use add/remove helper functions in auto (de)provision

Also update in the assign
add send email verification opt out
2026-02-18 02:46:37 +00:00 · 2026-02-17 17:50:41 -08:00 · 2026-02-17 17:34:57 -08:00 · 2026-02-17 17:33:35 -08:00 · 2026-02-17 17:31:41 -08:00 · 2026-02-17 17:10:05 -08:00
134 changed files with 8940 additions and 4727 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -32,4 +32,5 @@ migrations/
 config/
 build.ts
 tsconfig.json
+Dockerfile*
 migrations/
--- a/.gitignore
+++ b/.gitignore
@@ -53,3 +53,4 @@ tsconfig.json
 hydrateSaas.ts
 CLAUDE.md
 drizzle.config.ts
+server/setup/migrations.ts
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -10,7 +10,7 @@
        "editor.defaultFormatter": "esbenp.prettier-vscode"
    },
    "[typescript]": {
-        "editor.defaultFormatter": "vscode.typescript-language-features"
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
    },
    "[typescriptreact]": {
        "editor.defaultFormatter": "esbenp.prettier-vscode"
--- a/63
+++ b/63
@@ -1,33 +1,54 @@
-FROM node:24-alpine AS builder
+FROM node:24-alpine AS base

 WORKDIR /app

-ARG BUILD=oss
-ARG DATABASE=sqlite
-
 RUN apk add --no-cache python3 make g++

-# COPY package.json package-lock.json ./
 COPY package*.json ./
+
+FROM base AS builder-dev
+
 RUN npm ci

 COPY . .

+ARG BUILD=oss
+ARG DATABASE=sqlite
+
 RUN if [ "$BUILD" = "oss" ]; then rm -rf server/private; fi && \
    npm run set:$DATABASE && \
    npm run set:$BUILD && \
    npm run db:generate && \
    npm run build && \
-    npm run build:cli
+    npm run build:cli && \
+    test -f dist/server.mjs

-# test to make sure the build output is there and error if not
-RUN test -f dist/server.mjs
+FROM base AS builder

-# Prune dev dependencies and clean up to prepare for copy to runner
-RUN npm prune --omit=dev && npm cache clean --force
+RUN npm ci --omit=dev

 FROM node:24-alpine AS runner

+WORKDIR /app
+
+RUN apk add --no-cache curl tzdata
+
+COPY --from=builder /app/node_modules ./node_modules
+COPY --from=builder /app/package.json ./package.json
+
+COPY --from=builder-dev /app/.next/standalone ./
+COPY --from=builder-dev /app/.next/static ./.next/static
+COPY --from=builder-dev /app/dist ./dist
+COPY --from=builder-dev /app/server/migrations ./dist/init
+
+COPY ./cli/wrapper.sh /usr/local/bin/pangctl
+RUN chmod +x /usr/local/bin/pangctl ./dist/cli.mjs
+
+COPY server/db/names.json ./dist/names.json
+COPY server/db/ios_models.json ./dist/ios_models.json
+COPY server/db/mac_models.json ./dist/mac_models.json
+COPY public ./public
+
 # OCI Image Labels - Build Args for dynamic values
 ARG VERSION="dev"
 ARG REVISION=""
@@ -38,28 +59,6 @@ ARG LICENSE="AGPL-3.0"
 ARG IMAGE_TITLE="Pangolin"
 ARG IMAGE_DESCRIPTION="Identity-aware VPN and proxy for remote access to anything, anywhere"

-WORKDIR /app
-
-# Only curl and tzdata needed at runtime - no build tools!
-RUN apk add --no-cache curl tzdata
-
-# Copy pre-built node_modules from builder (already pruned to production only)
-# This includes the compiled native modules like better-sqlite3
-COPY --from=builder /app/node_modules ./node_modules
-COPY --from=builder /app/.next/standalone ./
-COPY --from=builder /app/.next/static ./.next/static
-COPY --from=builder /app/dist ./dist
-COPY --from=builder /app/server/migrations ./dist/init
-COPY --from=builder /app/package.json ./package.json
-
-COPY ./cli/wrapper.sh /usr/local/bin/pangctl
-RUN chmod +x /usr/local/bin/pangctl ./dist/cli.mjs
-
-COPY server/db/names.json ./dist/names.json
-COPY server/db/ios_models.json ./dist/ios_models.json
-COPY server/db/mac_models.json ./dist/mac_models.json
-COPY public ./public
-
 # OCI Image Labels
 # https://github.com/opencontainers/image-spec/blob/main/annotations.md
 LABEL org.opencontainers.image.source="https://github.com/fosrl/pangolin" \
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@@ -1,7 +1,9 @@
-FROM node:22-alpine
+FROM node:24-alpine

