerAuth
+// @Router /api/oidc/authorize [post]
 func (oc *OidcController) authorizeHandler(c *gin.Context) {
 	var input dto.AuthorizeOidcClientRequestDto
 	if err := c.ShouldBindJSON(&input); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	code, callbackURL, err := oc.oidcService.Authorize(input, c.GetString("userID"), c.ClientIP(), c.Request.UserAgent())
+	code, callbackURL, err := oc.oidcService.Authorize(c.Request.Context(), input, c.GetString("userID"), c.ClientIP(), c.Request.UserAgent())
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

@@ -57,195 +89,450 @@ func (oc *OidcController) authorizeHandler(c *gin.Context) {
 	c.JSON(http.StatusOK, response)
 }

-func (oc *OidcController) authorizeNewClientHandler(c *gin.Context) {
-	var input dto.AuthorizeOidcClientRequestDto
+// authorizationConfirmationRequiredHandler godoc
+// @Summary Check if authorization confirmation is required
+// @Description Check if the user needs to confirm authorization for the client
+// @Tags OIDC
+// @Accept json
+// @Produce json
+// @Param request body dto.AuthorizationRequiredDto true "Authorization check parameters"
+// @Success 200 {object} object "{ \"authorizationRequired\": true/false }"
+// @Security BearerAuth
+// @Router /api/oidc/authorization-required [post]
+func (oc *OidcController) authorizationConfirmationRequiredHandler(c *gin.Context) {
+	var input dto.AuthorizationRequiredDto
 	if err := c.ShouldBindJSON(&input); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	code, callbackURL, err := oc.oidcService.AuthorizeNewClient(input, c.GetString("userID"), c.ClientIP(), c.Request.UserAgent())
+	hasAuthorizedClient, err := oc.oidcService.HasAuthorizedClient(c.Request.Context(), input.ClientID, c.GetString("userID"), input.Scope)
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	response := dto.AuthorizeOidcClientResponseDto{
-		Code:        code,
-		CallbackURL: callbackURL,
-	}
-
-	c.JSON(http.StatusOK, response)
+	c.JSON(http.StatusOK, gin.H{"authorizationRequired": !hasAuthorizedClient})
 }

+// createTokensHandler godoc
+// @Summary Create OIDC tokens
+// @Description Exchange authorization code or refresh token for access tokens
+// @Tags OIDC
+// @Produce json
+// @Param client_id formData string false "Client ID (if not using Basic Auth)"
+// @Param client_secret formData string false "Client secret (if not using Basic Auth)"
+// @Param code formData string false "Authorization code (required for 'authorization_code' grant)"
+// @Param grant_type formData string true "Grant type ('authorization_code' or 'refresh_token')"
+// @Param code_verifier formData string false "PKCE code verifier (for authorization_code with PKCE)"
+// @Param refresh_token formData string false "Refresh token (required for 'refresh_token' grant)"
+// @Success 200 {object} dto.OidcTokenResponseDto "Token response with access_token and optional id_token and refresh_token"
+// @Router /api/oidc/token [post]
 func (oc *OidcController) createTokensHandler(c *gin.Context) {
-	// Disable cors for this endpoint
-	c.Writer.Header().Set("Access-Control-Allow-Origin", "*")
-
 	var input dto.OidcCreateTokensDto
-
 	if err := c.ShouldBind(&input); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	clientID := input.ClientID
-	clientSecret := input.ClientSecret
+	// Validate that code is provided for authorization_code grant type
+	if input.GrantType == "authorization_code" && input.Code == "" {
+		_ = c.Error(&common.OidcMissingAuthorizationCodeError{})
+		return
+	}
+
+	// Validate that refresh_token is provided for refresh_token grant type
+	if input.GrantType == "refresh_token" && input.RefreshToken == "" {
+		_ = c.Error(&common.OidcMissingRefreshTokenError{})
+		return
+	}

 	// Client id and secret can also be passed over the Authorization header
-	if clientID == "" && clientSecret == "" {
-		clientID, clientSecret, _ = c.Request.BasicAuth()
+	if input.ClientID == "" && input.ClientSecret == "" {
+		input.ClientID, input.ClientSecret, _ = c.Request.BasicAuth()
 	}

-	idToken, accessToken, err := oc.oidcService.CreateTokens(input.Code, input.GrantType, clientID, clientSecret, input.CodeVerifier)
-	if err != nil {
-		c.Error(err)
+	idToken, accessToken, refreshToken, expiresIn, err :=
+		oc.oidcService.CreateTokens(c.Request.Context(), input)
+
+	switch {
+	case errors.Is(err, &common.OidcAuthorizationPendingError{}):
+		c.JSON(http.StatusBadRequest, gin.H{
+			"error": "authorization_pending",
+		})
+		return
+	case errors.Is(err, &common.OidcSlowDownError{}):
+		c.JSON(http.StatusBadRequest, gin.H{
+			"error": "slow_down",
+		})
+		return
+	case err != nil:
+		_ = c.Error(err)
 		return
 	}

-	c.JSON(http.StatusOK, gin.H{"id_token": idToken, "access_token": accessToken, "token_type": "Bearer"})
+	response := dto.OidcTokenResponseDto{
+		AccessToken: accessToken,
+		TokenType:   "Bearer",
+		ExpiresIn:   expiresIn,
+	}
+
+	// Include ID token only for authorization_code grant
+	if idToken != "" {
+		response.IdToken = idToken
+	}
+
+	// Include refresh token if generated
+	if refreshToken != "" {
+		response.RefreshToken = refreshToken
+	}
+
+	c.JSON(http.StatusOK, response)
 }

+// userInfoHandler godoc
+// @Summary Get user information
+// @Description Get user information based on the access token
+// @Tags OIDC
+// @Accept json
+// @Produce json
+// @Success 200 {object} object "User claims based on requested scopes"
+// @Security OAuth2AccessToken
+// @Router /api/oidc/userinfo [get]
 func (oc *OidcController) userInfoHandler(c *gin.Context) {
-	token := strings.Split(c.GetHeader("Authorization"), " ")[1]
-	jwtClaims, err := oc.jwtService.VerifyOauthAccessToken(token)
-	if err != nil {
-		c.Error(err)
+	_, authToken, ok := strings.Cut(c.GetHeader("Authorization"), " ")
+	if !ok || authToken == "" {
+		_ = c.Error(&common.MissingAccessToken{})
 		return
 	}
-	userID := jwtClaims.Subject
-	clientId := jwtClaims.Audience[0]
-	claims, err := oc.oidcService.GetUserClaimsForClient(userID, clientId)
+
+	token, err := oc.jwtService.VerifyOauthAccessToken(authToken)
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
+		return
+	}
+	userID, ok := token.Subject()
+	if !ok {
+		_ = c.Error(&common.TokenInvalidError{})
+		return
+	}
+	clientID, ok := token.Audience()
+	if !ok || len(clientID) != 1 {
+		_ = c.Error(&common.TokenInvalidError{})
+		return
+	}
+	claims, err := oc.oidcService.GetUserClaimsForClient(c.Request.Context(), userID, clientID[0])
+	if err != nil {
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusOK, claims)
 }

-func (oc *OidcController) getClientHandler(c *gin.Context) {
-	clientId := c.Param("id")
-	client, err := oc.oidcService.GetClient(clientId)
+// EndSessionHandler godoc
+// @Summary End OIDC session
+// @Description End user session and handle OIDC logout
+// @Tags OIDC
+// @Accept application/x-www-form-urlencoded
+// @Produce html
+// @Param id_token_hint query string false "ID token"
+// @Param post_logout_redirect_uri query string false "URL to redirect to after logout"
+// @Param state query string false "State parameter to include in the redirect"
+// @Success 302 "Redirect to post-logout URL or application logout page"
+// @Router /api/oidc/end-session [get]
+func (oc *OidcController) EndSessionHandler(c *gin.Context) {
+	var input dto.OidcLogoutDto
+
+	// Bind query parameters to the struct
+	switch c.Request.Method {
+	case http.MethodGet:
+		if err := c.ShouldBindQuery(&input); err != nil {
+			_ = c.Error(err)
+			return
+		}
+	case http.MethodPost:
+		// Bind form parameters to the struct
+		if err := c.ShouldBind(&input); err != nil {
+			_ = c.Error(err)
+			return
+		}
+	}
+
+	callbackURL, err := oc.oidcService.ValidateEndSession(c.Request.Context(), input, c.GetString("userID"))
 	if err != nil {
-		c.Error(err)
+		// If the validation fails, the user has to confirm the logout manually and doesn't get redirected
+		log.Printf("Error getting logout callback URL, the user has to confirm the logout manually: %v", err)
+		c.Redirect(http.StatusFound, common.EnvConfig.AppURL+"/logout")
 		return
 	}

-	// Return a different DTO based on the user's role
-	if c.GetBool("userIsAdmin") {
-		clientDto := dto.OidcClientDto{}
-		err = dto.MapStruct(client, &clientDto)
-		if err == nil {
-			c.JSON(http.StatusOK, clientDto)
-			return
-		}
-	} else {
-		clientDto := dto.PublicOidcClientDto{}
-		err = dto.MapStruct(client, &clientDto)
-		if err == nil {
-			c.JSON(http.StatusOK, clientDto)
-			return
-		}
+	// The validation was successful, so we can log out and redirect the user to the callback URL without confirmation
+	cookie.AddAccessTokenCookie(c, 0, "")
+
+	logoutCallbackURL, _ := url.Parse(callbackURL)
+	if input.State != "" {
+		q := logoutCallbackURL.Query()
+		q.Set("state", input.State)
+		logoutCallbackURL.RawQuery = q.Encode()
 	}

-	c.Error(err)
+	c.Redirect(http.StatusFound, logoutCallbackURL.String())
 }

+// EndSessionHandler godoc (POST method)
+// @Summary End OIDC session (POST method)
+// @Description End user session and handle OIDC logout using POST
+// @Tags OIDC
+// @Accept application/x-www-form-urlencoded
+// @Produce html
+// @Param id_token_hint formData string false "ID token"
+// @Param post_logout_redirect_uri formData string false "URL to redirect to after logout"
+// @Param state formData string false "State parameter to include in the redirect"
+// @Success 302 "Redirect to post-logout URL or application logout page"
+// @Router /api/oidc/end-session [post]
+func (oc *OidcController) EndSessionHandlerPost(c *gin.Context) {
+	// Implementation is the same as GET
+}
+
+// introspectToken godoc
+// @Summary Introspect OIDC tokens
+// @Description Pass an access_token to verify if it is considered valid.
+// @Tags OIDC
+// @Produce json
+// @Param token formData string true "The token to be introspected."
+// @Success 200 {object} dto.OidcIntrospectionResponseDto "Response with the introspection result."
+// @Router /api/oidc/introspect [post]
+func (oc *OidcController) introspectTokenHandler(c *gin.Context) {
+	var input dto.OidcIntrospectDto
+	if err := c.ShouldBind(&input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	// Client id and secret have to be passed over the Authorization header. This kind of
+	// authentication allows us to keep the endpoint protected (since it could be used to
+	// find valid tokens) while still allowing it to be used by an application that is
+	// supposed to interact with our IdP (since that needs to have a client_id
+	// and client_secret anyway).
+	clientID, clientSecret, _ := c.Request.BasicAuth()
+
+	response, err := oc.oidcService.IntrospectToken(c.Request.Context(), clientID, clientSecret, input.Token)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, response)
+}
+
+// getClientMetaDataHandler godoc
+// @Summary Get client metadata
+// @Description Get OIDC client metadata for discovery and configuration
+// @Tags OIDC
+// @Produce json
+// @Param id path string true "Client ID"
+// @Success 200 {object} dto.OidcClientMetaDataDto "Client metadata"
+// @Router /api/oidc/clients/{id}/meta [get]
+func (oc *OidcController) getClientMetaDataHandler(c *gin.Context) {
+	clientId := c.Param("id")
+	client, err := oc.oidcService.GetClient(c.Request.Context(), clientId)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	clientDto := dto.OidcClientMetaDataDto{}
+	err = dto.MapStruct(client, &clientDto)
+	if err == nil {
+		c.JSON(http.StatusOK, clientDto)
+		return
+	}
+
+	_ = c.Error(err)
+}
+
+// getClientHandler godoc
+// @Summary Get OIDC client
+// @Description Get detailed information about an OIDC client
+// @Tags OIDC
+// @Produce json
+// @Param id path string true "Client ID"
+// @Success 200 {object} dto.OidcClientWithAllowedUserGroupsDto "Client information"
+// @Security BearerAuth
+// @Router /api/oidc/clients/{id} [get]
+func (oc *OidcController) getClientHandler(c *gin.Context) {
+	clientId := c.Param("id")
+	client, err := oc.oidcService.GetClient(c.Request.Context(), clientId)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	clientDto := dto.OidcClientWithAllowedUserGroupsDto{}
+	err = dto.MapStruct(client, &clientDto)
+	if err == nil {
+		c.JSON(http.StatusOK, clientDto)
+		return
+	}
+
+	_ = c.Error(err)
+}
+
+// listClientsHandler godoc
+// @Summary List OIDC clients
+// @Description Get a paginated list of OIDC clients with optional search and sorting
+// @Tags OIDC
+// @Param search query string false "Search term to filter clients by name"
+// @Param page query int false "Page number, starting from 1" default(1)
+// @Param limit query int false "Number of items per page" default(10)
+// @Param sort_column query string false "Column to sort by" default("name")
+// @Param sort_direction query string false "Sort direction (asc or desc)" default("asc")
+// @Success 200 {object} dto.Paginated[dto.OidcClientDto]
+// @Security BearerAuth
+// @Router /api/oidc/clients [get]
 func (oc *OidcController) listClientsHandler(c *gin.Context) {
 	searchTerm := c.Query("search")
 	var sortedPaginationRequest utils.SortedPaginationRequest
 	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	clients, pagination, err := oc.oidcService.ListClients(searchTerm, sortedPaginationRequest)
+	clients, pagination, err := oc.oidcService.ListClients(c.Request.Context(), searchTerm, sortedPaginationRequest)
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	var clientsDto []dto.OidcClientDto
 	if err := dto.MapStructList(clients, &clientsDto); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	c.JSON(http.StatusOK, gin.H{
-		"data":       clientsDto,
-		"pagination": pagination,
+	c.JSON(http.StatusOK, dto.Paginated[dto.OidcClientDto]{
+		Data:       clientsDto,
+		Pagination: pagination,
 	})
 }

+// createClientHandler godoc
+// @Summary Create OIDC client
+// @Description Create a new OIDC client
+// @Tags OIDC
+// @Accept json
+// @Produce json
+// @Param client body dto.OidcClientCreateDto true "Client information"
+// @Success 201 {object} dto.OidcClientWithAllowedUserGroupsDto "Created client"
+// @Security BearerAuth
+// @Router /api/oidc/clients [post]
 func (oc *OidcController) createClientHandler(c *gin.Context) {
 	var input dto.OidcClientCreateDto
 	if err := c.ShouldBindJSON(&input); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	client, err := oc.oidcService.CreateClient(input, c.GetString("userID"))
+	client, err := oc.oidcService.CreateClient(c.Request.Context(), input, c.GetString("userID"))
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	var clientDto dto.OidcClientDto
+	var clientDto dto.OidcClientWithAllowedUserGroupsDto
 	if err := dto.MapStruct(client, &clientDto); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusCreated, clientDto)
 }

+// deleteClientHandler godoc
+// @Summary Delete OIDC client
+// @Description Delete an OIDC client by ID
+// @Tags OIDC
+// @Param id path string true "Client ID"
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/oidc/clients/{id} [delete]
 func (oc *OidcController) deleteClientHandler(c *gin.Context) {
-	err := oc.oidcService.DeleteClient(c.Param("id"))
+	err := oc.oidcService.DeleteClient(c.Request.Context(), c.Param("id"))
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	c.Status(http.StatusNoContent)
 }

+// updateClientHandler godoc
+// @Summary Update OIDC client
+// @Description Update an existing OIDC client
+// @Tags OIDC
+// @Accept json
+// @Produce json
+// @Param id path string true "Client ID"
+// @Param client body dto.OidcClientCreateDto true "Client information"
+// @Success 200 {object} dto.OidcClientWithAllowedUserGroupsDto "Updated client"
+// @Security BearerAuth
+// @Router /api/oidc/clients/{id} [put]
 func (oc *OidcController) updateClientHandler(c *gin.Context) {
 	var input dto.OidcClientCreateDto
 	if err := c.ShouldBindJSON(&input); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	client, err := oc.oidcService.UpdateClient(c.Param("id"), input)
+	client, err := oc.oidcService.UpdateClient(c.Request.Context(), c.Param("id"), input)
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	var clientDto dto.OidcClientDto
+	var clientDto dto.OidcClientWithAllowedUserGroupsDto
 	if err := dto.MapStruct(client, &clientDto); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusOK, clientDto)
 }

+// createClientSecretHandler godoc
+// @Summary Create client secret
+// @Description Generate a new secret for an OIDC client
+// @Tags OIDC
+// @Produce json
+// @Param id path string true "Client ID"
+// @Success 200 {object} object "{ \"secret\": \"string\" }"
+// @Security BearerAuth
+// @Router /api/oidc/clients/{id}/secret [post]
 func (oc *OidcController) createClientSecretHandler(c *gin.Context) {
-	secret, err := oc.oidcService.CreateClientSecret(c.Param("id"))
+	secret, err := oc.oidcService.CreateClientSecret(c.Request.Context(), c.Param("id"))
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusOK, gin.H{"secret": secret})
 }

+// getClientLogoHandler godoc
+// @Summary Get client logo
+// @Description Get the logo image for an OIDC client
+// @Tags OIDC
+// @Produce image/png
+// @Produce image/jpeg
+// @Produce image/svg+xml
+// @Param id path string true "Client ID"
+// @Success 200 {file} binary "Logo image"
+// @Router /api/oidc/clients/{id}/logo [get]
 func (oc *OidcController) getClientLogoHandler(c *gin.Context) {
-	imagePath, mimeType, err := oc.oidcService.GetClientLogo(c.Param("id"))
+	imagePath, mimeType, err := oc.oidcService.GetClientLogo(c.Request.Context(), c.Param("id"))
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

@@ -253,28 +540,136 @@ func (oc *OidcController) getClientLogoHandler(c *gin.Context) {
 	c.File(imagePath)
 }

+// updateClientLogoHandler godoc
+// @Summary Update client logo
+// @Description Upload or update the logo for an OIDC client
+// @Tags OIDC
+// @Accept multipart/form-data
+// @Param id path string true "Client ID"
+// @Param file formData file true "Logo image file (PNG, JPG, or SVG, max 2MB)"
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/oidc/clients/{id}/logo [post]
 func (oc *OidcController) updateClientLogoHandler(c *gin.Context) {
 	file, err := c.FormFile("file")
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	err = oc.oidcService.UpdateClientLogo(c.Param("id"), file)
+	err = oc.oidcService.UpdateClientLogo(c.Request.Context(), c.Param("id"), file)
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	c.Status(http.StatusNoContent)
 }

+// deleteClientLogoHandler godoc
+// @Summary Delete client logo
+// @Description Delete the logo for an OIDC client
+// @Tags OIDC
+// @Param id path string true "Client ID"
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/oidc/clients/{id}/logo [delete]
 func (oc *OidcController) deleteClientLogoHandler(c *gin.Context) {
-	err := oc.oidcService.DeleteClientLogo(c.Param("id"))
+	err := oc.oidcService.DeleteClientLogo(c.Request.Context(), c.Param("id"))
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	c.Status(http.StatusNoContent)
 }
+
+// updateAllowedUserGroupsHandler godoc
+// @Summary Update allowed user groups
+// @Description Update the user groups allowed to access an OIDC client
+// @Tags OIDC
+// @Accept json
+// @Produce json
+// @Param id path string true "Client ID"
+// @Param groups body dto.OidcUpdateAllowedUserGroupsDto true "User group IDs"
+// @Success 200 {object} dto.OidcClientDto "Updated client"
+// @Security BearerAuth
+// @Router /api/oidc/clients/{id}/allowed-user-groups [put]
+func (oc *OidcController) updateAllowedUserGroupsHandler(c *gin.Context) {
+	var input dto.OidcUpdateAllowedUserGroupsDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	oidcClient, err := oc.oidcService.UpdateAllowedUserGroups(c.Request.Context(), c.Param("id"), input)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var oidcClientDto dto.OidcClientDto
+	if err := dto.MapStruct(oidcClient, &oidcClientDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, oidcClientDto)
+}
+
+func (oc *OidcController) deviceAuthorizationHandler(c *gin.Context) {
+	var input dto.OidcDeviceAuthorizationRequestDto
+	if err := c.ShouldBind(&input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	// Client id and secret can also be passed over the Authorization header
+	if input.ClientID == "" && input.ClientSecret == "" {
+		input.ClientID, input.ClientSecret, _ = c.Request.BasicAuth()
+	}
+
+	response, err := oc.oidcService.CreateDeviceAuthorization(c.Request.Context(), input)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, response)
+}
+
+func (oc *OidcController) verifyDeviceCodeHandler(c *gin.Context) {
+	userCode := c.Query("code")
+	if userCode == "" {
+		_ = c.Error(&common.ValidationError{Message: "code is required"})
+		return
+	}
+
+	// Get IP address and user agent from the request context
+	ipAddress := c.ClientIP()
+	userAgent := c.Request.UserAgent()
+
+	err := oc.oidcService.VerifyDeviceCode(c.Request.Context(), userCode, c.GetString("userID"), ipAddress, userAgent)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+func (oc *OidcController) getDeviceCodeInfoHandler(c *gin.Context) {
+	userCode := c.Query("code")
+	if userCode == "" {
+		_ = c.Error(&common.ValidationError{Message: "code is required"})
+		return
+	}
+
+	deviceCodeInfo, err := oc.oidcService.GetDeviceCodeInfo(c.Request.Context(), userCode, c.GetString("userID"))
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, deviceCodeInfo)
+}
--- a/backend/internal/controller/user_controller.go
+++ b/backend/internal/controller/user_controller.go
@@ -4,33 +4,52 @@ import (
 	"net/http"
 	"time"

+	"github.com/pocket-id/pocket-id/backend/internal/utils/cookie"
+
 	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"golang.org/x/time/rate"
 )

-func NewUserController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, rateLimitMiddleware *middleware.RateLimitMiddleware, userService *service.UserService, appConfigService *service.AppConfigService) {
+// NewUserController creates a new controller for user management endpoints
+// @Summary User management controller
+// @Description Initializes all user-related API endpoints
+// @Tags Users
+func NewUserController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, rateLimitMiddleware *middleware.RateLimitMiddleware, userService *service.UserService, appConfigService *service.AppConfigService) {
 	uc := UserController{
 		userService:      userService,
 		appConfigService: appConfigService,
 	}

-	group.GET("/users", jwtAuthMiddleware.Add(true), uc.listUsersHandler)
-	group.GET("/users/me", jwtAuthMiddleware.Add(false), uc.getCurrentUserHandler)
-	group.GET("/users/:id", jwtAuthMiddleware.Add(true), uc.getUserHandler)
-	group.POST("/users", jwtAuthMiddleware.Add(true), uc.createUserHandler)
-	group.PUT("/users/:id", jwtAuthMiddleware.Add(true), uc.updateUserHandler)
-	group.PUT("/users/me", jwtAuthMiddleware.Add(false), uc.updateCurrentUserHandler)
-	group.DELETE("/users/:id", jwtAuthMiddleware.Add(true), uc.deleteUserHandler)
+	group.GET("/users", authMiddleware.Add(), uc.listUsersHandler)
+	group.GET("/users/me", authMiddleware.WithAdminNotRequired().Add(), uc.getCurrentUserHandler)
+	group.GET("/users/:id", authMiddleware.Add(), uc.getUserHandler)
+	group.POST("/users", authMiddleware.Add(), uc.createUserHandler)
+	group.PUT("/users/:id", authMiddleware.Add(), uc.updateUserHandler)
+	group.GET("/users/:id/groups", authMiddleware.Add(), uc.getUserGroupsHandler)
+	group.PUT("/users/me", authMiddleware.WithAdminNotRequired().Add(), uc.updateCurrentUserHandler)
+	group.DELETE("/users/:id", authMiddleware.Add(), uc.deleteUserHandler)

-	group.POST("/users/:id/one-time-access-token", jwtAuthMiddleware.Add(true), uc.createOneTimeAccessTokenHandler)
+	group.PUT("/users/:id/user-groups", authMiddleware.Add(), uc.updateUserGroups)
+
+	group.GET("/users/:id/profile-picture.png", uc.getUserProfilePictureHandler)
+
+	group.PUT("/users/:id/profile-picture", authMiddleware.Add(), uc.updateUserProfilePictureHandler)
+	group.PUT("/users/me/profile-picture", authMiddleware.WithAdminNotRequired().Add(), uc.updateCurrentUserProfilePictureHandler)
+
+	group.POST("/users/me/one-time-access-token", authMiddleware.WithAdminNotRequired().Add(), uc.createOwnOneTimeAccessTokenHandler)
+	group.POST("/users/:id/one-time-access-token", authMiddleware.Add(), uc.createAdminOneTimeAccessTokenHandler)
+	group.POST("/users/:id/one-time-access-email", authMiddleware.Add(), uc.RequestOneTimeAccessEmailAsAdminHandler)
 	group.POST("/one-time-access-token/:token", rateLimitMiddleware.Add(rate.Every(10*time.Second), 5), uc.exchangeOneTimeAccessTokenHandler)
 	group.POST("/one-time-access-token/setup", uc.getSetupAccessTokenHandler)
-	group.POST("/one-time-access-email", rateLimitMiddleware.Add(rate.Every(10*time.Minute), 3), uc.requestOneTimeAccessEmailHandler)
+	group.POST("/one-time-access-email", rateLimitMiddleware.Add(rate.Every(10*time.Minute), 3), uc.RequestOneTimeAccessEmailAsUnauthenticatedUserHandler)
+
+	group.DELETE("/users/:id/profile-picture", authMiddleware.Add(), uc.resetUserProfilePictureHandler)
+	group.DELETE("/users/me/profile-picture", authMiddleware.WithAdminNotRequired().Add(), uc.resetCurrentUserProfilePictureHandler)
 }

 type UserController struct {
@@ -38,177 +57,457 @@ type UserController struct {
 	appConfigService *service.AppConfigService
 }

+// getUserGroupsHandler godoc
+// @Summary Get user groups
+// @Description Retrieve all groups a specific user belongs to
+// @Tags Users,User Groups
+// @Param id path string true "User ID"
+// @Success 200 {array} dto.UserGroupDtoWithUsers
+// @Router /api/users/{id}/groups [get]
+func (uc *UserController) getUserGroupsHandler(c *gin.Context) {
+	userID := c.Param("id")
+	groups, err := uc.userService.GetUserGroups(c.Request.Context(), userID)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var groupsDto []dto.UserGroupDtoWithUsers
+	if err := dto.MapStructList(groups, &groupsDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, groupsDto)
+}
+
+// listUsersHandler godoc
+// @Summary List users
+// @Description Get a paginated list of users with optional search and sorting
+// @Tags Users
+// @Param search query string false "Search term to filter users"
+// @Param page query int false "Page number, starting from 1" default(1)
+// @Param limit query int false "Number of items per page" default(10)
+// @Param sort_column query string false "Column to sort by" default("created_at")
+// @Param sort_direction query string false "Sort direction (asc or desc)" default("desc")
+// @Success 200 {object} dto.Paginated[dto.UserDto]
+// @Router /api/users [get]
 func (uc *UserController) listUsersHandler(c *gin.Context) {
 	searchTerm := c.Query("search")
 	var sortedPaginationRequest utils.SortedPaginationRequest
 	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	users, pagination, err := uc.userService.ListUsers(searchTerm, sortedPaginationRequest)
+	users, pagination, err := uc.userService.ListUsers(c.Request.Context(), searchTerm, sortedPaginationRequest)
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	var usersDto []dto.UserDto
 	if err := dto.MapStructList(users, &usersDto); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	c.JSON(http.StatusOK, gin.H{
-		"data":       usersDto,
-		"pagination": pagination,
+	c.JSON(http.StatusOK, dto.Paginated[dto.UserDto]{
+		Data:       usersDto,
+		Pagination: pagination,
 	})
 }

+// getUserHandler godoc
+// @Summary Get user by ID
+// @Description Retrieve detailed information about a specific user
+// @Tags Users
+// @Param id path string true "User ID"
+// @Success 200 {object} dto.UserDto
+// @Router /api/users/{id} [get]
 func (uc *UserController) getUserHandler(c *gin.Context) {
-	user, err := uc.userService.GetUser(c.Param("id"))
+	user, err := uc.userService.GetUser(c.Request.Context(), c.Param("id"))
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	var userDto dto.UserDto
 	if err := dto.MapStruct(user, &userDto); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusOK, userDto)
 }

+// getCurrentUserHandler godoc
+// @Summary Get current user
+// @Description Retrieve information about the currently authenticated user
+// @Tags Users
+// @Success 200 {object} dto.UserDto
+// @Router /api/users/me [get]
 func (uc *UserController) getCurrentUserHandler(c *gin.Context) {
-	user, err := uc.userService.GetUser(c.GetString("userID"))
+	user, err := uc.userService.GetUser(c.Request.Context(), c.GetString("userID"))
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	var userDto dto.UserDto
 	if err := dto.MapStruct(user, &userDto); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusOK, userDto)
 }

+// deleteUserHandler godoc
+// @Summary Delete user
+// @Description Delete a specific user by ID
+// @Tags Users
+// @Param id path string true "User ID"
+// @Success 204 "No Content"
+// @Router /api/users/{id} [delete]
 func (uc *UserController) deleteUserHandler(c *gin.Context) {
-	if err := uc.userService.DeleteUser(c.Param("id")); err != nil {
-		c.Error(err)
+	if err := uc.userService.DeleteUser(c.Request.Context(), c.Param("id"), false); err != nil {
+		_ = c.Error(err)
 		return
 	}

 	c.Status(http.StatusNoContent)
 }

+// createUserHandler godoc
+// @Summary Create user
+// @Description Create a new user
+// @Tags Users
+// @Param user body dto.UserCreateDto true "User information"
+// @Success 201 {object} dto.UserDto
+// @Router /api/users [post]
 func (uc *UserController) createUserHandler(c *gin.Context) {
 	var input dto.UserCreateDto
 	if err := c.ShouldBindJSON(&input); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	user, err := uc.userService.CreateUser(input)
+	user, err := uc.userService.CreateUser(c.Request.Context(), input)
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	var userDto dto.UserDto
 	if err := dto.MapStruct(user, &userDto); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusCreated, userDto)
 }

+// updateUserHandler godoc
+// @Summary Update user
+// @Description Update an existing user by ID
+// @Tags Users
+// @Param id path string true "User ID"
+// @Param user body dto.UserCreateDto true "User information"
+// @Success 200 {object} dto.UserDto
+// @Router /api/users/{id} [put]
 func (uc *UserController) updateUserHandler(c *gin.Context) {
 	uc.updateUser(c, false)
 }

+// updateCurrentUserHandler godoc
+// @Summary Update current user
+// @Description Update the currently authenticated user's information
+// @Tags Users
+// @Param user body dto.UserCreateDto true "User information"
+// @Success 200 {object} dto.UserDto
+// @Router /api/users/me [put]
 func (uc *UserController) updateCurrentUserHandler(c *gin.Context) {
-	if uc.appConfigService.DbConfig.AllowOwnAccountEdit.Value != "true" {
-		c.Error(&common.AccountEditNotAllowedError{})
+	if !uc.appConfigService.GetDbConfig().AllowOwnAccountEdit.IsTrue() {
+		_ = c.Error(&common.AccountEditNotAllowedError{})
 		return
 	}
 	uc.updateUser(c, true)
 }

-func (uc *UserController) createOneTimeAccessTokenHandler(c *gin.Context) {
-	var input dto.OneTimeAccessTokenCreateDto
-	if err := c.ShouldBindJSON(&input); err != nil {
-		c.Error(err)
-		return
-	}
+// getUserProfilePictureHandler godoc
+// @Summary Get user profile picture
+// @Description Retrieve a specific user's profile picture
+// @Tags Users
+// @Produce image/png
+// @Param id path string true "User ID"
+// @Success 200 {file} binary "PNG image"
+// @Router /api/users/{id}/profile-picture.png [get]
+func (uc *UserController) getUserProfilePictureHandler(c *gin.Context) {
+	userID := c.Param("id")

-	token, err := uc.userService.CreateOneTimeAccessToken(input.UserID, input.ExpiresAt)
+	picture, size, err := uc.userService.GetProfilePicture(c.Request.Context(), userID)
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}
+	if picture != nil {
+		defer picture.Close()
+	}

-	c.JSON(http.StatusCreated, gin.H{"token": token})
+	_, ok := c.GetQuery("skipCache")
+	if !ok {
+		c.Header("Cache-Control", "public, max-age=900")
+	}
+
+	c.DataFromReader(http.StatusOK, size, "image/png", picture, nil)
 }

-func (uc *UserController) requestOneTimeAccessEmailHandler(c *gin.Context) {
-	var input dto.OneTimeAccessEmailDto
-	if err := c.ShouldBindJSON(&input); err != nil {
-		c.Error(err)
+// updateUserProfilePictureHandler godoc
+// @Summary Update user profile picture
+// @Description Update a specific user's profile picture
+// @Tags Users
+// @Accept multipart/form-data
+// @Produce json
+// @Param id path string true "User ID"
+// @Param file formData file true "Profile picture image file (PNG, JPG, or JPEG)"
+// @Success 204 "No Content"
+// @Router /api/users/{id}/profile-picture [put]
+func (uc *UserController) updateUserProfilePictureHandler(c *gin.Context) {
+	userID := c.Param("id")
+	fileHeader, err := c.FormFile("file")
+	if err != nil {
+		_ = c.Error(err)
 		return
 	}
-
-	err := uc.userService.RequestOneTimeAccessEmail(input.Email, input.RedirectPath)
+	file, err := fileHeader.Open()
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
+		return
+	}
+	defer file.Close()
+
+	if err := uc.userService.UpdateProfilePicture(userID, file); err != nil {
+		_ = c.Error(err)
 		return
 	}

 	c.Status(http.StatusNoContent)
 }

+// updateCurrentUserProfilePictureHandler godoc
+// @Summary Update current user's profile picture
+// @Description Update the currently authenticated user's profile picture
+// @Tags Users
+// @Accept multipart/form-data
+// @Produce json
+// @Param file formData file true "Profile picture image file (PNG, JPG, or JPEG)"
+// @Success 204 "No Content"
+// @Router /api/users/me/profile-picture [put]
+func (uc *UserController) updateCurrentUserProfilePictureHandler(c *gin.Context) {
+	userID := c.GetString("userID")
+	fileHeader, err := c.FormFile("file")
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+	file, err := fileHeader.Open()
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+	defer file.Close()
+
+	if err := uc.userService.UpdateProfilePicture(userID, file); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+func (uc *UserController) createOneTimeAccessTokenHandler(c *gin.Context, own bool) {
+	var input dto.OneTimeAccessTokenCreateDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	if own {
+		input.UserID = c.GetString("userID")
+	}
+	token, err := uc.userService.CreateOneTimeAccessToken(c.Request.Context(), input.UserID, input.ExpiresAt)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusCreated, gin.H{"token": token})
+}
+
+// createOwnOneTimeAccessTokenHandler godoc
+// @Summary Create one-time access token for current user
+// @Description Generate a one-time access token for the currently authenticated user
+// @Tags Users
+// @Param id path string true "User ID"
+// @Param body body dto.OneTimeAccessTokenCreateDto true "Token options"
+// @Success 201 {object} object "{ \"token\": \"string\" }"
+// @Router /api/users/{id}/one-time-access-token [post]
+func (uc *UserController) createOwnOneTimeAccessTokenHandler(c *gin.Context) {
+	uc.createOneTimeAccessTokenHandler(c, true)
+}
+
+// createAdminOneTimeAccessTokenHandler godoc
+// @Summary Create one-time access token for user (admin)
+// @Description Generate a one-time access token for a specific user (admin only)
+// @Tags Users
+// @Param id path string true "User ID"
+// @Param body body dto.OneTimeAccessTokenCreateDto true "Token options"
+// @Success 201 {object} object "{ \"token\": \"string\" }"
+// @Router /api/users/{id}/one-time-access-token [post]
+func (uc *UserController) createAdminOneTimeAccessTokenHandler(c *gin.Context) {
+	uc.createOneTimeAccessTokenHandler(c, false)
+}
+
+// RequestOneTimeAccessEmailAsUnauthenticatedUserHandler godoc
+// @Summary Request one-time access email
+// @Description Request a one-time access email for unauthenticated users
+// @Tags Users
+// @Accept json
+// @Produce json
+// @Param body body dto.OneTimeAccessEmailAsUnauthenticatedUserDto true "Email request information"
+// @Success 204 "No Content"
+// @Router /api/one-time-access-email [post]
+func (uc *UserController) RequestOneTimeAccessEmailAsUnauthenticatedUserHandler(c *gin.Context) {
+	var input dto.OneTimeAccessEmailAsUnauthenticatedUserDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	err := uc.userService.RequestOneTimeAccessEmailAsUnauthenticatedUser(c.Request.Context(), input.Email, input.RedirectPath)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+// RequestOneTimeAccessEmailAsAdminHandler godoc
+// @Summary Request one-time access email (admin)
+// @Description Request a one-time access email for a specific user (admin only)
+// @Tags Users
+// @Accept json
+// @Produce json
+// @Param id path string true "User ID"
+// @Param body body dto.OneTimeAccessEmailAsAdminDto true "Email request options"
+// @Success 204 "No Content"
+// @Router /api/users/{id}/one-time-access-email [post]
+func (uc *UserController) RequestOneTimeAccessEmailAsAdminHandler(c *gin.Context) {
+	var input dto.OneTimeAccessEmailAsAdminDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	userID := c.Param("id")
+
+	err := uc.userService.RequestOneTimeAccessEmailAsAdmin(c.Request.Context(), userID, input.ExpiresAt)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+// exchangeOneTimeAccessTokenHandler godoc
+// @Summary Exchange one-time access token
+// @Description Exchange a one-time access token for a session token
+// @Tags Users
+// @Param token path string true "One-time access token"
+// @Success 200 {object} dto.UserDto
+// @Router /api/one-time-access-token/{token} [post]
 func (uc *UserController) exchangeOneTimeAccessTokenHandler(c *gin.Context) {
-	user, token, err := uc.userService.ExchangeOneTimeAccessToken(c.Param("token"), c.ClientIP(), c.Request.UserAgent())
+	user, token, err := uc.userService.ExchangeOneTimeAccessToken(c.Request.Context(), c.Param("token"), c.ClientIP(), c.Request.UserAgent())
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	var userDto dto.UserDto
 	if err := dto.MapStruct(user, &userDto); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	utils.AddAccessTokenCookie(c, uc.appConfigService.DbConfig.SessionDuration.Value, token)
+	maxAge := int(uc.appConfigService.GetDbConfig().SessionDuration.AsDurationMinutes().Seconds())
+	cookie.AddAccessTokenCookie(c, maxAge, token)
+
 	c.JSON(http.StatusOK, userDto)
 }

+// getSetupAccessTokenHandler godoc
+// @Summary Setup initial admin
+// @Description Generate setup access token for initial admin user configuration
+// @Tags Users
+// @Success 200 {object} dto.UserDto
+// @Router /api/one-time-access-token/setup [post]
 func (uc *UserController) getSetupAccessTokenHandler(c *gin.Context) {
-	user, token, err := uc.userService.SetupInitialAdmin()
+	user, token, err := uc.userService.SetupInitialAdmin(c.Request.Context())
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	var userDto dto.UserDto
 	if err := dto.MapStruct(user, &userDto); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	utils.AddAccessTokenCookie(c, uc.appConfigService.DbConfig.SessionDuration.Value, token)
+	maxAge := int(uc.appConfigService.GetDbConfig().SessionDuration.AsDurationMinutes().Seconds())
+	cookie.AddAccessTokenCookie(c, maxAge, token)
+
 	c.JSON(http.StatusOK, userDto)
 }

+// updateUserGroups godoc
+// @Summary Update user groups
+// @Description Update the groups a specific user belongs to
+// @Tags Users
+// @Param id path string true "User ID"
+// @Param groups body dto.UserUpdateUserGroupDto true "User group IDs"
+// @Success 200 {object} dto.UserDto
+// @Router /api/users/{id}/user-groups [put]
+func (uc *UserController) updateUserGroups(c *gin.Context) {
+	var input dto.UserUpdateUserGroupDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	user, err := uc.userService.UpdateUserGroups(c.Request.Context(), c.Param("id"), input.UserGroupIds)
+	if err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	var userDto dto.UserDto
+	if err := dto.MapStruct(user, &userDto); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.JSON(http.StatusOK, userDto)
+}
+
+// updateUser is an internal helper method, not exposed as an API endpoint
 func (uc *UserController) updateUser(c *gin.Context, updateOwnUser bool) {
 	var input dto.UserCreateDto
 	if err := c.ShouldBindJSON(&input); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

@@ -219,17 +518,54 @@ func (uc *UserController) updateUser(c *gin.Context, updateOwnUser bool) {
 		userID = c.Param("id")
 	}

-	user, err := uc.userService.UpdateUser(userID, input, updateOwnUser, false)
+	user, err := uc.userService.UpdateUser(c.Request.Context(), userID, input, updateOwnUser, false)
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	var userDto dto.UserDto
 	if err := dto.MapStruct(user, &userDto); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusOK, userDto)
 }
+
+// resetUserProfilePictureHandler godoc
+// @Summary Reset user profile picture
+// @Description Reset a specific user's profile picture to the default
+// @Tags Users
+// @Produce json
+// @Param id path string true "User ID"
+// @Success 204 "No Content"
+// @Router /api/users/{id}/profile-picture [delete]
+func (uc *UserController) resetUserProfilePictureHandler(c *gin.Context) {
+	userID := c.Param("id")
+
+	if err := uc.userService.ResetProfilePicture(userID); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+// resetCurrentUserProfilePictureHandler godoc
+// @Summary Reset current user's profile picture
+// @Description Reset the currently authenticated user's profile picture to the default
+// @Tags Users
+// @Produce json
+// @Success 204 "No Content"
+// @Router /api/users/me/profile-picture [delete]
+func (uc *UserController) resetCurrentUserProfilePictureHandler(c *gin.Context) {
+	userID := c.GetString("userID")
+
+	if err := uc.userService.ResetProfilePicture(userID); err != nil {
+		_ = c.Error(err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
--- a/backend/internal/controller/user_group_controller.go
+++ b/backend/internal/controller/user_group_controller.go
@@ -1,152 +1,226 @@
 package controller

 import (
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/service"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )

-func NewUserGroupController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, userGroupService *service.UserGroupService) {
+// NewUserGroupController creates a new controller for user group management
+// @Summary User group management controller
+// @Description Initializes all user group-related API endpoints
+// @Tags User Groups
+func NewUserGroupController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, userGroupService *service.UserGroupService) {
 	ugc := UserGroupController{
 		UserGroupService: userGroupService,
 	}

-	group.GET("/user-groups", jwtAuthMiddleware.Add(true), ugc.list)
-	group.GET("/user-groups/:id", jwtAuthMiddleware.Add(true), ugc.get)
-	group.POST("/user-groups", jwtAuthMiddleware.Add(true), ugc.create)
-	group.PUT("/user-groups/:id", jwtAuthMiddleware.Add(true), ugc.update)
-	group.DELETE("/user-groups/:id", jwtAuthMiddleware.Add(true), ugc.delete)
-	group.PUT("/user-groups/:id/users", jwtAuthMiddleware.Add(true), ugc.updateUsers)
+	userGroupsGroup := group.Group("/user-groups")
+	userGroupsGroup.Use(authMiddleware.Add())
+	{
+		userGroupsGroup.GET("", ugc.list)
+		userGroupsGroup.GET("/:id", ugc.get)
+		userGroupsGroup.POST("", ugc.create)
+		userGroupsGroup.PUT("/:id", ugc.update)
+		userGroupsGroup.DELETE("/:id", ugc.delete)
+		userGroupsGroup.PUT("/:id/users", ugc.updateUsers)
+	}
 }

 type UserGroupController struct {
 	UserGroupService *service.UserGroupService
 }

+// list godoc
+// @Summary List user groups
+// @Description Get a paginated list of user groups with optional search and sorting
+// @Tags User Groups
+// @Param search query string false "Search term to filter user groups by name"
+// @Param page query int false "Page number, starting from 1" default(1)
+// @Param limit query int false "Number of items per page" default(10)
+// @Param sort_column query string false "Column to sort by" default("name")
+// @Param sort_direction query string false "Sort direction (asc or desc)" default("asc")
+// @Success 200 {object} dto.Paginated[dto.UserGroupDtoWithUserCount]
+// @Router /api/user-groups [get]
 func (ugc *UserGroupController) list(c *gin.Context) {
+	ctx := c.Request.Context()
+
 	searchTerm := c.Query("search")
 	var sortedPaginationRequest utils.SortedPaginationRequest
 	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	groups, pagination, err := ugc.UserGroupService.List(searchTerm, sortedPaginationRequest)
+	groups, pagination, err := ugc.UserGroupService.List(ctx, searchTerm, sortedPaginationRequest)
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	// Map the user groups to DTOs. The user count can't be mapped directly, so we have to do it manually.
+	// Map the user groups to DTOs
 	var groupsDto = make([]dto.UserGroupDtoWithUserCount, len(groups))
 	for i, group := range groups {
 		var groupDto dto.UserGroupDtoWithUserCount
 		if err := dto.MapStruct(group, &groupDto); err != nil {
-			c.Error(err)
+			_ = c.Error(err)
 			return
 		}
-		groupDto.UserCount, err = ugc.UserGroupService.GetUserCountOfGroup(group.ID)
+		groupDto.UserCount, err = ugc.UserGroupService.GetUserCountOfGroup(ctx, group.ID)
 		if err != nil {
-			c.Error(err)
+			_ = c.Error(err)
 			return
 		}
 		groupsDto[i] = groupDto
 	}

-	c.JSON(http.StatusOK, gin.H{
-		"data":       groupsDto,
-		"pagination": pagination,
+	c.JSON(http.StatusOK, dto.Paginated[dto.UserGroupDtoWithUserCount]{
+		Data:       groupsDto,
+		Pagination: pagination,
 	})
 }

+// get godoc
+// @Summary Get user group by ID
+// @Description Retrieve detailed information about a specific user group including its users
+// @Tags User Groups
+// @Accept json
+// @Produce json
+// @Param id path string true "User Group ID"
+// @Success 200 {object} dto.UserGroupDtoWithUsers
+// @Security BearerAuth
+// @Router /api/user-groups/{id} [get]
 func (ugc *UserGroupController) get(c *gin.Context) {
-	group, err := ugc.UserGroupService.Get(c.Param("id"))
+	group, err := ugc.UserGroupService.Get(c.Request.Context(), c.Param("id"))
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	var groupDto dto.UserGroupDtoWithUsers
 	if err := dto.MapStruct(group, &groupDto); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusOK, groupDto)
 }

+// create godoc
+// @Summary Create user group
+// @Description Create a new user group
+// @Tags User Groups
+// @Accept json
+// @Produce json
+// @Param userGroup body dto.UserGroupCreateDto true "User group information"
+// @Success 201 {object} dto.UserGroupDtoWithUsers "Created user group"
+// @Security BearerAuth
+// @Router /api/user-groups [post]
 func (ugc *UserGroupController) create(c *gin.Context) {
 	var input dto.UserGroupCreateDto
 	if err := c.ShouldBindJSON(&input); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	group, err := ugc.UserGroupService.Create(input)
+	group, err := ugc.UserGroupService.Create(c.Request.Context(), input)
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	var groupDto dto.UserGroupDtoWithUsers
 	if err := dto.MapStruct(group, &groupDto); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusCreated, groupDto)
 }

+// update godoc
+// @Summary Update user group
+// @Description Update an existing user group by ID
+// @Tags User Groups
+// @Accept json
+// @Produce json
+// @Param id path string true "User Group ID"
+// @Param userGroup body dto.UserGroupCreateDto true "User group information"
+// @Success 200 {object} dto.UserGroupDtoWithUsers "Updated user group"
+// @Security BearerAuth
+// @Router /api/user-groups/{id} [put]
 func (ugc *UserGroupController) update(c *gin.Context) {
 	var input dto.UserGroupCreateDto
 	if err := c.ShouldBindJSON(&input); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	group, err := ugc.UserGroupService.Update(c.Param("id"), input, false)
+	group, err := ugc.UserGroupService.Update(c.Request.Context(), c.Param("id"), input)
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	var groupDto dto.UserGroupDtoWithUsers
 	if err := dto.MapStruct(group, &groupDto); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	c.JSON(http.StatusOK, groupDto)
 }

+// delete godoc
+// @Summary Delete user group
+// @Description Delete a specific user group by ID
+// @Tags User Groups
+// @Accept json
+// @Produce json
+// @Param id path string true "User Group ID"
+// @Success 204 "No Content"
+// @Security BearerAuth
+// @Router /api/user-groups/{id} [delete]
 func (ugc *UserGroupController) delete(c *gin.Context) {
-	if err := ugc.UserGroupService.Delete(c.Param("id")); err != nil {
-		c.Error(err)
+	if err := ugc.UserGroupService.Delete(c.Request.Context(), c.Param("id")); err != nil {
+		_ = c.Error(err)
 		return
 	}

 	c.Status(http.StatusNoContent)
 }

+// updateUsers godoc
+// @Summary Update users in a group
+// @Description Update the list of users belonging to a specific user group
+// @Tags User Groups
+// @Accept json
+// @Produce json
+// @Param id path string true "User Group ID"
+// @Param users body dto.UserGroupUpdateUsersDto true "List of user IDs to assign to this group"
+// @Success 200 {object} dto.UserGroupDtoWithUsers
+// @Security BearerAuth
+// @Router /api/user-groups/{id}/users [put]
 func (ugc *UserGroupController) updateUsers(c *gin.Context) {
 	var input dto.UserGroupUpdateUsersDto
 	if err := c.ShouldBindJSON(&input); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	group, err := ugc.UserGroupService.UpdateUsers(c.Param("id"), input)
+	group, err := ugc.UserGroupService.UpdateUsers(c.Request.Context(), c.Param("id"), input.UserIDs)
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	var groupDto dto.UserGroupDtoWithUsers
 	if err := dto.MapStruct(group, &groupDto); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

--- a/backend/internal/controller/webauthn_controller.go
+++ b/backend/internal/controller/webauthn_controller.go
@@ -1,32 +1,33 @@
 package controller

 import (
-	"github.com/go-webauthn/webauthn/protocol"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/middleware"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"net/http"
 	"time"

+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/middleware"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/cookie"
+
 	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 	"golang.org/x/time/rate"
 )

-func NewWebauthnController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, rateLimitMiddleware *middleware.RateLimitMiddleware, webauthnService *service.WebAuthnService, appConfigService *service.AppConfigService) {
+func NewWebauthnController(group *gin.RouterGroup, authMiddleware *middleware.AuthMiddleware, rateLimitMiddleware *middleware.RateLimitMiddleware, webauthnService *service.WebAuthnService, appConfigService *service.AppConfigService) {
 	wc := &WebauthnController{webAuthnService: webauthnService, appConfigService: appConfigService}
-	group.GET("/webauthn/register/start", jwtAuthMiddleware.Add(false), wc.beginRegistrationHandler)
-	group.POST("/webauthn/register/finish", jwtAuthMiddleware.Add(false), wc.verifyRegistrationHandler)
+	group.GET("/webauthn/register/start", authMiddleware.WithAdminNotRequired().Add(), wc.beginRegistrationHandler)
+	group.POST("/webauthn/register/finish", authMiddleware.WithAdminNotRequired().Add(), wc.verifyRegistrationHandler)

 	group.GET("/webauthn/login/start", wc.beginLoginHandler)
 	group.POST("/webauthn/login/finish", rateLimitMiddleware.Add(rate.Every(10*time.Second), 5), wc.verifyLoginHandler)

-	group.POST("/webauthn/logout", jwtAuthMiddleware.Add(false), wc.logoutHandler)
+	group.POST("/webauthn/logout", authMiddleware.WithAdminNotRequired().Add(), wc.logoutHandler)

-	group.GET("/webauthn/credentials", jwtAuthMiddleware.Add(false), wc.listCredentialsHandler)
-	group.PATCH("/webauthn/credentials/:id", jwtAuthMiddleware.Add(false), wc.updateCredentialHandler)
-	group.DELETE("/webauthn/credentials/:id", jwtAuthMiddleware.Add(false), wc.deleteCredentialHandler)
+	group.GET("/webauthn/credentials", authMiddleware.WithAdminNotRequired().Add(), wc.listCredentialsHandler)
+	group.PATCH("/webauthn/credentials/:id", authMiddleware.WithAdminNotRequired().Add(), wc.updateCredentialHandler)
+	group.DELETE("/webauthn/credentials/:id", authMiddleware.WithAdminNotRequired().Add(), wc.deleteCredentialHandler)
 }

 type WebauthnController struct {
@@ -36,33 +37,33 @@ type WebauthnController struct {

 func (wc *WebauthnController) beginRegistrationHandler(c *gin.Context) {
 	userID := c.GetString("userID")
-	options, err := wc.webAuthnService.BeginRegistration(userID)
+	options, err := wc.webAuthnService.BeginRegistration(c.Request.Context(), userID)
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	c.SetCookie("session_id", options.SessionID, int(options.Timeout.Seconds()), "/", "", true, true)
+	cookie.AddSessionIdCookie(c, int(options.Timeout.Seconds()), options.SessionID)
 	c.JSON(http.StatusOK, options.Response)
 }

 func (wc *WebauthnController) verifyRegistrationHandler(c *gin.Context) {
-	sessionID, err := c.Cookie("session_id")
+	sessionID, err := c.Cookie(cookie.SessionIdCookieName)
 	if err != nil {
-		c.Error(&common.MissingSessionIdError{})
+		_ = c.Error(&common.MissingSessionIdError{})
 		return
 	}

 	userID := c.GetString("userID")
-	credential, err := wc.webAuthnService.VerifyRegistration(sessionID, userID, c.Request)
+	credential, err := wc.webAuthnService.VerifyRegistration(c.Request.Context(), sessionID, userID, c.Request)
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	var credentialDto dto.WebauthnCredentialDto
 	if err := dto.MapStruct(credential, &credentialDto); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

@@ -70,56 +71,58 @@ func (wc *WebauthnController) verifyRegistrationHandler(c *gin.Context) {
 }

 func (wc *WebauthnController) beginLoginHandler(c *gin.Context) {
-	options, err := wc.webAuthnService.BeginLogin()
+	options, err := wc.webAuthnService.BeginLogin(c.Request.Context())
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	c.SetCookie("session_id", options.SessionID, int(options.Timeout.Seconds()), "/", "", true, true)
+	cookie.AddSessionIdCookie(c, int(options.Timeout.Seconds()), options.SessionID)
 	c.JSON(http.StatusOK, options.Response)
 }

 func (wc *WebauthnController) verifyLoginHandler(c *gin.Context) {
-	sessionID, err := c.Cookie("session_id")
+	sessionID, err := c.Cookie(cookie.SessionIdCookieName)
 	if err != nil {
-		c.Error(&common.MissingSessionIdError{})
+		_ = c.Error(&common.MissingSessionIdError{})
 		return
 	}

 	credentialAssertionData, err := protocol.ParseCredentialRequestResponseBody(c.Request.Body)
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	user, token, err := wc.webAuthnService.VerifyLogin(sessionID, credentialAssertionData, c.ClientIP(), c.Request.UserAgent())
+	user, token, err := wc.webAuthnService.VerifyLogin(c.Request.Context(), sessionID, credentialAssertionData, c.ClientIP(), c.Request.UserAgent())
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	var userDto dto.UserDto
 	if err := dto.MapStruct(user, &userDto); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	utils.AddAccessTokenCookie(c, wc.appConfigService.DbConfig.SessionDuration.Value, token)
+	maxAge := int(wc.appConfigService.GetDbConfig().SessionDuration.AsDurationMinutes().Seconds())
+	cookie.AddAccessTokenCookie(c, maxAge, token)
+
 	c.JSON(http.StatusOK, userDto)
 }

 func (wc *WebauthnController) listCredentialsHandler(c *gin.Context) {
 	userID := c.GetString("userID")
-	credentials, err := wc.webAuthnService.ListCredentials(userID)
+	credentials, err := wc.webAuthnService.ListCredentials(c.Request.Context(), userID)
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	var credentialDtos []dto.WebauthnCredentialDto
 	if err := dto.MapStructList(credentials, &credentialDtos); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

@@ -130,9 +133,9 @@ func (wc *WebauthnController) deleteCredentialHandler(c *gin.Context) {
 	userID := c.GetString("userID")
 	credentialID := c.Param("id")

-	err := wc.webAuthnService.DeleteCredential(userID, credentialID)
+	err := wc.webAuthnService.DeleteCredential(c.Request.Context(), userID, credentialID)
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

@@ -145,19 +148,19 @@ func (wc *WebauthnController) updateCredentialHandler(c *gin.Context) {

 	var input dto.WebauthnCredentialUpdateDto
 	if err := c.ShouldBindJSON(&input); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	credential, err := wc.webAuthnService.UpdateCredential(userID, credentialID, input.Name)
+	credential, err := wc.webAuthnService.UpdateCredential(c.Request.Context(), userID, credentialID, input.Name)
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

 	var credentialDto dto.WebauthnCredentialDto
 	if err := dto.MapStruct(credential, &credentialDto); err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

@@ -165,6 +168,6 @@ func (wc *WebauthnController) updateCredentialHandler(c *gin.Context) {
 }

 func (wc *WebauthnController) logoutHandler(c *gin.Context) {
-	utils.AddAccessTokenCookie(c, "0", "")
+	cookie.AddAccessTokenCookie(c, 0, "")
 	c.Status(http.StatusNoContent)
 }
--- a/backend/internal/controller/well_known_controller.go
+++ b/backend/internal/controller/well_known_controller.go
@@ -1,45 +1,88 @@
 package controller

 import (
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/service"
+	"encoding/json"
+	"fmt"
+	"log"
 	"net/http"
+
+	"github.com/gin-gonic/gin"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )

+// NewWellKnownController creates a new controller for OIDC discovery endpoints
+// @Summary OIDC Discovery controller
+// @Description Initializes OIDC discovery and JWKS endpoints
+// @Tags Well Known
 func NewWellKnownController(group *gin.RouterGroup, jwtService *service.JwtService) {
 	wkc := &WellKnownController{jwtService: jwtService}
+
+	// Pre-compute the OIDC configuration document, which is static
+	var err error
+	wkc.oidcConfig, err = wkc.computeOIDCConfiguration()
+	if err != nil {
+		log.Fatalf("Failed to pre-compute OpenID Connect configuration document: %v", err)
+	}
+
 	group.GET("/.well-known/jwks.json", wkc.jwksHandler)
 	group.GET("/.well-known/openid-configuration", wkc.openIDConfigurationHandler)
 }

 type WellKnownController struct {
 	jwtService *service.JwtService
+	oidcConfig []byte
 }

+// jwksHandler godoc
+// @Summary Get JSON Web Key Set (JWKS)
+// @Description Returns the JSON Web Key Set used for token verification
+// @Tags Well Known
+// @Produce json
+// @Success 200 {object} object "{ \"keys\": []interface{} }"
+// @Router /.well-known/jwks.json [get]
 func (wkc *WellKnownController) jwksHandler(c *gin.Context) {
-	jwk, err := wkc.jwtService.GetJWK()
+	jwks, err := wkc.jwtService.GetPublicJWKSAsJSON()
 	if err != nil {
-		c.Error(err)
+		_ = c.Error(err)
 		return
 	}

-	c.JSON(http.StatusOK, gin.H{"keys": []interface{}{jwk}})
+	c.Data(http.StatusOK, "application/json; charset=utf-8", jwks)
 }

+// openIDConfigurationHandler godoc
+// @Summary Get OpenID Connect discovery configuration
+// @Description Returns the OpenID Connect discovery document with endpoints and capabilities
+// @Tags Well Known
+// @Success 200 {object} object "OpenID Connect configuration"
+// @Router /.well-known/openid-configuration [get]
 func (wkc *WellKnownController) openIDConfigurationHandler(c *gin.Context) {
+	c.Data(http.StatusOK, "application/json; charset=utf-8", wkc.oidcConfig)
+}
+
+func (wkc *WellKnownController) computeOIDCConfiguration() ([]byte, error) {
 	appUrl := common.EnvConfig.AppURL
-	config := map[string]interface{}{
+	alg, err := wkc.jwtService.GetKeyAlg()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get key algorithm: %w", err)
+	}
+	config := map[string]any{
 		"issuer":                                appUrl,
 		"authorization_endpoint":                appUrl + "/authorize",
 		"token_endpoint":                        appUrl + "/api/oidc/token",
 		"userinfo_endpoint":                     appUrl + "/api/oidc/userinfo",
+		"end_session_endpoint":                  appUrl + "/api/oidc/end-session",
+		"introspection_endpoint":                appUrl + "/api/oidc/introspect",
+		"device_authorization_endpoint":         appUrl + "/api/oidc/device/authorize",
 		"jwks_uri":                              appUrl + "/.well-known/jwks.json",
-		"scopes_supported":                      []string{"openid", "profile", "email"},
-		"claims_supported":                      []string{"sub", "given_name", "family_name", "name", "email", "email_verified", "preferred_username"},
+		"grant_types_supported":                 []string{"authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:device_code"},
+		"scopes_supported":                      []string{"openid", "profile", "email", "groups"},
+		"claims_supported":                      []string{"sub", "given_name", "family_name", "name", "email", "email_verified", "preferred_username", "picture", "groups"},
 		"response_types_supported":              []string{"code", "id_token"},
 		"subject_types_supported":               []string{"public"},
-		"id_token_signing_alg_values_supported": []string{"RS256"},
+		"id_token_signing_alg_values_supported": []string{alg.String()},
 	}
-	c.JSON(http.StatusOK, config)
+	return json.Marshal(config)
 }
--- a/backend/internal/dto/api_key_dto.go
+++ b/backend/internal/dto/api_key_dto.go
@@ -0,0 +1,26 @@
+package dto
+
+import (
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+)
+
+type ApiKeyCreateDto struct {
+	Name        string            `json:"name" binding:"required,min=3,max=50"`
+	Description string            `json:"description"`
+	ExpiresAt   datatype.DateTime `json:"expiresAt" binding:"required"`
+}
+
+type ApiKeyDto struct {
+	ID                  string             `json:"id"`
+	Name                string             `json:"name"`
+	Description         string             `json:"description"`
+	ExpiresAt           datatype.DateTime  `json:"expiresAt"`
+	LastUsedAt          *datatype.DateTime `json:"lastUsedAt"`
+	CreatedAt           datatype.DateTime  `json:"createdAt"`
+	ExpirationEmailSent bool               `json:"expirationEmailSent"`
+}
+
+type ApiKeyResponseDto struct {
+	ApiKey ApiKeyDto `json:"apiKey"`
+	Token  string    `json:"token"`
+}
--- a/backend/internal/dto/app_config_dto.go
+++ b/backend/internal/dto/app_config_dto.go
@@ -12,31 +12,39 @@ type AppConfigVariableDto struct {
 }

 type AppConfigUpdateDto struct {
-	AppName                            string `json:"appName" binding:"required,min=1,max=30"`
-	SessionDuration                    string `json:"sessionDuration" binding:"required"`
-	EmailsVerified                     string `json:"emailsVerified" binding:"required"`
-	AllowOwnAccountEdit                string `json:"allowOwnAccountEdit" binding:"required"`
-	SmtHost                            string `json:"smtpHost"`
-	SmtpPort                           string `json:"smtpPort"`
-	SmtpFrom                           string `json:"smtpFrom" binding:"omitempty,email"`
-	SmtpUser                           string `json:"smtpUser"`
-	SmtpPassword                       string `json:"smtpPassword"`
-	SmtpTls                            string `json:"smtpTls"`
-	SmtpSkipCertVerify                 string `json:"smtpSkipCertVerify"`
-	LdapEnabled                        string `json:"ldapEnabled" binding:"required"`
-	LdapUrl                            string `json:"ldapUrl"`
-	LdapBindDn                         string `json:"ldapBindDn"`
-	LdapBindPassword                   string `json:"ldapBindPassword"`
-	LdapBase                           string `json:"ldapBase"`
-	LdapSkipCertVerify                 string `json:"ldapSkipCertVerify"`
-	LdapAttributeUserUniqueIdentifier  string `json:"ldapAttributeUserUniqueIdentifier"`
-	LdapAttributeUserUsername          string `json:"ldapAttributeUserUsername"`
-	LdapAttributeUserEmail             string `json:"ldapAttributeUserEmail"`
-	LdapAttributeUserFirstName         string `json:"ldapAttributeUserFirstName"`
-	LdapAttributeUserLastName          string `json:"ldapAttributeUserLastName"`
-	LdapAttributeGroupUniqueIdentifier string `json:"ldapAttributeGroupUniqueIdentifier"`
-	LdapAttributeGroupName             string `json:"ldapAttributeGroupName"`
-	LdapAttributeAdminGroup            string `json:"ldapAttributeAdminGroup"`
-	EmailOneTimeAccessEnabled          string `json:"emailOneTimeAccessEnabled" binding:"required"`
-	EmailLoginNotificationEnabled      string `json:"emailLoginNotificationEnabled" binding:"required"`
+	AppName                                    string `json:"appName" binding:"required,min=1,max=30"`
+	SessionDuration                            string `json:"sessionDuration" binding:"required"`
+	EmailsVerified                             string `json:"emailsVerified" binding:"required"`
+	DisableAnimations                          string `json:"disableAnimations" binding:"required"`
+	AllowOwnAccountEdit                        string `json:"allowOwnAccountEdit" binding:"required"`
+	SmtpHost                                   string `json:"smtpHost"`
+	SmtpPort                                   string `json:"smtpPort"`
+	SmtpFrom                                   string `json:"smtpFrom" binding:"omitempty,email"`
+	SmtpUser                                   string `json:"smtpUser"`
+	SmtpPassword                               string `json:"smtpPassword"`
+	SmtpTls                                    string `json:"smtpTls" binding:"required,oneof=none starttls tls"`
+	SmtpSkipCertVerify                         string `json:"smtpSkipCertVerify"`
+	LdapEnabled                                string `json:"ldapEnabled" binding:"required"`
+	LdapUrl                                    string `json:"ldapUrl"`
+	LdapBindDn                                 string `json:"ldapBindDn"`
+	LdapBindPassword                           string `json:"ldapBindPassword"`
+	LdapBase                                   string `json:"ldapBase"`
+	LdapUserSearchFilter                       string `json:"ldapUserSearchFilter"`
+	LdapUserGroupSearchFilter                  string `json:"ldapUserGroupSearchFilter"`
+	LdapSkipCertVerify                         string `json:"ldapSkipCertVerify"`
+	LdapAttributeUserUniqueIdentifier          string `json:"ldapAttributeUserUniqueIdentifier"`
+	LdapAttributeUserUsername                  string `json:"ldapAttributeUserUsername"`
+	LdapAttributeUserEmail                     string `json:"ldapAttributeUserEmail"`
+	LdapAttributeUserFirstName                 string `json:"ldapAttributeUserFirstName"`
+	LdapAttributeUserLastName                  string `json:"ldapAttributeUserLastName"`
+	LdapAttributeUserProfilePicture            string `json:"ldapAttributeUserProfilePicture"`
+	LdapAttributeGroupMember                   string `json:"ldapAttributeGroupMember"`
+	LdapAttributeGroupUniqueIdentifier         string `json:"ldapAttributeGroupUniqueIdentifier"`
+	LdapAttributeGroupName                     string `json:"ldapAttributeGroupName"`
+	LdapAttributeAdminGroup                    string `json:"ldapAttributeAdminGroup"`
+	LdapSoftDeleteUsers                        string `json:"ldapSoftDeleteUsers"`
+	EmailOneTimeAccessAsAdminEnabled           string `json:"emailOneTimeAccessAsAdminEnabled" binding:"required"`
+	EmailOneTimeAccessAsUnauthenticatedEnabled string `json:"emailOneTimeAccessAsUnauthenticatedEnabled" binding:"required"`
+	EmailLoginNotificationEnabled              string `json:"emailLoginNotificationEnabled" binding:"required"`
+	EmailApiKeyExpirationEnabled               string `json:"emailApiKeyExpirationEnabled" binding:"required"`
 }
--- a/backend/internal/dto/audit_log_dto.go
+++ b/backend/internal/dto/audit_log_dto.go
@@ -1,8 +1,8 @@
 package dto

 import (
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	datatype "github.com/stonith404/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )

 type AuditLogDto struct {
@@ -15,5 +15,12 @@ type AuditLogDto struct {
 	City      string              `json:"city"`
 	Device    string              `json:"device"`
 	UserID    string              `json:"userID"`
+	Username  string              `json:"username"`
 	Data      model.AuditLogData  `json:"data"`
 }
+
+type AuditLogFilterDto struct {
+	UserID     string `form:"filters[userId]"`
+	Event      string `form:"filters[event]"`
+	ClientName string `form:"filters[clientName]"`
+}
--- a/backend/internal/dto/custom_claim_dto.go
+++ b/backend/internal/dto/custom_claim_dto.go
@@ -6,6 +6,6 @@ type CustomClaimDto struct {
 }

 type CustomClaimCreateDto struct {
-	Key   string `json:"key" binding:"required,claimKey"`
+	Key   string `json:"key" binding:"required"`
 	Value string `json:"value" binding:"required"`
 }
--- a/backend/internal/dto/dto_mapper.go
+++ b/backend/internal/dto/dto_mapper.go
@@ -2,9 +2,10 @@ package dto

 import (
 	"errors"
-	"github.com/stonith404/pocket-id/backend/internal/model/types"
 	"reflect"
 	"time"
+
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )

 // MapStructList maps a list of source structs to a list of destination structs
@@ -39,13 +40,11 @@ func MapStruct[S any, D any](source S, destination *D) error {
 }

 func mapStructInternal(sourceVal reflect.Value, destVal reflect.Value) error {
-	// Loop through the fields of the destination struct
 	for i := 0; i < destVal.NumField(); i++ {
 		destField := destVal.Field(i)
 		destFieldType := destVal.Type().Field(i)

 		if destFieldType.Anonymous {
-			// Recursively handle embedded structs
 			if err := mapStructInternal(sourceVal, destField); err != nil {
 				return err
 			}
@@ -54,63 +53,57 @@ func mapStructInternal(sourceVal reflect.Value, destVal reflect.Value) error {

 		sourceField := sourceVal.FieldByName(destFieldType.Name)