 WORKDIR /app

+RUN apk add --no-cache python3 make g++
+
 COPY package*.json ./

 # Install dependencies
--- a/esbuild.mjs
+++ b/esbuild.mjs
@@ -281,7 +281,7 @@ esbuild
            })
        ],
        sourcemap: "inline",
-        target: "node22"
+        target: "node24"
    })
    .then((result) => {
        // Check if there were any errors in the build result
--- a/messages/bg-BG.json
+++ b/messages/bg-BG.json
@@ -201,7 +201,6 @@
    "protocolSelect": "Изберете протокол",
    "resourcePortNumber": "Номер на порт",
    "resourcePortNumberDescription": "Външен номер на порт за прокси заявки.",
-    "back": "Back",
    "cancel": "Отмяна",
    "resourceConfig": "Конфигурационни фрагменти",
    "resourceConfigDescription": "Копирайте и поставете тези конфигурационни отрязъци, за да настроите TCP/UDP ресурса",
@@ -247,17 +246,6 @@
    "orgErrorDeleteMessage": "Възникна грешка при изтриването на организацията.",
    "orgDeleted": "Организацията е изтрита",
    "orgDeletedMessage": "Организацията и нейните данни са изтрити.",
-    "deleteAccount": "Delete Account",
-    "deleteAccountDescription": "Permanently delete your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountButton": "Delete Account",
-    "deleteAccountConfirmTitle": "Delete Account",
-    "deleteAccountConfirmMessage": "This will permanently wipe your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountConfirmString": "delete account",
-    "deleteAccountSuccess": "Account Deleted",
-    "deleteAccountSuccessMessage": "Your account has been deleted.",
-    "deleteAccountError": "Failed to delete account",
-    "deleteAccountPreviewAccount": "Your Account",
-    "deleteAccountPreviewOrgs": "Organizations you own (and all their data)",
    "orgMissing": "Липсва идентификатор на организация",
    "orgMissingMessage": "Невъзможност за регенериране на покана без идентификатор на организация.",
    "accessUsersManage": "Управление на потребители",
@@ -473,8 +461,6 @@
    "filterByApprovalState": "Филтрирайте по състояние на одобрение",
    "approvalListEmpty": "Няма одобрения",
    "approvalState": "Състояние на одобрение",
-    "approvalLoadMore": "Load more",
-    "loadingApprovals": "Loading Approvals",
    "approve": "Одобряване",
    "approved": "Одобрен",
    "denied": "Отказан",
@@ -1183,8 +1169,7 @@
    "actionViewLogs": "Преглед на дневници",
    "noneSelected": "Нищо не е избрано",
    "orgNotFound2": "Няма намерени организации.",
-    "searchPlaceholder": "Search...",
-    "emptySearchOptions": "No options found",
+    "searchProgress": "Търсене...",
    "create": "Създаване",
    "orgs": "Организации",
    "loginError": "Възникна неочаквана грешка. Моля, опитайте отново.",
@@ -1931,9 +1916,6 @@
    "authPageBrandingQuestionRemove": "Сигурни ли сте, че искате да премахнете брандинга за страниците за автентификация?",
    "authPageBrandingDeleteConfirm": "Потвърждение на изтриване на брандинга.",
    "brandingLogoURL": "URL адрес на логото.",
-    "brandingLogoURLOrPath": "Logo URL or Path",
-    "brandingLogoPathDescription": "Enter a URL or a local path.",
-    "brandingLogoURLDescription": "Enter a publicly accessible URL to your logo image.",
    "brandingPrimaryColor": "Основен цвят.",
    "brandingLogoWidth": "Ширина (px).",
    "brandingLogoHeight": "Височина (px).",
--- a/messages/cs-CZ.json
+++ b/messages/cs-CZ.json
@@ -201,7 +201,6 @@
    "protocolSelect": "Vybrat protokol",
    "resourcePortNumber": "Číslo portu",
    "resourcePortNumberDescription": "Externí port k požadavkům proxy serveru.",
-    "back": "Back",
    "cancel": "Zrušit",
    "resourceConfig": "Konfigurační snippety",
    "resourceConfigDescription": "Zkopírujte a vložte tyto konfigurační textové bloky pro nastavení TCP/UDP zdroje",
@@ -247,17 +246,6 @@
    "orgErrorDeleteMessage": "Došlo k chybě při odstraňování organizace.",
    "orgDeleted": "Organizace odstraněna",
    "orgDeletedMessage": "Organizace a její data byla smazána.",
-    "deleteAccount": "Delete Account",
-    "deleteAccountDescription": "Permanently delete your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountButton": "Delete Account",
-    "deleteAccountConfirmTitle": "Delete Account",
-    "deleteAccountConfirmMessage": "This will permanently wipe your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountConfirmString": "delete account",
-    "deleteAccountSuccess": "Account Deleted",
-    "deleteAccountSuccessMessage": "Your account has been deleted.",
-    "deleteAccountError": "Failed to delete account",
-    "deleteAccountPreviewAccount": "Your Account",
-    "deleteAccountPreviewOrgs": "Organizations you own (and all their data)",
    "orgMissing": "Chybí ID organizace",
    "orgMissingMessage": "Nelze obnovit pozvánku bez ID organizace.",
    "accessUsersManage": "Spravovat uživatele",
@@ -473,8 +461,6 @@
    "filterByApprovalState": "Filtrovat podle státu schválení",
    "approvalListEmpty": "Žádná schválení",
    "approvalState": "Země schválení",
-    "approvalLoadMore": "Load more",
-    "loadingApprovals": "Loading Approvals",
    "approve": "Schválit",
    "approved": "Schváleno",
    "denied": "Zamítnuto",
@@ -1183,8 +1169,7 @@
    "actionViewLogs": "Zobrazit logy",
    "noneSelected": "Není vybráno",
    "orgNotFound2": "Nebyly nalezeny žádné organizace.",
-    "searchPlaceholder": "Search...",
-    "emptySearchOptions": "No options found",
+    "searchProgress": "Hledat...",
    "create": "Vytvořit",
    "orgs": "Organizace",
    "loginError": "Došlo k neočekávané chybě. Zkuste to prosím znovu.",
@@ -1931,9 +1916,6 @@
    "authPageBrandingQuestionRemove": "Jste si jisti, že chcete odstranit branding autentizačních stránek?",
    "authPageBrandingDeleteConfirm": "Potvrzení odstranění brandingu",
    "brandingLogoURL": "URL loga",
-    "brandingLogoURLOrPath": "Logo URL or Path",
-    "brandingLogoPathDescription": "Enter a URL or a local path.",
-    "brandingLogoURLDescription": "Enter a publicly accessible URL to your logo image.",
    "brandingPrimaryColor": "Primární barva",
    "brandingLogoWidth": "Šířka (px)",
    "brandingLogoHeight": "Výška (px)",
--- a/messages/de-DE.json
+++ b/messages/de-DE.json
@@ -201,7 +201,6 @@
    "protocolSelect": "Wählen Sie ein Protokoll",
    "resourcePortNumber": "Portnummer",
    "resourcePortNumberDescription": "Die externe Portnummer für Proxy-Anfragen.",
-    "back": "Back",
    "cancel": "Abbrechen",
    "resourceConfig": "Konfiguration Snippets",
    "resourceConfigDescription": "Kopieren und fügen Sie diese Konfigurations-Snippets ein, um die TCP/UDP Ressource einzurichten",
@@ -247,17 +246,6 @@
    "orgErrorDeleteMessage": "Beim Löschen der Organisation ist ein Fehler aufgetreten.",
    "orgDeleted": "Organisation gelöscht",
    "orgDeletedMessage": "Die Organisation und ihre Daten wurden gelöscht.",
-    "deleteAccount": "Delete Account",
-    "deleteAccountDescription": "Permanently delete your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountButton": "Delete Account",
-    "deleteAccountConfirmTitle": "Delete Account",
-    "deleteAccountConfirmMessage": "This will permanently wipe your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountConfirmString": "delete account",
-    "deleteAccountSuccess": "Account Deleted",
-    "deleteAccountSuccessMessage": "Your account has been deleted.",
-    "deleteAccountError": "Failed to delete account",
-    "deleteAccountPreviewAccount": "Your Account",
-    "deleteAccountPreviewOrgs": "Organizations you own (and all their data)",
    "orgMissing": "Organisations-ID fehlt",
    "orgMissingMessage": "Einladung kann ohne Organisations-ID nicht neu generiert werden.",
    "accessUsersManage": "Benutzer verwalten",
@@ -473,8 +461,6 @@
    "filterByApprovalState": "Filtern nach Genehmigungsstatus",
    "approvalListEmpty": "Keine Genehmigungen",
    "approvalState": "Genehmigungsstatus",
-    "approvalLoadMore": "Load more",
-    "loadingApprovals": "Loading Approvals",
    "approve": "Bestätigen",
    "approved": "Genehmigt",
    "denied": "Verweigert",
@@ -1183,8 +1169,7 @@
    "actionViewLogs": "Logs anzeigen",
    "noneSelected": "Keine ausgewählt",
    "orgNotFound2": "Keine Organisationen gefunden.",
-    "searchPlaceholder": "Search...",
-    "emptySearchOptions": "No options found",
+    "searchProgress": "Suche...",
    "create": "Erstellen",
    "orgs": "Organisationen",
    "loginError": "Ein unerwarteter Fehler ist aufgetreten. Bitte versuchen Sie es erneut.",
@@ -1931,9 +1916,6 @@
    "authPageBrandingQuestionRemove": "Sind Sie sicher, dass Sie das Branding für Authentifizierungsseiten entfernen möchten?",
    "authPageBrandingDeleteConfirm": "Branding löschen bestätigen",
    "brandingLogoURL": "Logo URL",
-    "brandingLogoURLOrPath": "Logo URL or Path",
-    "brandingLogoPathDescription": "Enter a URL or a local path.",
-    "brandingLogoURLDescription": "Enter a publicly accessible URL to your logo image.",
    "brandingPrimaryColor": "Primär-Farbe",
    "brandingLogoWidth": "Breite (px)",
    "brandingLogoHeight": "Höhe (px)",
--- a/messages/en-US.json
+++ b/messages/en-US.json
@@ -201,6 +201,7 @@
    "protocolSelect": "Select a protocol",
    "resourcePortNumber": "Port Number",
    "resourcePortNumberDescription": "The external port number to proxy requests.",
+    "back": "Back",
    "cancel": "Cancel",
    "resourceConfig": "Configuration Snippets",
    "resourceConfigDescription": "Copy and paste these configuration snippets to set up the TCP/UDP resource",
@@ -246,6 +247,17 @@
    "orgErrorDeleteMessage": "An error occurred while deleting the organization.",
    "orgDeleted": "Organization deleted",
    "orgDeletedMessage": "The organization and its data has been deleted.",
+    "deleteAccount": "Delete Account",
+    "deleteAccountDescription": "Permanently delete your account, all organizations you own, and all data within those organizations. This cannot be undone.",
+    "deleteAccountButton": "Delete Account",
+    "deleteAccountConfirmTitle": "Delete Account",
+    "deleteAccountConfirmMessage": "This will permanently wipe your account, all organizations you own, and all data within those organizations. This cannot be undone.",
+    "deleteAccountConfirmString": "delete account",
+    "deleteAccountSuccess": "Account Deleted",
+    "deleteAccountSuccessMessage": "Your account has been deleted.",
+    "deleteAccountError": "Failed to delete account",
+    "deleteAccountPreviewAccount": "Your Account",
+    "deleteAccountPreviewOrgs": "Organizations you own (and all their data)",
    "orgMissing": "Organization ID Missing",
    "orgMissingMessage": "Unable to regenerate invitation without an organization ID.",
    "accessUsersManage": "Manage Users",
@@ -461,6 +473,8 @@
    "filterByApprovalState": "Filter By Approval State",
    "approvalListEmpty": "No approvals",
    "approvalState": "Approval State",
+    "approvalLoadMore": "Load more",
+    "loadingApprovals": "Loading Approvals",
    "approve": "Approve",
    "approved": "Approved",
    "denied": "Denied",
@@ -1169,7 +1183,8 @@
    "actionViewLogs": "View Logs",
    "noneSelected": "None selected",
    "orgNotFound2": "No organizations found.",
-    "searchProgress": "Search...",
+    "searchPlaceholder": "Search...",
+    "emptySearchOptions": "No options found",
    "create": "Create",
    "orgs": "Organizations",
    "loginError": "An unexpected error occurred. Please try again.",
@@ -1251,6 +1266,7 @@
    "sidebarLogAndAnalytics": "Log & Analytics",
    "sidebarBluePrints": "Blueprints",
    "sidebarOrganization": "Organization",
+    "sidebarBillingAndLicenses": "Billing & Licenses",
    "sidebarLogsAnalytics": "Analytics",
    "blueprints": "Blueprints",
    "blueprintsDescription": "Apply declarative configurations and view previous runs",
@@ -1454,6 +1470,7 @@
    "failed": "Failed",
    "createNewOrgDescription": "Create a new organization",
    "organization": "Organization",
+    "primary": "Primary",
    "port": "Port",
    "securityKeyManage": "Manage Security Keys",
    "securityKeyDescription": "Add or remove security keys for passwordless authentication",
@@ -1916,6 +1933,9 @@
    "authPageBrandingQuestionRemove": "Are you sure you want to remove the branding for Auth Pages ?",
    "authPageBrandingDeleteConfirm": "Confirm Delete Branding",
    "brandingLogoURL": "Logo URL",
+    "brandingLogoURLOrPath": "Logo URL or Path",
+    "brandingLogoPathDescription": "Enter a URL or a local path.",
+    "brandingLogoURLDescription": "Enter a publicly accessible URL to your logo image.",
    "brandingPrimaryColor": "Primary Color",
    "brandingLogoWidth": "Width (px)",
    "brandingLogoHeight": "Height (px)",
--- a/messages/es-ES.json
+++ b/messages/es-ES.json
@@ -201,7 +201,6 @@
    "protocolSelect": "Seleccionar un protocolo",
    "resourcePortNumber": "Número de puerto",
    "resourcePortNumberDescription": "El número de puerto externo a las solicitudes de proxy.",
-    "back": "Back",
    "cancel": "Cancelar",
    "resourceConfig": "Fragmentos de configuración",
    "resourceConfigDescription": "Copia y pega estos fragmentos de configuración para configurar el recurso TCP/UDP",
@@ -247,17 +246,6 @@
    "orgErrorDeleteMessage": "Se ha producido un error al eliminar la organización.",
    "orgDeleted": "Organización eliminada",
    "orgDeletedMessage": "La organización y sus datos han sido eliminados.",
-    "deleteAccount": "Delete Account",
-    "deleteAccountDescription": "Permanently delete your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountButton": "Delete Account",
-    "deleteAccountConfirmTitle": "Delete Account",
-    "deleteAccountConfirmMessage": "This will permanently wipe your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountConfirmString": "delete account",
-    "deleteAccountSuccess": "Account Deleted",
-    "deleteAccountSuccessMessage": "Your account has been deleted.",
-    "deleteAccountError": "Failed to delete account",
-    "deleteAccountPreviewAccount": "Your Account",
-    "deleteAccountPreviewOrgs": "Organizations you own (and all their data)",
    "orgMissing": "Falta el ID de la organización",
    "orgMissingMessage": "No se puede regenerar la invitación sin el ID de la organización.",
    "accessUsersManage": "Administrar usuarios",
@@ -473,8 +461,6 @@
    "filterByApprovalState": "Filtrar por estado de aprobación",
    "approvalListEmpty": "No hay aprobaciones",
    "approvalState": "Estado de aprobación",
-    "approvalLoadMore": "Load more",
-    "loadingApprovals": "Loading Approvals",
    "approve": "Aprobar",
    "approved": "Aprobado",
    "denied": "Denegado",
@@ -1183,8 +1169,7 @@
    "actionViewLogs": "Ver registros",
    "noneSelected": "Ninguno seleccionado",
    "orgNotFound2": "No se encontraron organizaciones.",
-    "searchPlaceholder": "Search...",
-    "emptySearchOptions": "No options found",
+    "searchProgress": "Buscar...",
    "create": "Crear",
    "orgs": "Organizaciones",
    "loginError": "Ocurrió un error inesperado. Por favor, inténtelo de nuevo.",
@@ -1931,9 +1916,6 @@
    "authPageBrandingQuestionRemove": "¿Está seguro de que desea eliminar la marca de las páginas de autenticación?",
    "authPageBrandingDeleteConfirm": "Confirmar eliminación de la marca",
    "brandingLogoURL": "URL del logotipo",
-    "brandingLogoURLOrPath": "Logo URL or Path",
-    "brandingLogoPathDescription": "Enter a URL or a local path.",
-    "brandingLogoURLDescription": "Enter a publicly accessible URL to your logo image.",
    "brandingPrimaryColor": "Color primario",
    "brandingLogoWidth": "Ancho (px)",
    "brandingLogoHeight": "Altura (px)",
--- a/messages/fr-FR.json
+++ b/messages/fr-FR.json
@@ -201,7 +201,6 @@
    "protocolSelect": "Choisir un protocole",
    "resourcePortNumber": "Numéro de port",
    "resourcePortNumberDescription": "Le numéro de port externe pour les requêtes de proxy.",
-    "back": "Back",
    "cancel": "Abandonner",
    "resourceConfig": "Snippets de configuration",
    "resourceConfigDescription": "Copiez et collez ces extraits de configuration pour configurer la ressource TCP/UDP",
@@ -247,17 +246,6 @@
    "orgErrorDeleteMessage": "Une erreur s'est produite lors de la suppression de l'organisation.",
    "orgDeleted": "Organisation supprimée",
    "orgDeletedMessage": "L'organisation et ses données ont été supprimées.",
-    "deleteAccount": "Delete Account",
-    "deleteAccountDescription": "Permanently delete your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountButton": "Delete Account",
-    "deleteAccountConfirmTitle": "Delete Account",
-    "deleteAccountConfirmMessage": "This will permanently wipe your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountConfirmString": "delete account",
-    "deleteAccountSuccess": "Account Deleted",
-    "deleteAccountSuccessMessage": "Your account has been deleted.",
-    "deleteAccountError": "Failed to delete account",
-    "deleteAccountPreviewAccount": "Your Account",
-    "deleteAccountPreviewOrgs": "Organizations you own (and all their data)",
    "orgMissing": "ID d'organisation manquant",
    "orgMissingMessage": "Impossible de régénérer l'invitation sans un ID d'organisation.",
    "accessUsersManage": "Gérer les utilisateurs",
@@ -473,8 +461,6 @@
    "filterByApprovalState": "Filtrer par État d'Approbation",
    "approvalListEmpty": "Aucune approbation",
    "approvalState": "État d'approbation",
-    "approvalLoadMore": "Load more",
-    "loadingApprovals": "Loading Approvals",
    "approve": "Approuver",
    "approved": "Approuvé",
    "denied": "Refusé",
@@ -1183,8 +1169,7 @@
    "actionViewLogs": "Voir les logs",
    "noneSelected": "Aucune sélection",
    "orgNotFound2": "Aucune organisation trouvée.",
-    "searchPlaceholder": "Search...",
-    "emptySearchOptions": "No options found",
+    "searchProgress": "Rechercher...",
    "create": "Créer",
    "orgs": "Organisations",
    "loginError": "Une erreur inattendue s'est produite. Veuillez réessayer.",
@@ -1931,9 +1916,6 @@
    "authPageBrandingQuestionRemove": "Êtes-vous sûr de vouloir supprimer la marque des pages d'authentification ?",
    "authPageBrandingDeleteConfirm": "Confirmer la suppression de la marque",
    "brandingLogoURL": "URL du logo",
-    "brandingLogoURLOrPath": "Logo URL or Path",
-    "brandingLogoPathDescription": "Enter a URL or a local path.",
-    "brandingLogoURLDescription": "Enter a publicly accessible URL to your logo image.",
    "brandingPrimaryColor": "Couleur principale",
    "brandingLogoWidth": "Largeur (px)",
    "brandingLogoHeight": "Hauteur (px)",
--- a/messages/it-IT.json
+++ b/messages/it-IT.json
@@ -201,7 +201,6 @@
    "protocolSelect": "Seleziona un protocollo",
    "resourcePortNumber": "Numero Porta",
    "resourcePortNumberDescription": "Il numero di porta esterna per le richieste di proxy.",
-    "back": "Back",
    "cancel": "Annulla",
    "resourceConfig": "Snippet Di Configurazione",
    "resourceConfigDescription": "Copia e incolla questi snippet di configurazione per configurare la risorsa TCP/UDP",
@@ -247,17 +246,6 @@
    "orgErrorDeleteMessage": "Si è verificato un errore durante l'eliminazione dell'organizzazione.",
    "orgDeleted": "Organizzazione eliminata",
    "orgDeletedMessage": "L'organizzazione e i suoi dati sono stati eliminati.",
-    "deleteAccount": "Delete Account",
-    "deleteAccountDescription": "Permanently delete your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountButton": "Delete Account",
-    "deleteAccountConfirmTitle": "Delete Account",
-    "deleteAccountConfirmMessage": "This will permanently wipe your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountConfirmString": "delete account",
-    "deleteAccountSuccess": "Account Deleted",
-    "deleteAccountSuccessMessage": "Your account has been deleted.",
-    "deleteAccountError": "Failed to delete account",
-    "deleteAccountPreviewAccount": "Your Account",
-    "deleteAccountPreviewOrgs": "Organizations you own (and all their data)",
    "orgMissing": "ID Organizzazione Mancante",
    "orgMissingMessage": "Impossibile rigenerare l'invito senza un ID organizzazione.",
    "accessUsersManage": "Gestisci Utenti",
@@ -473,8 +461,6 @@
    "filterByApprovalState": "Filtra Per Stato Di Approvazione",
    "approvalListEmpty": "Nessuna approvazione",
    "approvalState": "Stato Di Approvazione",
-    "approvalLoadMore": "Load more",
-    "loadingApprovals": "Loading Approvals",
    "approve": "Approva",
    "approved": "Approvato",
    "denied": "Negato",
@@ -1183,8 +1169,7 @@
    "actionViewLogs": "Visualizza Log",
    "noneSelected": "Nessuna selezione",
    "orgNotFound2": "Nessuna organizzazione trovata.",
-    "searchPlaceholder": "Search...",
-    "emptySearchOptions": "No options found",
+    "searchProgress": "Ricerca...",
    "create": "Crea",
    "orgs": "Organizzazioni",
    "loginError": "Si è verificato un errore imprevisto. Riprova.",
@@ -1931,9 +1916,6 @@
    "authPageBrandingQuestionRemove": "Sei sicuro di voler rimuovere il branding per le pagine di autenticazione?",
    "authPageBrandingDeleteConfirm": "Conferma Eliminazione Branding",
    "brandingLogoURL": "URL Logo",
-    "brandingLogoURLOrPath": "Logo URL or Path",
-    "brandingLogoPathDescription": "Enter a URL or a local path.",
-    "brandingLogoURLDescription": "Enter a publicly accessible URL to your logo image.",
    "brandingPrimaryColor": "Colore Primario",
    "brandingLogoWidth": "Larghezza (px)",
    "brandingLogoHeight": "Altezza (px)",
--- a/messages/ko-KR.json
+++ b/messages/ko-KR.json
@@ -201,7 +201,6 @@
    "protocolSelect": "프로토콜 선택",
    "resourcePortNumber": "포트 번호",
    "resourcePortNumberDescription": "요청을 프록시하기 위한 외부 포트 번호입니다.",
-    "back": "Back",
    "cancel": "취소",
    "resourceConfig": "구성 스니펫",
    "resourceConfigDescription": "TCP/UDP 리소스를 설정하기 위해 이 구성 스니펫을 복사하여 붙여넣습니다.",
@@ -247,17 +246,6 @@
    "orgErrorDeleteMessage": "조직을 삭제하는 중 오류가 발생했습니다.",
    "orgDeleted": "조직이 삭제되었습니다.",
    "orgDeletedMessage": "조직과 그 데이터가 삭제되었습니다.",
-    "deleteAccount": "Delete Account",
-    "deleteAccountDescription": "Permanently delete your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountButton": "Delete Account",
-    "deleteAccountConfirmTitle": "Delete Account",
-    "deleteAccountConfirmMessage": "This will permanently wipe your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountConfirmString": "delete account",
-    "deleteAccountSuccess": "Account Deleted",
-    "deleteAccountSuccessMessage": "Your account has been deleted.",
-    "deleteAccountError": "Failed to delete account",
-    "deleteAccountPreviewAccount": "Your Account",
-    "deleteAccountPreviewOrgs": "Organizations you own (and all their data)",
    "orgMissing": "조직 ID가 누락되었습니다",
    "orgMissingMessage": "조직 ID 없이 초대장을 재생성할 수 없습니다.",
    "accessUsersManage": "사용자 관리",
@@ -473,8 +461,6 @@
    "filterByApprovalState": "승인 상태로 필터링",
    "approvalListEmpty": "승인이 없습니다.",
    "approvalState": "승인 상태",
-    "approvalLoadMore": "Load more",
-    "loadingApprovals": "Loading Approvals",
    "approve": "승인",
    "approved": "승인됨",
    "denied": "거부됨",
@@ -1183,8 +1169,7 @@
    "actionViewLogs": "로그 보기",
    "noneSelected": "선택된 항목 없음",
    "orgNotFound2": "조직이 없습니다.",
-    "searchPlaceholder": "Search...",
-    "emptySearchOptions": "No options found",
+    "searchProgress": "검색...",
    "create": "생성",
    "orgs": "조직",
    "loginError": "예기치 않은 오류가 발생했습니다. 다시 시도해주세요.",
@@ -1931,9 +1916,6 @@
    "authPageBrandingQuestionRemove": "인증 페이지의 브랜딩을 제거하시겠습니까?",
    "authPageBrandingDeleteConfirm": "브랜딩 삭제 확인",
    "brandingLogoURL": "로고 URL",
-    "brandingLogoURLOrPath": "Logo URL or Path",
-    "brandingLogoPathDescription": "Enter a URL or a local path.",
-    "brandingLogoURLDescription": "Enter a publicly accessible URL to your logo image.",
    "brandingPrimaryColor": "기본 색상",
    "brandingLogoWidth": "너비(px)",
    "brandingLogoHeight": "높이(px)",
--- a/messages/nb-NO.json
+++ b/messages/nb-NO.json
@@ -201,7 +201,6 @@
    "protocolSelect": "Velg en protokoll",
    "resourcePortNumber": "Portnummer",
    "resourcePortNumberDescription": "Det eksterne portnummeret for proxy forespørsler.",
-    "back": "Back",
    "cancel": "Avbryt",
    "resourceConfig": "Konfigurasjonsutdrag",
    "resourceConfigDescription": "Kopier og lim inn disse konfigurasjons-øyeblikkene for å sette opp TCP/UDP ressursen",
@@ -247,17 +246,6 @@
    "orgErrorDeleteMessage": "Det oppsto en feil under sletting av organisasjonen.",
    "orgDeleted": "Organisasjon slettet",
    "orgDeletedMessage": "Organisasjonen og tilhørende data er slettet.",
-    "deleteAccount": "Delete Account",
-    "deleteAccountDescription": "Permanently delete your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountButton": "Delete Account",
-    "deleteAccountConfirmTitle": "Delete Account",
-    "deleteAccountConfirmMessage": "This will permanently wipe your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountConfirmString": "delete account",
-    "deleteAccountSuccess": "Account Deleted",
-    "deleteAccountSuccessMessage": "Your account has been deleted.",
-    "deleteAccountError": "Failed to delete account",
-    "deleteAccountPreviewAccount": "Your Account",
-    "deleteAccountPreviewOrgs": "Organizations you own (and all their data)",
    "orgMissing": "Organisasjons-ID Mangler",
    "orgMissingMessage": "Kan ikke regenerere invitasjon uten en organisasjons-ID.",
    "accessUsersManage": "Administrer brukere",
@@ -473,8 +461,6 @@
    "filterByApprovalState": "Filtrer etter godkjenningsstatus",
    "approvalListEmpty": "Ingen godkjenninger",
    "approvalState": "Godkjennings tilstand",
-    "approvalLoadMore": "Load more",
-    "loadingApprovals": "Loading Approvals",
    "approve": "Godkjenn",
    "approved": "Godkjent",
    "denied": "Avvist",
@@ -1183,8 +1169,7 @@
    "actionViewLogs": "Vis logger",
    "noneSelected": "Ingen valgt",
    "orgNotFound2": "Ingen organisasjoner funnet.",
-    "searchPlaceholder": "Search...",
-    "emptySearchOptions": "No options found",
+    "searchProgress": "Søker...",
    "create": "Opprett",
    "orgs": "Organisasjoner",
    "loginError": "En uventet feil oppstod. Vennligst prøv igjen.",
@@ -1931,9 +1916,6 @@
    "authPageBrandingQuestionRemove": "Er du sikker på at du vil fjerne merkevarebyggingen for autentiseringssider?",
    "authPageBrandingDeleteConfirm": "Bekreft sletting av merkevarebygging",
    "brandingLogoURL": "Logo URL",
-    "brandingLogoURLOrPath": "Logo URL or Path",
-    "brandingLogoPathDescription": "Enter a URL or a local path.",
-    "brandingLogoURLDescription": "Enter a publicly accessible URL to your logo image.",
    "brandingPrimaryColor": "Primærfarge",
    "brandingLogoWidth": "Bredde (px)",
    "brandingLogoHeight": "Høyde (px)",
--- a/messages/nl-NL.json
+++ b/messages/nl-NL.json
@@ -201,7 +201,6 @@
    "protocolSelect": "Selecteer een protocol",
    "resourcePortNumber": "Nummer van poort",
    "resourcePortNumberDescription": "Het externe poortnummer naar proxyverzoeken.",
-    "back": "Back",
    "cancel": "Annuleren",
    "resourceConfig": "Configuratie tekstbouwstenen",
    "resourceConfigDescription": "Kopieer en plak deze configuratie-snippets om de TCP/UDP-bron in te stellen",
@@ -247,17 +246,6 @@
    "orgErrorDeleteMessage": "Er is een fout opgetreden tijdens het verwijderen van de organisatie.",
    "orgDeleted": "Organisatie verwijderd",
    "orgDeletedMessage": "De organisatie en haar gegevens zijn verwijderd.",
-    "deleteAccount": "Delete Account",
-    "deleteAccountDescription": "Permanently delete your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountButton": "Delete Account",
-    "deleteAccountConfirmTitle": "Delete Account",
-    "deleteAccountConfirmMessage": "This will permanently wipe your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountConfirmString": "delete account",
-    "deleteAccountSuccess": "Account Deleted",
-    "deleteAccountSuccessMessage": "Your account has been deleted.",
-    "deleteAccountError": "Failed to delete account",
-    "deleteAccountPreviewAccount": "Your Account",
-    "deleteAccountPreviewOrgs": "Organizations you own (and all their data)",
    "orgMissing": "Organisatie-ID ontbreekt",
    "orgMissingMessage": "Niet in staat om de uitnodiging te regenereren zonder organisatie-ID.",
    "accessUsersManage": "Gebruikers beheren",
@@ -473,8 +461,6 @@
    "filterByApprovalState": "Filter op goedkeuringsstatus",
    "approvalListEmpty": "Geen goedkeuringen",
    "approvalState": "Goedkeuring status",
-    "approvalLoadMore": "Load more",
-    "loadingApprovals": "Loading Approvals",
    "approve": "Goedkeuren",
    "approved": "Goedgekeurd",
    "denied": "Geweigerd",
@@ -1183,8 +1169,7 @@
    "actionViewLogs": "Logboeken bekijken",
    "noneSelected": "Niet geselecteerd",
    "orgNotFound2": "Geen organisaties gevonden.",
-    "searchPlaceholder": "Search...",
-    "emptySearchOptions": "No options found",
+    "searchProgress": "Zoeken...",
    "create": "Aanmaken",
    "orgs": "Organisaties",
    "loginError": "Er is een onverwachte fout opgetreden. Probeer het opnieuw.",
@@ -1931,9 +1916,6 @@
    "authPageBrandingQuestionRemove": "Weet u zeker dat u de branding voor Auth-pagina's wilt verwijderen?",
    "authPageBrandingDeleteConfirm": "Bevestig verwijder Branding",
    "brandingLogoURL": "Het logo-URL",
-    "brandingLogoURLOrPath": "Logo URL or Path",
-    "brandingLogoPathDescription": "Enter a URL or a local path.",
-    "brandingLogoURLDescription": "Enter a publicly accessible URL to your logo image.",
    "brandingPrimaryColor": "Primaire kleur",
    "brandingLogoWidth": "Breedte (px)",
    "brandingLogoHeight": "Hoogte (px)",
--- a/messages/pl-PL.json
+++ b/messages/pl-PL.json
@@ -201,7 +201,6 @@
    "protocolSelect": "Wybierz protokół",
    "resourcePortNumber": "Numer portu",
    "resourcePortNumberDescription": "Numer portu zewnętrznego do żądań proxy.",
-    "back": "Back",
    "cancel": "Anuluj",
    "resourceConfig": "Snippety konfiguracji",
    "resourceConfigDescription": "Skopiuj i wklej te fragmenty konfiguracji, aby skonfigurować zasób TCP/UDP",
@@ -247,17 +246,6 @@
    "orgErrorDeleteMessage": "Wystąpił błąd podczas usuwania organizacji.",
    "orgDeleted": "Organizacja usunięta",
    "orgDeletedMessage": "Organizacja i jej dane zostały usunięte.",
-    "deleteAccount": "Delete Account",
-    "deleteAccountDescription": "Permanently delete your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountButton": "Delete Account",
-    "deleteAccountConfirmTitle": "Delete Account",
-    "deleteAccountConfirmMessage": "This will permanently wipe your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountConfirmString": "delete account",
-    "deleteAccountSuccess": "Account Deleted",
-    "deleteAccountSuccessMessage": "Your account has been deleted.",
-    "deleteAccountError": "Failed to delete account",
-    "deleteAccountPreviewAccount": "Your Account",
-    "deleteAccountPreviewOrgs": "Organizations you own (and all their data)",
    "orgMissing": "Brak ID organizacji",
    "orgMissingMessage": "Nie można ponownie wygenerować zaproszenia bez ID organizacji.",
    "accessUsersManage": "Zarządzaj użytkownikami",
@@ -473,8 +461,6 @@
    "filterByApprovalState": "Filtruj według państwa zatwierdzenia",
    "approvalListEmpty": "Brak zatwierdzeń",
    "approvalState": "Państwo zatwierdzające",
-    "approvalLoadMore": "Load more",
-    "loadingApprovals": "Loading Approvals",
    "approve": "Zatwierdź",
    "approved": "Zatwierdzone",
    "denied": "Odmowa",
@@ -1183,8 +1169,7 @@
    "actionViewLogs": "Zobacz dzienniki",
    "noneSelected": "Nie wybrano",
    "orgNotFound2": "Nie znaleziono organizacji.",
-    "searchPlaceholder": "Search...",
-    "emptySearchOptions": "No options found",
+    "searchProgress": "Szukaj...",
    "create": "Utwórz",
    "orgs": "Organizacje",
    "loginError": "Wystąpił nieoczekiwany błąd. Spróbuj ponownie.",
@@ -1931,9 +1916,6 @@
    "authPageBrandingQuestionRemove": "Czy na pewno chcesz usunąć branding dla stron uwierzytelniania?",
    "authPageBrandingDeleteConfirm": "Potwierdź usunięcie brandingu",
    "brandingLogoURL": "URL logo",
-    "brandingLogoURLOrPath": "Logo URL or Path",
-    "brandingLogoPathDescription": "Enter a URL or a local path.",
-    "brandingLogoURLDescription": "Enter a publicly accessible URL to your logo image.",
    "brandingPrimaryColor": "Główny kolor",
    "brandingLogoWidth": "Szerokość (piksele)",
    "brandingLogoHeight": "Wysokość (piksele)",
--- a/messages/pt-PT.json
+++ b/messages/pt-PT.json
@@ -201,7 +201,6 @@
    "protocolSelect": "Selecione um protocolo",
    "resourcePortNumber": "Número da Porta",
    "resourcePortNumberDescription": "O número da porta externa para requisições de proxy.",
-    "back": "Back",
    "cancel": "cancelar",
    "resourceConfig": "Snippets de Configuração",