-		// If the source field is valid and can be assigned to the destination field
 		if sourceField.IsValid() && destField.CanSet() {
-			// Handle direct assignment for simple types
-			if sourceField.Type() == destField.Type() {
-				destField.Set(sourceField)
-
-			} else if sourceField.Kind() == reflect.Slice && destField.Kind() == reflect.Slice {
-				// Handle slices
-				if sourceField.Type().Elem() == destField.Type().Elem() {
-					// Direct assignment for slices of primitive types or non-struct elements
-					newSlice := reflect.MakeSlice(destField.Type(), sourceField.Len(), sourceField.Cap())
-
-					for j := 0; j < sourceField.Len(); j++ {
-						newSlice.Index(j).Set(sourceField.Index(j))
-					}
-
-					destField.Set(newSlice)
-
-				} else if sourceField.Type().Elem().Kind() == reflect.Struct && destField.Type().Elem().Kind() == reflect.Struct {
-					// Recursively map slices of structs
-					newSlice := reflect.MakeSlice(destField.Type(), sourceField.Len(), sourceField.Cap())
-
-					for j := 0; j < sourceField.Len(); j++ {
-						// Get the element from both source and destination slice
-						sourceElem := sourceField.Index(j)
-						destElem := reflect.New(destField.Type().Elem()).Elem()
-
-						// Recursively map the struct elements
-						if err := mapStructInternal(sourceElem, destElem); err != nil {
-							return err
-						}
-
-						// Set the mapped element in the new slice
-						newSlice.Index(j).Set(destElem)
-					}
-
-					destField.Set(newSlice)
-				}
-			} else if sourceField.Kind() == reflect.Struct && destField.Kind() == reflect.Struct {
-				// Recursively map nested structs
-				if err := mapStructInternal(sourceField, destField); err != nil {
-					return err
-				}
-			} else {
-				// Type switch for specific type conversions
-				switch sourceField.Interface().(type) {
-				case datatype.DateTime:
-					// Convert datatype.DateTime to time.Time
-					if sourceField.Type() == reflect.TypeOf(datatype.DateTime{}) && destField.Type() == reflect.TypeOf(time.Time{}) {
-						dateValue := sourceField.Interface().(datatype.DateTime)
-						destField.Set(reflect.ValueOf(dateValue.ToTime()))
-					}
-				}
+			if err := mapField(sourceField, destField); err != nil {
+				return err
 			}
-
 		}
 	}
-
+	return nil
+}
+
+func mapField(sourceField reflect.Value, destField reflect.Value) error {
+	switch {
+	case sourceField.Type() == destField.Type():
+		destField.Set(sourceField)
+	case sourceField.Kind() == reflect.Slice && destField.Kind() == reflect.Slice:
+		return mapSlice(sourceField, destField)
+	case sourceField.Kind() == reflect.Struct && destField.Kind() == reflect.Struct:
+		return mapStructInternal(sourceField, destField)
+	default:
+		return mapSpecialTypes(sourceField, destField)
+	}
+	return nil
+}
+
+func mapSlice(sourceField reflect.Value, destField reflect.Value) error {
+	if sourceField.Type().Elem() == destField.Type().Elem() {
+		newSlice := reflect.MakeSlice(destField.Type(), sourceField.Len(), sourceField.Cap())
+		for j := 0; j < sourceField.Len(); j++ {
+			newSlice.Index(j).Set(sourceField.Index(j))
+		}
+		destField.Set(newSlice)
+	} else if sourceField.Type().Elem().Kind() == reflect.Struct && destField.Type().Elem().Kind() == reflect.Struct {
+		newSlice := reflect.MakeSlice(destField.Type(), sourceField.Len(), sourceField.Cap())
+		for j := 0; j < sourceField.Len(); j++ {
+			sourceElem := sourceField.Index(j)
+			destElem := reflect.New(destField.Type().Elem()).Elem()
+			if err := mapStructInternal(sourceElem, destElem); err != nil {
+				return err
+			}
+			newSlice.Index(j).Set(destElem)
+		}
+		destField.Set(newSlice)
+	}
+	return nil
+}
+
+func mapSpecialTypes(sourceField reflect.Value, destField reflect.Value) error {
+	if _, ok := sourceField.Interface().(datatype.DateTime); ok {
+		if sourceField.Type() == reflect.TypeOf(datatype.DateTime{}) && destField.Type() == reflect.TypeOf(time.Time{}) {
+			dateValue := sourceField.Interface().(datatype.DateTime)
+			destField.Set(reflect.ValueOf(dateValue.ToTime()))
+		}
+	}
 	return nil
 }
--- a/backend/internal/dto/oidc_dto.go
+++ b/backend/internal/dto/oidc_dto.go
@@ -1,24 +1,30 @@
 package dto

-type PublicOidcClientDto struct {
+type OidcClientMetaDataDto struct {
 	ID      string `json:"id"`
 	Name    string `json:"name"`
 	HasLogo bool   `json:"hasLogo"`
 }

 type OidcClientDto struct {
-	PublicOidcClientDto
-	CallbackURLs []string `json:"callbackURLs"`
-	IsPublic     bool     `json:"isPublic"`
-	PkceEnabled  bool     `json:"pkceEnabled"`
-	CreatedBy    UserDto  `json:"createdBy"`
+	OidcClientMetaDataDto
+	CallbackURLs       []string `json:"callbackURLs"`
+	LogoutCallbackURLs []string `json:"logoutCallbackURLs"`
+	IsPublic           bool     `json:"isPublic"`
+	PkceEnabled        bool     `json:"pkceEnabled"`
+}
+
+type OidcClientWithAllowedUserGroupsDto struct {
+	OidcClientDto
+	AllowedUserGroups []UserGroupDtoWithUserCount `json:"allowedUserGroups"`
 }

 type OidcClientCreateDto struct {
-	Name         string   `json:"name" binding:"required,max=50"`
-	CallbackURLs []string `json:"callbackURLs" binding:"required"`
-	IsPublic     bool     `json:"isPublic"`
-	PkceEnabled  bool     `json:"pkceEnabled"`
+	Name               string   `json:"name" binding:"required,max=50"`
+	CallbackURLs       []string `json:"callbackURLs" binding:"required"`
+	LogoutCallbackURLs []string `json:"logoutCallbackURLs"`
+	IsPublic           bool     `json:"isPublic"`
+	PkceEnabled        bool     `json:"pkceEnabled"`
 }

 type AuthorizeOidcClientRequestDto struct {
@@ -35,10 +41,82 @@ type AuthorizeOidcClientResponseDto struct {
 	CallbackURL string `json:"callbackURL"`
 }

+type AuthorizationRequiredDto struct {
+	ClientID string `json:"clientID" binding:"required"`
+	Scope    string `json:"scope" binding:"required"`
+}
+
 type OidcCreateTokensDto struct {
 	GrantType    string `form:"grant_type" binding:"required"`
-	Code         string `form:"code" binding:"required"`
+	Code         string `form:"code"`
+	DeviceCode   string `form:"device_code"`
 	ClientID     string `form:"client_id"`
 	ClientSecret string `form:"client_secret"`
 	CodeVerifier string `form:"code_verifier"`
+	RefreshToken string `form:"refresh_token"`
+}
+
+type OidcIntrospectDto struct {
+	Token string `form:"token" binding:"required"`
+}
+
+type OidcUpdateAllowedUserGroupsDto struct {
+	UserGroupIDs []string `json:"userGroupIds" binding:"required"`
+}
+
+type OidcLogoutDto struct {
+	IdTokenHint           string `form:"id_token_hint"`
+	ClientId              string `form:"client_id"`
+	PostLogoutRedirectUri string `form:"post_logout_redirect_uri"`
+	State                 string `form:"state"`
+}
+
+type OidcTokenResponseDto struct {
+	AccessToken  string `json:"access_token"`
+	TokenType    string `json:"token_type"`
+	IdToken      string `json:"id_token,omitempty"`
+	RefreshToken string `json:"refresh_token,omitempty"`
+	ExpiresIn    int    `json:"expires_in"`
+}
+
+type OidcIntrospectionResponseDto struct {
+	Active     bool     `json:"active"`
+	TokenType  string   `json:"token_type,omitempty"`
+	Scope      string   `json:"scope,omitempty"`
+	Expiration int64    `json:"exp,omitempty"`
+	IssuedAt   int64    `json:"iat,omitempty"`
+	NotBefore  int64    `json:"nbf,omitempty"`
+	Subject    string   `json:"sub,omitempty"`
+	Audience   []string `json:"aud,omitempty"`
+	Issuer     string   `json:"iss,omitempty"`
+	Identifier string   `json:"jti,omitempty"`
+}
+
+type OidcDeviceAuthorizationRequestDto struct {
+	ClientID     string `form:"client_id" binding:"required"`
+	Scope        string `form:"scope" binding:"required"`
+	ClientSecret string `form:"client_secret"`
+}
+
+type OidcDeviceAuthorizationResponseDto struct {
+	DeviceCode              string `json:"device_code"`
+	UserCode                string `json:"user_code"`
+	VerificationURI         string `json:"verification_uri"`
+	VerificationURIComplete string `json:"verification_uri_complete"`
+	ExpiresIn               int    `json:"expires_in"`
+	Interval                int    `json:"interval"`
+	RequiresAuthorization   bool   `json:"requires_authorization"`
+}
+
+type OidcDeviceTokenRequestDto struct {
+	GrantType    string `form:"grant_type" binding:"required,eq=urn:ietf:params:oauth:grant-type:device_code"`
+	DeviceCode   string `form:"device_code" binding:"required"`
+	ClientID     string `form:"client_id"`
+	ClientSecret string `form:"client_secret"`
+}
+
+type DeviceCodeInfoDto struct {
+	Scope                 string                `json:"scope"`
+	AuthorizationRequired bool                  `json:"authorizationRequired"`
+	Client                OidcClientMetaDataDto `json:"client"`
 }
--- a/backend/internal/dto/pagination_dto.go
+++ b/backend/internal/dto/pagination_dto.go
@@ -0,0 +1,10 @@
+package dto
+
+import "github.com/pocket-id/pocket-id/backend/internal/utils"
+
+type Pagination = utils.PaginationResponse
+
+type Paginated[T any] struct {
+	Data       []T        `json:"data"`
+	Pagination Pagination `json:"pagination"`
+}
--- a/backend/internal/dto/user_dto.go
+++ b/backend/internal/dto/user_dto.go
@@ -9,25 +9,38 @@ type UserDto struct {
 	FirstName    string           `json:"firstName"`
 	LastName     string           `json:"lastName"`
 	IsAdmin      bool             `json:"isAdmin"`
+	Locale       *string          `json:"locale"`
 	CustomClaims []CustomClaimDto `json:"customClaims"`
+	UserGroups   []UserGroupDto   `json:"userGroups"`
 	LdapID       *string          `json:"ldapId"`
+	Disabled     bool             `json:"disabled"`
 }

 type UserCreateDto struct {
-	Username  string `json:"username" binding:"required,username,min=2,max=50"`
-	Email     string `json:"email" binding:"required,email"`
-	FirstName string `json:"firstName" binding:"required,min=1,max=50"`
-	LastName  string `json:"lastName" binding:"required,min=1,max=50"`
-	IsAdmin   bool   `json:"isAdmin"`
-	LdapID    string `json:"-"`
+	Username  string  `json:"username" binding:"required,username,min=2,max=50"`
+	Email     string  `json:"email" binding:"required,email"`
+	FirstName string  `json:"firstName" binding:"required,min=1,max=50"`
+	LastName  string  `json:"lastName" binding:"max=50"`
+	IsAdmin   bool    `json:"isAdmin"`
+	Locale    *string `json:"locale"`
+	Disabled  bool    `json:"disabled"`
+	LdapID    string  `json:"-"`
 }

 type OneTimeAccessTokenCreateDto struct {
-	UserID    string    `json:"userId" binding:"required"`
+	UserID    string    `json:"userId"`
 	ExpiresAt time.Time `json:"expiresAt" binding:"required"`
 }

-type OneTimeAccessEmailDto struct {
+type OneTimeAccessEmailAsUnauthenticatedUserDto struct {
 	Email        string `json:"email" binding:"required,email"`
 	RedirectPath string `json:"redirectPath"`
 }
+
+type OneTimeAccessEmailAsAdminDto struct {
+	ExpiresAt time.Time `json:"expiresAt" binding:"required"`
+}
+
+type UserUpdateUserGroupDto struct {
+	UserGroupIds []string `json:"userGroupIds" binding:"required"`
+}
--- a/backend/internal/dto/user_group_dto.go
+++ b/backend/internal/dto/user_group_dto.go
@@ -1,9 +1,18 @@
 package dto

 import (
-	datatype "github.com/stonith404/pocket-id/backend/internal/model/types"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )

+type UserGroupDto struct {
+	ID           string            `json:"id"`
+	FriendlyName string            `json:"friendlyName"`
+	Name         string            `json:"name"`
+	CustomClaims []CustomClaimDto  `json:"customClaims"`
+	LdapID       *string           `json:"ldapId"`
+	CreatedAt    datatype.DateTime `json:"createdAt"`
+}
+
 type UserGroupDtoWithUsers struct {
 	ID           string            `json:"id"`
 	FriendlyName string            `json:"friendlyName"`
@@ -33,7 +42,3 @@ type UserGroupCreateDto struct {
 type UserGroupUpdateUsersDto struct {
 	UserIDs []string `json:"userIds" binding:"required"`
 }
-
-type AssignUserToGroupDto struct {
-	UserID string `json:"userId" binding:"required"`
-}
--- a/backend/internal/dto/validations.go
+++ b/backend/internal/dto/validations.go
@@ -1,10 +1,11 @@
 package dto

 import (
-	"github.com/gin-gonic/gin/binding"
-	"github.com/go-playground/validator/v10"
 	"log"
 	"regexp"
+
+	"github.com/gin-gonic/gin/binding"
+	"github.com/go-playground/validator/v10"
 )

 var validateUsername validator.Func = func(fl validator.FieldLevel) bool {
@@ -16,22 +17,10 @@ var validateUsername validator.Func = func(fl validator.FieldLevel) bool {
 	return matched
 }

-var validateClaimKey validator.Func = func(fl validator.FieldLevel) bool {
-	// The string can only contain letters and numbers
-	regex := "^[A-Za-z0-9]*$"
-	matched, _ := regexp.MatchString(regex, fl.Field().String())
-	return matched
-}
-
 func init() {
 	if v, ok := binding.Validator.Engine().(*validator.Validate); ok {
 		if err := v.RegisterValidation("username", validateUsername); err != nil {
 			log.Fatalf("Failed to register custom validation: %v", err)
 		}
 	}
-	if v, ok := binding.Validator.Engine().(*validator.Validate); ok {
-		if err := v.RegisterValidation("claimKey", validateClaimKey); err != nil {
-			log.Fatalf("Failed to register custom validation: %v", err)
-		}
-	}
 }
--- a/backend/internal/dto/webauthn_dto.go
+++ b/backend/internal/dto/webauthn_dto.go
@@ -2,7 +2,7 @@ package dto

 import (
 	"github.com/go-webauthn/webauthn/protocol"
-	datatype "github.com/stonith404/pocket-id/backend/internal/model/types"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )

 type WebauthnCredentialDto struct {
--- a/backend/internal/job/api_key_expiry_job.go
+++ b/backend/internal/job/api_key_expiry_job.go
@@ -0,0 +1,45 @@
+package job
+
+import (
+	"context"
+	"log"
+
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+type ApiKeyEmailJobs struct {
+	apiKeyService    *service.ApiKeyService
+	appConfigService *service.AppConfigService
+}
+
+func (s *Scheduler) RegisterApiKeyExpiryJob(ctx context.Context, apiKeyService *service.ApiKeyService, appConfigService *service.AppConfigService) error {
+	jobs := &ApiKeyEmailJobs{
+		apiKeyService:    apiKeyService,
+		appConfigService: appConfigService,
+	}
+
+	return s.registerJob(ctx, "ExpiredApiKeyEmailJob", "0 0 * * *", jobs.checkAndNotifyExpiringApiKeys)
+}
+
+func (j *ApiKeyEmailJobs) checkAndNotifyExpiringApiKeys(ctx context.Context) error {
+	// Skip if the feature is disabled
+	if !j.appConfigService.GetDbConfig().EmailApiKeyExpirationEnabled.IsTrue() {
+		return nil
+	}
+
+	apiKeys, err := j.apiKeyService.ListExpiringApiKeys(ctx, 7)
+	if err != nil {
+		log.Printf("Failed to list expiring API keys: %v", err)
+		return err
+	}
+
+	for _, key := range apiKeys {
+		if key.User.Email == "" {
+			continue
+		}
+		if err := j.apiKeyService.SendApiKeyExpiringSoonEmail(ctx, key); err != nil {
+			log.Printf("Failed to send email for key %s: %v", key.ID, err)
+		}
+	}
+	return nil
+}
--- a/backend/internal/job/db_cleanup.go
+++ b/backend/internal/job/db_cleanup.go
@@ -1,68 +0,0 @@
-package job
-
-import (
-	"github.com/go-co-op/gocron/v2"
-	"github.com/google/uuid"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	datatype "github.com/stonith404/pocket-id/backend/internal/model/types"
-	"gorm.io/gorm"
-	"log"
-	"time"
-)
-
-func RegisterDbCleanupJobs(db *gorm.DB) {
-	scheduler, err := gocron.NewScheduler()
-	if err != nil {
-		log.Fatalf("Failed to create a new scheduler: %s", err)
-	}
-
-	jobs := &Jobs{db: db}
-
-	registerJob(scheduler, "ClearWebauthnSessions", "0 3 * * *", jobs.clearWebauthnSessions)
-	registerJob(scheduler, "ClearOneTimeAccessTokens", "0 3 * * *", jobs.clearOneTimeAccessTokens)
-	registerJob(scheduler, "ClearOidcAuthorizationCodes", "0 3 * * *", jobs.clearOidcAuthorizationCodes)
-	scheduler.Start()
-}
-
-type Jobs struct {
-	db *gorm.DB
-}
-
-// ClearWebauthnSessions deletes WebAuthn sessions that have expired
-func (j *Jobs) clearWebauthnSessions() error {
-	return j.db.Delete(&model.WebauthnSession{}, "expires_at < ?", datatype.DateTime(time.Now())).Error
-}
-
-// ClearOneTimeAccessTokens deletes one-time access tokens that have expired
-func (j *Jobs) clearOneTimeAccessTokens() error {
-	return j.db.Debug().Delete(&model.OneTimeAccessToken{}, "expires_at < ?", datatype.DateTime(time.Now())).Error
-}
-
-// ClearOidcAuthorizationCodes deletes OIDC authorization codes that have expired
-func (j *Jobs) clearOidcAuthorizationCodes() error {
-	return j.db.Delete(&model.OidcAuthorizationCode{}, "expires_at < ?", datatype.DateTime(time.Now())).Error
-}
-
-// ClearAuditLogs deletes audit logs older than 90 days
-func (j *Jobs) clearAuditLogs() error {
-	return j.db.Delete(&model.AuditLog{}, "created_at < ?", datatype.DateTime(time.Now().AddDate(0, 0, -90))).Error
-}
-
-func registerJob(scheduler gocron.Scheduler, name string, interval string, job func() error) {
-	_, err := scheduler.NewJob(
-		gocron.CronJob(interval, false),
-		gocron.NewTask(job),
-		gocron.WithEventListeners(
-			gocron.AfterJobRuns(func(jobID uuid.UUID, jobName string) {
-				log.Printf("Job %q run successfully", name)
-			}),
-			gocron.AfterJobRunsWithError(func(jobID uuid.UUID, jobName string, err error) {
-				log.Printf("Job %q failed with error: %v", name, err)
-			}),
-		),
-	)
-
-	if err != nil {
-		log.Fatalf("Failed to register job %q: %v", name, err)
-	}
-}
--- a/backend/internal/job/db_cleanup_job.go
+++ b/backend/internal/job/db_cleanup_job.go
@@ -0,0 +1,68 @@
+package job
+
+import (
+	"context"
+	"errors"
+	"time"
+
+	"gorm.io/gorm"
+
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+)
+
+func (s *Scheduler) RegisterDbCleanupJobs(ctx context.Context, db *gorm.DB) error {
+	jobs := &DbCleanupJobs{db: db}
+
+	return errors.Join(
+		s.registerJob(ctx, "ClearWebauthnSessions", "0 3 * * *", jobs.clearWebauthnSessions),
+		s.registerJob(ctx, "ClearOneTimeAccessTokens", "0 3 * * *", jobs.clearOneTimeAccessTokens),
+		s.registerJob(ctx, "ClearOidcAuthorizationCodes", "0 3 * * *", jobs.clearOidcAuthorizationCodes),
+		s.registerJob(ctx, "ClearOidcRefreshTokens", "0 3 * * *", jobs.clearOidcRefreshTokens),
+		s.registerJob(ctx, "ClearAuditLogs", "0 3 * * *", jobs.clearAuditLogs),
+	)
+}
+
+type DbCleanupJobs struct {
+	db *gorm.DB
+}
+
+// ClearWebauthnSessions deletes WebAuthn sessions that have expired
+func (j *DbCleanupJobs) clearWebauthnSessions(ctx context.Context) error {
+	return j.db.
+		WithContext(ctx).
+		Delete(&model.WebauthnSession{}, "expires_at < ?", datatype.DateTime(time.Now())).
+		Error
+}
+
+// ClearOneTimeAccessTokens deletes one-time access tokens that have expired
+func (j *DbCleanupJobs) clearOneTimeAccessTokens(ctx context.Context) error {
+	return j.db.
+		WithContext(ctx).
+		Delete(&model.OneTimeAccessToken{}, "expires_at < ?", datatype.DateTime(time.Now())).
+		Error
+}
+
+// ClearOidcAuthorizationCodes deletes OIDC authorization codes that have expired
+func (j *DbCleanupJobs) clearOidcAuthorizationCodes(ctx context.Context) error {
+	return j.db.
+		WithContext(ctx).
+		Delete(&model.OidcAuthorizationCode{}, "expires_at < ?", datatype.DateTime(time.Now())).
+		Error
+}
+
+// ClearOidcAuthorizationCodes deletes OIDC authorization codes that have expired
+func (j *DbCleanupJobs) clearOidcRefreshTokens(ctx context.Context) error {
+	return j.db.
+		WithContext(ctx).
+		Delete(&model.OidcRefreshToken{}, "expires_at < ?", datatype.DateTime(time.Now())).
+		Error
+}
+
+// ClearAuditLogs deletes audit logs older than 90 days
+func (j *DbCleanupJobs) clearAuditLogs(ctx context.Context) error {
+	return j.db.
+		WithContext(ctx).
+		Delete(&model.AuditLog{}, "created_at < ?", datatype.DateTime(time.Now().AddDate(0, 0, -90))).
+		Error
+}
--- a/backend/internal/job/file_cleanup_job.go
+++ b/backend/internal/job/file_cleanup_job.go
@@ -0,0 +1,76 @@
+package job
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"gorm.io/gorm"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+)
+
+func (s *Scheduler) RegisterFileCleanupJobs(ctx context.Context, db *gorm.DB) error {
+	jobs := &FileCleanupJobs{db: db}
+
+	return s.registerJob(ctx, "ClearUnusedDefaultProfilePictures", "0 2 * * 0", jobs.clearUnusedDefaultProfilePictures)
+}
+
+type FileCleanupJobs struct {
+	db *gorm.DB
+}
+
+// ClearUnusedDefaultProfilePictures deletes default profile pictures that don't match any user's initials
+func (j *FileCleanupJobs) clearUnusedDefaultProfilePictures(ctx context.Context) error {
+	var users []model.User
+	err := j.db.
+		WithContext(ctx).
+		Find(&users).
+		Error
+	if err != nil {
+		return fmt.Errorf("failed to fetch users: %w", err)
+	}
+
+	// Create a map to track which initials are in use
+	initialsInUse := make(map[string]struct{})
+	for _, user := range users {
+		initialsInUse[user.Initials()] = struct{}{}
+	}
+
+	defaultPicturesDir := common.EnvConfig.UploadPath + "/profile-pictures/defaults"
+	if _, err := os.Stat(defaultPicturesDir); os.IsNotExist(err) {
+		return nil
+	}
+
+	files, err := os.ReadDir(defaultPicturesDir)
+	if err != nil {
+		return fmt.Errorf("failed to read default profile pictures directory: %w", err)
+	}
+
+	filesDeleted := 0
+	for _, file := range files {
+		if file.IsDir() {
+			continue // Skip directories
+		}
+
+		filename := file.Name()
+		initials := strings.TrimSuffix(filename, ".png")
+
+		// If these initials aren't used by any user, delete the file
+		if _, ok := initialsInUse[initials]; !ok {
+			filePath := filepath.Join(defaultPicturesDir, filename)
+			if err := os.Remove(filePath); err != nil {
+				log.Printf("Failed to delete unused default profile picture %s: %v", filePath, err)
+			} else {
+				filesDeleted++
+			}
+		}
+	}
+
+	log.Printf("Deleted %d unused default profile pictures", filesDeleted)
+	return nil
+}
--- a/backend/internal/job/geoloite_update_job.go
+++ b/backend/internal/job/geoloite_update_job.go
@@ -0,0 +1,45 @@
+package job
+
+import (
+	"context"
+	"log"
+	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+type GeoLiteUpdateJobs struct {
+	geoLiteService *service.GeoLiteService
+}
+
+func (s *Scheduler) RegisterGeoLiteUpdateJobs(ctx context.Context, geoLiteService *service.GeoLiteService) error {
+	// Check if the service needs periodic updating
+	if geoLiteService.DisableUpdater() {
+		// Nothing to do
+		return nil
+	}
+
+	jobs := &GeoLiteUpdateJobs{geoLiteService: geoLiteService}
+
+	// Register the job to run every day, at 5 minutes past midnight
+	err := s.registerJob(ctx, "UpdateGeoLiteDB", "5 * */1 * *", jobs.updateGoeLiteDB)
+	if err != nil {
+		return err
+	}
+
+	// Run the job immediately on startup, with a 1s delay
+	go func() {
+		time.Sleep(time.Second)
+		err = jobs.updateGoeLiteDB(ctx)
+		if err != nil {
+			// Log the error only, but don't return it
+			log.Printf("Failed to Update GeoLite database: %v", err)
+		}
+	}()
+
+	return nil
+}
+
+func (j *GeoLiteUpdateJobs) updateGoeLiteDB(ctx context.Context) error {
+	return j.geoLiteService.UpdateDatabase(ctx)
+}
--- a/backend/internal/job/ldap_job.go
+++ b/backend/internal/job/ldap_job.go
@@ -1,10 +1,10 @@
 package job

 import (
+	"context"
 	"log"

-	"github.com/go-co-op/gocron/v2"
-	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
 )

 type LdapJobs struct {
@@ -12,28 +12,29 @@ type LdapJobs struct {
 	appConfigService *service.AppConfigService
 }

-func RegisterLdapJobs(ldapService *service.LdapService, appConfigService *service.AppConfigService) {
+func (s *Scheduler) RegisterLdapJobs(ctx context.Context, ldapService *service.LdapService, appConfigService *service.AppConfigService) error {
 	jobs := &LdapJobs{ldapService: ldapService, appConfigService: appConfigService}

-	scheduler, err := gocron.NewScheduler()
-	if err != nil {
-		log.Fatalf("Failed to create a new scheduler: %s", err)
-	}
-
 	// Register the job to run every hour
-	registerJob(scheduler, "SyncLdap", "0 * * * *", jobs.syncLdap)
+	err := s.registerJob(ctx, "SyncLdap", "0 * * * *", jobs.syncLdap)
+	if err != nil {
+		return err
+	}

 	// Run the job immediately on startup
-	if err := jobs.syncLdap(); err != nil {
-		log.Printf("Failed to sync LDAP: %s", err)
+	err = jobs.syncLdap(ctx)
+	if err != nil {
+		// Log the error only, but don't return it
+		log.Printf("Failed to sync LDAP: %v", err)
 	}

-	scheduler.Start()
-}
-
-func (j *LdapJobs) syncLdap() error {
-	if j.appConfigService.DbConfig.LdapEnabled.Value == "true" {
-		return j.ldapService.SyncAll()
-	}
 	return nil
 }
+
+func (j *LdapJobs) syncLdap(ctx context.Context) error {
+	if !j.appConfigService.GetDbConfig().LdapEnabled.IsTrue() {
+		return nil
+	}
+
+	return j.ldapService.SyncAll(ctx)
+}
--- a/backend/internal/job/scheduler.go
+++ b/backend/internal/job/scheduler.go
@@ -0,0 +1,66 @@
+package job
+
+import (
+	"context"
+	"fmt"
+	"log"
+
+	"github.com/go-co-op/gocron/v2"
+	"github.com/google/uuid"
+)
+
+type Scheduler struct {
+	scheduler gocron.Scheduler
+}
+
+func NewScheduler() (*Scheduler, error) {
+	scheduler, err := gocron.NewScheduler()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create a new scheduler: %w", err)
+	}
+
+	return &Scheduler{
+		scheduler: scheduler,
+	}, nil
+}
+
+// Run the scheduler.
+// This function blocks until the context is canceled.
+func (s *Scheduler) Run(ctx context.Context) error {
+	log.Println("Starting job scheduler")
+	s.scheduler.Start()
+
+	// Block until context is canceled
+	<-ctx.Done()
+
+	err := s.scheduler.Shutdown()
+	if err != nil {
+		log.Printf("[WARN] Error shutting down job scheduler: %v", err)
+	} else {
+		log.Println("Job scheduler shut down")
+	}
+
+	return nil
+}
+
+func (s *Scheduler) registerJob(ctx context.Context, name string, interval string, job func(ctx context.Context) error) error {
+	_, err := s.scheduler.NewJob(
+		gocron.CronJob(interval, false),
+		gocron.NewTask(job),
+		gocron.WithContext(ctx),
+		gocron.WithEventListeners(
+			gocron.AfterJobRuns(func(jobID uuid.UUID, jobName string) {
+				log.Printf("Job %q run successfully", name)
+			}),
+			gocron.AfterJobRunsWithError(func(jobID uuid.UUID, jobName string, err error) {
+				log.Printf("Job %q failed with error: %v", name, err)
+			}),
+		),
+	)
+
+	if err != nil {
+		return fmt.Errorf("failed to register job %q: %w", name, err)
+	}
+
+	return nil
+}
--- a/backend/internal/middleware/api_key_auth.go
+++ b/backend/internal/middleware/api_key_auth.go
@@ -0,0 +1,53 @@
+package middleware
+
+import (
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+type ApiKeyAuthMiddleware struct {
+	apiKeyService *service.ApiKeyService
+	jwtService    *service.JwtService
+}
+
+func NewApiKeyAuthMiddleware(apiKeyService *service.ApiKeyService, jwtService *service.JwtService) *ApiKeyAuthMiddleware {
+	return &ApiKeyAuthMiddleware{
+		apiKeyService: apiKeyService,
+		jwtService:    jwtService,
+	}
+}
+
+func (m *ApiKeyAuthMiddleware) Add(adminRequired bool) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		userID, isAdmin, err := m.Verify(c, adminRequired)
+		if err != nil {
+			c.Abort()
+			_ = c.Error(err)
+			return
+		}
+
+		c.Set("userID", userID)
+		c.Set("userIsAdmin", isAdmin)
+		c.Next()
+	}
+}
+
+func (m *ApiKeyAuthMiddleware) Verify(c *gin.Context, adminRequired bool) (userID string, isAdmin bool, err error) {
+	apiKey := c.GetHeader("X-API-KEY")
+
+	user, err := m.apiKeyService.ValidateApiKey(c.Request.Context(), apiKey)
+	if err != nil {
+		return "", false, &common.NotSignedInError{}
+	}
+
+	if user.Disabled {
+		return "", false, &common.UserDisabledError{}
+	}
+
+	if adminRequired && !user.IsAdmin {
+		return "", false, &common.MissingPermissionError{}
+	}
+
+	return user.ID, user.IsAdmin, nil
+}
--- a/backend/internal/middleware/auth_middleware.go
+++ b/backend/internal/middleware/auth_middleware.go
@@ -0,0 +1,103 @@
+package middleware
+
+import (
+	"errors"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+)
+
+// AuthMiddleware is a wrapper middleware that delegates to either API key or JWT authentication
+type AuthMiddleware struct {
+	apiKeyMiddleware *ApiKeyAuthMiddleware
+	jwtMiddleware    *JwtAuthMiddleware
+	options          AuthOptions
+}
+
+type AuthOptions struct {
+	AdminRequired   bool
+	SuccessOptional bool
+}
+
+func NewAuthMiddleware(
+	apiKeyService *service.ApiKeyService,
+	userService *service.UserService,
+	jwtService *service.JwtService,
+) *AuthMiddleware {
+	return &AuthMiddleware{
+		apiKeyMiddleware: NewApiKeyAuthMiddleware(apiKeyService, jwtService),
+		jwtMiddleware:    NewJwtAuthMiddleware(jwtService, userService),
+		options: AuthOptions{
+			AdminRequired:   true,
+			SuccessOptional: false,
+		},
+	}
+}
+
+// WithAdminNotRequired allows the middleware to continue with the request even if the user is not an admin
+func (m *AuthMiddleware) WithAdminNotRequired() *AuthMiddleware {
+	// Create a new instance to avoid modifying the original
+	clone := &AuthMiddleware{
+		apiKeyMiddleware: m.apiKeyMiddleware,
+		jwtMiddleware:    m.jwtMiddleware,
+		options:          m.options,
+	}
+	clone.options.AdminRequired = false
+	return clone
+}
+
+// WithSuccessOptional allows the middleware to continue with the request even if authentication fails
+func (m *AuthMiddleware) WithSuccessOptional() *AuthMiddleware {
+	// Create a new instance to avoid modifying the original
+	clone := &AuthMiddleware{
+		apiKeyMiddleware: m.apiKeyMiddleware,
+		jwtMiddleware:    m.jwtMiddleware,
+		options:          m.options,
+	}
+	clone.options.SuccessOptional = true
+	return clone
+}
+
+func (m *AuthMiddleware) Add() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		userID, isAdmin, err := m.jwtMiddleware.Verify(c, m.options.AdminRequired)
+		if err == nil {
+			c.Set("userID", userID)
+			c.Set("userIsAdmin", isAdmin)
+			if c.IsAborted() {
+				return
+			}
+			c.Next()
+			return
+		}
+
+		// If JWT auth failed and the error is not a NotSignedInError, abort the request
+		if !errors.Is(err, &common.NotSignedInError{}) {
+			c.Abort()
+			_ = c.Error(err)
+			return
+		}
+
+		// JWT auth failed, try API key auth
+		userID, isAdmin, err = m.apiKeyMiddleware.Verify(c, m.options.AdminRequired)
+		if err == nil {
+			c.Set("userID", userID)
+			c.Set("userIsAdmin", isAdmin)
+			if c.IsAborted() {
+				return
+			}
+			c.Next()
+			return
+		}
+
+		if m.options.SuccessOptional {
+			c.Next()
+			return
+		}
+
+		// Both JWT and API key auth failed
+		c.Abort()
+		_ = c.Error(err)
+	}
+}
--- a/backend/internal/middleware/cors.go
+++ b/backend/internal/middleware/cors.go
@@ -1,8 +1,9 @@
 package middleware

 import (
+	"net/http"
+
 	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
 )

 type CorsMiddleware struct{}
@@ -13,17 +14,22 @@ func NewCorsMiddleware() *CorsMiddleware {

 func (m *CorsMiddleware) Add() gin.HandlerFunc {
 	return func(c *gin.Context) {
-		// Allow all origins for the token endpoint
-		if c.FullPath() == "/api/oidc/token" {
-			c.Writer.Header().Set("Access-Control-Allow-Origin", "*")
-		} else {
-			c.Writer.Header().Set("Access-Control-Allow-Origin", common.EnvConfig.AppURL)
+		path := c.FullPath()
+		if path == "" {
+			// The router doesn't map preflight requests, so we need to use the raw URL path
+			path = c.Request.URL.Path
 		}

-		c.Writer.Header().Set("Access-Control-Allow-Headers", "*")
-		c.Writer.Header().Set("Access-Control-Allow-Methods", "POST, OPTIONS, GET, PUT")
+		if !isCorsPath(path) {
+			c.Next()
+			return
+		}

-		if c.Request.Method == "OPTIONS" {
+		c.Writer.Header().Set("Access-Control-Allow-Origin", "*")
+		c.Writer.Header().Set("Access-Control-Allow-Methods", "GET, POST")
+
+		// Preflight request
+		if c.Request.Method == http.MethodOptions {
 			c.AbortWithStatus(204)
 			return
 		}
@@ -31,3 +37,17 @@ func (m *CorsMiddleware) Add() gin.HandlerFunc {
 		c.Next()
 	}
 }
+
+func isCorsPath(path string) bool {
+	switch path {
+	case "/api/oidc/token",
+		"/api/oidc/userinfo",
+		"/oidc/end-session",
+		"/api/oidc/introspect",
+		"/.well-known/jwks.json",
+		"/.well-known/openid-configuration":
+		return true
+	default:
+		return false
+	}
+}
--- a/backend/internal/middleware/error_handler.go
+++ b/backend/internal/middleware/error_handler.go
@@ -3,13 +3,14 @@ package middleware
 import (
 	"errors"
 	"fmt"
+	"net/http"
+	"strings"
+
 	"github.com/gin-gonic/gin"
 	"github.com/gin-gonic/gin/binding"
 	"github.com/go-playground/validator/v10"
-	"github.com/stonith404/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"gorm.io/gorm"
-	"net/http"
-	"strings"
 )

 type ErrorHandlerMiddleware struct{}
--- a/backend/internal/middleware/file_size_limit.go
+++ b/backend/internal/middleware/file_size_limit.go
@@ -2,9 +2,10 @@ package middleware

 import (
 	"fmt"
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
 	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
 )

 type FileSizeLimitMiddleware struct{}
@@ -18,7 +19,7 @@ func (m *FileSizeLimitMiddleware) Add(maxSize int64) gin.HandlerFunc {
 		c.Request.Body = http.MaxBytesReader(c.Writer, c.Request.Body, maxSize)
 		if err := c.Request.ParseMultipartForm(maxSize); err != nil {
 			err = &common.FileTooLargeError{MaxSize: formatFileSize(maxSize)}
-			c.Error(err)
+			_ = c.Error(err)
 			c.Abort()
 			return
 		}
--- a/backend/internal/middleware/jwt_auth.go
+++ b/backend/internal/middleware/jwt_auth.go
@@ -1,58 +1,73 @@
 package middleware

 import (
-	"github.com/gin-gonic/gin"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/service"
 	"strings"
+
+	"github.com/gin-gonic/gin"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/cookie"
 )

 type JwtAuthMiddleware struct {
-	jwtService            *service.JwtService
-	ignoreUnauthenticated bool
+	userService *service.UserService
+	jwtService  *service.JwtService
 }