    "resourceConfigDescription": "Copie e cole estes snippets de configuração para configurar o recurso TCP/UDP",
@@ -247,17 +246,6 @@
    "orgErrorDeleteMessage": "Ocorreu um erro ao apagar a organização.",
    "orgDeleted": "Organização excluída",
    "orgDeletedMessage": "A organização e seus dados foram excluídos.",
-    "deleteAccount": "Delete Account",
-    "deleteAccountDescription": "Permanently delete your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountButton": "Delete Account",
-    "deleteAccountConfirmTitle": "Delete Account",
-    "deleteAccountConfirmMessage": "This will permanently wipe your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountConfirmString": "delete account",
-    "deleteAccountSuccess": "Account Deleted",
-    "deleteAccountSuccessMessage": "Your account has been deleted.",
-    "deleteAccountError": "Failed to delete account",
-    "deleteAccountPreviewAccount": "Your Account",
-    "deleteAccountPreviewOrgs": "Organizations you own (and all their data)",
    "orgMissing": "ID da Organização Ausente",
    "orgMissingMessage": "Não é possível regenerar o convite sem um ID de organização.",
    "accessUsersManage": "Gerir Utilizadores",
@@ -473,8 +461,6 @@
    "filterByApprovalState": "Filtrar por estado de aprovação",
    "approvalListEmpty": "Sem aprovações",
    "approvalState": "Estado de aprovação",
-    "approvalLoadMore": "Load more",
-    "loadingApprovals": "Loading Approvals",
    "approve": "Aprovar",
    "approved": "Aceito",
    "denied": "Negado",
@@ -1183,8 +1169,7 @@
    "actionViewLogs": "Visualizar registros",
    "noneSelected": "Nenhum selecionado",
    "orgNotFound2": "Nenhuma organização encontrada.",
-    "searchPlaceholder": "Search...",
-    "emptySearchOptions": "No options found",
+    "searchProgress": "Pesquisar...",
    "create": "Criar",
    "orgs": "Organizações",
    "loginError": "Ocorreu um erro inesperado. Por favor, tente novamente.",
@@ -1931,9 +1916,6 @@
    "authPageBrandingQuestionRemove": "Tem certeza de que deseja remover a marcação das Páginas de Autenticação?",
    "authPageBrandingDeleteConfirm": "Confirmar Exclusão de Marca",
    "brandingLogoURL": "URL do Logo",
-    "brandingLogoURLOrPath": "Logo URL or Path",
-    "brandingLogoPathDescription": "Enter a URL or a local path.",
-    "brandingLogoURLDescription": "Enter a publicly accessible URL to your logo image.",
    "brandingPrimaryColor": "Cor Primária",
    "brandingLogoWidth": "Largura (px)",
    "brandingLogoHeight": "Altura (px)",
--- a/messages/ru-RU.json
+++ b/messages/ru-RU.json
@@ -201,7 +201,6 @@
    "protocolSelect": "Выберите протокол",
    "resourcePortNumber": "Номер порта",
    "resourcePortNumberDescription": "Внешний номер порта для проксирования запросов.",
-    "back": "Back",
    "cancel": "Отмена",
    "resourceConfig": "Фрагменты конфигурации",
    "resourceConfigDescription": "Скопируйте и вставьте эти сниппеты для настройки TCP/UDP ресурса",
@@ -247,17 +246,6 @@
    "orgErrorDeleteMessage": "Произошла ошибка при удалении организации.",
    "orgDeleted": "Организация удалена",
    "orgDeletedMessage": "Организация и её данные были удалены.",
-    "deleteAccount": "Delete Account",
-    "deleteAccountDescription": "Permanently delete your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountButton": "Delete Account",
-    "deleteAccountConfirmTitle": "Delete Account",
-    "deleteAccountConfirmMessage": "This will permanently wipe your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountConfirmString": "delete account",
-    "deleteAccountSuccess": "Account Deleted",
-    "deleteAccountSuccessMessage": "Your account has been deleted.",
-    "deleteAccountError": "Failed to delete account",
-    "deleteAccountPreviewAccount": "Your Account",
-    "deleteAccountPreviewOrgs": "Organizations you own (and all their data)",
    "orgMissing": "Отсутствует ID организации",
    "orgMissingMessage": "Невозможно восстановить приглашение без ID организации.",
    "accessUsersManage": "Управление пользователями",
@@ -473,8 +461,6 @@
    "filterByApprovalState": "Фильтр по состоянию утверждения",
    "approvalListEmpty": "Нет утверждений",
    "approvalState": "Состояние одобрения",
-    "approvalLoadMore": "Load more",
-    "loadingApprovals": "Loading Approvals",
    "approve": "Одобрить",
    "approved": "Одобрено",
    "denied": "Отказано",
@@ -1183,8 +1169,7 @@
    "actionViewLogs": "Просмотр журналов",
    "noneSelected": "Ничего не выбрано",
    "orgNotFound2": "Организации не найдены.",
-    "searchPlaceholder": "Search...",
-    "emptySearchOptions": "No options found",
+    "searchProgress": "Поиск...",
    "create": "Создать",
    "orgs": "Организации",
    "loginError": "Произошла непредвиденная ошибка. Пожалуйста, попробуйте еще раз.",
@@ -1931,9 +1916,6 @@
    "authPageBrandingQuestionRemove": "Вы уверены, что хотите удалить брендирование для страниц аутентификации?",
    "authPageBrandingDeleteConfirm": "Подтвердить удаление брендирования",
    "brandingLogoURL": "URL логотипа",
-    "brandingLogoURLOrPath": "Logo URL or Path",
-    "brandingLogoPathDescription": "Enter a URL or a local path.",
-    "brandingLogoURLDescription": "Enter a publicly accessible URL to your logo image.",
    "brandingPrimaryColor": "Основной цвет",
    "brandingLogoWidth": "Ширина (px)",
    "brandingLogoHeight": "Высота (px)",
--- a/messages/tr-TR.json
+++ b/messages/tr-TR.json
@@ -201,7 +201,6 @@
    "protocolSelect": "Bir protokol seçin",
    "resourcePortNumber": "Port Numarası",
    "resourcePortNumberDescription": "Vekil istekler için harici port numarası.",
-    "back": "Back",
    "cancel": "İptal",
    "resourceConfig": "Yapılandırma Parçaları",
    "resourceConfigDescription": "TCP/UDP kaynağınızı kurmak için bu yapılandırma parçalarını kopyalayıp yapıştırın",
@@ -247,17 +246,6 @@
    "orgErrorDeleteMessage": "Organizasyon silinirken bir hata oluştu.",
    "orgDeleted": "Organizasyon silindi",
    "orgDeletedMessage": "Organizasyon ve verileri silindi.",
-    "deleteAccount": "Delete Account",
-    "deleteAccountDescription": "Permanently delete your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountButton": "Delete Account",
-    "deleteAccountConfirmTitle": "Delete Account",
-    "deleteAccountConfirmMessage": "This will permanently wipe your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountConfirmString": "delete account",
-    "deleteAccountSuccess": "Account Deleted",
-    "deleteAccountSuccessMessage": "Your account has been deleted.",
-    "deleteAccountError": "Failed to delete account",
-    "deleteAccountPreviewAccount": "Your Account",
-    "deleteAccountPreviewOrgs": "Organizations you own (and all their data)",
    "orgMissing": "Organizasyon Kimliği Eksik",
    "orgMissingMessage": "Organizasyon kimliği olmadan daveti yeniden oluşturmanız mümkün değildir.",
    "accessUsersManage": "Kullanıcıları Yönet",
@@ -473,8 +461,6 @@
    "filterByApprovalState": "Onay Durumuna Göre Filtrele",
    "approvalListEmpty": "Onay yok",
    "approvalState": "Onay Durumu",
-    "approvalLoadMore": "Load more",
-    "loadingApprovals": "Loading Approvals",
    "approve": "Onayla",
    "approved": "Onaylandı",
    "denied": "Reddedildi",
@@ -1183,8 +1169,7 @@
    "actionViewLogs": "Kayıtları Görüntüle",
    "noneSelected": "Hiçbiri seçili değil",
    "orgNotFound2": "Hiçbir organizasyon bulunamadı.",
-    "searchPlaceholder": "Search...",
-    "emptySearchOptions": "No options found",
+    "searchProgress": "Ara...",
    "create": "Oluştur",
    "orgs": "Organizasyonlar",
    "loginError": "Beklenmeyen bir hata oluştu. Lütfen tekrar deneyin.",
@@ -1931,9 +1916,6 @@
    "authPageBrandingQuestionRemove": "Kimlik Sayfaları için markayı kaldırmak istediğinizden emin misiniz?",
    "authPageBrandingDeleteConfirm": "Markayı Silmeyi Onayla",
    "brandingLogoURL": "Logo URL",
-    "brandingLogoURLOrPath": "Logo URL or Path",
-    "brandingLogoPathDescription": "Enter a URL or a local path.",
-    "brandingLogoURLDescription": "Enter a publicly accessible URL to your logo image.",
    "brandingPrimaryColor": "Ana Renk",
    "brandingLogoWidth": "Genişlik (px)",
    "brandingLogoHeight": "Yükseklik (px)",
--- a/messages/zh-CN.json
+++ b/messages/zh-CN.json
@@ -201,7 +201,6 @@
    "protocolSelect": "选择协议",
    "resourcePortNumber": "端口号",
    "resourcePortNumberDescription": "代理请求的外部端口号。",
-    "back": "Back",
    "cancel": "取消",
    "resourceConfig": "配置片段",
    "resourceConfigDescription": "复制并粘贴这些配置片段以设置 TCP/UDP 资源",
@@ -247,17 +246,6 @@
    "orgErrorDeleteMessage": "删除组织时出错。",
    "orgDeleted": "组织已删除",
    "orgDeletedMessage": "组织及其数据已被删除。",
-    "deleteAccount": "Delete Account",
-    "deleteAccountDescription": "Permanently delete your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountButton": "Delete Account",
-    "deleteAccountConfirmTitle": "Delete Account",
-    "deleteAccountConfirmMessage": "This will permanently wipe your account, all organizations you own, and all data within those organizations. This cannot be undone.",
-    "deleteAccountConfirmString": "delete account",
-    "deleteAccountSuccess": "Account Deleted",
-    "deleteAccountSuccessMessage": "Your account has been deleted.",
-    "deleteAccountError": "Failed to delete account",
-    "deleteAccountPreviewAccount": "Your Account",
-    "deleteAccountPreviewOrgs": "Organizations you own (and all their data)",
    "orgMissing": "缺少组织 ID",
    "orgMissingMessage": "没有组织ID，无法重新生成邀请。",
    "accessUsersManage": "管理用户",
@@ -473,8 +461,6 @@
    "filterByApprovalState": "按批准状态过滤",
    "approvalListEmpty": "无批准",
    "approvalState": "审批状态",
-    "approvalLoadMore": "Load more",
-    "loadingApprovals": "Loading Approvals",
    "approve": "批准",
    "approved": "已批准",
    "denied": "被拒绝",
@@ -1183,8 +1169,7 @@
    "actionViewLogs": "查看日志",
    "noneSelected": "未选择",
    "orgNotFound2": "未找到组织。",
-    "searchPlaceholder": "Search...",
-    "emptySearchOptions": "No options found",
+    "searchProgress": "搜索中...",
    "create": "创建",
    "orgs": "组织",
    "loginError": "发生意外错误。请重试。",
@@ -1931,9 +1916,6 @@
    "authPageBrandingQuestionRemove": "您确定要移除授权页面的品牌吗？",
    "authPageBrandingDeleteConfirm": "确认删除品牌",
    "brandingLogoURL": "Logo URL",
-    "brandingLogoURLOrPath": "Logo URL or Path",
-    "brandingLogoPathDescription": "Enter a URL or a local path.",
-    "brandingLogoURLDescription": "Enter a publicly accessible URL to your logo image.",
    "brandingPrimaryColor": "主要颜色",
    "brandingLogoWidth": "宽度（px）",
    "brandingLogoHeight": "高度（px）",
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -33,8 +33,8 @@
    },
    "dependencies": {
        "@asteasolutions/zod-to-openapi": "8.4.0",
-        "@aws-sdk/client-s3": "3.971.0",
-        "@faker-js/faker": "10.2.0",
+        "@aws-sdk/client-s3": "3.989.0",
+        "@faker-js/faker": "10.3.0",
        "@headlessui/react": "2.2.9",
        "@hookform/resolvers": "5.2.2",
        "@monaco-editor/react": "4.7.0",
@@ -59,67 +59,66 @@
        "@radix-ui/react-tabs": "1.1.13",
        "@radix-ui/react-toast": "1.2.15",
        "@radix-ui/react-tooltip": "1.2.8",
-        "@react-email/components": "1.0.2",
-        "@react-email/render": "2.0.0",
-        "@react-email/tailwind": "2.0.2",
+        "@react-email/components": "1.0.7",
+        "@react-email/render": "2.0.4",
+        "@react-email/tailwind": "2.0.4",
        "@simplewebauthn/browser": "13.2.2",
        "@simplewebauthn/server": "13.2.2",
        "@tailwindcss/forms": "0.5.11",
-        "@tanstack/react-query": "5.90.12",
+        "@tanstack/react-query": "5.90.21",
        "@tanstack/react-table": "8.21.3",
        "arctic": "3.7.0",
-        "axios": "1.13.2",
+        "axios": "1.13.5",
        "better-sqlite3": "11.9.1",
        "canvas-confetti": "1.9.4",
        "class-variance-authority": "0.7.1",
        "clsx": "2.1.1",
        "cmdk": "1.1.1",
        "cookie-parser": "1.4.7",
-        "cors": "2.8.5",
+        "cors": "2.8.6",
        "crypto-js": "4.2.0",
        "d3": "7.9.0",
-        "date-fns": "4.1.0",
        "drizzle-orm": "0.45.1",
-        "eslint": "9.39.2",
-        "eslint-config-next": "16.1.0",
        "express": "5.2.1",
        "express-rate-limit": "8.2.1",
-        "glob": "13.0.0",
+        "glob": "13.0.3",
        "helmet": "8.1.0",
        "http-errors": "2.0.1",
        "input-otp": "1.4.2",
-        "ioredis": "5.9.2",
+        "ioredis": "5.9.3",
        "jmespath": "0.16.0",
        "js-yaml": "4.1.1",
        "jsonwebtoken": "9.0.3",
-        "lucide-react": "0.562.0",
-        "maxmind": "5.0.1",
+        "lucide-react": "0.563.0",
+        "maxmind": "5.0.5",
        "moment": "2.30.1",
-        "next": "15.5.9",
-        "next-intl": "4.7.0",
+        "next": "15.5.12",
+        "next-intl": "4.8.2",
        "next-themes": "0.4.6",
        "nextjs-toploader": "3.9.17",
        "node-cache": "5.1.2",
-        "nodemailer": "7.0.11",
+        "nodemailer": "8.0.1",
        "oslo": "1.2.1",
-        "pg": "8.17.1",
-        "posthog-node": "5.23.0",
+        "pg": "8.18.0",
+        "posthog-node": "5.24.15",
        "qrcode.react": "4.2.0",
-        "react": "19.2.3",
-        "react-day-picker": "9.13.0",
-        "react-dom": "19.2.3",
+        "react": "19.2.4",
+        "react-day-picker": "9.13.2",
+        "react-dom": "19.2.4",
        "react-easy-sort": "1.8.0",
        "react-hook-form": "7.71.1",
        "react-icons": "5.5.0",
        "recharts": "2.15.4",
        "reodotdev": "1.0.0",
-        "resend": "6.8.0",
-        "semver": "7.7.3",
-        "stripe": "20.2.0",
+        "resend": "6.9.2",
+        "semver": "7.7.4",
+        "sshpk": "^1.18.0",
+        "stripe": "20.3.1",
        "swagger-ui-express": "5.0.1",
        "tailwind-merge": "3.4.0",
        "topojson-client": "3.1.0",
        "tw-animate-css": "1.4.0",
+        "use-debounce": "^10.1.0",
        "uuid": "13.0.0",
        "vaul": "1.1.2",
        "visionscarto-world-atlas": "1.0.0",
@@ -128,14 +127,15 @@
        "ws": "8.19.0",
        "yaml": "2.8.2",
        "yargs": "18.0.0",
-        "zod": "4.3.5",
+        "zod": "4.3.6",
        "zod-validation-error": "5.0.0"
    },
    "devDependencies": {
-        "@dotenvx/dotenvx": "1.51.2",
+        "@dotenvx/dotenvx": "1.52.0",
        "@esbuild-plugins/tsconfig-paths": "0.1.2",
+        "@react-email/preview-server": "5.2.8",
        "@tailwindcss/postcss": "4.1.18",
-        "@tanstack/react-query-devtools": "5.91.1",
+        "@tanstack/react-query-devtools": "5.91.3",
        "@types/better-sqlite3": "7.6.13",
        "@types/cookie-parser": "1.4.10",
        "@types/cors": "2.8.19",
@@ -144,30 +144,33 @@
        "@types/express": "5.0.6",
        "@types/express-session": "1.18.2",
        "@types/jmespath": "0.15.2",
+        "@types/js-yaml": "4.0.9",
        "@types/jsonwebtoken": "9.0.10",
-        "@types/node": "24.10.2",
-        "@types/nodemailer": "7.0.4",
+        "@types/node": "25.2.3",
+        "@types/nodemailer": "7.0.9",
        "@types/nprogress": "0.2.3",
        "@types/pg": "8.16.0",
-        "@types/react": "19.2.7",
+        "@types/react": "19.2.14",
        "@types/react-dom": "19.2.3",
        "@types/semver": "7.7.1",
+        "@types/sshpk": "^1.17.4",
        "@types/swagger-ui-express": "4.1.8",
        "@types/topojson-client": "3.1.5",
        "@types/ws": "8.18.1",
        "@types/yargs": "17.0.35",
-        "@types/js-yaml": "4.0.9",
        "babel-plugin-react-compiler": "1.0.0",
-        "drizzle-kit": "0.31.8",
-        "esbuild": "0.27.2",
+        "drizzle-kit": "0.31.9",
+        "esbuild": "0.27.3",
        "esbuild-node-externals": "1.20.1",
+        "eslint": "9.39.2",
+        "eslint-config-next": "16.1.6",
        "postcss": "8.5.6",
-        "prettier": "3.8.0",
-        "react-email": "5.2.5",
+        "prettier": "3.8.1",
+        "react-email": "5.2.8",
        "tailwindcss": "4.1.18",
        "tsc-alias": "1.8.16",
        "tsx": "4.21.0",
        "typescript": "5.9.3",
-        "typescript-eslint": "8.53.1"
+        "typescript-eslint": "8.55.0"
    }
 }
--- a/server/auth/actions.ts
+++ b/server/auth/actions.ts
@@ -131,7 +131,8 @@ export enum ActionsEnum {
    viewLogs = "viewLogs",
    exportLogs = "exportLogs",
    listApprovals = "listApprovals",
-    updateApprovals = "updateApprovals"
+    updateApprovals = "updateApprovals",
+    signSshKey = "signSshKey"
 }