-func NewJwtAuthMiddleware(jwtService *service.JwtService, ignoreUnauthenticated bool) *JwtAuthMiddleware {
-	return &JwtAuthMiddleware{jwtService: jwtService, ignoreUnauthenticated: ignoreUnauthenticated}
+func NewJwtAuthMiddleware(jwtService *service.JwtService, userService *service.UserService) *JwtAuthMiddleware {
+	return &JwtAuthMiddleware{jwtService: jwtService, userService: userService}
 }

-func (m *JwtAuthMiddleware) Add(adminOnly bool) gin.HandlerFunc {
+func (m *JwtAuthMiddleware) Add(adminRequired bool) gin.HandlerFunc {
 	return func(c *gin.Context) {
-		// Extract the token from the cookie or the Authorization header
-		token, err := c.Cookie("access_token")
+		userID, isAdmin, err := m.Verify(c, adminRequired)
 		if err != nil {
-			authorizationHeaderSplitted := strings.Split(c.GetHeader("Authorization"), " ")
-			if len(authorizationHeaderSplitted) == 2 {
-				token = authorizationHeaderSplitted[1]
-			} else if m.ignoreUnauthenticated {
-				c.Next()
-				return
-			} else {
-				c.Error(&common.NotSignedInError{})
-				c.Abort()
-				return
-			}
-		}
-
-		claims, err := m.jwtService.VerifyAccessToken(token)
-		if err != nil && m.ignoreUnauthenticated {
-			c.Next()
-			return
-		} else if err != nil {
-			c.Error(&common.NotSignedInError{})
 			c.Abort()
+			_ = c.Error(err)
 			return
 		}

-		// Check if the user is an admin
-		if adminOnly && !claims.IsAdmin {
-			c.Error(&common.MissingPermissionError{})
-			c.Abort()
-			return
-		}
-
-		c.Set("userID", claims.Subject)
-		c.Set("userIsAdmin", claims.IsAdmin)
+		c.Set("userID", userID)
+		c.Set("userIsAdmin", isAdmin)
 		c.Next()
 	}
 }
+
+func (m *JwtAuthMiddleware) Verify(c *gin.Context, adminRequired bool) (subject string, isAdmin bool, err error) {
+	// Extract the token from the cookie
+	accessToken, err := c.Cookie(cookie.AccessTokenCookieName)
+	if err != nil {
+		// Try to extract the token from the Authorization header if it's not in the cookie
+		var ok bool
+		_, accessToken, ok = strings.Cut(c.GetHeader("Authorization"), " ")
+		if !ok || accessToken == "" {
+			return "", false, &common.NotSignedInError{}
+		}
+	}
+
+	token, err := m.jwtService.VerifyAccessToken(accessToken)
+	if err != nil {
+		return "", false, &common.NotSignedInError{}
+	}
+
+	subject, ok := token.Subject()
+	if !ok {
+		_ = c.Error(&common.TokenInvalidError{})
+		return
+	}
+
+	user, err := m.userService.GetUser(c, subject)
+	if err != nil {
+		return "", false, &common.NotSignedInError{}
+	}
+
+	if user.Disabled {
+		return "", false, &common.UserDisabledError{}
+	}
+
+	if adminRequired && !user.IsAdmin {
+		return "", false, &common.MissingPermissionError{}
+	}
+
+	return subject, isAdmin, nil
+}
--- a/backend/internal/middleware/rate_limit.go
+++ b/backend/internal/middleware/rate_limit.go
@@ -1,10 +1,11 @@
 package middleware

 import (
-	"github.com/stonith404/pocket-id/backend/internal/common"
 	"sync"
 	"time"

+	"github.com/pocket-id/pocket-id/backend/internal/common"
+
 	"github.com/gin-gonic/gin"
 	"golang.org/x/time/rate"
 )
@@ -35,7 +36,7 @@ func (m *RateLimitMiddleware) Add(limit rate.Limit, burst int) gin.HandlerFunc {

 		limiter := getLimiter(ip, limit, burst, &mu, clients)
 		if !limiter.Allow() {
-			c.Error(&common.TooManyRequestsError{})
+			_ = c.Error(&common.TooManyRequestsError{})
 			c.Abort()
 			return
 		}
--- a/backend/internal/model/api_key.go
+++ b/backend/internal/model/api_key.go
@@ -0,0 +1,17 @@
+package model
+
+import datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+
+type ApiKey struct {
+	Base
+
+	Name                string `sortable:"true"`
+	Key                 string
+	Description         *string
+	ExpiresAt           datatype.DateTime  `sortable:"true"`
+	LastUsedAt          *datatype.DateTime `sortable:"true"`
+	ExpirationEmailSent bool
+
+	UserID string
+	User   User
+}
--- a/backend/internal/model/app_config.go
+++ b/backend/internal/model/app_config.go
@@ -1,47 +1,189 @@
 package model

+import (
+	"errors"
+	"fmt"
+	"reflect"
+	"strconv"
+	"strings"
+	"time"
+)
+
 type AppConfigVariable struct {
-	Key          string `gorm:"primaryKey;not null"`
-	Type         string
-	IsPublic     bool
-	IsInternal   bool
-	Value        string
-	DefaultValue string
+	Key   string `gorm:"primaryKey;not null"`
+	Value string
+}
+
+// IsTrue returns true if the value is a truthy string, such as "true", "t", "yes", "1", etc.
+func (a *AppConfigVariable) IsTrue() bool {
+	ok, _ := strconv.ParseBool(a.Value)
+	return ok
+}
+
+// AsDurationMinutes returns the value as a time.Duration, interpreting the string as a whole number of minutes.
+func (a *AppConfigVariable) AsDurationMinutes() time.Duration {
+	val, err := strconv.Atoi(a.Value)
+	if err != nil {
+		return 0
+	}
+	return time.Duration(val) * time.Minute
 }

 type AppConfig struct {
 	// General
-	AppName             AppConfigVariable
-	SessionDuration     AppConfigVariable
-	EmailsVerified      AppConfigVariable
-	AllowOwnAccountEdit AppConfigVariable
+	AppName             AppConfigVariable `key:"appName,public"` // Public
+	SessionDuration     AppConfigVariable `key:"sessionDuration"`
+	EmailsVerified      AppConfigVariable `key:"emailsVerified"`
+	DisableAnimations   AppConfigVariable `key:"disableAnimations,public"`   // Public
+	AllowOwnAccountEdit AppConfigVariable `key:"allowOwnAccountEdit,public"` // Public
 	// Internal
-	BackgroundImageType AppConfigVariable
-	LogoLightImageType  AppConfigVariable
-	LogoDarkImageType   AppConfigVariable
+	BackgroundImageType AppConfigVariable `key:"backgroundImageType,internal"` // Internal
+	LogoLightImageType  AppConfigVariable `key:"logoLightImageType,internal"`  // Internal
+	LogoDarkImageType   AppConfigVariable `key:"logoDarkImageType,internal"`   // Internal
 	// Email
-	SmtpHost                      AppConfigVariable
-	SmtpPort                      AppConfigVariable
-	SmtpFrom                      AppConfigVariable
-	SmtpUser                      AppConfigVariable
-	SmtpPassword                  AppConfigVariable
-	SmtpTls                       AppConfigVariable
-	SmtpSkipCertVerify            AppConfigVariable
-	EmailLoginNotificationEnabled AppConfigVariable
-	EmailOneTimeAccessEnabled     AppConfigVariable
+	SmtpHost                                   AppConfigVariable `key:"smtpHost"`
+	SmtpPort                                   AppConfigVariable `key:"smtpPort"`
+	SmtpFrom                                   AppConfigVariable `key:"smtpFrom"`
+	SmtpUser                                   AppConfigVariable `key:"smtpUser"`
+	SmtpPassword                               AppConfigVariable `key:"smtpPassword"`
+	SmtpTls                                    AppConfigVariable `key:"smtpTls"`
+	SmtpSkipCertVerify                         AppConfigVariable `key:"smtpSkipCertVerify"`
+	EmailLoginNotificationEnabled              AppConfigVariable `key:"emailLoginNotificationEnabled"`
+	EmailOneTimeAccessAsUnauthenticatedEnabled AppConfigVariable `key:"emailOneTimeAccessAsUnauthenticatedEnabled,public"` // Public
+	EmailOneTimeAccessAsAdminEnabled           AppConfigVariable `key:"emailOneTimeAccessAsAdminEnabled,public"`           // Public
+	EmailApiKeyExpirationEnabled               AppConfigVariable `key:"emailApiKeyExpirationEnabled"`
 	// LDAP
-	LdapEnabled                        AppConfigVariable
-	LdapUrl                            AppConfigVariable
-	LdapBindDn                         AppConfigVariable
-	LdapBindPassword                   AppConfigVariable
-	LdapBase                           AppConfigVariable
-	LdapSkipCertVerify                 AppConfigVariable
-	LdapAttributeUserUniqueIdentifier  AppConfigVariable
-	LdapAttributeUserUsername          AppConfigVariable
-	LdapAttributeUserEmail             AppConfigVariable
-	LdapAttributeUserFirstName         AppConfigVariable
-	LdapAttributeUserLastName          AppConfigVariable
-	LdapAttributeGroupUniqueIdentifier AppConfigVariable
-	LdapAttributeGroupName             AppConfigVariable
-	LdapAttributeAdminGroup            AppConfigVariable
+	LdapEnabled                        AppConfigVariable `key:"ldapEnabled,public"` // Public
+	LdapUrl                            AppConfigVariable `key:"ldapUrl"`
+	LdapBindDn                         AppConfigVariable `key:"ldapBindDn"`
+	LdapBindPassword                   AppConfigVariable `key:"ldapBindPassword"`
+	LdapBase                           AppConfigVariable `key:"ldapBase"`
+	LdapUserSearchFilter               AppConfigVariable `key:"ldapUserSearchFilter"`
+	LdapUserGroupSearchFilter          AppConfigVariable `key:"ldapUserGroupSearchFilter"`
+	LdapSkipCertVerify                 AppConfigVariable `key:"ldapSkipCertVerify"`
+	LdapAttributeUserUniqueIdentifier  AppConfigVariable `key:"ldapAttributeUserUniqueIdentifier"`
+	LdapAttributeUserUsername          AppConfigVariable `key:"ldapAttributeUserUsername"`
+	LdapAttributeUserEmail             AppConfigVariable `key:"ldapAttributeUserEmail"`
+	LdapAttributeUserFirstName         AppConfigVariable `key:"ldapAttributeUserFirstName"`
+	LdapAttributeUserLastName          AppConfigVariable `key:"ldapAttributeUserLastName"`
+	LdapAttributeUserProfilePicture    AppConfigVariable `key:"ldapAttributeUserProfilePicture"`
+	LdapAttributeGroupMember           AppConfigVariable `key:"ldapAttributeGroupMember"`
+	LdapAttributeGroupUniqueIdentifier AppConfigVariable `key:"ldapAttributeGroupUniqueIdentifier"`
+	LdapAttributeGroupName             AppConfigVariable `key:"ldapAttributeGroupName"`
+	LdapAttributeAdminGroup            AppConfigVariable `key:"ldapAttributeAdminGroup"`
+	LdapSoftDeleteUsers                AppConfigVariable `key:"ldapSoftDeleteUsers"`
+}
+
+func (c *AppConfig) ToAppConfigVariableSlice(showAll bool) []AppConfigVariable {
+	// Use reflection to iterate through all fields
+	cfgValue := reflect.ValueOf(c).Elem()
+	cfgType := cfgValue.Type()
+
+	var res []AppConfigVariable
+
+	for i := range cfgType.NumField() {
+		field := cfgType.Field(i)
+
+		key, attrs, _ := strings.Cut(field.Tag.Get("key"), ",")
+		if key == "" {
+			continue
+		}
+
+		// If we're only showing public variables and this is not public, skip it
+		if !showAll && attrs != "public" {
+			continue
+		}
+
+		fieldValue := cfgValue.Field(i)
+
+		appConfigVariable := AppConfigVariable{
+			Key:   key,
+			Value: fieldValue.FieldByName("Value").String(),
+		}
+
+		res = append(res, appConfigVariable)
+	}
+
+	return res
+}
+
+func (c *AppConfig) FieldByKey(key string) (string, error) {
+	rv := reflect.ValueOf(c).Elem()
+	rt := rv.Type()
+
+	// Find the field in the struct whose "key" tag matches
+	for i := range rt.NumField() {
+		// Grab only the first part of the key, if there's a comma with additional properties
+		tagValue, _, _ := strings.Cut(rt.Field(i).Tag.Get("key"), ",")
+		if tagValue != key {
+			continue
+		}
+
+		valueField := rv.Field(i).FieldByName("Value")
+		return valueField.String(), nil
+	}
+
+	// If we are here, the config key was not found
+	return "", AppConfigKeyNotFoundError{field: key}
+}
+
+func (c *AppConfig) UpdateField(key string, value string, noInternal bool) error {
+	rv := reflect.ValueOf(c).Elem()
+	rt := rv.Type()
+
+	// Find the field in the struct whose "key" tag matches, then update that
+	for i := range rt.NumField() {
+		// Separate the key (before the comma) from any optional attributes after
+		tagValue, attrs, _ := strings.Cut(rt.Field(i).Tag.Get("key"), ",")
+		if tagValue != key {
+			continue
+		}
+
+		// If the field is internal and noInternal is true, we skip that
+		if noInternal && attrs == "internal" {
+			return AppConfigInternalForbiddenError{field: key}
+		}
+
+		valueField := rv.Field(i).FieldByName("Value")
+		if !valueField.CanSet() {
+			return fmt.Errorf("field Value in AppConfigVariable is not settable for config key '%s'", key)
+		}
+
+		// Update the value
+		valueField.SetString(value)
+
+		// Return once updated
+		return nil
+	}
+
+	// If we're here, we have not found the right field to update
+	return AppConfigKeyNotFoundError{field: key}
+}
+
+type AppConfigKeyNotFoundError struct {
+	field string
+}
+
+func (e AppConfigKeyNotFoundError) Error() string {
+	return fmt.Sprintf("cannot find config key '%s'", e.field)
+}
+
+func (e AppConfigKeyNotFoundError) Is(target error) bool {
+	// Ignore the field property when checking if an error is of the type AppConfigKeyNotFoundError
+	x := AppConfigKeyNotFoundError{}
+	return errors.As(target, &x)
+}
+
+type AppConfigInternalForbiddenError struct {
+	field string
+}
+
+func (e AppConfigInternalForbiddenError) Error() string {
+	return fmt.Sprintf("field '%s' is internal and can't be updated", e.field)
+}
+
+func (e AppConfigInternalForbiddenError) Is(target error) bool {
+	// Ignore the field property when checking if an error is of the type AppConfigInternalForbiddenError
+	x := AppConfigInternalForbiddenError{}
+	return errors.As(target, &x)
 }
--- a/backend/internal/model/app_config_test.go
+++ b/backend/internal/model/app_config_test.go
@@ -0,0 +1,129 @@
+// We use model_test here to avoid an import cycle
+package model_test
+
+import (
+	"reflect"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+)
+
+func TestAppConfigVariable_AsMinutesDuration(t *testing.T) {
+	tests := []struct {
+		name            string
+		value           string
+		expected        time.Duration
+		expectedSeconds int
+	}{
+		{
+			name:            "valid positive integer",
+			value:           "60",
+			expected:        60 * time.Minute,
+			expectedSeconds: 3600,
+		},
+		{
+			name:            "valid zero integer",
+			value:           "0",
+			expected:        0,
+			expectedSeconds: 0,
+		},
+		{
+			name:            "negative integer",
+			value:           "-30",
+			expected:        -30 * time.Minute,
+			expectedSeconds: -1800,
+		},
+		{
+			name:            "invalid non-integer",
+			value:           "not-a-number",
+			expected:        0,
+			expectedSeconds: 0,
+		},
+		{
+			name:            "empty string",
+			value:           "",
+			expected:        0,
+			expectedSeconds: 0,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			configVar := model.AppConfigVariable{
+				Value: tt.value,
+			}
+
+			result := configVar.AsDurationMinutes()
+			assert.Equal(t, tt.expected, result)
+			assert.Equal(t, tt.expectedSeconds, int(result.Seconds()))
+		})
+	}
+}
+
+// This test ensures that the model.AppConfig and dto.AppConfigUpdateDto structs match:
+// - They should have the same properties, where the "json" tag of dto.AppConfigUpdateDto should match the "key" tag in model.AppConfig
+// - dto.AppConfigDto should not include "internal" fields from model.AppConfig
+// This test is primarily meant to catch discrepancies between the two structs as fields are added or removed over time
+func TestAppConfigStructMatchesUpdateDto(t *testing.T) {
+	appConfigType := reflect.TypeOf(model.AppConfig{})
+	updateDtoType := reflect.TypeOf(dto.AppConfigUpdateDto{})
+
+	// Process AppConfig fields
+	appConfigFields := make(map[string]string)
+	for i := 0; i < appConfigType.NumField(); i++ {
+		field := appConfigType.Field(i)
+		if field.Tag.Get("key") == "" {
+			// Skip internal fields
+			continue
+		}
+
+		// Extract the key name from the tag (takes the part before any comma)
+		keyTag := field.Tag.Get("key")
+		keyName, _, _ := strings.Cut(keyTag, ",")
+
+		appConfigFields[field.Name] = keyName
+	}
+
+	// Process AppConfigUpdateDto fields
+	dtoFields := make(map[string]string)
+	for i := 0; i < updateDtoType.NumField(); i++ {
+		field := updateDtoType.Field(i)
+
+		// Extract the json name from the tag (takes the part before any binding constraints)
+		jsonTag := field.Tag.Get("json")
+		jsonName, _, _ := strings.Cut(jsonTag, ",")
+
+		dtoFields[jsonName] = field.Name
+	}
+
+	// Verify every AppConfig field has a matching DTO field with the same name
+	for fieldName, keyName := range appConfigFields {
+		if strings.HasSuffix(fieldName, "ImageType") {
+			// Skip internal fields that shouldn't be in the DTO
+			continue
+		}
+
+		// Check if there's a DTO field with a matching JSON tag
+		_, exists := dtoFields[keyName]
+		assert.True(t, exists, "Field %s with key '%s' in AppConfig has no matching field in AppConfigUpdateDto", fieldName, keyName)
+	}
+
+	// Verify every DTO field has a matching AppConfig field
+	for jsonName, fieldName := range dtoFields {
+		// Find a matching field in AppConfig by key tag
+		found := false
+		for _, keyName := range appConfigFields {
+			if keyName == jsonName {
+				found = true
+				break
+			}
+		}
+
+		assert.True(t, found, "Field %s with json tag '%s' in AppConfigUpdateDto has no matching field in AppConfig", fieldName, jsonName)
+	}
+}
--- a/backend/internal/model/audit_log.go
+++ b/backend/internal/model/audit_log.go
@@ -3,7 +3,7 @@ package model
 import (
 	"database/sql/driver"
 	"encoding/json"
-	"errors"
+	"fmt"
 )

 type AuditLog struct {
@@ -14,24 +14,29 @@ type AuditLog struct {
 	Country   string        `sortable:"true"`
 	City      string        `sortable:"true"`
 	UserAgent string        `sortable:"true"`
-	UserID    string
+	Username  string        `gorm:"-"`
 	Data      AuditLogData
+
+	UserID string
+	User   User
 }

-type AuditLogData map[string]string
+type AuditLogData map[string]string //nolint:recvcheck

-type AuditLogEvent string
+type AuditLogEvent string //nolint:recvcheck

 const (
-	AuditLogEventSignIn                   AuditLogEvent = "SIGN_IN"
-	AuditLogEventOneTimeAccessTokenSignIn AuditLogEvent = "TOKEN_SIGN_IN"
-	AuditLogEventClientAuthorization      AuditLogEvent = "CLIENT_AUTHORIZATION"
-	AuditLogEventNewClientAuthorization   AuditLogEvent = "NEW_CLIENT_AUTHORIZATION"
+	AuditLogEventSignIn                     AuditLogEvent = "SIGN_IN"
+	AuditLogEventOneTimeAccessTokenSignIn   AuditLogEvent = "TOKEN_SIGN_IN"
+	AuditLogEventClientAuthorization        AuditLogEvent = "CLIENT_AUTHORIZATION"
+	AuditLogEventNewClientAuthorization     AuditLogEvent = "NEW_CLIENT_AUTHORIZATION"
+	AuditLogEventDeviceCodeAuthorization    AuditLogEvent = "DEVICE_CODE_AUTHORIZATION"
+	AuditLogEventNewDeviceCodeAuthorization AuditLogEvent = "NEW_DEVICE_CODE_AUTHORIZATION"
 )

 // Scan and Value methods for GORM to handle the custom type

-func (e *AuditLogEvent) Scan(value interface{}) error {
+func (e *AuditLogEvent) Scan(value any) error {
 	*e = AuditLogEvent(value.(string))
 	return nil
 }
@@ -40,11 +45,14 @@ func (e AuditLogEvent) Value() (driver.Value, error) {
 	return string(e), nil
 }

-func (d *AuditLogData) Scan(value interface{}) error {
-	if v, ok := value.([]byte); ok {
+func (d *AuditLogData) Scan(value any) error {
+	switch v := value.(type) {
+	case []byte:
 		return json.Unmarshal(v, d)
-	} else {
-		return errors.New("type assertion to []byte failed")
+	case string:
+		return json.Unmarshal([]byte(v), d)
+	default:
+		return fmt.Errorf("unsupported type: %T", value)
 	}
 }

--- a/backend/internal/model/base.go
+++ b/backend/internal/model/base.go
@@ -1,22 +1,23 @@
 package model

 import (
-	"github.com/google/uuid"
-	model "github.com/stonith404/pocket-id/backend/internal/model/types"
-	"gorm.io/gorm"
 	"time"
+
+	"github.com/google/uuid"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"gorm.io/gorm"
 )

 // Base contains common columns for all tables.
 type Base struct {
-	ID        string         `gorm:"primaryKey;not null"`
-	CreatedAt model.DateTime `sortable:"true"`
+	ID        string            `gorm:"primaryKey;not null"`
+	CreatedAt datatype.DateTime `sortable:"true"`
 }

 func (b *Base) BeforeCreate(_ *gorm.DB) (err error) {
 	if b.ID == "" {
 		b.ID = uuid.New().String()
 	}
-	b.CreatedAt = model.DateTime(time.Now())
+	b.CreatedAt = datatype.DateTime(time.Now())
 	return
 }
--- a/backend/internal/model/oidc.go
+++ b/backend/internal/model/oidc.go
@@ -3,8 +3,9 @@ package model
 import (
 	"database/sql/driver"
 	"encoding/json"
-	"errors"
-	datatype "github.com/stonith404/pocket-id/backend/internal/model/types"
+	"fmt"
+
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 	"gorm.io/gorm"
 )

@@ -36,16 +37,32 @@ type OidcAuthorizationCode struct {
 type OidcClient struct {
 	Base

-	Name         string `sortable:"true"`
-	Secret       string
-	CallbackURLs CallbackURLs
-	ImageType    *string
-	HasLogo      bool `gorm:"-"`
-	IsPublic     bool
-	PkceEnabled  bool
+	Name               string `sortable:"true"`
+	Secret             string
+	CallbackURLs       UrlList
+	LogoutCallbackURLs UrlList
+	ImageType          *string
+	HasLogo            bool `gorm:"-"`
+	IsPublic           bool
+	PkceEnabled        bool

-	CreatedByID string
-	CreatedBy   User
+	AllowedUserGroups []UserGroup `gorm:"many2many:oidc_clients_allowed_user_groups;"`
+	CreatedByID       string
+	CreatedBy         User
+}
+
+type OidcRefreshToken struct {
+	Base
+
+	Token     string
+	ExpiresAt datatype.DateTime
+	Scope     string
+
+	UserID string
+	User   User
+
+	ClientID string
+	Client   OidcClient
 }

 func (c *OidcClient) AfterFind(_ *gorm.DB) (err error) {
@@ -54,16 +71,33 @@ func (c *OidcClient) AfterFind(_ *gorm.DB) (err error) {
 	return nil
 }

-type CallbackURLs []string
+type UrlList []string //nolint:recvcheck

-func (cu *CallbackURLs) Scan(value interface{}) error {
-	if v, ok := value.([]byte); ok {
+func (cu *UrlList) Scan(value interface{}) error {
+	switch v := value.(type) {
+	case []byte:
 		return json.Unmarshal(v, cu)
-	} else {
-		return errors.New("type assertion to []byte failed")
+	case string:
+		return json.Unmarshal([]byte(v), cu)
+	default:
+		return fmt.Errorf("unsupported type: %T", value)
 	}
 }

-func (cu CallbackURLs) Value() (driver.Value, error) {
+func (cu UrlList) Value() (driver.Value, error) {
 	return json.Marshal(cu)
 }
+
+type OidcDeviceCode struct {
+	Base
+	DeviceCode   string
+	UserCode     string
+	Scope        string
+	ExpiresAt    datatype.DateTime
+	IsAuthorized bool
+
+	UserID   *string
+	User     User
+	ClientID string
+	Client   OidcClient
+}
--- a/backend/internal/model/types/date_time.go
+++ b/backend/internal/model/types/date_time.go
@@ -2,12 +2,13 @@ package datatype

 import (
 	"database/sql/driver"
-	"github.com/stonith404/pocket-id/backend/internal/common"
 	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
 )

 // DateTime custom type for time.Time to store date as unix timestamp for sqlite and as date for postgres
-type DateTime time.Time
+type DateTime time.Time //nolint:recvcheck

 func (date *DateTime) Scan(value interface{}) (err error) {
 	*date = DateTime(value.(time.Time))
--- a/backend/internal/model/user.go
+++ b/backend/internal/model/user.go
@@ -1,9 +1,12 @@
 package model

 import (
+	"strings"
+
 	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/go-webauthn/webauthn/webauthn"
-	"github.com/stonith404/pocket-id/backend/internal/model/types"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )

 type User struct {
@@ -14,7 +17,9 @@ type User struct {
 	FirstName string `sortable:"true"`
 	LastName  string `sortable:"true"`
 	IsAdmin   bool   `sortable:"true"`
+	Locale    *string
 	LdapID    *string
+	Disabled  bool `sortable:"true"`

 	CustomClaims []CustomClaim
 	UserGroups   []UserGroup `gorm:"many2many:user_groups_users;"`
@@ -62,6 +67,15 @@ func (u User) WebAuthnCredentialDescriptors() (descriptors []protocol.Credential

 func (u User) FullName() string { return u.FirstName + " " + u.LastName }

+func (u User) Initials() string {
+	first := utils.GetFirstCharacter(u.FirstName)
+	last := utils.GetFirstCharacter(u.LastName)
+	if first == "" && last == "" && len(u.Username) >= 2 {
+		return strings.ToUpper(u.Username[:2])
+	}
+	return strings.ToUpper(first + last)
+}
+
 type OneTimeAccessToken struct {
 	Base
 	Token     string
--- a/backend/internal/model/webauthn.go
+++ b/backend/internal/model/webauthn.go
@@ -3,10 +3,11 @@ package model
 import (
 	"database/sql/driver"
 	"encoding/json"
-	"errors"
-	"github.com/go-webauthn/webauthn/protocol"
-	datatype "github.com/stonith404/pocket-id/backend/internal/model/types"
+	"fmt"
 	"time"
+
+	"github.com/go-webauthn/webauthn/protocol"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )

 type WebauthnSession struct {
@@ -44,15 +45,17 @@ type PublicKeyCredentialRequestOptions struct {
 	Timeout   time.Duration
 }

-type AuthenticatorTransportList []protocol.AuthenticatorTransport
+type AuthenticatorTransportList []protocol.AuthenticatorTransport //nolint:recvcheck

 // Scan and Value methods for GORM to handle the custom type
 func (atl *AuthenticatorTransportList) Scan(value interface{}) error {
-
-	if v, ok := value.([]byte); ok {
+	switch v := value.(type) {
+	case []byte:
 		return json.Unmarshal(v, atl)
-	} else {
-		return errors.New("type assertion to []byte failed")
+	case string:
+		return json.Unmarshal([]byte(v), atl)
+	default:
+		return fmt.Errorf("unsupported type: %T", value)
 	}
 }

--- a/backend/internal/service/api_key_service.go
+++ b/backend/internal/service/api_key_service.go
@@ -0,0 +1,165 @@
+package service
+
+import (
+	"context"
+	"errors"
+	"time"
+
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/email"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"gorm.io/gorm"
+	"gorm.io/gorm/clause"
+)
+
+type ApiKeyService struct {
+	db           *gorm.DB
+	emailService *EmailService
+}
+
+func NewApiKeyService(db *gorm.DB, emailService *EmailService) *ApiKeyService {
+	return &ApiKeyService{db: db, emailService: emailService}
+}
+
+func (s *ApiKeyService) ListApiKeys(ctx context.Context, userID string, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.ApiKey, utils.PaginationResponse, error) {
+	query := s.db.
+		WithContext(ctx).
+		Where("user_id = ?", userID).
+		Model(&model.ApiKey{})
+
+	var apiKeys []model.ApiKey
+	pagination, err := utils.PaginateAndSort(sortedPaginationRequest, query, &apiKeys)
+	if err != nil {
+		return nil, utils.PaginationResponse{}, err
+	}
+
+	return apiKeys, pagination, nil
+}
+
+func (s *ApiKeyService) CreateApiKey(ctx context.Context, userID string, input dto.ApiKeyCreateDto) (model.ApiKey, string, error) {
+	// Check if expiration is in the future
+	if !input.ExpiresAt.ToTime().After(time.Now()) {
+		return model.ApiKey{}, "", &common.APIKeyExpirationDateError{}
+	}
+
+	// Generate a secure random API key
+	token, err := utils.GenerateRandomAlphanumericString(32)
+	if err != nil {
+		return model.ApiKey{}, "", err
+	}
+
+	apiKey := model.ApiKey{
+		Name:        input.Name,
+		Key:         utils.CreateSha256Hash(token), // Hash the token for storage
+		Description: &input.Description,
+		ExpiresAt:   datatype.DateTime(input.ExpiresAt),
+		UserID:      userID,
+	}
+
+	err = s.db.
+		WithContext(ctx).
+		Create(&apiKey).
+		Error
+	if err != nil {
+		return model.ApiKey{}, "", err
+	}
+
+	// Return the raw token only once - it cannot be retrieved later
+	return apiKey, token, nil
+}
+
+func (s *ApiKeyService) RevokeApiKey(ctx context.Context, userID, apiKeyID string) error {
+	var apiKey model.ApiKey
+	err := s.db.
+		WithContext(ctx).
+		Where("id = ? AND user_id = ?", apiKeyID, userID).
+		Delete(&apiKey).
+		Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return &common.APIKeyNotFoundError{}
+		}
+		return err
+	}
+
+	return nil
+}
+
+func (s *ApiKeyService) ValidateApiKey(ctx context.Context, apiKey string) (model.User, error) {
+	if apiKey == "" {
+		return model.User{}, &common.NoAPIKeyProvidedError{}
+	}
+
+	now := time.Now()
+	hashedKey := utils.CreateSha256Hash(apiKey)
+
+	var key model.ApiKey
+	err := s.db.
+		WithContext(ctx).
+		Model(&model.ApiKey{}).
+		Clauses(clause.Returning{}).
+		Where("key = ? AND expires_at > ?", hashedKey, datatype.DateTime(now)).
+		Updates(&model.ApiKey{
+			LastUsedAt: utils.Ptr(datatype.DateTime(now)),
+		}).
+		Preload("User").
+		First(&key).
+		Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return model.User{}, &common.InvalidAPIKeyError{}
+		}
+
+		return model.User{}, err
+	}
+
+	return key.User, nil
+}
+
+func (s *ApiKeyService) ListExpiringApiKeys(ctx context.Context, daysAhead int) ([]model.ApiKey, error) {
+	var keys []model.ApiKey
+	now := time.Now()
+	cutoff := now.AddDate(0, 0, daysAhead)
+
+	err := s.db.
+		WithContext(ctx).
+		Preload("User").
+		Where("expires_at > ? AND expires_at <= ? AND expiration_email_sent = ?", datatype.DateTime(now), datatype.DateTime(cutoff), false).
+		Find(&keys).
+		Error
+
+	return keys, err
+}
+
+func (s *ApiKeyService) SendApiKeyExpiringSoonEmail(ctx context.Context, apiKey model.ApiKey) error {
+	user := apiKey.User
+
+	if user.ID == "" {
+		if err := s.db.WithContext(ctx).First(&user, "id = ?", apiKey.UserID).Error; err != nil {
+			return err
+		}
+	}
+
+	err := SendEmail(ctx, s.emailService, email.Address{
+		Name:  user.FullName(),
+		Email: user.Email,
+	}, ApiKeyExpiringSoonTemplate, &ApiKeyExpiringSoonTemplateData{
+		ApiKeyName: apiKey.Name,
+		ExpiresAt:  apiKey.ExpiresAt.ToTime(),
+		Name:       user.FirstName,
+	})
+	if err != nil {
+		return err
+	}
+
+	// Mark the API key as having had an expiration email sent
+	return s.db.WithContext(ctx).
+		Model(&model.ApiKey{}).
+		Where("id = ?", apiKey.ID).
+		Update("expiration_email_sent", true).
+		Error
+}
--- a/backend/internal/service/app_config_service.go
+++ b/backend/internal/service/app_config_service.go
@@ -1,355 +1,426 @@
 package service

 import (
+	"context"
+	"errors"
 	"fmt"
 	"log"
 	"mime/multipart"
 	"os"
 	"reflect"
+	"strings"
+	"sync/atomic"
+	"time"

-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
 	"gorm.io/gorm"
+	"gorm.io/gorm/clause"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )

 type AppConfigService struct {
-	DbConfig *model.AppConfig
+	dbConfig atomic.Pointer[model.AppConfig]
 	db       *gorm.DB
 }

-func NewAppConfigService(db *gorm.DB) *AppConfigService {
+func NewAppConfigService(initCtx context.Context, db *gorm.DB) *AppConfigService {
 	service := &AppConfigService{
-		DbConfig: &defaultDbConfig,
-		db:       db,
+		db: db,
 	}
-	if err := service.InitDbConfig(); err != nil {
+
+	err := service.LoadDbConfig(initCtx)
+	if err != nil {
 		log.Fatalf("Failed to initialize app config service: %v", err)
 	}
+
 	return service
 }

-var defaultDbConfig = model.AppConfig{
-	// General
-	AppName: model.AppConfigVariable{
-		Key:          "appName",
-		Type:         "string",
-		IsPublic:     true,
-		DefaultValue: "Pocket ID",
-	},
-	SessionDuration: model.AppConfigVariable{
-		Key:          "sessionDuration",
-		Type:         "number",
-		DefaultValue: "60",
-	},
-	EmailsVerified: model.AppConfigVariable{
-		Key:          "emailsVerified",
-		Type:         "bool",
-		DefaultValue: "false",
-	},
-	AllowOwnAccountEdit: model.AppConfigVariable{
-		Key:          "allowOwnAccountEdit",
-		Type:         "bool",
-		IsPublic:     true,
-		DefaultValue: "true",
-	},
-	// Internal
-	BackgroundImageType: model.AppConfigVariable{
-		Key:          "backgroundImageType",
-		Type:         "string",
-		IsInternal:   true,
-		DefaultValue: "jpg",
-	},
-	LogoLightImageType: model.AppConfigVariable{
-		Key:          "logoLightImageType",
-		Type:         "string",
-		IsInternal:   true,
-		DefaultValue: "svg",
-	},
-	LogoDarkImageType: model.AppConfigVariable{
-		Key:          "logoDarkImageType",
-		Type:         "string",
-		IsInternal:   true,
-		DefaultValue: "svg",
-	},
-	// Email
-	SmtpHost: model.AppConfigVariable{
-		Key:  "smtpHost",
-		Type: "string",
-	},
-	SmtpPort: model.AppConfigVariable{
-		Key:  "smtpPort",
-		Type: "number",
-	},
-	SmtpFrom: model.AppConfigVariable{
-		Key:  "smtpFrom",
-		Type: "string",
-	},
-	SmtpUser: model.AppConfigVariable{
-		Key:  "smtpUser",
-		Type: "string",
-	},
-	SmtpPassword: model.AppConfigVariable{
-		Key:  "smtpPassword",
-		Type: "string",
-	},
-	SmtpTls: model.AppConfigVariable{
-		Key:          "smtpTls",
-		Type:         "bool",
-		DefaultValue: "true",
-	},
-	SmtpSkipCertVerify: model.AppConfigVariable{
-		Key:          "smtpSkipCertVerify",
-		Type:         "bool",
-		DefaultValue: "false",
-	},
-	EmailLoginNotificationEnabled: model.AppConfigVariable{
-		Key:          "emailLoginNotificationEnabled",
-		Type:         "bool",
-		DefaultValue: "false",
-	},
-	EmailOneTimeAccessEnabled: model.AppConfigVariable{
-		Key:          "emailOneTimeAccessEnabled",
-		Type:         "bool",
-		IsPublic:     true,
-		DefaultValue: "false",
-	},
-	// LDAP
-	LdapEnabled: model.AppConfigVariable{
-		Key:          "ldapEnabled",
-		Type:         "bool",
-		DefaultValue: "false",
-	},
-	LdapUrl: model.AppConfigVariable{
-		Key:  "ldapUrl",
-		Type: "string",
-	},
-	LdapBindDn: model.AppConfigVariable{
-		Key:  "ldapBindDn",
-		Type: "string",
-	},
-	LdapBindPassword: model.AppConfigVariable{
-		Key:  "ldapBindPassword",
-		Type: "string",
-	},
-	LdapBase: model.AppConfigVariable{
-		Key:  "ldapBase",
-		Type: "string",
-	},
-	LdapSkipCertVerify: model.AppConfigVariable{
-		Key:          "ldapSkipCertVerify",
-		Type:         "bool",
-		DefaultValue: "false",
-	},
-	LdapAttributeUserUniqueIdentifier: model.AppConfigVariable{
-		Key:  "ldapAttributeUserUniqueIdentifier",
-		Type: "string",
-	},
-	LdapAttributeUserUsername: model.AppConfigVariable{
-		Key:  "ldapAttributeUserUsername",
-		Type: "string",
-	},
-	LdapAttributeUserEmail: model.AppConfigVariable{
-		Key:  "ldapAttributeUserEmail",
-		Type: "string",
-	},
-	LdapAttributeUserFirstName: model.AppConfigVariable{
-		Key:  "ldapAttributeUserFirstName",
-		Type: "string",
-	},
-	LdapAttributeUserLastName: model.AppConfigVariable{
-		Key:  "ldapAttributeUserLastName",
-		Type: "string",
-	},
-	LdapAttributeGroupUniqueIdentifier: model.AppConfigVariable{
-		Key:  "ldapAttributeGroupUniqueIdentifier",
-		Type: "string",
-	},
-	LdapAttributeGroupName: model.AppConfigVariable{
-		Key:  "ldapAttributeGroupName",
-		Type: "string",
-	},
-	LdapAttributeAdminGroup: model.AppConfigVariable{
-		Key:  "ldapAttributeAdminGroup",
-		Type: "string",
-	},
-}
-
-func (s *AppConfigService) UpdateAppConfig(input dto.AppConfigUpdateDto) ([]model.AppConfigVariable, error) {
-	var savedConfigVariables []model.AppConfigVariable
-
-	tx := s.db.Begin()
-	rt := reflect.ValueOf(input).Type()
-	rv := reflect.ValueOf(input)
-
-	for i := 0; i < rt.NumField(); i++ {
-		field := rt.Field(i)
-		key := field.Tag.Get("json")
-		value := rv.FieldByName(field.Name).String()
-
-		// If the emailEnabled is set to false, disable the emailOneTimeAccessEnabled
-		if key == s.DbConfig.EmailOneTimeAccessEnabled.Key {
-			if rv.FieldByName("EmailEnabled").String() == "false" {
-				value = "false"
-			}
-		}
-
-		var appConfigVariable model.AppConfigVariable
-		if err := tx.First(&appConfigVariable, "key = ? AND is_internal = false", key).Error; err != nil {
-			tx.Rollback()
-			return nil, err
-		}
-
-		appConfigVariable.Value = value
-		if err := tx.Save(&appConfigVariable).Error; err != nil {
-			tx.Rollback()
-			return nil, err
-		}
-
-		savedConfigVariables = append(savedConfigVariables, appConfigVariable)
+// GetDbConfig returns the application configuration.
+// Important: Treat the object as read-only: do not modify its properties directly!
+func (s *AppConfigService) GetDbConfig() *model.AppConfig {
+	v := s.dbConfig.Load()
+	if v == nil {
+		// This indicates a development-time error
+		panic("called GetDbConfig before DbConfig is loaded")
 	}

-	tx.Commit()
+	return v
+}

-	if err := s.LoadDbConfigFromDb(); err != nil {
+func (s *AppConfigService) getDefaultDbConfig() *model.AppConfig {
+	// Values are the default ones
+	return &model.AppConfig{
+		// General
+		AppName:             model.AppConfigVariable{Value: "Pocket ID"},
+		SessionDuration:     model.AppConfigVariable{Value: "60"},
+		EmailsVerified:      model.AppConfigVariable{Value: "false"},
+		DisableAnimations:   model.AppConfigVariable{Value: "false"},
+		AllowOwnAccountEdit: model.AppConfigVariable{Value: "true"},
+		// Internal
+		BackgroundImageType: model.AppConfigVariable{Value: "jpg"},
+		LogoLightImageType:  model.AppConfigVariable{Value: "svg"},
+		LogoDarkImageType:   model.AppConfigVariable{Value: "svg"},
+		// Email
+		SmtpHost:                      model.AppConfigVariable{},
+		SmtpPort:                      model.AppConfigVariable{},
+		SmtpFrom:                      model.AppConfigVariable{},
+		SmtpUser:                      model.AppConfigVariable{},
+		SmtpPassword:                  model.AppConfigVariable{},
+		SmtpTls:                       model.AppConfigVariable{Value: "none"},
+		SmtpSkipCertVerify:            model.AppConfigVariable{Value: "false"},
+		EmailLoginNotificationEnabled: model.AppConfigVariable{Value: "false"},
+		EmailOneTimeAccessAsUnauthenticatedEnabled: model.AppConfigVariable{Value: "false"},
+		EmailOneTimeAccessAsAdminEnabled:           model.AppConfigVariable{Value: "false"},
+		EmailApiKeyExpirationEnabled:               model.AppConfigVariable{Value: "false"},
+		// LDAP
+		LdapEnabled:                        model.AppConfigVariable{Value: "false"},
+		LdapUrl:                            model.AppConfigVariable{},
+		LdapBindDn:                         model.AppConfigVariable{},
+		LdapBindPassword:                   model.AppConfigVariable{},
+		LdapBase:                           model.AppConfigVariable{},
+		LdapUserSearchFilter:               model.AppConfigVariable{Value: "(objectClass=person)"},
+		LdapUserGroupSearchFilter:          model.AppConfigVariable{Value: "(objectClass=groupOfNames)"},
+		LdapSkipCertVerify:                 model.AppConfigVariable{Value: "false"},
+		LdapAttributeUserUniqueIdentifier:  model.AppConfigVariable{},
+		LdapAttributeUserUsername:          model.AppConfigVariable{},
+		LdapAttributeUserEmail:             model.AppConfigVariable{},
+		LdapAttributeUserFirstName:         model.AppConfigVariable{},
+		LdapAttributeUserLastName:          model.AppConfigVariable{},
+		LdapAttributeUserProfilePicture:    model.AppConfigVariable{},
+		LdapAttributeGroupMember:           model.AppConfigVariable{Value: "member"},
+		LdapAttributeGroupUniqueIdentifier: model.AppConfigVariable{},
+		LdapAttributeGroupName:             model.AppConfigVariable{},
+		LdapAttributeAdminGroup:            model.AppConfigVariable{},
+		LdapSoftDeleteUsers:                model.AppConfigVariable{Value: "true"},
+	}
+}
+
+func (s *AppConfigService) updateAppConfigStartTransaction(ctx context.Context) (tx *gorm.DB, err error) {
+	// We start a transaction before doing any work, to ensure that we are the only ones updating the data in the database
+	// This works across multiple processes too
+	tx = s.db.Begin()
+	err = tx.Error
+	if err != nil {
+		return nil, fmt.Errorf("failed to begin database transaction: %w", err)
+	}
+
+	// With SQLite there's nothing else we need to do, because a transaction blocks the entire database
+	// However, with Postgres we need to manually lock the table to prevent others from doing the same
+	switch s.db.Name() {
+	case "postgres":
+		// We do not use "NOWAIT" so this blocks until the database is available, or the context is canceled
+		// Here we use a context with a 10s timeout in case the database is blocked for longer
+		lockCtx, lockCancel := context.WithTimeout(ctx, 10*time.Second)
+		defer lockCancel()
+		err = tx.
+			WithContext(lockCtx).
+			Exec("LOCK TABLE app_config_variables IN ACCESS EXCLUSIVE MODE").
+			Error
+		if err != nil {
+			tx.Rollback()
+			return nil, fmt.Errorf("failed to acquire lock on app_config_variables table: %w", err)
+		}
+	default:
+		// Nothing to do here
+	}
+
+	return tx, nil
+}
+
+func (s *AppConfigService) updateAppConfigUpdateDatabase(ctx context.Context, tx *gorm.DB, dbUpdate *[]model.AppConfigVariable) error {
+	err := tx.
+		WithContext(ctx).
+		Clauses(clause.OnConflict{
+			// Perform an "upsert" if the key already exists, replacing the value
+			Columns:   []clause.Column{{Name: "key"}},
+			DoUpdates: clause.AssignmentColumns([]string{"value"}),
+		}).
+		Create(&dbUpdate).
+		Error
+	if err != nil {
+		return fmt.Errorf("failed to update config in database: %w", err)
+	}
+
+	return nil
+}
+
+func (s *AppConfigService) UpdateAppConfig(ctx context.Context, input dto.AppConfigUpdateDto) ([]model.AppConfigVariable, error) {
+	if common.EnvConfig.UiConfigDisabled {
+		return nil, &common.UiConfigDisabledError{}
+	}
+
+	// Start the transaction
+	tx, err := s.updateAppConfigStartTransaction(ctx)
+	if err != nil {
+		return nil, err
+	}
+	defer func() {
+		tx.Rollback()
+	}()
+
+	// From here onwards, we know we are the only process/goroutine with exclusive access to the config
+	// Re-load the config from the database to be sure we have the correct data
+	cfg, err := s.loadDbConfigInternal(ctx, tx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to reload config from database: %w", err)
+	}
+
+	defaultCfg := s.getDefaultDbConfig()
+
+	// Iterate through all the fields to update
+	// We update the in-memory data (in the cfg struct) and collect values to update in the database
+	rt := reflect.ValueOf(input).Type()
+	rv := reflect.ValueOf(input)
+	dbUpdate := make([]model.AppConfigVariable, 0, rt.NumField())
+	for i := range rt.NumField() {
+		field := rt.Field(i)
+		value := rv.FieldByName(field.Name).String()
+
+		// Get the value of the json tag, taking only what's before the comma
+		key, _, _ := strings.Cut(field.Tag.Get("json"), ",")
+
+		// Update the in-memory config value
+		// If the new value is an empty string, then we set the in-memory value to the default one
+		// Skip values that are internal only and can't be updated
+		if value == "" {
+			// Ignore errors here as we know the key exists
+			defaultValue, _ := defaultCfg.FieldByKey(key)
+			err = cfg.UpdateField(key, defaultValue, true)
+		} else {
+			err = cfg.UpdateField(key, value, true)
+		}
+
+		// If we tried to update an internal field, ignore the error (and do not update in the DB)
+		if errors.Is(err, model.AppConfigInternalForbiddenError{}) {
+			continue
+		} else if err != nil {
+			return nil, fmt.Errorf("failed to update in-memory config for key '%s': %w", key, err)
+		}
+
+		// We always save "value" which can be an empty string
+		dbUpdate = append(dbUpdate, model.AppConfigVariable{
+			Key:   key,
+			Value: value,
+		})
+	}
+
+	// Update the values in the database
+	err = s.updateAppConfigUpdateDatabase(ctx, tx, &dbUpdate)
+	if err != nil {
 		return nil, err
 	}

-	return savedConfigVariables, nil
+	// Commit the changes to the DB, then finally save the updated config in the object
+	err = tx.Commit().Error
+	if err != nil {
+		return nil, fmt.Errorf("failed to commit transaction: %w", err)
+	}
+
+	s.dbConfig.Store(cfg)
+
+	// Return the updated config
+	res := cfg.ToAppConfigVariableSlice(true)
+	return res, nil
 }

-func (s *AppConfigService) UpdateImageType(imageName string, fileType string) error {
-	key := fmt.Sprintf("%sImageType", imageName)
-	err := s.db.Model(&model.AppConfigVariable{}).Where("key = ?", key).Update("value", fileType).Error
+// UpdateAppConfigValues
+func (s *AppConfigService) UpdateAppConfigValues(ctx context.Context, keysAndValues ...string) error {
+	if common.EnvConfig.UiConfigDisabled {
+		return &common.UiConfigDisabledError{}
+	}
+
+	// Count of keysAndValues must be even
+	if len(keysAndValues)%2 != 0 {
+		return errors.New("invalid number of arguments received")
+	}
+
+	// Start the transaction
+	tx, err := s.updateAppConfigStartTransaction(ctx)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		tx.Rollback()
+	}()
+
+	// From here onwards, we know we are the only process/goroutine with exclusive access to the config
+	// Re-load the config from the database to be sure we have the correct data
+	cfg, err := s.loadDbConfigInternal(ctx, tx)
+	if err != nil {
+		return fmt.Errorf("failed to reload config from database: %w", err)
+	}
+
+	defaultCfg := s.getDefaultDbConfig()
+
+	// Iterate through all the fields to update
+	// We update the in-memory data (in the cfg struct) and collect values to update in the database
+	// (Note the += 2, as we are iterating through key-value pairs)
+	dbUpdate := make([]model.AppConfigVariable, 0, len(keysAndValues)/2)
+	for i := 0; i < len(keysAndValues); i += 2 {
+		key := keysAndValues[i]
+		value := keysAndValues[i+1]
+
+		// Ensure that the field is valid
+		// We do this by grabbing the default value
+		var defaultValue string
+		defaultValue, err = defaultCfg.FieldByKey(key)
+		if err != nil {
+			return fmt.Errorf("invalid configuration key '%s': %w", key, err)
+		}
+
+		// Update the in-memory config value
+		// If the new value is an empty string, then we set the in-memory value to the default one
+		// Skip values that are internal only and can't be updated
+		if value == "" {
+			err = cfg.UpdateField(key, defaultValue, false)
+		} else {
+			err = cfg.UpdateField(key, value, false)
+		}
+		if err != nil {
+			return fmt.Errorf("failed to update in-memory config for key '%s': %w", key, err)
+		}
+
+		// We always save "value" which can be an empty string
+		dbUpdate = append(dbUpdate, model.AppConfigVariable{
+			Key:   key,
+			Value: value,
+		})
+	}
+
+	// Update the values in the database
+	err = s.updateAppConfigUpdateDatabase(ctx, tx, &dbUpdate)
 	if err != nil {
 		return err
 	}

-	return s.LoadDbConfigFromDb()
-}
-
-func (s *AppConfigService) ListAppConfig(showAll bool) ([]model.AppConfigVariable, error) {
-	var configuration []model.AppConfigVariable
-	var err error
-
-	if showAll {
-		err = s.db.Find(&configuration).Error
-	} else {
-		err = s.db.Find(&configuration, "is_public = true").Error
-	}
-
+	// Commit the changes to the DB, then finally save the updated config in the object
+	err = tx.Commit().Error
 	if err != nil {
-		return nil, err
+		return fmt.Errorf("failed to commit transaction: %w", err)
 	}

-	// Set the value to the default value if it is empty
-	for i := range configuration {
-		if configuration[i].Value == "" && configuration[i].DefaultValue != "" {
-			configuration[i].Value = configuration[i].DefaultValue
-		}
-	}
+	s.dbConfig.Store(cfg)

-	return configuration, nil
+	return nil
 }

-func (s *AppConfigService) UpdateImage(uploadedFile *multipart.FileHeader, imageName string, oldImageType string) error {
+func (s *AppConfigService) ListAppConfig(showAll bool) []model.AppConfigVariable {
+	return s.GetDbConfig().ToAppConfigVariableSlice(showAll)
+}
+
+func (s *AppConfigService) UpdateImage(ctx context.Context, uploadedFile *multipart.FileHeader, imageName string, oldImageType string) (err error) {
 	fileType := utils.GetFileExtension(uploadedFile.Filename)
 	mimeType := utils.GetImageMimeType(fileType)
 	if mimeType == "" {
 		return &common.FileTypeNotSupportedError{}
 	}

-	// Delete the old image if it has a different file type
+	// Save the updated image
+	imagePath := common.EnvConfig.UploadPath + "/application-images/" + imageName + "." + fileType
+	err = utils.SaveFile(uploadedFile, imagePath)
+	if err != nil {
+		return err
+	}
+
+	// Delete the old image if it has a different file type, then update the type in the database
 	if fileType != oldImageType {
-		oldImagePath := fmt.Sprintf("%s/application-images/%s.%s", common.EnvConfig.UploadPath, imageName, oldImageType)
-		if err := os.Remove(oldImagePath); err != nil {
+		oldImagePath := common.EnvConfig.UploadPath + "/application-images/" + imageName + "." + oldImageType
+		err = os.Remove(oldImagePath)
+		if err != nil {
 			return err
 		}
-	}

-	imagePath := fmt.Sprintf("%s/application-images/%s.%s", common.EnvConfig.UploadPath, imageName, fileType)
-	if err := utils.SaveFile(uploadedFile, imagePath); err != nil {
-		return err
-	}
+		// Update the file type in the database
+		err = s.UpdateAppConfigValues(ctx, imageName+"ImageType", fileType)
+		if err != nil {
+			return err
+		}

-	// Update the file type in the database
-	if err := s.UpdateImageType(imageName, fileType); err != nil {
-		return err
 	}

 	return nil
 }

-// InitDbConfig creates the default configuration values in the database if they do not exist,
-// updates existing configurations if they differ from the default, and deletes any configurations
-// that are not in the default configuration.
-func (s *AppConfigService) InitDbConfig() error {
-	// Reflect to get the underlying value of DbConfig and its default configuration
-	defaultConfigReflectValue := reflect.ValueOf(defaultDbConfig)
-	defaultKeys := make(map[string]struct{})
+// LoadDbConfig loads the configuration values from the database into the DbConfig struct.
+func (s *AppConfigService) LoadDbConfig(ctx context.Context) (err error) {
+	var dest *model.AppConfig

-	// Iterate over the fields of DbConfig
-	for i := 0; i < defaultConfigReflectValue.NumField(); i++ {
-		defaultConfigVar := defaultConfigReflectValue.Field(i).Interface().(model.AppConfigVariable)
+	// If the UI config is disabled, only load from the env
+	if common.EnvConfig.UiConfigDisabled {
+		dest, err = s.loadDbConfigFromEnv()
+	} else {
+		dest, err = s.loadDbConfigInternal(ctx, s.db)
+	}
+	if err != nil {
+		return err
+	}

-		defaultKeys[defaultConfigVar.Key] = struct{}{}
+	// Update the value in the object
+	s.dbConfig.Store(dest)

-		var storedConfigVar model.AppConfigVariable
-		if err := s.db.First(&storedConfigVar, "key = ?", defaultConfigVar.Key).Error; err != nil {
-			// If the configuration does not exist, create it
-			if err := s.db.Create(&defaultConfigVar).Error; err != nil {
-				return err
-			}
+	return nil
+}
+
+func (s *AppConfigService) loadDbConfigFromEnv() (*model.AppConfig, error) {
+	// First, start from the default configuration
+	dest := s.getDefaultDbConfig()
+
+	// Iterate through each field
+	rt := reflect.ValueOf(dest).Elem().Type()
+	rv := reflect.ValueOf(dest).Elem()
+	for i := range rt.NumField() {
+		field := rt.Field(i)
+
+		// Get the value of the key tag, taking only what's before the comma
+		// The env var name is the key converted to SCREAMING_SNAKE_CASE
+		key, _, _ := strings.Cut(field.Tag.Get("key"), ",")
+		envVarName := utils.CamelCaseToScreamingSnakeCase(key)
+
+		// Set the value if it's set
+		value, ok := os.LookupEnv(envVarName)
+		if ok {
+			rv.Field(i).FieldByName("Value").SetString(value)
+		}
+	}
+
+	return dest, nil
+}
+
+func (s *AppConfigService) loadDbConfigInternal(ctx context.Context, tx *gorm.DB) (*model.AppConfig, error) {
+	// First, start from the default configuration
+	dest := s.getDefaultDbConfig()
+
+	// Load all configuration values from the database
+	// This loads all values in a single shot
+	loaded := []model.AppConfigVariable{}
+	queryCtx, queryCancel := context.WithTimeout(ctx, 10*time.Second)
+	defer queryCancel()
+	err := tx.
+		WithContext(queryCtx).
+		Find(&loaded).Error
+	if err != nil {
+		return nil, fmt.Errorf("failed to load configuration from the database: %w", err)
+	}
+
+	// Iterate through all values loaded from the database
+	for _, v := range loaded {
+		// If the value is empty, it means we are using the default value
+		if v.Value == "" {
 			continue
 		}

-		// Update existing configuration if it differs from the default
-		if storedConfigVar.Type != defaultConfigVar.Type || storedConfigVar.IsPublic != defaultConfigVar.IsPublic || storedConfigVar.IsInternal != defaultConfigVar.IsInternal || storedConfigVar.DefaultValue != defaultConfigVar.DefaultValue {
-			storedConfigVar.Type = defaultConfigVar.Type
-			storedConfigVar.IsPublic = defaultConfigVar.IsPublic
-			storedConfigVar.IsInternal = defaultConfigVar.IsInternal
-			storedConfigVar.DefaultValue = defaultConfigVar.DefaultValue
-			if err := s.db.Save(&storedConfigVar).Error; err != nil {
-				return err
-			}
+		// Find the field in the struct whose "key" tag matches, then update that
+		err = dest.UpdateField(v.Key, v.Value, false)
+
+		// We ignore the case of fields that don't exist, as there may be leftover data in the database
+		if err != nil && !errors.Is(err, model.AppConfigKeyNotFoundError{}) {
+			return nil, fmt.Errorf("failed to process config for key '%s': %w", v.Key, err)
 		}
 	}

-	// Delete any configurations not in the default keys
-	var allConfigVars []model.AppConfigVariable
-	if err := s.db.Find(&allConfigVars).Error; err != nil {
-		return err
-	}
-
-	for _, config := range allConfigVars {
-		if _, exists := defaultKeys[config.Key]; !exists {
-			if err := s.db.Delete(&config).Error; err != nil {
-				return err
-			}
-		}
-	}
-	return s.LoadDbConfigFromDb()
-}
-
-// LoadDbConfigFromDb loads the configuration values from the database into the DbConfig struct.
-func (s *AppConfigService) LoadDbConfigFromDb() error {
-	dbConfigReflectValue := reflect.ValueOf(s.DbConfig).Elem()
-
-	for i := 0; i < dbConfigReflectValue.NumField(); i++ {
-		dbConfigField := dbConfigReflectValue.Field(i)
-		currentConfigVar := dbConfigField.Interface().(model.AppConfigVariable)
-		var storedConfigVar model.AppConfigVariable
-		if err := s.db.First(&storedConfigVar, "key = ?", currentConfigVar.Key).Error; err != nil {
-			return err
-		}
-
-		if storedConfigVar.Value == "" && storedConfigVar.DefaultValue != "" {
-			storedConfigVar.Value = storedConfigVar.DefaultValue
-		}
-
-		dbConfigField.Set(reflect.ValueOf(storedConfigVar))
-	}
-
-	return nil
+	return dest, nil
 }
--- a/backend/internal/service/app_config_service_test.go
+++ b/backend/internal/service/app_config_service_test.go
@@ -0,0 +1,523 @@
+package service
+
+import (
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"gorm.io/driver/sqlite"
+	"gorm.io/gorm"
+	"gorm.io/gorm/logger"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"github.com/stretchr/testify/require"
+)
+
+// NewTestAppConfigService is a function used by tests to create AppConfigService objects with pre-defined configuration values
+func NewTestAppConfigService(config *model.AppConfig) *AppConfigService {
+	service := &AppConfigService{
+		dbConfig: atomic.Pointer[model.AppConfig]{},
+	}
+	service.dbConfig.Store(config)
+
+	return service
+}
+
+func TestLoadDbConfig(t *testing.T) {
+	t.Run("empty config table", func(t *testing.T) {
+		db := newAppConfigTestDatabaseForTest(t)
+		service := &AppConfigService{
+			db: db,
+		}
+
+		// Load the config
+		err := service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		// Config should be equal to default config
+		require.Equal(t, service.GetDbConfig(), service.getDefaultDbConfig())
+	})
+
+	t.Run("loads value from config table", func(t *testing.T) {
+		db := newAppConfigTestDatabaseForTest(t)
+
+		// Populate the config table with some initial values
+		err := db.
+			Create([]model.AppConfigVariable{
+				// Should be set to the default value because it's an empty string
+				{Key: "appName", Value: ""},
+				// Overrides default value
+				{Key: "sessionDuration", Value: "5"},
+				// Does not have a default value
+				{Key: "smtpHost", Value: "example"},
+			}).
+			Error
+		require.NoError(t, err)
+
+		// Load the config
+		service := &AppConfigService{
+			db: db,
+		}
+		err = service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		// Values should match expected ones
+		expect := service.getDefaultDbConfig()
+		expect.SessionDuration.Value = "5"
+		expect.SmtpHost.Value = "example"
+		require.Equal(t, service.GetDbConfig(), expect)
+	})
+
+	t.Run("ignores unknown config keys", func(t *testing.T) {
+		db := newAppConfigTestDatabaseForTest(t)
+
+		// Add an entry with a key that doesn't exist in the config struct
+		err := db.Create([]model.AppConfigVariable{
+			{Key: "__nonExistentKey", Value: "some value"},
+			{Key: "appName", Value: "TestApp"}, // This one should still be loaded
+		}).Error
+		require.NoError(t, err)
+
+		service := &AppConfigService{
+			db: db,
+		}
+		// This should not fail, just ignore the unknown key
+		err = service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		config := service.GetDbConfig()
+		require.Equal(t, "TestApp", config.AppName.Value)
+	})
+
+	t.Run("loading config multiple times", func(t *testing.T) {
+		db := newAppConfigTestDatabaseForTest(t)
+
+		// Initial state
+		err := db.Create([]model.AppConfigVariable{
+			{Key: "appName", Value: "InitialApp"},
+		}).Error
+		require.NoError(t, err)
+
+		service := &AppConfigService{
+			db: db,
+		}
+		err = service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+		require.Equal(t, "InitialApp", service.GetDbConfig().AppName.Value)
+
+		// Update the database value
+		err = db.Model(&model.AppConfigVariable{}).
+			Where("key = ?", "appName").
+			Update("value", "UpdatedApp").Error
+		require.NoError(t, err)
+
+		// Load the config again, it should reflect the updated value
+		err = service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+		require.Equal(t, "UpdatedApp", service.GetDbConfig().AppName.Value)
+	})
+
+	t.Run("loads config from env when UiConfigDisabled is true", func(t *testing.T) {
+		// Save the original state and restore it after the test
+		originalUiConfigDisabled := common.EnvConfig.UiConfigDisabled
+		defer func() {
+			common.EnvConfig.UiConfigDisabled = originalUiConfigDisabled
+		}()
+
+		// Set environment variables for testing
+		t.Setenv("APP_NAME", "EnvTest App")
+		t.Setenv("SESSION_DURATION", "45")
+
+		// Enable UiConfigDisabled to load from env
+		common.EnvConfig.UiConfigDisabled = true
+
+		// Create database with config that should be ignored
+		db := newAppConfigTestDatabaseForTest(t)
+		err := db.Create([]model.AppConfigVariable{
+			{Key: "appName", Value: "DB App"},
+			{Key: "sessionDuration", Value: "120"},
+		}).Error
+		require.NoError(t, err)
+
+		service := &AppConfigService{
+			db: db,
+		}
+
+		// Load the config
+		err = service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		// Config should be loaded from env, not DB
+		config := service.GetDbConfig()
+		require.Equal(t, "EnvTest App", config.AppName.Value, "Should load appName from env")
+		require.Equal(t, "45", config.SessionDuration.Value, "Should load sessionDuration from env")
+	})
+
+	t.Run("ignores env vars when UiConfigDisabled is false", func(t *testing.T) {
+		// Save the original state and restore it after the test
+		originalUiConfigDisabled := common.EnvConfig.UiConfigDisabled
+		defer func() {
+			common.EnvConfig.UiConfigDisabled = originalUiConfigDisabled
+		}()
+
+		// Set environment variables that should be ignored
+		t.Setenv("APP_NAME", "EnvTest App")
+		t.Setenv("SESSION_DURATION", "45")
+
+		// Make sure UiConfigDisabled is false to load from DB
+		common.EnvConfig.UiConfigDisabled = false
+
+		// Create database with config values that should take precedence
+		db := newAppConfigTestDatabaseForTest(t)
+		err := db.Create([]model.AppConfigVariable{
+			{Key: "appName", Value: "DB App"},
+			{Key: "sessionDuration", Value: "120"},
+		}).Error
+		require.NoError(t, err)
+
+		service := &AppConfigService{
+			db: db,
+		}
+
+		// Load the config
+		err = service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		// Config should be loaded from DB, not env
+		config := service.GetDbConfig()
+		require.Equal(t, "DB App", config.AppName.Value, "Should load appName from DB, not env")
+		require.Equal(t, "120", config.SessionDuration.Value, "Should load sessionDuration from DB, not env")
+	})
+}
+
+func TestUpdateAppConfigValues(t *testing.T) {
+	t.Run("update single value", func(t *testing.T) {
+		db := newAppConfigTestDatabaseForTest(t)
+
+		// Create a service with default config
+		service := &AppConfigService{
+			db: db,
+		}
+		err := service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		// Update a single config value
+		err = service.UpdateAppConfigValues(t.Context(), "appName", "Test App")
+		require.NoError(t, err)
+
+		// Verify in-memory config was updated
+		config := service.GetDbConfig()
+		require.Equal(t, "Test App", config.AppName.Value)
+
+		// Verify database was updated
+		var dbValue model.AppConfigVariable
+		err = db.Where("key = ?", "appName").First(&dbValue).Error
+		require.NoError(t, err)
+		require.Equal(t, "Test App", dbValue.Value)
+	})
+
+	t.Run("update multiple values", func(t *testing.T) {
+		db := newAppConfigTestDatabaseForTest(t)
+
+		// Create a service with default config
+		service := &AppConfigService{
+			db: db,
+		}
+		err := service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		// Update multiple config values
+		err = service.UpdateAppConfigValues(
+			t.Context(),
+			"appName", "Test App",
+			"sessionDuration", "30",
+			"smtpHost", "mail.example.com",
+		)
+		require.NoError(t, err)
+
+		// Verify in-memory config was updated
+		config := service.GetDbConfig()
+		require.Equal(t, "Test App", config.AppName.Value)
+		require.Equal(t, "30", config.SessionDuration.Value)
+		require.Equal(t, "mail.example.com", config.SmtpHost.Value)
+
+		// Verify database was updated
+		var count int64
+		db.Model(&model.AppConfigVariable{}).Count(&count)
+		require.Equal(t, int64(3), count)
+
+		var appName, sessionDuration, smtpHost model.AppConfigVariable
+		err = db.Where("key = ?", "appName").First(&appName).Error
+		require.NoError(t, err)
+		require.Equal(t, "Test App", appName.Value)
+
+		err = db.Where("key = ?", "sessionDuration").First(&sessionDuration).Error
+		require.NoError(t, err)
+		require.Equal(t, "30", sessionDuration.Value)
+
+		err = db.Where("key = ?", "smtpHost").First(&smtpHost).Error
+		require.NoError(t, err)
+		require.Equal(t, "mail.example.com", smtpHost.Value)
+	})
+
+	t.Run("empty value resets to default", func(t *testing.T) {
+		db := newAppConfigTestDatabaseForTest(t)
+
+		// Create a service with default config
+		service := &AppConfigService{
+			db: db,
+		}
+		err := service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		// First change the value
+		err = service.UpdateAppConfigValues(t.Context(), "sessionDuration", "30")
+		require.NoError(t, err)
+		require.Equal(t, "30", service.GetDbConfig().SessionDuration.Value)
+
+		// Now set it to empty which should use default value
+		err = service.UpdateAppConfigValues(t.Context(), "sessionDuration", "")
+		require.NoError(t, err)
+		require.Equal(t, "60", service.GetDbConfig().SessionDuration.Value) // Default value from getDefaultDbConfig
+	})
+
+	t.Run("error with odd number of arguments", func(t *testing.T) {
+		db := newAppConfigTestDatabaseForTest(t)
+
+		// Create a service with default config
+		service := &AppConfigService{
+			db: db,
+		}
+		err := service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		// Try to update with odd number of arguments
+		err = service.UpdateAppConfigValues(t.Context(), "appName", "Test App", "sessionDuration")
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "invalid number of arguments")
+	})
+
+	t.Run("error with invalid key", func(t *testing.T) {
+		db := newAppConfigTestDatabaseForTest(t)
+
+		// Create a service with default config
+		service := &AppConfigService{
+			db: db,
+		}
+		err := service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		// Try to update with invalid key
+		err = service.UpdateAppConfigValues(t.Context(), "nonExistentKey", "some value")
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "invalid configuration key")
+	})
+}
+
+func TestUpdateAppConfig(t *testing.T) {
+	t.Run("updates configuration values from DTO", func(t *testing.T) {
+		db := newAppConfigTestDatabaseForTest(t)
+
+		// Create a service with default config
+		service := &AppConfigService{
+			db: db,
+		}
+		err := service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		// Create update DTO
+		input := dto.AppConfigUpdateDto{
+			AppName:         "Updated App Name",
+			SessionDuration: "120",
+			SmtpHost:        "smtp.example.com",
+			SmtpPort:        "587",
+		}
+
+		// Update config
+		updatedVars, err := service.UpdateAppConfig(t.Context(), input)
+		require.NoError(t, err)
+
+		// Verify returned updated variables
+		require.NotEmpty(t, updatedVars)
+
+		var foundAppName, foundSessionDuration, foundSmtpHost, foundSmtpPort bool
+		for _, v := range updatedVars {
+			switch v.Key {
+			case "appName":
+				require.Equal(t, "Updated App Name", v.Value)
+				foundAppName = true
+			case "sessionDuration":
+				require.Equal(t, "120", v.Value)
+				foundSessionDuration = true
+			case "smtpHost":
+				require.Equal(t, "smtp.example.com", v.Value)
+				foundSmtpHost = true
+			case "smtpPort":
+				require.Equal(t, "587", v.Value)
+				foundSmtpPort = true
+			}
+		}
+		require.True(t, foundAppName)
+		require.True(t, foundSessionDuration)
+		require.True(t, foundSmtpHost)
+		require.True(t, foundSmtpPort)
+
+		// Verify in-memory config was updated
+		config := service.GetDbConfig()
+		require.Equal(t, "Updated App Name", config.AppName.Value)
+		require.Equal(t, "120", config.SessionDuration.Value)
+		require.Equal(t, "smtp.example.com", config.SmtpHost.Value)
+		require.Equal(t, "587", config.SmtpPort.Value)
+
+		// Verify database was updated
+		var appName, sessionDuration, smtpHost, smtpPort model.AppConfigVariable
+		err = db.Where("key = ?", "appName").First(&appName).Error
+		require.NoError(t, err)
+		require.Equal(t, "Updated App Name", appName.Value)
+
+		err = db.Where("key = ?", "sessionDuration").First(&sessionDuration).Error
+		require.NoError(t, err)
+		require.Equal(t, "120", sessionDuration.Value)
+
+		err = db.Where("key = ?", "smtpHost").First(&smtpHost).Error
+		require.NoError(t, err)
+		require.Equal(t, "smtp.example.com", smtpHost.Value)
+
+		err = db.Where("key = ?", "smtpPort").First(&smtpPort).Error
+		require.NoError(t, err)
+		require.Equal(t, "587", smtpPort.Value)
+	})
+
+	t.Run("empty values reset to defaults", func(t *testing.T) {
+		db := newAppConfigTestDatabaseForTest(t)
+
+		// Create a service with default config and modify some values
+		service := &AppConfigService{
+			db: db,
+		}
+		err := service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		// First set some non-default values
+		err = service.UpdateAppConfigValues(t.Context(),
+			"appName", "Custom App",
+			"sessionDuration", "120",
+		)
+		require.NoError(t, err)
+
+		// Create update DTO with empty values to reset to defaults
+		input := dto.AppConfigUpdateDto{
+			AppName:         "", // Should reset to default "Pocket ID"
+			SessionDuration: "", // Should reset to default "60"
+		}
+
+		// Update config
+		updatedVars, err := service.UpdateAppConfig(t.Context(), input)
+		require.NoError(t, err)
+
+		// Verify returned updated variables (they should be empty strings in DB)
+		var foundAppName, foundSessionDuration bool
+		for _, v := range updatedVars {
+			switch v.Key {
+			case "appName":
+				require.Equal(t, "Pocket ID", v.Value) // Returns the default value
+				foundAppName = true
+			case "sessionDuration":
+				require.Equal(t, "60", v.Value) // Returns the default value
+				foundSessionDuration = true
+			}
+		}
+		require.True(t, foundAppName)
+		require.True(t, foundSessionDuration)
+
+		// Verify in-memory config was reset to defaults
+		config := service.GetDbConfig()
+		require.Equal(t, "Pocket ID", config.AppName.Value)  // Default value
+		require.Equal(t, "60", config.SessionDuration.Value) // Default value
+
+		// Verify database was updated with empty values
+		for _, key := range []string{"appName", "sessionDuration"} {
+			var loaded model.AppConfigVariable
+			err = db.Where("key = ?", key).First(&loaded).Error
+			require.NoErrorf(t, err, "Failed to load DB value for key '%s'", key)
+			require.Emptyf(t, loaded.Value, "Loaded value for key '%s' is not empty", key)
+		}
+	})
+
+	t.Run("cannot update when UiConfigDisabled is true", func(t *testing.T) {
+		// Save the original state and restore it after the test
+		originalUiConfigDisabled := common.EnvConfig.UiConfigDisabled
+		defer func() {
+			common.EnvConfig.UiConfigDisabled = originalUiConfigDisabled
+		}()
+
+		// Disable UI config
+		common.EnvConfig.UiConfigDisabled = true
+
+		db := newAppConfigTestDatabaseForTest(t)
+		service := &AppConfigService{
+			db: db,
+		}
+		err := service.LoadDbConfig(t.Context())
+		require.NoError(t, err)
+
+		// Try to update config
+		_, err = service.UpdateAppConfig(t.Context(), dto.AppConfigUpdateDto{
+			AppName: "Should Not Update",
+		})
+
+		// Should get a UiConfigDisabledError
+		require.Error(t, err)
+		var uiConfigDisabledErr *common.UiConfigDisabledError
+		require.ErrorAs(t, err, &uiConfigDisabledErr)
+	})
+}
+
+// Implements gorm's logger.Writer interface
+type testLoggerAdapter struct {
+	t *testing.T
+}
+
+func (l testLoggerAdapter) Printf(format string, args ...any) {
+	l.t.Logf(format, args...)
+}
+
+func newAppConfigTestDatabaseForTest(t *testing.T) *gorm.DB {
+	t.Helper()
+
+	// Get a name for this in-memory database that is specific to the test
+	dbName := utils.CreateSha256Hash(t.Name())
+
+	// Connect to a new in-memory SQL database
+	db, err := gorm.Open(
+		sqlite.Open("file:"+dbName+"?mode=memory&cache=shared"),
+		&gorm.Config{
+			TranslateError: true,
+			Logger: logger.New(
+				testLoggerAdapter{t: t},
+				logger.Config{
+					SlowThreshold:             200 * time.Millisecond,
+					LogLevel:                  logger.Info,
+					IgnoreRecordNotFoundError: false,
+					ParameterizedQueries:      false,
+					Colorful:                  false,
+				},
+			),
+		})
+	require.NoError(t, err, "Failed to connect to test database")
+
+	// Create the app_config_variables table
+	err = db.Exec(`
+CREATE TABLE app_config_variables
+(
+    key           VARCHAR(100) NOT NULL PRIMARY KEY,
+    value         TEXT NOT NULL
+)
+`).Error
+	require.NoError(t, err, "Failed to create test config table")
+
+	return db
+}
--- a/backend/internal/service/audit_log_service.go
+++ b/backend/internal/service/audit_log_service.go
@@ -1,12 +1,16 @@
 package service