 export async function checkUserActionPermission(
--- a/server/auth/canUserAccessSiteResource.ts
+++ b/server/auth/canUserAccessSiteResource.ts
@@ -0,0 +1,45 @@
+import { db } from "@server/db";
+import { and, eq } from "drizzle-orm";
+import { roleSiteResources, userSiteResources } from "@server/db";
+
+export async function canUserAccessSiteResource({
+    userId,
+    resourceId,
+    roleId
+}: {
+    userId: string;
+    resourceId: number;
+    roleId: number;
+}): Promise<boolean> {
+    const roleResourceAccess = await db
+        .select()
+        .from(roleSiteResources)
+        .where(
+            and(
+                eq(roleSiteResources.siteResourceId, resourceId),
+                eq(roleSiteResources.roleId, roleId)
+            )
+        )
+        .limit(1);
+
+    if (roleResourceAccess.length > 0) {
+        return true;
+    }
+
+    const userResourceAccess = await db
+        .select()
+        .from(userSiteResources)
+        .where(
+            and(
+                eq(userSiteResources.userId, userId),
+                eq(userSiteResources.siteResourceId, resourceId)
+            )
+        )
+        .limit(1);
+
+    if (userResourceAccess.length > 0) {
+        return true;
+    }
+
+    return false;
+}
--- a/server/db/pg/schema/schema.ts
+++ b/server/db/pg/schema/schema.ts
@@ -1,18 +1,16 @@
-import {
-    pgTable,
-    serial,
-    varchar,
-    boolean,
-    integer,
-    bigint,
-    real,
-    text,
-    index,
-    uniqueIndex
-} from "drizzle-orm/pg-core";
-import { InferSelectModel } from "drizzle-orm";
 import { randomUUID } from "crypto";
-import { alias } from "yargs";
+import { InferSelectModel } from "drizzle-orm";
+import {
+    bigint,
+    boolean,
+    index,
+    integer,
+    pgTable,
+    real,
+    serial,
+    text,
+    varchar
+} from "drizzle-orm/pg-core";

 export const domains = pgTable("domains", {
    domainId: varchar("domainId").primaryKey(),
@@ -55,7 +53,11 @@ export const orgs = pgTable("orgs", {
        .default(0),
    settingsLogRetentionDaysAction: integer("settingsLogRetentionDaysAction") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
        .notNull()
-        .default(0)
+        .default(0),
+    sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
+    sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
+    isBillingOrg: boolean("isBillingOrg"),
+    billingOrgId: varchar("billingOrgId")
 });

 export const orgDomains = pgTable("orgDomains", {
@@ -188,7 +190,9 @@ export const targetHealthCheck = pgTable("targetHealthCheck", {
    hcFollowRedirects: boolean("hcFollowRedirects").default(true),
    hcMethod: varchar("hcMethod").default("GET"),
    hcStatus: integer("hcStatus"), // http code
-    hcHealth: text("hcHealth").default("unknown"), // "unknown", "healthy", "unhealthy"
+    hcHealth: text("hcHealth")
+        .$type<"unknown" | "healthy" | "unhealthy">()
+        .default("unknown"), // "unknown", "healthy", "unhealthy"
    hcTlsServerName: text("hcTlsServerName")
 });

@@ -218,7 +222,7 @@ export const siteResources = pgTable("siteResources", {
        .references(() => orgs.orgId, { onDelete: "cascade" }),
    niceId: varchar("niceId").notNull(),
    name: varchar("name").notNull(),
-    mode: varchar("mode").notNull(), // "host" | "cidr" | "port"
+    mode: varchar("mode").$type<"host" | "cidr">().notNull(), // "host" | "cidr" | "port"
    protocol: varchar("protocol"), // only for port mode
    proxyPort: integer("proxyPort"), // only for port mode
    destinationPort: integer("destinationPort"), // only for port mode
@@ -328,7 +332,8 @@ export const userOrgs = pgTable("userOrgs", {
        .notNull()
        .references(() => roles.roleId),
    isOwner: boolean("isOwner").notNull().default(false),
-    autoProvisioned: boolean("autoProvisioned").default(false)
+    autoProvisioned: boolean("autoProvisioned").default(false),
+    pamUsername: varchar("pamUsername") // cleaned username for ssh and such
 });

 export const emailVerificationCodes = pgTable("emailVerificationCodes", {
@@ -984,6 +989,16 @@ export const deviceWebAuthCodes = pgTable("deviceWebAuthCodes", {
    })
 });

+export const roundTripMessageTracker = pgTable("roundTripMessageTracker", {
+    messageId: serial("messageId").primaryKey(),
+    wsClientId: varchar("clientId"),
+    messageType: varchar("messageType"),
+    sentAt: bigint("sentAt", { mode: "number" }).notNull(),
+    receivedAt: bigint("receivedAt", { mode: "number" }),
+    error: text("error"),
+    complete: boolean("complete").notNull().default(false)
+});
+
 export type Org = InferSelectModel<typeof orgs>;
 export type User = InferSelectModel<typeof users>;
 export type Site = InferSelectModel<typeof sites>;
@@ -1044,3 +1059,4 @@ export type SecurityKey = InferSelectModel<typeof securityKeys>;
 export type WebauthnChallenge = InferSelectModel<typeof webauthnChallenge>;
 export type DeviceWebAuthCode = InferSelectModel<typeof deviceWebAuthCodes>;
 export type RequestAuditLog = InferSelectModel<typeof requestAuditLog>;
+export type RoundTripMessageTracker = InferSelectModel<typeof roundTripMessageTracker>;
--- a/server/db/sqlite/schema/schema.ts
+++ b/server/db/sqlite/schema/schema.ts
@@ -1,13 +1,6 @@
 import { randomUUID } from "crypto";
 import { InferSelectModel } from "drizzle-orm";
-import {
-    sqliteTable,
-    text,
-    integer,
-    index,
-    uniqueIndex
-} from "drizzle-orm/sqlite-core";
-import { no } from "zod/v4/locales";
+import { index, integer, sqliteTable, text } from "drizzle-orm/sqlite-core";

 export const domains = sqliteTable("domains", {
    domainId: text("domainId").primaryKey(),
@@ -52,7 +45,11 @@ export const orgs = sqliteTable("orgs", {
        .default(0),
    settingsLogRetentionDaysAction: integer("settingsLogRetentionDaysAction") // where 0 = dont keep logs and -1 = keep forever and 9001 = end of the following year
        .notNull()
-        .default(0)
+        .default(0),
+    sshCaPrivateKey: text("sshCaPrivateKey"), // Encrypted SSH CA private key (PEM format)
+    sshCaPublicKey: text("sshCaPublicKey"), // SSH CA public key (OpenSSH format)
+    isBillingOrg: integer("isBillingOrg", { mode: "boolean" }),
+    billingOrgId: text("billingOrgId")
 });

 export const userDomains = sqliteTable("userDomains", {
@@ -214,7 +211,9 @@ export const targetHealthCheck = sqliteTable("targetHealthCheck", {
    }).default(true),
    hcMethod: text("hcMethod").default("GET"),
    hcStatus: integer("hcStatus"), // http code
-    hcHealth: text("hcHealth").default("unknown"), // "unknown", "healthy", "unhealthy"
+    hcHealth: text("hcHealth")
+        .$type<"unknown" | "healthy" | "unhealthy">()
+        .default("unknown"), // "unknown", "healthy", "unhealthy"
    hcTlsServerName: text("hcTlsServerName")
 });