 import (
-	userAgentParser "github.com/mileusna/useragent"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
-	"github.com/stonith404/pocket-id/backend/internal/utils/email"
-	"gorm.io/gorm"
+	"context"
+	"fmt"
 	"log"
+
+	userAgentParser "github.com/mileusna/useragent"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/email"
+	"gorm.io/gorm"
 )

 type AuditLogService struct {
@@ -21,10 +25,10 @@ func NewAuditLogService(db *gorm.DB, appConfigService *AppConfigService, emailSe
 }

 // Create creates a new audit log entry in the database
-func (s *AuditLogService) Create(event model.AuditLogEvent, ipAddress, userAgent, userID string, data model.AuditLogData) model.AuditLog {
+func (s *AuditLogService) Create(ctx context.Context, event model.AuditLogEvent, ipAddress, userAgent, userID string, data model.AuditLogData, tx *gorm.DB) model.AuditLog {
 	country, city, err := s.geoliteService.GetLocationByIP(ipAddress)
 	if err != nil {
-		log.Printf("Failed to get IP location: %v\n", err)
+		log.Printf("Failed to get IP location: %v", err)
 	}

 	auditLog := model.AuditLog{
@@ -38,8 +42,12 @@ func (s *AuditLogService) Create(event model.AuditLogEvent, ipAddress, userAgent
 	}

 	// Save the audit log in the database
-	if err := s.db.Create(&auditLog).Error; err != nil {
-		log.Printf("Failed to create audit log: %v\n", err)
+	err = tx.
+		WithContext(ctx).
+		Create(&auditLog).
+		Error
+	if err != nil {
+		log.Printf("Failed to create audit log: %v", err)
 		return model.AuditLog{}
 	}

@@ -47,25 +55,42 @@ func (s *AuditLogService) Create(event model.AuditLogEvent, ipAddress, userAgent
 }

 // CreateNewSignInWithEmail creates a new audit log entry in the database and sends an email if the device hasn't been used before
-func (s *AuditLogService) CreateNewSignInWithEmail(ipAddress, userAgent, userID string) model.AuditLog {
-	createdAuditLog := s.Create(model.AuditLogEventSignIn, ipAddress, userAgent, userID, model.AuditLogData{})
+func (s *AuditLogService) CreateNewSignInWithEmail(ctx context.Context, ipAddress, userAgent, userID string, tx *gorm.DB) model.AuditLog {
+	createdAuditLog := s.Create(ctx, model.AuditLogEventSignIn, ipAddress, userAgent, userID, model.AuditLogData{}, tx)

 	// Count the number of times the user has logged in from the same device
 	var count int64
-	err := s.db.Model(&model.AuditLog{}).Where("user_id = ? AND ip_address = ? AND user_agent = ?", userID, ipAddress, userAgent).Count(&count).Error
+	err := tx.
+		WithContext(ctx).
+		Model(&model.AuditLog{}).
+		Where("user_id = ? AND ip_address = ? AND user_agent = ?", userID, ipAddress, userAgent).
+		Count(&count).
+		Error
 	if err != nil {
 		log.Printf("Failed to count audit logs: %v\n", err)
 		return createdAuditLog
 	}

 	// If the user hasn't logged in from the same device before and email notifications are enabled, send an email
-	if s.appConfigService.DbConfig.EmailLoginNotificationEnabled.Value == "true" && count <= 1 {
+	if s.appConfigService.GetDbConfig().EmailLoginNotificationEnabled.IsTrue() && count <= 1 {
+		// We use a background context here as this is running in a goroutine
+		//nolint:contextcheck
 		go func() {
-			var user model.User
-			s.db.Where("id = ?", userID).First(&user)
+			innerCtx := context.Background()

-			err := SendEmail(s.emailService, email.Address{
-				Name:  user.Username,
+			// Note we don't use the transaction here because this is running in background
+			var user model.User
+			innerErr := s.db.
+				WithContext(innerCtx).
+				Where("id = ?", userID).
+				First(&user).
+				Error
+			if innerErr != nil {
+				log.Printf("Failed to load user: %v", innerErr)
+			}
+
+			innerErr = SendEmail(innerCtx, s.emailService, email.Address{
+				Name:  user.FullName(),
 				Email: user.Email,
 			}, NewLoginTemplate, &NewLoginTemplateData{
 				IPAddress: ipAddress,
@@ -74,8 +99,8 @@ func (s *AuditLogService) CreateNewSignInWithEmail(ipAddress, userAgent, userID
 				Device:    s.DeviceStringFromUserAgent(userAgent),
 				DateTime:  createdAuditLog.CreatedAt.UTC(),
 			})
-			if err != nil {
-				log.Printf("Failed to send email to '%s': %v\n", user.Email, err)
+			if innerErr != nil {
+				log.Printf("Failed to send email to '%s': %v", user.Email, innerErr)
 			}
 		}()
 	}
@@ -84,9 +109,12 @@ func (s *AuditLogService) CreateNewSignInWithEmail(ipAddress, userAgent, userID
 }

 // ListAuditLogsForUser retrieves all audit logs for a given user ID
-func (s *AuditLogService) ListAuditLogsForUser(userID string, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.AuditLog, utils.PaginationResponse, error) {
+func (s *AuditLogService) ListAuditLogsForUser(ctx context.Context, userID string, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.AuditLog, utils.PaginationResponse, error) {
 	var logs []model.AuditLog
-	query := s.db.Model(&model.AuditLog{}).Where("user_id = ?", userID)
+	query := s.db.
+		WithContext(ctx).
+		Model(&model.AuditLog{}).
+		Where("user_id = ?", userID)

 	pagination, err := utils.PaginateAndSort(sortedPaginationRequest, query, &logs)
 	return logs, pagination, err
@@ -96,3 +124,99 @@ func (s *AuditLogService) DeviceStringFromUserAgent(userAgent string) string {
 	ua := userAgentParser.Parse(userAgent)
 	return ua.Name + " on " + ua.OS + " " + ua.OSVersion
 }
+
+func (s *AuditLogService) ListAllAuditLogs(ctx context.Context, sortedPaginationRequest utils.SortedPaginationRequest, filters dto.AuditLogFilterDto) ([]model.AuditLog, utils.PaginationResponse, error) {
+	var logs []model.AuditLog
+
+	query := s.db.
+		WithContext(ctx).
+		Preload("User").
+		Model(&model.AuditLog{})
+
+	if filters.UserID != "" {
+		query = query.Where("user_id = ?", filters.UserID)
+	}
+	if filters.Event != "" {
+		query = query.Where("event = ?", filters.Event)
+	}
+	if filters.ClientName != "" {
+		dialect := s.db.Name()
+		switch dialect {
+		case "sqlite":
+			query = query.Where("json_extract(data, '$.clientName') = ?", filters.ClientName)
+		case "postgres":
+			query = query.Where("data->>'clientName' = ?", filters.ClientName)
+		default:
+			return nil, utils.PaginationResponse{}, fmt.Errorf("unsupported database dialect: %s", dialect)
+		}
+	}
+
+	pagination, err := utils.PaginateAndSort(sortedPaginationRequest, query, &logs)
+	if err != nil {
+		return nil, pagination, err
+	}
+
+	return logs, pagination, nil
+}
+
+func (s *AuditLogService) ListUsernamesWithIds(ctx context.Context) (users map[string]string, err error) {
+	query := s.db.
+		WithContext(ctx).
+		Joins("User").
+		Model(&model.AuditLog{}).
+		Select("DISTINCT \"User\".id, \"User\".username").
+		Where("\"User\".username IS NOT NULL")
+
+	type Result struct {
+		ID       string `gorm:"column:id"`
+		Username string `gorm:"column:username"`
+	}
+
+	var results []Result
+	if err := query.Find(&results).Error; err != nil {
+		return nil, fmt.Errorf("failed to query user IDs: %w", err)
+	}
+
+	users = make(map[string]string, len(results))
+	for _, result := range results {
+		users[result.ID] = result.Username
+	}
+
+	return users, nil
+}
+
+func (s *AuditLogService) ListClientNames(ctx context.Context) (clientNames []string, err error) {
+	dialect := s.db.Name()
+	query := s.db.
+		WithContext(ctx).
+		Model(&model.AuditLog{})
+
+	switch dialect {
+	case "sqlite":
+		query = query.
+			Select("DISTINCT json_extract(data, '$.clientName') AS client_name").
+			Where("json_extract(data, '$.clientName') IS NOT NULL")
+	case "postgres":
+		query = query.
+			Select("DISTINCT data->>'clientName' AS client_name").
+			Where("data->>'clientName' IS NOT NULL")
+	default:
+		return nil, fmt.Errorf("unsupported database dialect: %s", dialect)
+	}
+
+	type Result struct {
+		ClientName string `gorm:"column:client_name"`
+	}
+
+	var results []Result
+	if err := query.Find(&results).Error; err != nil {
+		return nil, fmt.Errorf("failed to query client IDs: %w", err)
+	}
+
+	clientNames = make([]string, len(results))
+	for i, result := range results {
+		clientNames[i] = result.ClientName
+	}
+
+	return clientNames, nil
+}
--- a/backend/internal/service/custom_claim_service.go
+++ b/backend/internal/service/custom_claim_service.go
@@ -1,34 +1,14 @@
 package service

 import (
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/model"
+	"context"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
 	"gorm.io/gorm"
 )

-// Reserved claims
-var reservedClaims = map[string]struct{}{
-	"given_name":         {},
-	"family_name":        {},
-	"name":               {},
-	"email":              {},
-	"preferred_username": {},
-	"groups":             {},
-	"sub":                {},
-	"iss":                {},
-	"aud":                {},
-	"exp":                {},
-	"iat":                {},
-	"auth_time":          {},
-	"nonce":              {},
-	"acr":                {},
-	"amr":                {},
-	"azp":                {},
-	"nbf":                {},
-	"jti":                {},
-}
-
 type CustomClaimService struct {
 	db *gorm.DB
 }
@@ -39,8 +19,30 @@ func NewCustomClaimService(db *gorm.DB) *CustomClaimService {

 // isReservedClaim checks if a claim key is reserved e.g. email, preferred_username
 func isReservedClaim(key string) bool {
-	_, ok := reservedClaims[key]
-	return ok
+	switch key {
+	case "given_name",
+		"family_name",
+		"name",
+		"email",
+		"preferred_username",
+		"groups",
+		TokenTypeClaim,
+		"sub",
+		"iss",
+		"aud",
+		"exp",
+		"iat",
+		"auth_time",
+		"nonce",
+		"acr",
+		"amr",
+		"azp",
+		"nbf",
+		"jti":
+		return true
+	default:
+		return false
+	}
 }

 // idType is the type of the id used to identify the user or user group
@@ -52,28 +54,37 @@ const (
 )

 // UpdateCustomClaimsForUser updates the custom claims for a user
-func (s *CustomClaimService) UpdateCustomClaimsForUser(userID string, claims []dto.CustomClaimCreateDto) ([]model.CustomClaim, error) {
-	return s.updateCustomClaims(UserID, userID, claims)
+func (s *CustomClaimService) UpdateCustomClaimsForUser(ctx context.Context, userID string, claims []dto.CustomClaimCreateDto) ([]model.CustomClaim, error) {
+	return s.updateCustomClaims(ctx, UserID, userID, claims)
 }

 // UpdateCustomClaimsForUserGroup updates the custom claims for a user group
-func (s *CustomClaimService) UpdateCustomClaimsForUserGroup(userGroupID string, claims []dto.CustomClaimCreateDto) ([]model.CustomClaim, error) {
-	return s.updateCustomClaims(UserGroupID, userGroupID, claims)
+func (s *CustomClaimService) UpdateCustomClaimsForUserGroup(ctx context.Context, userGroupID string, claims []dto.CustomClaimCreateDto) ([]model.CustomClaim, error) {
+	return s.updateCustomClaims(ctx, UserGroupID, userGroupID, claims)
 }

 // updateCustomClaims updates the custom claims for a user or user group
-func (s *CustomClaimService) updateCustomClaims(idType idType, value string, claims []dto.CustomClaimCreateDto) ([]model.CustomClaim, error) {
+func (s *CustomClaimService) updateCustomClaims(ctx context.Context, idType idType, value string, claims []dto.CustomClaimCreateDto) ([]model.CustomClaim, error) {
 	// Check for duplicate keys in the claims slice
-	seenKeys := make(map[string]bool)
+	seenKeys := make(map[string]struct{})
 	for _, claim := range claims {
-		if seenKeys[claim.Key] {
+		if _, ok := seenKeys[claim.Key]; ok {
 			return nil, &common.DuplicateClaimError{Key: claim.Key}
 		}
-		seenKeys[claim.Key] = true
+		seenKeys[claim.Key] = struct{}{}
 	}

+	tx := s.db.Begin()
+	defer func() {
+		tx.Rollback()
+	}()
+
 	var existingClaims []model.CustomClaim
-	err := s.db.Where(string(idType), value).Find(&existingClaims).Error
+	err := tx.
+		WithContext(ctx).
+		Where(string(idType), value).
+		Find(&existingClaims).
+		Error
 	if err != nil {
 		return nil, err
 	}
@@ -87,8 +98,12 @@ func (s *CustomClaimService) updateCustomClaims(idType idType, value string, cla
 				break
 			}
 		}
+
 		if !found {
-			err = s.db.Delete(&existingClaim).Error
+			err = tx.
+				WithContext(ctx).
+				Delete(&existingClaim).
+				Error
 			if err != nil {
 				return nil, err
 			}
@@ -105,14 +120,20 @@ func (s *CustomClaimService) updateCustomClaims(idType idType, value string, cla
 			Value: claim.Value,
 		}

-		if idType == UserID {
+		switch idType {
+		case UserID:
 			customClaim.UserID = &value
-		} else if idType == UserGroupID {
+		case UserGroupID:
 			customClaim.UserGroupID = &value
 		}

 		// Update the claim if it already exists or create a new one
-		err = s.db.Where(string(idType)+" = ? AND key = ?", value, claim.Key).Assign(&customClaim).FirstOrCreate(&model.CustomClaim{}).Error
+		err = tx.
+			WithContext(ctx).
+			Where(string(idType)+" = ? AND key = ?", value, claim.Key).
+			Assign(&customClaim).
+			FirstOrCreate(&model.CustomClaim{}).
+			Error
 		if err != nil {
 			return nil, err
 		}
@@ -120,7 +141,16 @@ func (s *CustomClaimService) updateCustomClaims(idType idType, value string, cla

 	// Get the updated claims
 	var updatedClaims []model.CustomClaim
-	err = s.db.Where(string(idType)+" = ?", value).Find(&updatedClaims).Error
+	err = tx.
+		WithContext(ctx).
+		Where(string(idType)+" = ?", value).
+		Find(&updatedClaims).
+		Error
+	if err != nil {
+		return nil, err
+	}
+
+	err = tx.Commit().Error
 	if err != nil {
 		return nil, err
 	}
@@ -128,23 +158,31 @@ func (s *CustomClaimService) updateCustomClaims(idType idType, value string, cla
 	return updatedClaims, nil
 }

-func (s *CustomClaimService) GetCustomClaimsForUser(userID string) ([]model.CustomClaim, error) {
+func (s *CustomClaimService) GetCustomClaimsForUser(ctx context.Context, userID string, tx *gorm.DB) ([]model.CustomClaim, error) {
 	var customClaims []model.CustomClaim
-	err := s.db.Where("user_id = ?", userID).Find(&customClaims).Error
+	err := tx.
+		WithContext(ctx).
+		Where("user_id = ?", userID).
+		Find(&customClaims).
+		Error
 	return customClaims, err
 }

-func (s *CustomClaimService) GetCustomClaimsForUserGroup(userGroupID string) ([]model.CustomClaim, error) {
+func (s *CustomClaimService) GetCustomClaimsForUserGroup(ctx context.Context, userGroupID string, tx *gorm.DB) ([]model.CustomClaim, error) {
 	var customClaims []model.CustomClaim
-	err := s.db.Where("user_group_id = ?", userGroupID).Find(&customClaims).Error
+	err := tx.
+		WithContext(ctx).
+		Where("user_group_id = ?", userGroupID).
+		Find(&customClaims).
+		Error
 	return customClaims, err
 }

 // GetCustomClaimsForUserWithUserGroups returns the custom claims of a user and all user groups the user is a member of,
 // prioritizing the user's claims over user group claims with the same key.
-func (s *CustomClaimService) GetCustomClaimsForUserWithUserGroups(userID string) ([]model.CustomClaim, error) {
+func (s *CustomClaimService) GetCustomClaimsForUserWithUserGroups(ctx context.Context, userID string, tx *gorm.DB) ([]model.CustomClaim, error) {
 	// Get the custom claims of the user
-	customClaims, err := s.GetCustomClaimsForUser(userID)
+	customClaims, err := s.GetCustomClaimsForUser(ctx, userID, tx)
 	if err != nil {
 		return nil, err
 	}
@@ -157,7 +195,9 @@ func (s *CustomClaimService) GetCustomClaimsForUserWithUserGroups(userID string)

 	// Get all user groups of the user
 	var userGroupsOfUser []model.UserGroup
-	err = s.db.Preload("CustomClaims").
+	err = tx.
+		WithContext(ctx).
+		Preload("CustomClaims").
 		Joins("JOIN user_groups_users ON user_groups_users.user_group_id = user_groups.id").
 		Where("user_groups_users.user_id = ?", userID).
 		Find(&userGroupsOfUser).Error
@@ -185,10 +225,12 @@ func (s *CustomClaimService) GetCustomClaimsForUserWithUserGroups(userID string)
 }

 // GetSuggestions returns a list of custom claim keys that have been used before
-func (s *CustomClaimService) GetSuggestions() ([]string, error) {
+func (s *CustomClaimService) GetSuggestions(ctx context.Context) ([]string, error) {
 	var customClaimsKeys []string

-	err := s.db.Model(&model.CustomClaim{}).
+	err := s.db.
+		WithContext(ctx).
+		Model(&model.CustomClaim{}).
 		Group("key").
 		Order("COUNT(*) DESC").
 		Pluck("key", &customClaimsKeys).Error
--- a/backend/internal/service/e2etest_service.go
+++ b/backend/internal/service/e2etest_service.go
@@ -1,36 +1,44 @@
+//go:build e2etest
+
 package service

 import (
+	"context"
 	"crypto/ecdsa"
 	"crypto/x509"
 	"encoding/base64"
 	"fmt"
-	"github.com/fxamacker/cbor/v2"
-	"github.com/stonith404/pocket-id/backend/internal/model/types"
-	"github.com/stonith404/pocket-id/backend/resources"
 	"log"
 	"os"
 	"path/filepath"
 	"time"

+	"github.com/fxamacker/cbor/v2"
 	"github.com/go-webauthn/webauthn/protocol"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"github.com/lestrrat-go/jwx/v3/jwk"
 	"gorm.io/gorm"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	"github.com/pocket-id/pocket-id/backend/resources"
 )

 type TestService struct {
 	db               *gorm.DB
+	jwtService       *JwtService
 	appConfigService *AppConfigService
+	ldapService      *LdapService
 }

-func NewTestService(db *gorm.DB, appConfigService *AppConfigService) *TestService {
-	return &TestService{db: db, appConfigService: appConfigService}
+func NewTestService(db *gorm.DB, appConfigService *AppConfigService, jwtService *JwtService, ldapService *LdapService) *TestService {
+	return &TestService{db: db, appConfigService: appConfigService, jwtService: jwtService, ldapService: ldapService}
 }

+//nolint:gocognit
 func (s *TestService) SeedDatabase() error {
-	return s.db.Transaction(func(tx *gorm.DB) error {
+	err := s.db.Transaction(func(tx *gorm.DB) error {
 		users := []model.User{
 			{
 				Base: model.Base{
@@ -111,11 +119,12 @@ func (s *TestService) SeedDatabase() error {
 				Base: model.Base{
 					ID: "3654a746-35d4-4321-ac61-0bdcff2b4055",
 				},
-				Name:         "Nextcloud",
-				Secret:       "$2a$10$9dypwot8nGuCjT6wQWWpJOckZfRprhe2EkwpKizxS/fpVHrOLEJHC", // w2mUeZISmEvIDMEDvpY0PnxQIpj1m3zY
-				CallbackURLs: model.CallbackURLs{"http://nextcloud/auth/callback"},
-				ImageType:    utils.StringPointer("png"),
-				CreatedByID:  users[0].ID,
+				Name:               "Nextcloud",
+				Secret:             "$2a$10$9dypwot8nGuCjT6wQWWpJOckZfRprhe2EkwpKizxS/fpVHrOLEJHC", // w2mUeZISmEvIDMEDvpY0PnxQIpj1m3zY
+				CallbackURLs:       model.UrlList{"http://nextcloud/auth/callback"},
+				LogoutCallbackURLs: model.UrlList{"http://nextcloud/auth/logout/callback"},
+				ImageType:          utils.StringPointer("png"),
+				CreatedByID:        users[0].ID,
 			},
 			{
 				Base: model.Base{
@@ -123,8 +132,11 @@ func (s *TestService) SeedDatabase() error {
 				},
 				Name:         "Immich",
 				Secret:       "$2a$10$Ak.FP8riD1ssy2AGGbG.gOpnp/rBpymd74j0nxNMtW0GG1Lb4gzxe", // PYjrE9u4v9GVqXKi52eur0eb2Ci4kc0x
-				CallbackURLs: model.CallbackURLs{"http://immich/auth/callback"},
-				CreatedByID:  users[0].ID,
+				CallbackURLs: model.UrlList{"http://immich/auth/callback"},
+				CreatedByID:  users[1].ID,
+				AllowedUserGroups: []model.UserGroup{
+					userGroups[1],
+				},
 			},
 		}
 		for _, client := range oidcClients {
@@ -145,6 +157,17 @@ func (s *TestService) SeedDatabase() error {
 			return err
 		}

+		refreshToken := model.OidcRefreshToken{
+			Token:     utils.CreateSha256Hash("ou87UDg249r1StBLYkMEqy9TXDbV5HmGuDpMcZDo"),
+			ExpiresAt: datatype.DateTime(time.Now().Add(24 * time.Hour)),
+			Scope:     "openid profile email",
+			UserID:    users[0].ID,
+			ClientID:  oidcClients[0].ID,
+		}
+		if err := tx.Create(&refreshToken).Error; err != nil {
+			return err
+		}
+
 		accessToken := model.OneTimeAccessToken{
 			Token:     "one-time-token",
 			ExpiresAt: datatype.DateTime(time.Now().Add(1 * time.Hour)),
@@ -163,27 +186,28 @@ func (s *TestService) SeedDatabase() error {
 			return err
 		}

-		publicKey1, err := s.getCborPublicKey("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwcOo5KV169KR67QEHrcYkeXE3CCxv2BgwnSq4VYTQxyLtdmKxegexa8JdwFKhKXa2BMI9xaN15BoL6wSCRFJhg==")
-		publicKey2, err := s.getCborPublicKey("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESq/wR8QbBu3dKnpaw/v0mDxFFDwnJ/L5XHSg2tAmq5x1BpSMmIr3+DxCbybVvGRmWGh8kKhy7SMnK91M6rFHTA==")
-		if err != nil {
-			return err
-		}
+		// To generate a new key pair, run the following command:
+		// openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 | \
+		// openssl pkcs8 -topk8 -nocrypt | tee >(openssl pkey -pubout)
+
+		publicKeyPasskey1, _ := s.getCborPublicKey("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwcOo5KV169KR67QEHrcYkeXE3CCxv2BgwnSq4VYTQxyLtdmKxegexa8JdwFKhKXa2BMI9xaN15BoL6wSCRFJhg==")
+		publicKeyPasskey2, _ := s.getCborPublicKey("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEj4qA0PrZzg8Co1C27nyUbzrp8Ewjr7eOlGI2LfrzmbL5nPhZRAdJ3hEaqrHMSnJBhfMqtQGKwDYpaLIQFAKLhw==")
 		webauthnCredentials := []model.WebauthnCredential{
 			{
 				Name:            "Passkey 1",
-				CredentialID:    []byte("test-credential-1"),
-				PublicKey:       publicKey1,
+				CredentialID:    []byte("test-credential-tim"),
+				PublicKey:       publicKeyPasskey1,
 				AttestationType: "none",
 				Transport:       model.AuthenticatorTransportList{protocol.Internal},
 				UserID:          users[0].ID,
 			},
 			{
 				Name:            "Passkey 2",
-				CredentialID:    []byte("test-credential-2"),
-				PublicKey:       publicKey2,
+				CredentialID:    []byte("test-credential-craig"),
+				PublicKey:       publicKeyPasskey2,
 				AttestationType: "none",
 				Transport:       model.AuthenticatorTransportList{protocol.Internal},
-				UserID:          users[0].ID,
+				UserID:          users[1].ID,
 			},
 		}
 		for _, credential := range webauthnCredentials {
@@ -201,8 +225,26 @@ func (s *TestService) SeedDatabase() error {
 			return err
 		}

+		apiKey := model.ApiKey{
+			Base: model.Base{
+				ID: "5f1fa856-c164-4295-961e-175a0d22d725",
+			},
+			Name:   "Test API Key",
+			Key:    "6c34966f57ef2bb7857649aff0e7ab3ad67af93c846342ced3f5a07be8706c20",
+			UserID: users[0].ID,
+		}
+		if err := tx.Create(&apiKey).Error; err != nil {
+			return err
+		}
+
 		return nil
 	})
+
+	if err != nil {
+		return err
+	}
+
+	return nil
 }

 func (s *TestService) ResetDatabase() error {
@@ -265,19 +307,22 @@ func (s *TestService) ResetApplicationImages() error {
 	return nil
 }

-func (s *TestService) ResetAppConfig() error {
-	// Reseed the config variables
-	if err := s.appConfigService.InitDbConfig(); err != nil {
-		return err
-	}
-
-	// Reset all app config variables to their default values
-	if err := s.db.Session(&gorm.Session{AllowGlobalUpdate: true}).Model(&model.AppConfigVariable{}).Update("value", "").Error; err != nil {
+func (s *TestService) ResetAppConfig(ctx context.Context) error {
+	// Reset all app config variables to their default values in the database
+	err := s.db.Session(&gorm.Session{AllowGlobalUpdate: true}).Model(&model.AppConfigVariable{}).Update("value", "").Error
+	if err != nil {
 		return err
 	}

 	// Reload the app config from the database after resetting the values
-	return s.appConfigService.LoadDbConfigFromDb()
+	return s.appConfigService.LoadDbConfig(ctx)
+}
+
+func (s *TestService) SetJWTKeys() {
+	const privateKeyString = `{"alg":"RS256","d":"mvMDWSdPPvcum0c0iEHE2gbqtV2NKMmLwrl9E6K7g8lTV95SePLnW_bwyMPV7EGp7PQk3l17I5XRhFjze7GqTnFIOgKzMianPs7jv2ELtBMGK0xOPATgu1iGb70xZ6vcvuEfRyY3dJ0zr4jpUdVuXwKmx9rK4IdZn2dFCKfvSuspqIpz11RhF1ALrqDLkxGVv7ZwNh0_VhJZU9hcjG5l6xc7rQEKpPRkZp0IdjkGS8Z0FskoVaiRIWAbZuiVFB9WCW8k1czC4HQTPLpII01bUQx2ludbm0UlXRgVU9ptUUbU7GAImQqTOW8LfPGklEvcgzlIlR_oqw4P9yBxLi-yMQ","dp":"pvNCSnnhbo8Igw9psPR-DicxFnkXlu_ix4gpy6efTrxA-z1VDFDioJ814vKQNioYDzpyAP1gfMPhRkvG_q0hRZsJah3Sb9dfA-WkhSWY7lURQP4yIBTMU0PF_rEATuS7lRciYk1SOx5fqXZd3m_LP0vpBC4Ujlq6NAq6CIjCnms","dq":"TtUVGCCkPNgfOLmkYXu7dxxUCV5kB01-xAEK2OY0n0pG8vfDophH4_D_ZC7nvJ8J9uDhs_3JStexq1lIvaWtG99RNTChIEDzpdn6GH9yaVcb_eB4uJjrNm64FhF8PGCCwxA-xMCZMaARKwhMB2_IOMkxUbWboL3gnhJ2rDO_QO0","e":"AQAB","kid":"8uHDw3M6rf8","kty":"RSA","n":"yaeEL0VKoPBXIAaWXsUgmu05lAvEIIdJn0FX9lHh4JE5UY9B83C5sCNdhs9iSWzpeP11EVjWp8i3Yv2CF7c7u50BXnVBGtxpZpFC-585UXacoJ0chUmarL9GRFJcM1nPHBTFu68aRrn1rIKNHUkNaaxFo0NFGl_4EDDTO8HwawTjwkPoQlRzeByhlvGPVvwgB3Fn93B8QJ_cZhXKxJvjjrC_8Pk76heC_ntEMru71Ix77BoC3j2TuyiN7m9RNBW8BU5q6lKoIdvIeZfTFLzi37iufyfvMrJTixp9zhNB1NxlLCeOZl2MXegtiGqd2H3cbAyqoOiv9ihUWTfXj7SxJw","p":"_Yylc9e07CKdqNRD2EosMC2mrhrEa9j5oY_l00Qyy4-jmCA59Q9viyqvveRo0U7cRvFA5BWgWN6GGLh1DG3X-QBqVr0dnk3uzbobb55RYUXyPLuBZI2q6w2oasbiDwPdY7KpkVv_H-bpITQlyDvO8hhucA6rUV7F6KTQVz8M3Ms","q":"y5p3hch-7jJ21TkAhp_Vk1fLCAuD4tbErwQs2of9ja8sB4iJOs5Wn6HD3P7Mc8Plye7qaLHvzc8I5g0tPKWvC0DPd_FLPXiWwMVAzee3NUX_oGeJNOQp11y1w_KqdO9qZqHSEPZ3NcFL_SZMFgggxhM1uzRiPzsVN0lnD_6prZU","qi":"2Grt6uXHm61ji3xSdkBWNtUnj19vS1-7rFJp5SoYztVQVThf_W52BAiXKBdYZDRVoItC_VS2NvAOjeJjhYO_xQ_q3hK7MdtuXfEPpLnyXKkmWo3lrJ26wbeF6l05LexCkI7ShsOuSt-dsyaTJTszuKDIA6YOfWvfo3aVZmlWRaI","use":"sig"}`
+
+	privateKey, _ := jwk.ParseKey([]byte(privateKeyString))
+	_ = s.jwtService.SetKey(privateKey)
 }