@@ -246,7 +245,7 @@ export const siteResources = sqliteTable("siteResources", {
        .references(() => orgs.orgId, { onDelete: "cascade" }),
    niceId: text("niceId").notNull(),
    name: text("name").notNull(),
-    mode: text("mode").notNull(), // "host" | "cidr" | "port"
+    mode: text("mode").$type<"host" | "cidr">().notNull(), // "host" | "cidr" | "port"
    protocol: text("protocol"), // only for port mode
    proxyPort: integer("proxyPort"), // only for port mode
    destinationPort: integer("destinationPort"), // only for port mode
@@ -638,7 +637,8 @@ export const userOrgs = sqliteTable("userOrgs", {
    isOwner: integer("isOwner", { mode: "boolean" }).notNull().default(false),
    autoProvisioned: integer("autoProvisioned", {
        mode: "boolean"
-    }).default(false)
+    }).default(false),
+    pamUsername: text("pamUsername") // cleaned username for ssh and such
 });

 export const emailVerificationCodes = sqliteTable("emailVerificationCodes", {
@@ -1080,6 +1080,16 @@ export const deviceWebAuthCodes = sqliteTable("deviceWebAuthCodes", {
    })
 });

+export const roundTripMessageTracker = sqliteTable("roundTripMessageTracker", {
+    messageId: integer("messageId").primaryKey({ autoIncrement: true }),
+    wsClientId: text("clientId"),
+    messageType: text("messageType"),
+    sentAt: integer("sentAt").notNull(),
+    receivedAt: integer("receivedAt"),
+    error: text("error"),
+    complete: integer("complete", { mode: "boolean" }).notNull().default(false)
+});
+
 export type Org = InferSelectModel<typeof orgs>;
 export type User = InferSelectModel<typeof users>;
 export type Site = InferSelectModel<typeof sites>;
@@ -1141,3 +1151,6 @@ export type SecurityKey = InferSelectModel<typeof securityKeys>;
 export type WebauthnChallenge = InferSelectModel<typeof webauthnChallenge>;
 export type RequestAuditLog = InferSelectModel<typeof requestAuditLog>;
 export type DeviceWebAuthCode = InferSelectModel<typeof deviceWebAuthCodes>;
+export type RoundTripMessageTracker = InferSelectModel<
+    typeof roundTripMessageTracker
+>;
--- a/server/lib/billing/features.ts
+++ b/server/lib/billing/features.ts
@@ -4,6 +4,7 @@ export enum FeatureId {
    EGRESS_DATA_MB = "egressDataMb",
    DOMAINS = "domains",
    REMOTE_EXIT_NODES = "remoteExitNodes",
+    ORGINIZATIONS = "organizations",
    TIER1 = "tier1"
 }

@@ -19,6 +20,8 @@ export async function getFeatureDisplayName(featureId: FeatureId): Promise<strin
            return "Domains";
        case FeatureId.REMOTE_EXIT_NODES:
            return "Remote Exit Nodes";
+        case FeatureId.ORGINIZATIONS:
+            return "Organizations";
        case FeatureId.TIER1:
            return "Home Lab";
        default:
--- a/server/lib/billing/limitSet.ts
+++ b/server/lib/billing/limitSet.ts
@@ -7,18 +7,12 @@ export type LimitSet = Partial<{
    };
 }>;

-export const sandboxLimitSet: LimitSet = {
-    [FeatureId.USERS]: { value: 1, description: "Sandbox limit" },
-    [FeatureId.SITES]: { value: 1, description: "Sandbox limit" },
-    [FeatureId.DOMAINS]: { value: 0, description: "Sandbox limit" },
-    [FeatureId.REMOTE_EXIT_NODES]: { value: 0, description: "Sandbox limit" },
-};
-
 export const freeLimitSet: LimitSet = {
-    [FeatureId.USERS]: { value: 5, description: "Starter limit" },
-    [FeatureId.SITES]: { value: 5, description: "Starter limit" },
-    [FeatureId.DOMAINS]: { value: 5, description: "Starter limit" },
-    [FeatureId.REMOTE_EXIT_NODES]: { value: 1, description: "Starter limit" },
+    [FeatureId.SITES]: { value: 5, description: "Basic limit" },
+    [FeatureId.USERS]: { value: 5, description: "Basic limit" },
+    [FeatureId.DOMAINS]: { value: 5, description: "Basic limit" },
+    [FeatureId.REMOTE_EXIT_NODES]: { value: 1, description: "Basic limit" },
+    [FeatureId.ORGINIZATIONS]: { value: 1, description: "Basic limit" },
 };

 export const tier1LimitSet: LimitSet = {
@@ -26,6 +20,7 @@ export const tier1LimitSet: LimitSet = {
    [FeatureId.SITES]: { value: 10, description: "Home limit" },
    [FeatureId.DOMAINS]: { value: 10, description: "Home limit" },
    [FeatureId.REMOTE_EXIT_NODES]: { value: 1, description: "Home limit" },
+    [FeatureId.ORGINIZATIONS]: { value: 1, description: "Home limit" },
 };

 export const tier2LimitSet: LimitSet = {
@@ -45,6 +40,10 @@ export const tier2LimitSet: LimitSet = {
        value: 3,
        description: "Team limit"
    },
+    [FeatureId.ORGINIZATIONS]: {
+        value: 1,
+        description: "Team limit"
+    }
 };

 export const tier3LimitSet: LimitSet = {
@@ -64,4 +63,8 @@ export const tier3LimitSet: LimitSet = {
        value: 20,
        description: "Business limit"
    },
+    [FeatureId.ORGINIZATIONS]: {
+        value: 20,
+        description: "Business limit"
+    },
 };
--- a/server/lib/billing/tierMatrix.ts
+++ b/server/lib/billing/tierMatrix.ts
@@ -14,7 +14,8 @@ export enum TierFeature {
    TwoFactorEnforcement = "twoFactorEnforcement", // handle downgrade by setting to optional
    SessionDurationPolicies = "sessionDurationPolicies", // handle downgrade by setting to default duration
    PasswordExpirationPolicies = "passwordExpirationPolicies", // handle downgrade by setting to default duration
-    AutoProvisioning = "autoProvisioning" // handle downgrade by disabling auto provisioning
+    AutoProvisioning = "autoProvisioning", // handle downgrade by disabling auto provisioning
+    SshPam = "sshPam"
 }

 export const tierMatrix: Record<TierFeature, Tier[]> = {
@@ -46,5 +47,6 @@ export const tierMatrix: Record<TierFeature, Tier[]> = {
        "tier3",
        "enterprise"
    ],
-    [TierFeature.AutoProvisioning]: ["tier1", "tier3", "enterprise"]
+    [TierFeature.AutoProvisioning]: ["tier1", "tier3", "enterprise"],
+    [TierFeature.SshPam]: ["enterprise"]
 };
--- a/server/lib/billing/usageService.ts
+++ b/server/lib/billing/usageService.ts
@@ -1,34 +1,19 @@
 import { eq, sql, and } from "drizzle-orm";
-import { v4 as uuidv4 } from "uuid";
-import { PutObjectCommand } from "@aws-sdk/client-s3";
 import {
    db,
    usage,
    customers,
-    sites,
-    newts,
    limits,
    Usage,
    Limit,
-    Transaction
+    Transaction,
+    orgs
 } from "@server/db";
 import { FeatureId, getFeatureMeterId } from "./features";
 import logger from "@server/logger";
-import { sendToClient } from "#dynamic/routers/ws";
 import { build } from "@server/build";
-import { s3Client } from "@server/lib/s3";
 import cache from "@server/lib/cache";

-interface StripeEvent {
-    identifier?: string;
-    timestamp: number;
-    event_name: string;
-    payload: {
-        value: number;
-        stripe_customer_id: string;
-    };
-}
-
 export function noop() {
    if (build !== "saas") {
        return true;
@@ -37,41 +22,11 @@ export function noop() {
 }

 export class UsageService {
-    private bucketName: string | undefined;
-    private events: StripeEvent[] = [];
-    private lastUploadTime: number = Date.now();
-    private isUploading: boolean = false;

    constructor() {
        if (noop()) {
            return;
        }
-
-        // this.bucketName = process.env.S3_BUCKET || undefined;
-
-        // // Periodically check and upload events
-        // setInterval(() => {
-        //     this.checkAndUploadEvents().catch((err) => {
-        //         logger.error("Error in periodic event upload:", err);
-        //     });
-        // }, 30000); // every 30 seconds
-
-        // // Handle graceful shutdown on SIGTERM
-        // process.on("SIGTERM", async () => {
-        //     logger.info(
-        //         "SIGTERM received, uploading events before shutdown..."
-        //     );
-        //     await this.forceUpload();
-        //     logger.info("Events uploaded, proceeding with shutdown");
-        // });
-
-        // // Handle SIGINT as well (Ctrl+C)
-        // process.on("SIGINT", async () => {
-        //     logger.info("SIGINT received, uploading events before shutdown...");
-        //     await this.forceUpload();
-        //     logger.info("Events uploaded, proceeding with shutdown");
-        //     process.exit(0);
-        // });
    }

    /**
@@ -91,6 +46,8 @@ export class UsageService {
            return null;
        }

+        let orgIdToUse = await this.getBillingOrg(orgId, transaction);
+
        // Truncate value to 11 decimal places
        value = this.truncateValue(value);

@@ -100,20 +57,10 @@ export class UsageService {

        while (attempt <= maxRetries) {
            try {
-                // Get subscription data for this org (with caching)
-                const customerId = await this.getCustomerId(orgId, featureId);
-
-                if (!customerId) {
-                    logger.warn(
-                        `No subscription data found for org ${orgId} and feature ${featureId}`
-                    );
-                    return null;
-                }
-
                let usage;
                if (transaction) {
                    usage = await this.internalAddUsage(
-                        orgId,
+                        orgIdToUse,
                        featureId,
                        value,
                        transaction
@@ -121,7 +68,7 @@ export class UsageService {
                } else {
                    await db.transaction(async (trx) => {
                        usage = await this.internalAddUsage(
-                            orgId,
+                            orgIdToUse,
                            featureId,
                            value,
                            trx
@@ -129,11 +76,6 @@ export class UsageService {
                    });
                }