 // getCborPublicKey decodes a Base64 encoded public key and returns the CBOR encoded COSE key
@@ -311,3 +356,52 @@ func (s *TestService) getCborPublicKey(base64PublicKey string) ([]byte, error) {

 	return cborPublicKey, nil
 }
+
+// SyncLdap triggers an LDAP synchronization
+func (s *TestService) SyncLdap(ctx context.Context) error {
+	return s.ldapService.SyncAll(ctx)
+}
+
+// SetLdapTestConfig writes the test LDAP config variables directly to the database.
+func (s *TestService) SetLdapTestConfig(ctx context.Context) error {
+	err := s.db.Transaction(func(tx *gorm.DB) error {
+		ldapConfigs := map[string]string{
+			"ldapUrl":                            "ldap://lldap:3890",
+			"ldapBindDn":                         "uid=admin,ou=people,dc=pocket-id,dc=org",
+			"ldapBindPassword":                   "admin_password",
+			"ldapBase":                           "dc=pocket-id,dc=org",
+			"ldapUserSearchFilter":               "(objectClass=person)",
+			"ldapUserGroupSearchFilter":          "(objectClass=groupOfNames)",
+			"ldapSkipCertVerify":                 "true",
+			"ldapAttributeUserUniqueIdentifier":  "uuid",
+			"ldapAttributeUserUsername":          "uid",
+			"ldapAttributeUserEmail":             "mail",
+			"ldapAttributeUserFirstName":         "givenName",
+			"ldapAttributeUserLastName":          "sn",
+			"ldapAttributeGroupUniqueIdentifier": "uuid",
+			"ldapAttributeGroupName":             "uid",
+			"ldapAttributeGroupMember":           "member",
+			"ldapAttributeAdminGroup":            "admin_group",
+			"ldapSoftDeleteUsers":                "true",
+			"ldapEnabled":                        "true",
+		}
+
+		for key, value := range ldapConfigs {
+			configVar := model.AppConfigVariable{Key: key, Value: value}
+			if err := tx.Create(&configVar).Error; err != nil {
+				return fmt.Errorf("failed to create config variable '%s': %w", key, err)
+			}
+		}
+		return nil
+	})
+
+	if err != nil {
+		return fmt.Errorf("failed to set LDAP test config: %w", err)
+	}
+
+	if err := s.appConfigService.LoadDbConfig(ctx); err != nil {
+		return fmt.Errorf("failed to load app config: %w", err)
+	}
+
+	return nil
+}
--- a/backend/internal/service/email_service.go
+++ b/backend/internal/service/email_service.go
@@ -2,25 +2,29 @@ package service

 import (
 	"bytes"
+	"context"
 	"crypto/tls"
+	"errors"
 	"fmt"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/model"
-	"github.com/stonith404/pocket-id/backend/internal/utils/email"
-	"gorm.io/gorm"
 	htemplate "html/template"
+	"io"
 	"mime/multipart"
 	"mime/quotedprintable"
-	"net"
-	"net/smtp"
 	"net/textproto"
+	"os"
+	"strings"
 	ttemplate "text/template"
 	"time"
-)

-var netDialer = &net.Dialer{
-	Timeout: 3 * time.Second,
-}
+	"github.com/emersion/go-sasl"
+	"github.com/emersion/go-smtp"
+	"github.com/google/uuid"
+	"gorm.io/gorm"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils/email"
+)

 type EmailService struct {
 	appConfigService *AppConfigService
@@ -29,7 +33,7 @@ type EmailService struct {
 	textTemplates    map[string]*ttemplate.Template
 }

-func NewEmailService(appConfigService *AppConfigService, db *gorm.DB) (*EmailService, error) {
+func NewEmailService(db *gorm.DB, appConfigService *AppConfigService) (*EmailService, error) {
 	htmlTemplates, err := email.PrepareHTMLTemplates(emailTemplatesPaths)
 	if err != nil {
 		return nil, fmt.Errorf("prepare html templates: %w", err)
@@ -48,22 +52,28 @@ func NewEmailService(appConfigService *AppConfigService, db *gorm.DB) (*EmailSer
 	}, nil
 }

-func (srv *EmailService) SendTestEmail(recipientUserId string) error {
+func (srv *EmailService) SendTestEmail(ctx context.Context, recipientUserId string) error {
 	var user model.User
-	if err := srv.db.First(&user, "id = ?", recipientUserId).Error; err != nil {
+	err := srv.db.
+		WithContext(ctx).
+		First(&user, "id = ?", recipientUserId).
+		Error
+	if err != nil {
 		return err
 	}

-	return SendEmail(srv,
+	return SendEmail(ctx, srv,
 		email.Address{
 			Email: user.Email,
 			Name:  user.FullName(),
 		}, TestTemplate, nil)
 }

-func SendEmail[V any](srv *EmailService, toEmail email.Address, template email.Template[V], tData *V) error {
+func SendEmail[V any](ctx context.Context, srv *EmailService, toEmail email.Address, template email.Template[V], tData *V) error {
+	dbConfig := srv.appConfigService.GetDbConfig()
+
 	data := &email.TemplateData[V]{
-		AppName: srv.appConfigService.DbConfig.AppName.Value,
+		AppName: dbConfig.AppName.Value,
 		LogoURL: common.EnvConfig.AppURL + "/api/application-configuration/logo",
 		Data:    tData,
 	}
@@ -78,59 +88,61 @@ func SendEmail[V any](srv *EmailService, toEmail email.Address, template email.T
 	c.AddHeader("Subject", template.Title(data))
 	c.AddAddressHeader("From", []email.Address{
 		{
-			Email: srv.appConfigService.DbConfig.SmtpFrom.Value,
-			Name:  srv.appConfigService.DbConfig.AppName.Value,
+			Email: dbConfig.SmtpFrom.Value,
+			Name:  dbConfig.AppName.Value,
 		},
 	})
 	c.AddAddressHeader("To", []email.Address{toEmail})
 	c.AddHeaderRaw("Content-Type",
 		fmt.Sprintf("multipart/alternative;\n boundary=%s;\n charset=UTF-8", boundary),
 	)
+
+	c.AddHeader("MIME-Version", "1.0")
+	c.AddHeader("Date", time.Now().Format(time.RFC1123Z))
+
+	// to create a message-id, we need the FQDN of the sending server, but that may be a docker hostname or localhost
+	// so we use the domain of the from address instead (the same as Thunderbird does)
+	// if the address does not have an @ (which would be unusual), we use hostname
+
+	fromAddress := dbConfig.SmtpFrom.Value
+	domain := ""
+	if strings.Contains(fromAddress, "@") {
+		domain = strings.Split(fromAddress, "@")[1]
+	} else {
+		hostname, err := os.Hostname()
+		if err != nil {
+			// can that happen? we just give up
+			return fmt.Errorf("failed to get own hostname: %w", err)
+		} else {
+			domain = hostname
+		}
+	}
+	c.AddHeader("Message-ID", "<"+uuid.New().String()+"@"+domain+">")
+
 	c.Body(body)

-	// Set up the TLS configuration
-	tlsConfig := &tls.Config{
-		InsecureSkipVerify: srv.appConfigService.DbConfig.SmtpSkipCertVerify.Value == "true",
-		ServerName:         srv.appConfigService.DbConfig.SmtpHost.Value,
+	// Check if the context is still valid before attemtping to connect
+	// We need to do this because the smtp library doesn't have context support
+	select {
+	case <-ctx.Done():
+		return ctx.Err()
+	default:
+		// All good
 	}

 	// Connect to the SMTP server
-	port := srv.appConfigService.DbConfig.SmtpPort.Value
-	smtpAddress := srv.appConfigService.DbConfig.SmtpHost.Value + ":" + port
-	var client *smtp.Client
-	if srv.appConfigService.DbConfig.SmtpTls.Value == "false" {
-		client, err = smtp.Dial(smtpAddress)
-	} else if port == "465" {
-		client, err = srv.connectToSmtpServerUsingImplicitTLS(
-			smtpAddress,
-			tlsConfig,
-		)
-	} else {
-		client, err = srv.connectToSmtpServerUsingStartTLS(
-			smtpAddress,
-			tlsConfig,
-		)
-	}
-
+	client, err := srv.getSmtpClient()
 	if err != nil {
 		return fmt.Errorf("failed to connect to SMTP server: %w", err)
 	}
-
 	defer client.Close()

-	smtpUser := srv.appConfigService.DbConfig.SmtpUser.Value
-	smtpPassword := srv.appConfigService.DbConfig.SmtpPassword.Value
-
-	// Set up the authentication if user or password are set
-	if smtpUser != "" || smtpPassword != "" {
-		auth := smtp.PlainAuth("",
-			srv.appConfigService.DbConfig.SmtpUser.Value,
-			srv.appConfigService.DbConfig.SmtpPassword.Value,
-			srv.appConfigService.DbConfig.SmtpHost.Value,
-		)
-		if err := client.Auth(auth); err != nil {
-			return fmt.Errorf("failed to authenticate SMTP client: %w", err)
-		}
+	// Check if the context is still valid before sending the email
+	select {
+	case <-ctx.Done():
+		return ctx.Err()
+	default:
+		// All good
 	}

 	// Send the email
@@ -141,61 +153,106 @@ func SendEmail[V any](srv *EmailService, toEmail email.Address, template email.T
 	return nil
 }

-func (srv *EmailService) connectToSmtpServerUsingImplicitTLS(serverAddr string, tlsConfig *tls.Config) (*smtp.Client, error) {
-	tlsDialer := &tls.Dialer{
-		NetDialer: netDialer,
-		Config:    tlsConfig,
+func (srv *EmailService) getSmtpClient() (client *smtp.Client, err error) {
+	dbConfig := srv.appConfigService.GetDbConfig()
+
+	port := dbConfig.SmtpPort.Value
+	smtpAddress := dbConfig.SmtpHost.Value + ":" + port
+
+	tlsConfig := &tls.Config{
+		InsecureSkipVerify: dbConfig.SmtpSkipCertVerify.IsTrue(), //nolint:gosec
+		ServerName:         dbConfig.SmtpHost.Value,
+	}
+
+	// Connect to the SMTP server based on TLS setting
+	switch dbConfig.SmtpTls.Value {
+	case "none":
+		client, err = smtp.Dial(smtpAddress)
+	case "tls":
+		client, err = smtp.DialTLS(smtpAddress, tlsConfig)
+	case "starttls":
+		client, err = smtp.DialStartTLS(
+			smtpAddress,
+			tlsConfig,
+		)
+	default:
+		return nil, fmt.Errorf("invalid SMTP TLS setting: %s", dbConfig.SmtpTls.Value)
 	}
-	conn, err := tlsDialer.Dial("tcp", serverAddr)
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to SMTP server: %w", err)
 	}

-	client, err := smtp.NewClient(conn, srv.appConfigService.DbConfig.SmtpHost.Value)
-	if err != nil {
-		conn.Close()
-		return nil, fmt.Errorf("failed to create SMTP client: %w", err)
+	client.CommandTimeout = 10 * time.Second
+
+	// Send the HELO command
+	if err := srv.sendHelloCommand(client); err != nil {
+		return nil, fmt.Errorf("failed to send HELO command: %w", err)
 	}

-	return client, nil
+	// Set up the authentication if user or password are set
+	smtpUser := dbConfig.SmtpUser.Value
+	smtpPassword := dbConfig.SmtpPassword.Value
+
+	if smtpUser != "" || smtpPassword != "" {
+		// Authenticate with plain auth
+		auth := sasl.NewPlainClient("", smtpUser, smtpPassword)
+		if err := client.Auth(auth); err != nil {
+			// If the server does not support plain auth, try login auth
+			var smtpErr *smtp.SMTPError
+			ok := errors.As(err, &smtpErr)
+			if ok && smtpErr.Code == smtp.ErrAuthUnknownMechanism.Code {
+				auth = sasl.NewLoginClient(smtpUser, smtpPassword)
+				err = client.Auth(auth)
+			}
+			// Both plain and login auth failed
+			if err != nil {
+				return nil, fmt.Errorf("failed to authenticate: %w", err)
+			}
+
+		}
+	}
+
+	return client, err
 }

-func (srv *EmailService) connectToSmtpServerUsingStartTLS(serverAddr string, tlsConfig *tls.Config) (*smtp.Client, error) {
-	conn, err := netDialer.Dial("tcp", serverAddr)
-	if err != nil {
-		return nil, fmt.Errorf("failed to connect to SMTP server: %w", err)
+func (srv *EmailService) sendHelloCommand(client *smtp.Client) error {
+	hostname, err := os.Hostname()
+	if err == nil {
+		if err := client.Hello(hostname); err != nil {
+			return err
+		}
 	}
-
-	client, err := smtp.NewClient(conn, srv.appConfigService.DbConfig.SmtpHost.Value)
-	if err != nil {
-		conn.Close()
-		return nil, fmt.Errorf("failed to create SMTP client: %w", err)
-	}
-
-	if err := client.StartTLS(tlsConfig); err != nil {
-		return nil, fmt.Errorf("failed to start TLS: %w", err)
-	}
-	return client, nil
+	return nil
 }

 func (srv *EmailService) sendEmailContent(client *smtp.Client, toEmail email.Address, c *email.Composer) error {
-	if err := client.Mail(srv.appConfigService.DbConfig.SmtpFrom.Value); err != nil {
+	// Set the sender
+	if err := client.Mail(srv.appConfigService.GetDbConfig().SmtpFrom.Value, nil); err != nil {
 		return fmt.Errorf("failed to set sender: %w", err)
 	}
-	if err := client.Rcpt(toEmail.Email); err != nil {
+
+	// Set the recipient
+	if err := client.Rcpt(toEmail.Email, nil); err != nil {
 		return fmt.Errorf("failed to set recipient: %w", err)
 	}
+
+	// Get a writer to write the email data
 	w, err := client.Data()
 	if err != nil {
 		return fmt.Errorf("failed to start data: %w", err)
 	}
-	_, err = w.Write([]byte(c.String()))
+
+	// Write the email content
+	_, err = io.Copy(w, strings.NewReader(c.String()))
 	if err != nil {
 		return fmt.Errorf("failed to write email data: %w", err)
 	}
+
+	// Close the writer
 	if err := w.Close(); err != nil {
 		return fmt.Errorf("failed to close data writer: %w", err)
 	}
+
 	return nil
 }

--- a/backend/internal/service/email_service_templates.go
+++ b/backend/internal/service/email_service_templates.go
@@ -2,8 +2,9 @@ package service

 import (
 	"fmt"
-	"github.com/stonith404/pocket-id/backend/internal/utils/email"
 	"time"
+
+	"github.com/pocket-id/pocket-id/backend/internal/utils/email"
 )

 /**
@@ -30,7 +31,7 @@ var NewLoginTemplate = email.Template[NewLoginTemplateData]{
 var OneTimeAccessTemplate = email.Template[OneTimeAccessTemplateData]{
 	Path: "one-time-access",
 	Title: func(data *email.TemplateData[OneTimeAccessTemplateData]) string {
-		return "One time access"
+		return "Login Code"
 	},
 }

@@ -41,6 +42,13 @@ var TestTemplate = email.Template[struct{}]{
 	},
 }

+var ApiKeyExpiringSoonTemplate = email.Template[ApiKeyExpiringSoonTemplateData]{
+	Path: "api-key-expiring-soon",
+	Title: func(data *email.TemplateData[ApiKeyExpiringSoonTemplateData]) string {
+		return fmt.Sprintf("API Key \"%s\" Expiring Soon", data.Data.ApiKeyName)
+	},
+}
+
 type NewLoginTemplateData struct {
 	IPAddress string
 	Country   string
@@ -50,8 +58,17 @@ type NewLoginTemplateData struct {
 }

 type OneTimeAccessTemplateData = struct {
-	Link string
+	Code              string
+	LoginLink         string
+	LoginLinkWithCode string
+	ExpirationString  string
+}
+
+type ApiKeyExpiringSoonTemplateData struct {
+	Name       string
+	ApiKeyName string
+	ExpiresAt  time.Time
 }

 // this is list of all template paths used for preloading templates
-var emailTemplatesPaths = []string{NewLoginTemplate.Path, OneTimeAccessTemplate.Path, TestTemplate.Path}
+var emailTemplatesPaths = []string{NewLoginTemplate.Path, OneTimeAccessTemplate.Path, TestTemplate.Path, ApiKeyExpiringSoonTemplate.Path}
--- a/backend/internal/service/geolite_service.go
+++ b/backend/internal/service/geolite_service.go
@@ -3,6 +3,7 @@ package service
 import (
 	"archive/tar"
 	"compress/gzip"
+	"context"
 	"errors"
 	"fmt"
 	"io"
@@ -17,11 +18,13 @@ import (

 	"github.com/oschwald/maxminddb-golang/v2"

-	"github.com/stonith404/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
 )

 type GeoLiteService struct {
-	mutex sync.Mutex
+	httpClient     *http.Client
+	disableUpdater bool
+	mutex          sync.RWMutex
 }

 var localhostIPNets = []*net.IPNet{
@@ -40,18 +43,24 @@ var tailscaleIPNets = []*net.IPNet{
 }

 // NewGeoLiteService initializes a new GeoLiteService instance and starts a goroutine to update the GeoLite2 City database.
-func NewGeoLiteService() *GeoLiteService {
-	service := &GeoLiteService{}
+func NewGeoLiteService(httpClient *http.Client) *GeoLiteService {
+	service := &GeoLiteService{
+		httpClient: httpClient,
+	}

-	go func() {
-		if err := service.updateDatabase(); err != nil {
-			log.Printf("Failed to update GeoLite2 City database: %v\n", err)
-		}
-	}()
+	if common.EnvConfig.MaxMindLicenseKey == "" && common.EnvConfig.GeoLiteDBUrl == common.MaxMindGeoLiteCityUrl {
+		// Warn the user, and disable the periodic updater
+		log.Println("MAXMIND_LICENSE_KEY environment variable is empty. The GeoLite2 City database won't be updated.")
+		service.disableUpdater = true
+	}

 	return service
 }

+func (s *GeoLiteService) DisableUpdater() bool {
+	return s.disableUpdater
+}
+
 // GetLocationByIP returns the country and city of the given IP address.
 func (s *GeoLiteService) GetLocationByIP(ipAddress string) (country, city string, err error) {
 	// Check the IP address against known private IP ranges
@@ -74,8 +83,8 @@ func (s *GeoLiteService) GetLocationByIP(ipAddress string) (country, city string
 	}

 	// Race condition between reading and writing the database.
-	s.mutex.Lock()
-	defer s.mutex.Unlock()
+	s.mutex.RLock()
+	defer s.mutex.RUnlock()

 	db, err := maxminddb.Open(common.EnvConfig.GeoLiteDBPath)
 	if err != nil {
@@ -83,7 +92,10 @@ func (s *GeoLiteService) GetLocationByIP(ipAddress string) (country, city string
 	}
 	defer db.Close()

-	addr := netip.MustParseAddr(ipAddress)
+	addr, err := netip.ParseAddr(ipAddress)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to parse IP address: %w", err)
+	}

 	var record struct {
 		City struct {
@@ -103,21 +115,24 @@ func (s *GeoLiteService) GetLocationByIP(ipAddress string) (country, city string
 }

 // UpdateDatabase checks the age of the database and updates it if it's older than 14 days.
-func (s *GeoLiteService) updateDatabase() error {
+func (s *GeoLiteService) UpdateDatabase(parentCtx context.Context) error {
 	if s.isDatabaseUpToDate() {
-		log.Println("GeoLite2 City database is up-to-date.")
+		log.Println("GeoLite2 City database is up-to-date")
 		return nil
 	}

-	log.Println("Updating GeoLite2 City database...")
+	log.Println("Updating GeoLite2 City database")
+	downloadUrl := fmt.Sprintf(common.EnvConfig.GeoLiteDBUrl, common.EnvConfig.MaxMindLicenseKey)

-	// Download and extract the database
-	downloadUrl := fmt.Sprintf(
-		"https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=%s&suffix=tar.gz",
-		common.EnvConfig.MaxMindLicenseKey,
-	)
-	// Download the database tar.gz file
-	resp, err := http.Get(downloadUrl)
+	ctx, cancel := context.WithTimeout(parentCtx, 10*time.Minute)
+	defer cancel()
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, downloadUrl, nil)
+	if err != nil {
+		return fmt.Errorf("failed to create request: %w", err)
+	}
+
+	resp, err := s.httpClient.Do(req)
 	if err != nil {
 		return fmt.Errorf("failed to download database: %w", err)
 	}
@@ -128,7 +143,8 @@ func (s *GeoLiteService) updateDatabase() error {
 	}

 	// Extract the database file directly to the target path
-	if err := s.extractDatabase(resp.Body); err != nil {
+	err = s.extractDatabase(resp.Body)
+	if err != nil {
 		return fmt.Errorf("failed to extract database: %w", err)
 	}

@@ -156,18 +172,25 @@ func (s *GeoLiteService) extractDatabase(reader io.Reader) error {

 	tarReader := tar.NewReader(gzr)

+	var totalSize int64
+	const maxTotalSize = 300 * 1024 * 1024 // 300 MB limit for total decompressed size
+
 	// Iterate over the files in the tar archive
 	for {
 		header, err := tarReader.Next()
-		if err == io.EOF {
+		if errors.Is(err, io.EOF) {
 			break
-		}
-		if err != nil {
+		} else if err != nil {
 			return fmt.Errorf("failed to read tar archive: %w", err)
 		}

 		// Check if the file is the GeoLite2-City.mmdb file
 		if header.Typeflag == tar.TypeReg && filepath.Base(header.Name) == "GeoLite2-City.mmdb" {
+			totalSize += header.Size
+			if totalSize > maxTotalSize {
+				return errors.New("total decompressed size exceeds maximum allowed limit")
+			}
+
 			// extract to a temporary file to avoid having a corrupted db in case of write failure.
 			baseDir := filepath.Dir(common.EnvConfig.GeoLiteDBPath)
 			tmpFile, err := os.CreateTemp(baseDir, "geolite.*.mmdb.tmp")
@@ -177,7 +200,7 @@ func (s *GeoLiteService) extractDatabase(reader io.Reader) error {
 			tempName := tmpFile.Name()

 			// Write the file contents directly to the target location
-			if _, err := io.Copy(tmpFile, tarReader); err != nil {
+			if _, err := io.Copy(tmpFile, tarReader); err != nil { //nolint:gosec
 				// if fails to write, then cleanup and throw an error
 				tmpFile.Close()
 				os.Remove(tempName)
--- a/backend/internal/service/jwt_service.go
+++ b/backend/internal/service/jwt_service.go
@@ -1,311 +1,551 @@
 package service

 import (
+	"context"
 	"crypto/rand"
 	"crypto/rsa"
-	"crypto/sha256"
-	"crypto/x509"
 	"encoding/base64"
-	"encoding/pem"
+	"encoding/json"
 	"errors"
 	"fmt"
-	"github.com/golang-jwt/jwt/v5"
-	"github.com/stonith404/pocket-id/backend/internal/common"
-	"github.com/stonith404/pocket-id/backend/internal/model"
+	"io"
 	"log"
-	"math/big"
 	"os"
 	"path/filepath"
-	"slices"
-	"strconv"
 	"time"
+
+	"github.com/lestrrat-go/jwx/v3/jwa"
+	"github.com/lestrrat-go/jwx/v3/jwk"
+	"github.com/lestrrat-go/jwx/v3/jwt"
+
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )

 const (
-	privateKeyPath = "data/keys/jwt_private_key.pem"
-	publicKeyPath  = "data/keys/jwt_public_key.pem"
+	// PrivateKeyFile is the path in the data/keys folder where the key is stored
+	// This is a JSON file containing a key encoded as JWK
+	PrivateKeyFile = "jwt_private_key.json"
+
+	// RsaKeySize is the size, in bits, of the RSA key to generate if none is found
+	RsaKeySize = 2048
+
+	// KeyUsageSigning is the usage for the private keys, for the "use" property
+	KeyUsageSigning = "sig"
+
+	// IsAdminClaim is a boolean claim used in access tokens for admin users
+	// This may be omitted on non-admin tokens
+	IsAdminClaim = "isAdmin"
+
+	// TokenTypeClaim is the claim used to identify the type of token
+	TokenTypeClaim = "type"
+
+	// OAuthAccessTokenJWTType identifies a JWT as an OAuth access token
+	OAuthAccessTokenJWTType = "oauth-access-token" //nolint:gosec
+
+	// AccessTokenJWTType identifies a JWT as an access token used by Pocket ID
+	AccessTokenJWTType = "access-token"
+
+	// IDTokenJWTType identifies a JWT as an ID token used by Pocket ID
+	IDTokenJWTType = "id-token"
+
+	// Acceptable clock skew for verifying tokens
+	clockSkew = time.Minute
 )

 type JwtService struct {
-	publicKey        *rsa.PublicKey
-	privateKey       *rsa.PrivateKey
+	privateKey       jwk.Key
+	keyId            string
 	appConfigService *AppConfigService
+	jwksEncoded      []byte
 }

 func NewJwtService(appConfigService *AppConfigService) *JwtService {
-	service := &JwtService{
-		appConfigService: appConfigService,
-	}
+	service := &JwtService{}

 	// Ensure keys are generated or loaded
-	if err := service.loadOrGenerateKeys(); err != nil {
+	if err := service.init(appConfigService, common.EnvConfig.KeysPath); err != nil {
 		log.Fatalf("Failed to initialize jwt service: %v", err)
 	}

 	return service
 }

-type AccessTokenJWTClaims struct {
-	jwt.RegisteredClaims
-	IsAdmin bool `json:"isAdmin,omitempty"`
+func (s *JwtService) init(appConfigService *AppConfigService, keysPath string) error {
+	s.appConfigService = appConfigService
+
+	// Ensure keys are generated or loaded
+	return s.loadOrGenerateKey(keysPath)
 }

-type JWK struct {
-	Kid string `json:"kid"`
-	Kty string `json:"kty"`
-	Use string `json:"use"`
-	Alg string `json:"alg"`
-	N   string `json:"n"`
-	E   string `json:"e"`
-}
+// loadOrGenerateKey loads the private key from the given path or generates it if not existing.
+func (s *JwtService) loadOrGenerateKey(keysPath string) error {
+	var key jwk.Key

-// loadOrGenerateKeys loads RSA keys from the given paths or generates them if they do not exist.
-func (s *JwtService) loadOrGenerateKeys() error {
-	if _, err := os.Stat(privateKeyPath); os.IsNotExist(err) {
-		if err := s.generateKeys(); err != nil {
-			return err
+	// First, check if we have a JWK file
+	// If we do, then we just load that
+	jwkPath := filepath.Join(keysPath, PrivateKeyFile)
+	ok, err := utils.FileExists(jwkPath)
+	if err != nil {
+		return fmt.Errorf("failed to check if private key file (JWK) exists at path '%s': %w", jwkPath, err)
+	}
+	if ok {
+		key, err = s.loadKeyJWK(jwkPath)
+		if err != nil {
+			return fmt.Errorf("failed to load private key file (JWK) at path '%s': %w", jwkPath, err)
 		}
+
+		// Set the key, and we are done
+		err = s.SetKey(key)
+		if err != nil {
+			return fmt.Errorf("failed to set private key: %w", err)
+		}
+
+		return nil
 	}

-	privateKeyBytes, err := os.ReadFile(privateKeyPath)
+	// If we are here, we need to generate a new key
+	key, err = s.generateNewRSAKey()
 	if err != nil {
-		return errors.New("can't read jwt private key: " + err.Error())
-	}
-	s.privateKey, err = jwt.ParseRSAPrivateKeyFromPEM(privateKeyBytes)
-	if err != nil {
-		return errors.New("can't parse jwt private key: " + err.Error())
+		return fmt.Errorf("failed to generate new private key: %w", err)
 	}

-	publicKeyBytes, err := os.ReadFile(publicKeyPath)
+	// Set the key in the object, which also validates it
+	err = s.SetKey(key)
 	if err != nil {
-		return errors.New("can't read jwt public key: " + err.Error())
+		return fmt.Errorf("failed to set private key: %w", err)
 	}
-	s.publicKey, err = jwt.ParseRSAPublicKeyFromPEM(publicKeyBytes)
+
+	// Save the key as JWK
+	err = SaveKeyJWK(s.privateKey, jwkPath)
 	if err != nil {
-		return errors.New("can't parse jwt public key: " + err.Error())
+		return fmt.Errorf("failed to save private key file at path '%s': %w", jwkPath, err)
+	}
+
+	return nil
+}
+
+func ValidateKey(privateKey jwk.Key) error {
+	// Validate the loaded key
+	err := privateKey.Validate()
+	if err != nil {
+		return fmt.Errorf("key object is invalid: %w", err)
+	}
+	keyID, ok := privateKey.KeyID()
+	if !ok || keyID == "" {
+		return errors.New("key object does not contain a key ID")
+	}
+	usage, ok := privateKey.KeyUsage()
+	if !ok || usage != KeyUsageSigning {
+		return errors.New("key object is not valid for signing")
+	}
+	ok, err = jwk.IsPrivateKey(privateKey)
+	if err != nil || !ok {
+		return errors.New("key object is not a private key")
+	}
+
+	return nil
+}
+
+func (s *JwtService) SetKey(privateKey jwk.Key) error {
+	// Validate the loaded key
+	err := ValidateKey(privateKey)
+	if err != nil {
+		return fmt.Errorf("private key is not valid: %w", err)
+	}
+
+	// Set the private key and key id in the object
+	s.privateKey = privateKey
+
+	keyId, ok := privateKey.KeyID()
+	if !ok {
+		return errors.New("key object does not contain a key ID")
+	}
+	s.keyId = keyId
+
+	// Create and encode a JWKS containing the public key
+	publicKey, err := s.GetPublicJWK()
+	if err != nil {
+		return fmt.Errorf("failed to get public JWK: %w", err)
+	}
+	jwks := jwk.NewSet()
+	err = jwks.AddKey(publicKey)
+	if err != nil {
+		return fmt.Errorf("failed to add public key to JWKS: %w", err)
+	}
+	s.jwksEncoded, err = json.Marshal(jwks)
+	if err != nil {
+		return fmt.Errorf("failed to encode JWKS to JSON: %w", err)
 	}

 	return nil
 }

 func (s *JwtService) GenerateAccessToken(user model.User) (string, error) {
-	sessionDurationInMinutes, _ := strconv.Atoi(s.appConfigService.DbConfig.SessionDuration.Value)
-	claim := AccessTokenJWTClaims{
-		RegisteredClaims: jwt.RegisteredClaims{
-			Subject:   user.ID,
-			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Duration(sessionDurationInMinutes) * time.Minute)),
-			IssuedAt:  jwt.NewNumericDate(time.Now()),
-			Audience:  jwt.ClaimStrings{common.EnvConfig.AppURL},
-		},
-		IsAdmin: user.IsAdmin,
-	}
-
-	kid, err := s.generateKeyID(s.publicKey)
+	now := time.Now()
+	token, err := jwt.NewBuilder().
+		Subject(user.ID).
+		Expiration(now.Add(s.appConfigService.GetDbConfig().SessionDuration.AsDurationMinutes())).
+		IssuedAt(now).
+		Issuer(common.EnvConfig.AppURL).
+		Build()
 	if err != nil {
-		return "", errors.New("failed to generate key ID: " + err.Error())
+		return "", fmt.Errorf("failed to build token: %w", err)
 	}

-	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claim)
-	token.Header["kid"] = kid
+	err = SetAudienceString(token, common.EnvConfig.AppURL)
+	if err != nil {
+		return "", fmt.Errorf("failed to set 'aud' claim in token: %w", err)
+	}

-	return token.SignedString(s.privateKey)
+	err = SetTokenType(token, AccessTokenJWTType)
+	if err != nil {
+		return "", fmt.Errorf("failed to set 'type' claim in token: %w", err)
+	}
+
+	err = SetIsAdmin(token, user.IsAdmin)
+	if err != nil {
+		return "", fmt.Errorf("failed to set 'isAdmin' claim in token: %w", err)
+	}
+
+	alg, _ := s.privateKey.Algorithm()
+	signed, err := jwt.Sign(token, jwt.WithKey(alg, s.privateKey))
+	if err != nil {
+		return "", fmt.Errorf("failed to sign token: %w", err)
+	}
+
+	return string(signed), nil
 }

-func (s *JwtService) VerifyAccessToken(tokenString string) (*AccessTokenJWTClaims, error) {
-	token, err := jwt.ParseWithClaims(tokenString, &AccessTokenJWTClaims{}, func(token *jwt.Token) (interface{}, error) {
-		return s.publicKey, nil
-	})
-	if err != nil || !token.Valid {
-		return nil, errors.New("couldn't handle this token")
+func (s *JwtService) VerifyAccessToken(tokenString string) (jwt.Token, error) {
+	alg, _ := s.privateKey.Algorithm()
+	token, err := jwt.ParseString(
+		tokenString,
+		jwt.WithValidate(true),
+		jwt.WithKey(alg, s.privateKey),
+		jwt.WithAcceptableSkew(clockSkew),
+		jwt.WithAudience(common.EnvConfig.AppURL),
+		jwt.WithIssuer(common.EnvConfig.AppURL),
+		jwt.WithValidator(TokenTypeValidator(AccessTokenJWTType)),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse token: %w", err)
 	}

-	claims, isValid := token.Claims.(*AccessTokenJWTClaims)
-	if !isValid {
-		return nil, errors.New("can't parse claims")
-	}
-
-	if !slices.Contains(claims.Audience, common.EnvConfig.AppURL) {
-		return nil, errors.New("audience doesn't match")
-	}
-	return claims, nil
+	return token, nil
 }

-func (s *JwtService) GenerateIDToken(userClaims map[string]interface{}, clientID string, nonce string) (string, error) {
-	claims := jwt.MapClaims{
-		"aud": clientID,
-		"exp": jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),
-		"iat": jwt.NewNumericDate(time.Now()),
-		"iss": common.EnvConfig.AppURL,
+func (s *JwtService) GenerateIDToken(userClaims map[string]any, clientID string, nonce string) (string, error) {
+	now := time.Now()
+	token, err := jwt.NewBuilder().
+		Expiration(now.Add(1 * time.Hour)).
+		IssuedAt(now).
+		Issuer(common.EnvConfig.AppURL).
+		Build()
+	if err != nil {
+		return "", fmt.Errorf("failed to build token: %w", err)
+	}
+
+	err = SetAudienceString(token, clientID)
+	if err != nil {
+		return "", fmt.Errorf("failed to set 'aud' claim in token: %w", err)
+	}
+
+	err = SetTokenType(token, IDTokenJWTType)
+	if err != nil {
+		return "", fmt.Errorf("failed to set 'type' claim in token: %w", err)
 	}

 	for k, v := range userClaims {
-		claims[k] = v
-	}
-
-	if nonce != "" {
-		claims["nonce"] = nonce
-	}
-
-	kid, err := s.generateKeyID(s.publicKey)
-	if err != nil {
-		return "", errors.New("failed to generate key ID: " + err.Error())
-	}
-
-	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
-	token.Header["kid"] = kid
-
-	return token.SignedString(s.privateKey)
-}
-
-func (s *JwtService) GenerateOauthAccessToken(user model.User, clientID string) (string, error) {
-	claim := jwt.RegisteredClaims{
-		Subject:   user.ID,
-		ExpiresAt: jwt.NewNumericDate(time.Now().Add(1 * time.Hour)),
-		IssuedAt:  jwt.NewNumericDate(time.Now()),
-		Audience:  jwt.ClaimStrings{clientID},
-		Issuer:    common.EnvConfig.AppURL,
-	}
-
-	kid, err := s.generateKeyID(s.publicKey)
-	if err != nil {
-		return "", errors.New("failed to generate key ID: " + err.Error())
-	}
-
-	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claim)
-	token.Header["kid"] = kid
-
-	return token.SignedString(s.privateKey)
-}
-
-func (s *JwtService) VerifyOauthAccessToken(tokenString string) (*jwt.RegisteredClaims, error) {
-	token, err := jwt.ParseWithClaims(tokenString, &jwt.RegisteredClaims{}, func(token *jwt.Token) (interface{}, error) {
-		return s.publicKey, nil
-	})
-	if err != nil || !token.Valid {
-		return nil, errors.New("couldn't handle this token")
-	}
-
-	claims, isValid := token.Claims.(*jwt.RegisteredClaims)
-	if !isValid {
-		return nil, errors.New("can't parse claims")
-	}
-
-	return claims, nil
-}
-
-// GetJWK returns the JSON Web Key (JWK) for the public key.
-func (s *JwtService) GetJWK() (JWK, error) {
-	if s.publicKey == nil {
-		return JWK{}, errors.New("public key is not initialized")
-	}
-
-	kid, err := s.generateKeyID(s.publicKey)
-	if err != nil {
-		return JWK{}, err
-	}
-
-	jwk := JWK{
-		Kid: kid,
-		Kty: "RSA",
-		Use: "sig",
-		Alg: "RS256",
-		N:   base64.RawURLEncoding.EncodeToString(s.publicKey.N.Bytes()),
-		E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(s.publicKey.E)).Bytes()),
-	}
-
-	return jwk, nil
-}
-
-// GenerateKeyID generates a Key ID for the public key using the first 8 bytes of the SHA-256 hash of the public key.
-func (s *JwtService) generateKeyID(publicKey *rsa.PublicKey) (string, error) {
-	pubASN1, err := x509.MarshalPKIXPublicKey(publicKey)
-	if err != nil {
-		return "", errors.New("failed to marshal public key: " + err.Error())
-	}
-
-	// Compute SHA-256 hash of the public key
-	hash := sha256.New()
-	hash.Write(pubASN1)
-	hashed := hash.Sum(nil)
-
-	// Truncate the hash to the first 8 bytes for a shorter Key ID
-	shortHash := hashed[:8]
-
-	// Return Base64 encoded truncated hash as Key ID
-	return base64.RawURLEncoding.EncodeToString(shortHash), nil
-}
-
-// generateKeys generates a new RSA key pair and saves them to the specified paths.
-func (s *JwtService) generateKeys() error {
-	if err := os.MkdirAll(filepath.Dir(privateKeyPath), 0700); err != nil {
-		return errors.New("failed to create directories for keys: " + err.Error())
-	}
-
-	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
-	if err != nil {
-		return errors.New("failed to generate private key: " + err.Error())
-	}
-	s.privateKey = privateKey
-
-	if err := s.savePEMKey(privateKeyPath, x509.MarshalPKCS1PrivateKey(privateKey), "RSA PRIVATE KEY"); err != nil {
-		return err
-	}
-
-	publicKey := &privateKey.PublicKey
-	s.publicKey = publicKey
-
-	if err := s.savePEMKey(publicKeyPath, x509.MarshalPKCS1PublicKey(publicKey), "RSA PUBLIC KEY"); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// savePEMKey saves a PEM encoded key to a file.
-func (s *JwtService) savePEMKey(path string, keyBytes []byte, keyType string) error {
-	keyFile, err := os.Create(path)
-	if err != nil {
-		return errors.New("failed to create key file: " + err.Error())
-	}
-	defer keyFile.Close()
-
-	keyPEM := pem.EncodeToMemory(&pem.Block{
-		Type:  keyType,
-		Bytes: keyBytes,
-	})
-
-	if _, err := keyFile.Write(keyPEM); err != nil {
-		return errors.New("failed to write key file: " + err.Error())
-	}
-
-	return nil
-}
-
-// loadKeys loads RSA keys from the given paths.
-func (s *JwtService) loadKeys() error {
-	if _, err := os.Stat(privateKeyPath); os.IsNotExist(err) {
-		if err := s.generateKeys(); err != nil {
-			return err
+		err = token.Set(k, v)
+		if err != nil {
+			return "", fmt.Errorf("failed to set claim '%s': %w", k, err)
 		}
 	}

-	privateKeyBytes, err := os.ReadFile(privateKeyPath)
-	if err != nil {
-		return fmt.Errorf("can't read jwt private key: %w", err)
-	}
-	s.privateKey, err = jwt.ParseRSAPrivateKeyFromPEM(privateKeyBytes)
-	if err != nil {
-		return fmt.Errorf("can't parse jwt private key: %w", err)
+	if nonce != "" {
+		err = token.Set("nonce", nonce)
+		if err != nil {
+			return "", fmt.Errorf("failed to set claim 'nonce': %w", err)
+		}
 	}

-	publicKeyBytes, err := os.ReadFile(publicKeyPath)
+	alg, _ := s.privateKey.Algorithm()
+	signed, err := jwt.Sign(token, jwt.WithKey(alg, s.privateKey))
 	if err != nil {
-		return fmt.Errorf("can't read jwt public key: %w", err)
+		return "", fmt.Errorf("failed to sign token: %w", err)
 	}
-	s.publicKey, err = jwt.ParseRSAPublicKeyFromPEM(publicKeyBytes)
+
+	return string(signed), nil
+}
+
+func (s *JwtService) VerifyIdToken(tokenString string, acceptExpiredTokens bool) (jwt.Token, error) {
+	alg, _ := s.privateKey.Algorithm()
+
+	opts := make([]jwt.ParseOption, 0)
+
+	// These options are always present
+	opts = append(opts,
+		jwt.WithValidate(true),
+		jwt.WithKey(alg, s.privateKey),
+		jwt.WithAcceptableSkew(clockSkew),
+		jwt.WithIssuer(common.EnvConfig.AppURL),
+		jwt.WithValidator(TokenTypeValidator(IDTokenJWTType)),
+	)
+
+	// By default, jwt.Parse includes 3 default validators for "nbf", "iat", and "exp"
+	// In case we want to accept expired tokens (during logout), we need to set the validators explicitly without validating "exp"
+	if acceptExpiredTokens {
+		// This is equivalent to the default validators except it doesn't validate "exp"
+		opts = append(opts,
+			jwt.WithResetValidators(true),
+			jwt.WithValidator(jwt.IsIssuedAtValid()),
+			jwt.WithValidator(jwt.IsNbfValid()),
+		)
+	}
+
+	token, err := jwt.ParseString(tokenString, opts...)
 	if err != nil {
-		return fmt.Errorf("can't parse jwt public key: %w", err)
+		return nil, fmt.Errorf("failed to parse token: %w", err)
+	}
+
+	return token, nil
+}
+
+func (s *JwtService) GenerateOauthAccessToken(user model.User, clientID string) (string, error) {
+	now := time.Now()
+	token, err := jwt.NewBuilder().
+		Subject(user.ID).
+		Expiration(now.Add(1 * time.Hour)).
+		IssuedAt(now).
+		Issuer(common.EnvConfig.AppURL).
+		Build()
+	if err != nil {
+		return "", fmt.Errorf("failed to build token: %w", err)
+	}
+
+	err = SetAudienceString(token, clientID)
+	if err != nil {
+		return "", fmt.Errorf("failed to set 'aud' claim in token: %w", err)
+	}
+
+	err = SetTokenType(token, OAuthAccessTokenJWTType)
+	if err != nil {
+		return "", fmt.Errorf("failed to set 'type' claim in token: %w", err)
+	}
+
+	alg, _ := s.privateKey.Algorithm()
+	signed, err := jwt.Sign(token, jwt.WithKey(alg, s.privateKey))
+	if err != nil {
+		return "", fmt.Errorf("failed to sign token: %w", err)
+	}
+
+	return string(signed), nil
+}
+
+func (s *JwtService) VerifyOauthAccessToken(tokenString string) (jwt.Token, error) {
+	alg, _ := s.privateKey.Algorithm()
+	token, err := jwt.ParseString(
+		tokenString,
+		jwt.WithValidate(true),
+		jwt.WithKey(alg, s.privateKey),
+		jwt.WithAcceptableSkew(clockSkew),
+		jwt.WithIssuer(common.EnvConfig.AppURL),
+		jwt.WithValidator(TokenTypeValidator(OAuthAccessTokenJWTType)),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse token: %w", err)
+	}
+
+	return token, nil
+}
+
+// GetPublicJWK returns the JSON Web Key (JWK) for the public key.
+func (s *JwtService) GetPublicJWK() (jwk.Key, error) {
+	if s.privateKey == nil {
+		return nil, errors.New("key is not initialized")
+	}
+
+	pubKey, err := s.privateKey.PublicKey()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get public key: %w", err)
+	}
+
+	EnsureAlgInKey(pubKey)
+
+	return pubKey, nil
+}
+
+// GetPublicJWKSAsJSON returns the JSON Web Key Set (JWKS) for the public key, encoded as JSON.
+// The value is cached since the key is static.
+func (s *JwtService) GetPublicJWKSAsJSON() ([]byte, error) {
+	if len(s.jwksEncoded) == 0 {
+		return nil, errors.New("key is not initialized")
+	}
+
+	return s.jwksEncoded, nil
+}
+
+// GetKeyAlg returns the algorithm of the key
+func (s *JwtService) GetKeyAlg() (jwa.KeyAlgorithm, error) {
+	if len(s.jwksEncoded) == 0 {
+		return nil, errors.New("key is not initialized")
+	}
+
+	alg, ok := s.privateKey.Algorithm()
+	if !ok || alg == nil {
+		return nil, errors.New("failed to retrieve algorithm for key")
+	}
+
+	return alg, nil
+}
+
+func (s *JwtService) loadKeyJWK(path string) (jwk.Key, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read key data: %w", err)
+	}
+
+	key, err := jwk.ParseKey(data)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse key: %w", err)
+	}
+
+	return key, nil
+}
+
+// EnsureAlgInKey ensures that the key contains an "alg" parameter, set depending on the key type
+func EnsureAlgInKey(key jwk.Key) {
+	_, ok := key.Algorithm()
+	if ok {
+		// Algorithm is already set
+		return
+	}
+
+	switch key.KeyType() {
+	case jwa.RSA():
+		// Default to RS256 for RSA keys
+		_ = key.Set(jwk.AlgorithmKey, jwa.RS256())
+	case jwa.EC():
+		// Default to ES256 for ECDSA keys
+		_ = key.Set(jwk.AlgorithmKey, jwa.ES256())
+	case jwa.OKP():
+		// Default to EdDSA for OKP keys
+		_ = key.Set(jwk.AlgorithmKey, jwa.EdDSA())
+	}
+}
+
+func (s *JwtService) generateNewRSAKey() (jwk.Key, error) {
+	// We generate RSA keys only
+	rawKey, err := rsa.GenerateKey(rand.Reader, RsaKeySize)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate RSA private key: %w", err)
+	}
+
+	// Import the raw key
+	return importRawKey(rawKey)
+}
+
+func importRawKey(rawKey any) (jwk.Key, error) {
+	key, err := jwk.Import(rawKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to import generated private key: %w", err)
+	}
+
+	// Generate the key ID
+	kid, err := generateRandomKeyID()
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate key ID: %w", err)
+	}
+	_ = key.Set(jwk.KeyIDKey, kid)
+
+	// Set other required fields
+	_ = key.Set(jwk.KeyUsageKey, KeyUsageSigning)
+	EnsureAlgInKey(key)
+
+	return key, err
+}
+
+// SaveKeyJWK saves a JWK to a file
+func SaveKeyJWK(key jwk.Key, path string) error {
+	dir := filepath.Dir(path)
+	err := os.MkdirAll(dir, 0700)
+	if err != nil {
+		return fmt.Errorf("failed to create directory '%s' for key file: %w", dir, err)
+	}
+
+	keyFile, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return fmt.Errorf("failed to create key file: %w", err)
+	}
+	defer keyFile.Close()
+
+	// Write the JSON file to disk
+	enc := json.NewEncoder(keyFile)
+	enc.SetEscapeHTML(false)
+	err = enc.Encode(key)
+	if err != nil {
+		return fmt.Errorf("failed to write key file: %w", err)
 	}

 	return nil
 }
+
+// generateRandomKeyID generates a random key ID.
+func generateRandomKeyID() (string, error) {
+	buf := make([]byte, 8)
+	_, err := io.ReadFull(rand.Reader, buf)
+	if err != nil {
+		return "", fmt.Errorf("failed to read random bytes: %w", err)
+	}
+	return base64.RawURLEncoding.EncodeToString(buf), nil
+}
+
+// GetIsAdmin returns the value of the "isAdmin" claim in the token
+func GetIsAdmin(token jwt.Token) (bool, error) {
+	if !token.Has(IsAdminClaim) {
+		return false, nil
+	}
+	var isAdmin bool
+	err := token.Get(IsAdminClaim, &isAdmin)
+	return isAdmin, err
+}
+
+// SetTokenType sets the "type" claim in the token
+func SetTokenType(token jwt.Token, tokenType string) error {
+	if tokenType == "" {
+		return nil
+	}
+	return token.Set(TokenTypeClaim, tokenType)
+}
+
+// SetIsAdmin sets the "isAdmin" claim in the token
+func SetIsAdmin(token jwt.Token, isAdmin bool) error {
+	// Only set if true
+	if !isAdmin {
+		return nil
+	}
+	return token.Set(IsAdminClaim, isAdmin)
+}
+
+// SetAudienceString sets the "aud" claim with a value that is a string, and not an array
+// This is permitted by RFC 7519, and it's done here for backwards-compatibility
+func SetAudienceString(token jwt.Token, audience string) error {
+	return token.Set(jwt.AudienceKey, audience)
+}
+
+// TokenTypeValidator is a validator function that checks the "type" claim in the token
+func TokenTypeValidator(expectedTokenType string) jwt.ValidatorFunc {
+	return func(_ context.Context, t jwt.Token) error {
+		var tokenType string
+		err := t.Get(TokenTypeClaim, &tokenType)
+		if err != nil {
+			return fmt.Errorf("failed to get token type claim: %w", err)
+		}
+		if tokenType != expectedTokenType {
+			return fmt.Errorf("invalid token type: expected %s, got %s", expectedTokenType, tokenType)
+		}
+		return nil
+	}
+}
--- a/backend/internal/service/jwt_service_test.go
+++ b/backend/internal/service/jwt_service_test.go
--- a/backend/internal/service/ldap_service.go
+++ b/backend/internal/service/ldap_service.go
@@ -1,65 +1,74 @@
 package service

 import (
+	"bytes"
+	"context"
 	"crypto/tls"
+	"encoding/base64"
+	"errors"
 	"fmt"
+	"io"
 	"log"
+	"net/http"
+	"net/url"
 	"strings"
+	"time"

 	"github.com/go-ldap/ldap/v3"
-	"github.com/stonith404/pocket-id/backend/internal/dto"
-	"github.com/stonith404/pocket-id/backend/internal/model"
+	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/dto"
+	"github.com/pocket-id/pocket-id/backend/internal/model"
 	"gorm.io/gorm"
 )

 type LdapService struct {
 	db               *gorm.DB
+	httpClient       *http.Client
 	appConfigService *AppConfigService
 	userService      *UserService
 	groupService     *UserGroupService
 }

-func NewLdapService(db *gorm.DB, appConfigService *AppConfigService, userService *UserService, groupService *UserGroupService) *LdapService {
-	return &LdapService{db: db, appConfigService: appConfigService, userService: userService, groupService: groupService}
+func NewLdapService(db *gorm.DB, httpClient *http.Client, appConfigService *AppConfigService, userService *UserService, groupService *UserGroupService) *LdapService {
+	return &LdapService{
+		db:               db,
+		httpClient:       httpClient,
+		appConfigService: appConfigService,
+		userService:      userService,
+		groupService:     groupService,
+	}
 }

 func (s *LdapService) createClient() (*ldap.Conn, error) {
-	if s.appConfigService.DbConfig.LdapEnabled.Value != "true" {
+	dbConfig := s.appConfigService.GetDbConfig()
+
+	if !dbConfig.LdapEnabled.IsTrue() {
 		return nil, fmt.Errorf("LDAP is not enabled")
 	}
+
 	// Setup LDAP connection
-	ldapURL := s.appConfigService.DbConfig.LdapUrl.Value
-	skipTLSVerify := s.appConfigService.DbConfig.LdapSkipCertVerify.Value == "true"
-	client, err := ldap.DialURL(ldapURL, ldap.DialWithTLSConfig(&tls.Config{InsecureSkipVerify: skipTLSVerify}))
+	client, err := ldap.DialURL(dbConfig.LdapUrl.Value, ldap.DialWithTLSConfig(&tls.Config{
+		InsecureSkipVerify: dbConfig.LdapSkipCertVerify.IsTrue(), //nolint:gosec
+	}))
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to LDAP: %w", err)
 	}

 	// Bind as service account
-	bindDn := s.appConfigService.DbConfig.LdapBindDn.Value
-	bindPassword := s.appConfigService.DbConfig.LdapBindPassword.Value
-	err = client.Bind(bindDn, bindPassword)
+	err = client.Bind(dbConfig.LdapBindDn.Value, dbConfig.LdapBindPassword.Value)
 	if err != nil {
 		return nil, fmt.Errorf("failed to bind to LDAP: %w", err)
 	}
 	return client, nil
 }

-func (s *LdapService) SyncAll() error {
-	err := s.SyncUsers()
-	if err != nil {
-		return fmt.Errorf("failed to sync users: %w", err)
-	}
+func (s *LdapService) SyncAll(ctx context.Context) error {
+	// Start a transaction
+	tx := s.db.Begin()
+	defer func() {
+		tx.Rollback()
+	}()

-	err = s.SyncGroups()
-	if err != nil {
-		return fmt.Errorf("failed to sync groups: %w", err)
-	}
-
-	return nil
-}
-
-func (s *LdapService) SyncGroups() error {
 	// Setup LDAP connection
 	client, err := s.createClient()
 	if err != nil {
@@ -67,195 +76,373 @@ func (s *LdapService) SyncGroups() error {
 	}
 	defer client.Close()

-	baseDN := s.appConfigService.DbConfig.LdapBase.Value
-	nameAttribute := s.appConfigService.DbConfig.LdapAttributeGroupName.Value
-	uniqueIdentifierAttribute := s.appConfigService.DbConfig.LdapAttributeGroupUniqueIdentifier.Value
-	filter := "(objectClass=groupOfUniqueNames)"
-
-	searchAttrs := []string{
-		nameAttribute,
-		uniqueIdentifierAttribute,
-		"member",
+	err = s.SyncUsers(ctx, tx, client)
+	if err != nil {
+		return fmt.Errorf("failed to sync users: %w", err)
 	}

-	searchReq := ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, searchAttrs, []ldap.Control{})
+	err = s.SyncGroups(ctx, tx, client)
+	if err != nil {
+		return fmt.Errorf("failed to sync groups: %w", err)
+	}
+
+	// Commit the changes
+	err = tx.Commit().Error
+	if err != nil {
+		return fmt.Errorf("failed to commit changes to database: %w", err)
+	}
+
+	return nil
+}
+
+//nolint:gocognit
+func (s *LdapService) SyncGroups(ctx context.Context, tx *gorm.DB, client *ldap.Conn) error {
+	dbConfig := s.appConfigService.GetDbConfig()
+
+	searchAttrs := []string{
+		dbConfig.LdapAttributeGroupName.Value,
+		dbConfig.LdapAttributeGroupUniqueIdentifier.Value,
+		dbConfig.LdapAttributeGroupMember.Value,
+	}
+
+	searchReq := ldap.NewSearchRequest(
+		dbConfig.LdapBase.Value,
+		ldap.ScopeWholeSubtree,
+		0, 0, 0, false,
+		dbConfig.LdapUserGroupSearchFilter.Value,
+		searchAttrs,
+		[]ldap.Control{},
+	)
 	result, err := client.Search(searchReq)
 	if err != nil {
 		return fmt.Errorf("failed to query LDAP: %w", err)
 	}

 	// Create a mapping for groups that exist
-	ldapGroupIDs := make(map[string]bool)
+	ldapGroupIDs := make(map[string]struct{}, len(result.Entries))

 	for _, value := range result.Entries {
-		var usersToAddDto dto.UserGroupUpdateUsersDto
-		var membersUserId []string
+		ldapId := value.GetAttributeValue(dbConfig.LdapAttributeGroupUniqueIdentifier.Value)

-		ldapId := value.GetAttributeValue(uniqueIdentifierAttribute)
-		ldapGroupIDs[ldapId] = true
+		// Skip groups without a valid LDAP ID
+		if ldapId == "" {
+			log.Printf("Skipping LDAP group without a valid unique identifier (attribute: %s)", dbConfig.LdapAttributeGroupUniqueIdentifier.Value)
+			continue
+		}
+
+		ldapGroupIDs[ldapId] = struct{}{}

 		// Try to find the group in the database
 		var databaseGroup model.UserGroup
-		s.db.Where("ldap_id = ?", ldapId).First(&databaseGroup)
+		err = tx.
+			WithContext(ctx).
+			Where("ldap_id = ?", ldapId).
+			First(&databaseGroup).
+			Error
+		if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+			// This could error with ErrRecordNotFound and we want to ignore that here
+			return fmt.Errorf("failed to query for LDAP group ID '%s': %w", ldapId, err)
+		}

 		// Get group members and add to the correct Group
-		groupMembers := value.GetAttributeValues("member")
+		groupMembers := value.GetAttributeValues(dbConfig.LdapAttributeGroupMember.Value)
+		membersUserId := make([]string, 0, len(groupMembers))
 		for _, member := range groupMembers {
-			// Normal output of this would be CN=username,ou=people,dc=example,dc=com
-			// Splitting at the "=" and "," then just grabbing the username for that string
-			singleMember := strings.Split(strings.Split(member, "=")[1], ",")[0]
+			ldapId := getDNProperty("uid", member)
+			if ldapId == "" {
+				continue
+			}

 			var databaseUser model.User
-			s.db.Where("username = ?", singleMember).First(&databaseUser)
+			err = tx.
+				WithContext(ctx).
+				Where("username = ? AND ldap_id IS NOT NULL", ldapId).
+				First(&databaseUser).
+				Error
+			if errors.Is(err, gorm.ErrRecordNotFound) {
+				// The user collides with a non-LDAP user, so we skip it
+				continue
+			} else if err != nil {
+				return fmt.Errorf("failed to query for existing user '%s': %w", ldapId, err)
+			}
+
 			membersUserId = append(membersUserId, databaseUser.ID)
 		}

 		syncGroup := dto.UserGroupCreateDto{
-			Name:         value.GetAttributeValue(nameAttribute),
-			FriendlyName: value.GetAttributeValue(nameAttribute),
-			LdapID:       value.GetAttributeValue(uniqueIdentifierAttribute),
-		}
-
-		usersToAddDto = dto.UserGroupUpdateUsersDto{
-			UserIDs: membersUserId,
+			Name:         value.GetAttributeValue(dbConfig.LdapAttributeGroupName.Value),
+			FriendlyName: value.GetAttributeValue(dbConfig.LdapAttributeGroupName.Value),
+			LdapID:       value.GetAttributeValue(dbConfig.LdapAttributeGroupUniqueIdentifier.Value),
 		}

 		if databaseGroup.ID == "" {
-			newGroup, err := s.groupService.Create(syncGroup)
+			newGroup, err := s.groupService.createInternal(ctx, syncGroup, tx)
 			if err != nil {
-				log.Printf("Error syncing group %s: %s", syncGroup.Name, err)
-			} else {
-				if _, err = s.groupService.UpdateUsers(newGroup.ID, usersToAddDto); err != nil {
-					log.Printf("Error syncing group %s: %s", syncGroup.Name, err)
-				}
+				return fmt.Errorf("failed to create group '%s': %w", syncGroup.Name, err)
+			}
+
+			_, err = s.groupService.updateUsersInternal(ctx, newGroup.ID, membersUserId, tx)
+			if err != nil {
+				return fmt.Errorf("failed to sync users for group '%s': %w", syncGroup.Name, err)
 			}
 		} else {
-			_, err = s.groupService.Update(databaseGroup.ID, syncGroup, true)
-			_, err = s.groupService.UpdateUsers(databaseGroup.ID, usersToAddDto)
+			_, err = s.groupService.updateInternal(ctx, databaseGroup.ID, syncGroup, true, tx)
 			if err != nil {
-				log.Printf("Error syncing group %s: %s", syncGroup.Name, err)
-				return err
+				return fmt.Errorf("failed to update group '%s': %w", syncGroup.Name, err)
 			}

+			_, err = s.groupService.updateUsersInternal(ctx, databaseGroup.ID, membersUserId, tx)
+			if err != nil {
+				return fmt.Errorf("failed to sync users for group '%s': %w", syncGroup.Name, err)
+			}
 		}
-
 	}

 	// Get all LDAP groups from the database
 	var ldapGroupsInDb []model.UserGroup
-	if err := s.db.Find(&ldapGroupsInDb, "ldap_id IS NOT NULL").Select("ldap_id").Error; err != nil {
-		fmt.Println(fmt.Errorf("failed to fetch groups from database: %v", err))
+	err = tx.
+		WithContext(ctx).
+		Find(&ldapGroupsInDb, "ldap_id IS NOT NULL").
+		Select("ldap_id").
+		Error
+	if err != nil {
+		return fmt.Errorf("failed to fetch groups from database: %w", err)
 	}

 	// Delete groups that no longer exist in LDAP
 	for _, group := range ldapGroupsInDb {
-		if _, exists := ldapGroupIDs[*group.LdapID]; !exists {
-			if err := s.db.Delete(&model.UserGroup{}, "ldap_id = ?", group.LdapID).Error; err != nil {
-				log.Printf("Failed to delete group %s with: %v", group.Name, err)
-			} else {
-				log.Printf("Deleted group %s", group.Name)
-			}
+		if _, exists := ldapGroupIDs[*group.LdapID]; exists {
+			continue
 		}
+
+		err = tx.
+			WithContext(ctx).
+			Delete(&model.UserGroup{}, "ldap_id = ?", group.LdapID).
+			Error
+		if err != nil {
+			return fmt.Errorf("failed to delete group '%s': %w", group.Name, err)
+		}
+
+		log.Printf("Deleted group '%s'", group.Name)
 	}

 	return nil
 }

-func (s *LdapService) SyncUsers() error {
-	// Setup LDAP connection
-	client, err := s.createClient()
-	if err != nil {
-		return fmt.Errorf("failed to create LDAP client: %w", err)
-	}
-	defer client.Close()
-
-	baseDN := s.appConfigService.DbConfig.LdapBase.Value
-	uniqueIdentifierAttribute := s.appConfigService.DbConfig.LdapAttributeUserUniqueIdentifier.Value
-	usernameAttribute := s.appConfigService.DbConfig.LdapAttributeUserUsername.Value
-	emailAttribute := s.appConfigService.DbConfig.LdapAttributeUserEmail.Value
-	firstNameAttribute := s.appConfigService.DbConfig.LdapAttributeUserFirstName.Value
-	lastNameAttribute := s.appConfigService.DbConfig.LdapAttributeUserLastName.Value
-	adminGroupAttribute := s.appConfigService.DbConfig.LdapAttributeAdminGroup.Value
-
-	filter := "(objectClass=person)"
+//nolint:gocognit
+func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.Conn) error {
+	dbConfig := s.appConfigService.GetDbConfig()

 	searchAttrs := []string{
 		"memberOf",
 		"sn",
 		"cn",
-		uniqueIdentifierAttribute,
-		usernameAttribute,
-		emailAttribute,
-		firstNameAttribute,
-		lastNameAttribute,
+		dbConfig.LdapAttributeUserUniqueIdentifier.Value,
+		dbConfig.LdapAttributeUserUsername.Value,
+		dbConfig.LdapAttributeUserEmail.Value,
+		dbConfig.LdapAttributeUserFirstName.Value,
+		dbConfig.LdapAttributeUserLastName.Value,
+		dbConfig.LdapAttributeUserProfilePicture.Value,
 	}

 	// Filters must start and finish with ()!
-	searchReq := ldap.NewSearchRequest(baseDN, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, searchAttrs, []ldap.Control{})
+	searchReq := ldap.NewSearchRequest(
+		dbConfig.LdapBase.Value,
+		ldap.ScopeWholeSubtree,
+		0, 0, 0, false,
+		dbConfig.LdapUserSearchFilter.Value,
+		searchAttrs,
+		[]ldap.Control{},
+	)

 	result, err := client.Search(searchReq)
 	if err != nil {
-		fmt.Println(fmt.Errorf("failed to query LDAP: %w", err))
+		return fmt.Errorf("failed to query LDAP: %w", err)
 	}

 	// Create a mapping for users that exist
-	ldapUserIDs := make(map[string]bool)
+	ldapUserIDs := make(map[string]struct{}, len(result.Entries))

 	for _, value := range result.Entries {
-		ldapId := value.GetAttributeValue(uniqueIdentifierAttribute)
-		ldapUserIDs[ldapId] = true
+		ldapId := value.GetAttributeValue(dbConfig.LdapAttributeUserUniqueIdentifier.Value)
+
+		// Skip users without a valid LDAP ID
+		if ldapId == "" {
+			log.Printf("Skipping LDAP user without a valid unique identifier (attribute: %s)", dbConfig.LdapAttributeUserUniqueIdentifier.Value)
+			continue
+		}
+
+		ldapUserIDs[ldapId] = struct{}{}

 		// Get the user from the database
 		var databaseUser model.User
-		s.db.Where("ldap_id = ?", ldapId).First(&databaseUser)
+		err = tx.
+			WithContext(ctx).
+			Where("ldap_id = ?", ldapId).
+			First(&databaseUser).
+			Error
+
+		// If a user is found (even if disabled), enable them since they're now back in LDAP
+		if databaseUser.ID != "" && databaseUser.Disabled {
+			// Use the transaction instead of the direct context
+			err = tx.
+				WithContext(ctx).
+				Model(&model.User{}).
+				Where("id = ?", databaseUser.ID).
+				Update("disabled", false).
+				Error
+
+			if err != nil {
+				log.Printf("Failed to enable user %s: %v", databaseUser.Username, err)
+			}
+		}
+
+		if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+			// This could error with ErrRecordNotFound and we want to ignore that here
+			return fmt.Errorf("failed to query for LDAP user ID '%s': %w", ldapId, err)
+		}

 		// Check if user is admin by checking if they are in the admin group
 		isAdmin := false
 		for _, group := range value.GetAttributeValues("memberOf") {
-			if strings.Contains(group, adminGroupAttribute) {
+			if getDNProperty("cn", group) == dbConfig.LdapAttributeAdminGroup.Value {
 				isAdmin = true
+				break
 			}
 		}

 		newUser := dto.UserCreateDto{
-			Username:  value.GetAttributeValue(usernameAttribute),
-			Email:     value.GetAttributeValue(emailAttribute),
-			FirstName: value.GetAttributeValue(firstNameAttribute),
-			LastName:  value.GetAttributeValue(lastNameAttribute),
+			Username:  value.GetAttributeValue(dbConfig.LdapAttributeUserUsername.Value),
+			Email:     value.GetAttributeValue(dbConfig.LdapAttributeUserEmail.Value),
+			FirstName: value.GetAttributeValue(dbConfig.LdapAttributeUserFirstName.Value),
+			LastName:  value.GetAttributeValue(dbConfig.LdapAttributeUserLastName.Value),
 			IsAdmin:   isAdmin,
 			LdapID:    ldapId,
 		}

 		if databaseUser.ID == "" {
-			_, err = s.userService.CreateUser(newUser)
-			if err != nil {
-				log.Printf("Error syncing user %s: %s", newUser.Username, err)
+			_, err = s.userService.createUserInternal(ctx, newUser, true, tx)
+			if errors.Is(err, &common.AlreadyInUseError{}) {
+				log.Printf("Skipping creating LDAP user '%s': %v", newUser.Username, err)
+				continue
+			} else if err != nil {
+				return fmt.Errorf("error creating user '%s': %w", newUser.Username, err)
 			}
 		} else {
-			_, err = s.userService.UpdateUser(databaseUser.ID, newUser, false, true)
-			if err != nil {
-				log.Printf("Error syncing user %s: %s", newUser.Username, err)
+			_, err = s.userService.updateUserInternal(ctx, databaseUser.ID, newUser, false, true, tx)
+			if errors.Is(err, &common.AlreadyInUseError{}) {
+				log.Printf("Skipping updating LDAP user '%s': %v", newUser.Username, err)
+				continue
+			} else if err != nil {
+				return fmt.Errorf("error updating user '%s': %w", newUser.Username, err)
 			}
-
 		}

+		// Save profile picture
+		pictureString := value.GetAttributeValue(dbConfig.LdapAttributeUserProfilePicture.Value)
+		if pictureString != "" {
+			err = s.saveProfilePicture(ctx, databaseUser.ID, pictureString)
+			if err != nil {
+				// This is not a fatal error
+				log.Printf("Error saving profile picture for user %s: %v", newUser.Username, err)
+			}
+		}
 	}

 	// Get all LDAP users from the database
 	var ldapUsersInDb []model.User
-	if err := s.db.Find(&ldapUsersInDb, "ldap_id IS NOT NULL").Select("ldap_id").Error; err != nil {
-		fmt.Println(fmt.Errorf("failed to fetch users from database: %v", err))
+	err = tx.
+		WithContext(ctx).
+		Find(&ldapUsersInDb, "ldap_id IS NOT NULL").
+		Select("id, username, ldap_id, disabled").
+		Error
+	if err != nil {
+		return fmt.Errorf("failed to fetch users from database: %w", err)
 	}

-	// Delete users that no longer exist in LDAP
+	// Mark users as disabled or delete users that no longer exist in LDAP
 	for _, user := range ldapUsersInDb {
-		if _, exists := ldapUserIDs[*user.LdapID]; !exists {
-			if err := s.db.Delete(&model.User{}, "ldap_id = ?", user.LdapID).Error; err != nil {
-				log.Printf("Failed to delete user %s with: %v", user.Username, err)
-			} else {
-				log.Printf("Deleted user %s", user.Username)
+		// Skip if the user ID exists in the fetched LDAP results
+		if _, exists := ldapUserIDs[*user.LdapID]; exists {
+			continue
+		}
+
+		if dbConfig.LdapSoftDeleteUsers.IsTrue() {
+			err = s.userService.disableUserInternal(ctx, user.ID, tx)
+			if err != nil {
+				return fmt.Errorf("failed to disable user %s: %w", user.Username, err)
 			}
+
+			log.Printf("Disabled user '%s'", user.Username)
+		} else {
+			err = s.userService.deleteUserInternal(ctx, user.ID, true, tx)
+			target := &common.LdapUserUpdateError{}
+			if errors.As(err, &target) {
+				return fmt.Errorf("failed to delete user %s: LDAP user must be disabled before deletion", user.Username)
+			} else if err != nil {
+				return fmt.Errorf("failed to delete user %s: %w", user.Username, err)
+			}
+
+			log.Printf("Deleted user '%s'", user.Username)
 		}
 	}
+
 	return nil
 }
+
+func (s *LdapService) saveProfilePicture(parentCtx context.Context, userId string, pictureString string) error {
+	var reader io.Reader
+
+	_, err := url.ParseRequestURI(pictureString)
+	if err == nil {
+		ctx, cancel := context.WithTimeout(parentCtx, 15*time.Second)
+		defer cancel()
+
+		var req *http.Request
+		req, err = http.NewRequestWithContext(ctx, http.MethodGet, pictureString, nil)
+		if err != nil {
+			return fmt.Errorf("failed to create request: %w", err)
+		}
+
+		var res *http.Response
+		res, err = s.httpClient.Do(req)
+		if err != nil {
+			return fmt.Errorf("failed to download profile picture: %w", err)
+		}
+		defer res.Body.Close()
+
+		reader = res.Body
+	} else if decodedPhoto, err := base64.StdEncoding.DecodeString(pictureString); err == nil {
+		// If the photo is a base64 encoded string, decode it
+		reader = bytes.NewReader(decodedPhoto)
+	} else {
+		// If the photo is a string, we assume that it's a binary string
+		reader = bytes.NewReader([]byte(pictureString))
+	}
+
+	// Update the profile picture
+	err = s.userService.UpdateProfilePicture(userId, reader)
+	if err != nil {
+		return fmt.Errorf("failed to update profile picture: %w", err)
+	}
+
+	return nil
+}
+
+// getDNProperty returns the value of a property from a LDAP identifier
+// See: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/distinguished-names
+func getDNProperty(property string, str string) string {
+	// Example format is "CN=username,ou=people,dc=example,dc=com"
+	// First we split at the comma
+	property = strings.ToLower(property)
+	l := len(property) + 1
+	for _, v := range strings.Split(str, ",") {
+		v = strings.TrimSpace(v)
+		if len(v) > l && strings.ToLower(v)[0:l] == property+"=" {
+			return v[l:]
+		}
+	}
+
+	// CN not found, return an empty string
+	return ""
+}
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .27.0
 .53.0