-                // Log event for Stripe
-                // if (privateConfig.getRawPrivateConfig().flags.usage_reporting) {
-                //     await this.logStripeEvent(featureId, value, customerId);
-                // }
-
                return usage || null;
            } catch (error: any) {
                // Check if this is a deadlock error
@@ -150,7 +92,7 @@ export class UsageService {
                    const delay = baseDelay + jitter;

                    logger.warn(
-                        `Deadlock detected for ${orgId}/${featureId}, retrying attempt ${attempt}/${maxRetries} after ${delay.toFixed(0)}ms`
+                        `Deadlock detected for ${orgIdToUse}/${featureId}, retrying attempt ${attempt}/${maxRetries} after ${delay.toFixed(0)}ms`
                    );

                    await new Promise((resolve) => setTimeout(resolve, delay));
@@ -158,7 +100,7 @@ export class UsageService {
                }

                logger.error(
-                    `Failed to add usage for ${orgId}/${featureId} after ${attempt} attempts:`,
+                    `Failed to add usage for ${orgIdToUse}/${featureId} after ${attempt} attempts:`,
                    error
                );
                break;
@@ -169,7 +111,7 @@ export class UsageService {
    }

    private async internalAddUsage(
-        orgId: string,
+        orgId: string, // here the orgId is the billing org already resolved by getBillingOrg in updateCount
        featureId: FeatureId,
        value: number,
        trx: Transaction
@@ -188,13 +130,14 @@ export class UsageService {
                featureId,
                orgId,
                meterId,
+                instantaneousValue: value,
                latestValue: value,
                updatedAt: Math.floor(Date.now() / 1000)
            })
            .onConflictDoUpdate({
                target: usage.usageId,
                set: {
-                    latestValue: sql`${usage.latestValue} + ${value}`
+                    instantaneousValue: sql`${usage.instantaneousValue} + ${value}`
                }
            })
            .returning();
@@ -221,18 +164,10 @@ export class UsageService {
        if (noop()) {
            return;
        }
-        try {
-            if (!customerId) {
-                customerId =
-                    (await this.getCustomerId(orgId, featureId)) || undefined;
-                if (!customerId) {
-                    logger.warn(
-                        `No subscription data found for org ${orgId} and feature ${featureId}`
-                    );
-                    return;
-                }
-            }

+        let orgIdToUse = await this.getBillingOrg(orgId);
+
+        try {
            // Truncate value to 11 decimal places if provided
            if (value !== undefined && value !== null) {
                value = this.truncateValue(value);
@@ -242,7 +177,7 @@ export class UsageService {

            await db.transaction(async (trx) => {
                // Get existing meter record
-                const usageId = `${orgId}-${featureId}`;
+                const usageId = `${orgIdToUse}-${featureId}`;
                // Get current usage record
                [currentUsage] = await trx
                    .select()
@@ -264,7 +199,7 @@ export class UsageService {
                    await trx.insert(usage).values({
                        usageId,
                        featureId,
-                        orgId,
+                        orgId: orgIdToUse,
                        meterId,
                        instantaneousValue: value || 0,
                        latestValue: value || 0,
@@ -278,7 +213,7 @@ export class UsageService {
            // }
        } catch (error) {
            logger.error(
-                `Failed to update count usage for ${orgId}/${featureId}:`,
+                `Failed to update count usage for ${orgIdToUse}/${featureId}:`,
                error
            );
        }
@@ -288,7 +223,9 @@ export class UsageService {
        orgId: string,
        featureId: FeatureId
    ): Promise<string | null> {
-        const cacheKey = `customer_${orgId}_${featureId}`;
+        let orgIdToUse = await this.getBillingOrg(orgId);
+
+        const cacheKey = `customer_${orgIdToUse}_${featureId}`;
        const cached = cache.get<string>(cacheKey);

        if (cached) {
@@ -302,7 +239,7 @@ export class UsageService {
                    customerId: customers.customerId
                })
                .from(customers)
-                .where(eq(customers.orgId, orgId))
+                .where(eq(customers.orgId, orgIdToUse))
                .limit(1);

            if (!customer) {
@@ -317,112 +254,13 @@ export class UsageService {
            return customerId;
        } catch (error) {
            logger.error(
-                `Failed to get subscription data for ${orgId}/${featureId}:`,
+                `Failed to get subscription data for ${orgIdToUse}/${featureId}:`,
                error
            );
            return null;
        }
    }

-    private async logStripeEvent(
-        featureId: FeatureId,
-        value: number,
-        customerId: string
-    ): Promise<void> {
-        // Truncate value to 11 decimal places before sending to Stripe
-        const truncatedValue = this.truncateValue(value);
-
-        const event: StripeEvent = {
-            identifier: uuidv4(),
-            timestamp: Math.floor(new Date().getTime() / 1000),
-            event_name: featureId,
-            payload: {
-                value: truncatedValue,
-                stripe_customer_id: customerId
-            }
-        };
-
-        this.addEventToMemory(event);
-        await this.checkAndUploadEvents();
-    }
-
-    private addEventToMemory(event: StripeEvent): void {
-        if (!this.bucketName) {
-            logger.warn(
-                "S3 bucket name is not configured, skipping event storage."
-            );
-            return;
-        }
-        this.events.push(event);
-    }
-
-    private async checkAndUploadEvents(): Promise<void> {
-        const now = Date.now();
-        const timeSinceLastUpload = now - this.lastUploadTime;
-
-        // Check if at least 1 minute has passed since last upload
-        if (timeSinceLastUpload >= 60000 && this.events.length > 0) {
-            await this.uploadEventsToS3();
-        }
-    }
-
-    private async uploadEventsToS3(): Promise<void> {
-        if (!this.bucketName) {
-            logger.warn(
-                "S3 bucket name is not configured, skipping S3 upload."
-            );
-            return;
-        }
-
-        if (this.events.length === 0) {
-            return;
-        }
-
-        // Check if already uploading
-        if (this.isUploading) {
-            logger.debug("Already uploading events, skipping");
-            return;
-        }
-
-        this.isUploading = true;
-
-        try {
-            // Take a snapshot of current events and clear the array
-            const eventsToUpload = [...this.events];
-            this.events = [];
-            this.lastUploadTime = Date.now();
-
-            const fileName = this.generateEventFileName();
-            const fileContent = JSON.stringify(eventsToUpload, null, 2);
-
-            // Upload to S3
-            const uploadCommand = new PutObjectCommand({
-                Bucket: this.bucketName,
-                Key: fileName,
-                Body: fileContent,
-                ContentType: "application/json"
-            });
-
-            await s3Client.send(uploadCommand);
-
-            logger.info(
-                `Uploaded ${fileName} to S3 with ${eventsToUpload.length} events`
-            );
-        } catch (error) {
-            logger.error("Failed to upload events to S3:", error);
-            // Note: Events are lost if upload fails. In a production system,
-            // you might want to add the events back to the array or implement retry logic
-        } finally {
-            this.isUploading = false;
-        }
-    }
-
-    private generateEventFileName(): string {
-        const timestamp = new Date().toISOString().replace(/[:.]/g, "-");
-        const uuid = uuidv4().substring(0, 8);
-        return `events-${timestamp}-${uuid}.json`;
-    }
-
    public async getUsage(
        orgId: string,
        featureId: FeatureId,
@@ -432,7 +270,9 @@ export class UsageService {
            return null;
        }

-        const usageId = `${orgId}-${featureId}`;
+        let orgIdToUse = await this.getBillingOrg(orgId, trx);
+
+        const usageId = `${orgIdToUse}-${featureId}`;

        try {
            const [result] = await trx
@@ -444,7 +284,7 @@ export class UsageService {
            if (!result) {
                // Lets create one if it doesn't exist using upsert to handle race conditions
                logger.info(
-                    `Creating new usage record for ${orgId}/${featureId}`
+                    `Creating new usage record for ${orgIdToUse}/${featureId}`
                );
                const meterId = getFeatureMeterId(featureId);

@@ -454,7 +294,7 @@ export class UsageService {
                        .values({
                            usageId,
                            featureId,
-                            orgId,
+                            orgId: orgIdToUse,
                            meterId,
                            latestValue: 0,
                            updatedAt: Math.floor(Date.now() / 1000)
@@ -476,7 +316,7 @@ export class UsageService {
                } catch (insertError) {
                    // Fallback: try to fetch existing record in case of any insert issues
                    logger.warn(
-                        `Insert failed for ${orgId}/${featureId}, attempting to fetch existing record:`,
+                        `Insert failed for ${orgIdToUse}/${featureId}, attempting to fetch existing record:`,
                        insertError
                    );
                    const [existingUsage] = await trx
@@ -491,19 +331,41 @@ export class UsageService {
            return result;
        } catch (error) {
            logger.error(
-                `Failed to get usage for ${orgId}/${featureId}:`,
+                `Failed to get usage for ${orgIdToUse}/${featureId}:`,
                error
            );
            throw error;
        }
    }

-    public async forceUpload(): Promise<void> {
-        if (this.events.length > 0) {
-            // Force upload regardless of time
-            this.lastUploadTime = 0; // Reset to force upload
-            await this.uploadEventsToS3();
+    public async getBillingOrg(
+        orgId: string,
+        trx: Transaction | typeof db = db
+    ): Promise<string> {
+        let orgIdToUse = orgId;
+
+        // get the org
+        const [org] = await trx
+            .select()
+            .from(orgs)
+            .where(eq(orgs.orgId, orgId))
+            .limit(1);
+
+        if (!org) {
+            throw new Error(`Organization with ID ${orgId} not found`);
        }
+
+        if (!org.isBillingOrg) {
+            if (org.billingOrgId) {
+                orgIdToUse = org.billingOrgId;
+            } else {
+                throw new Error(
+                    `Organization ${orgId} is not a billing org and does not have a billingOrgId set`
+                );
+            }
+        }
+
+        return orgIdToUse;
    }

    public async checkLimitSet(
@@ -515,6 +377,9 @@ export class UsageService {
        if (noop()) {
            return false;
        }
+
+        let orgIdToUse = await this.getBillingOrg(orgId, trx);
+
        // This method should check the current usage against the limits set for the organization
        // and kick out all of the sites on the org
        let hasExceededLimits = false;
@@ -528,7 +393,7 @@ export class UsageService {
                    .from(limits)
                    .where(
                        and(
-                            eq(limits.orgId, orgId),
+                            eq(limits.orgId, orgIdToUse),
                            eq(limits.featureId, featureId)
                        )
                    );
@@ -537,11 +402,11 @@ export class UsageService {
                orgLimits = await trx
                    .select()
                    .from(limits)
-                    .where(eq(limits.orgId, orgId));
+                    .where(eq(limits.orgId, orgIdToUse));
            }

            if (orgLimits.length === 0) {
-                logger.debug(`No limits set for org ${orgId}`);
+                logger.debug(`No limits set for org ${orgIdToUse}`);
                return false;
            }

@@ -552,7 +417,7 @@ export class UsageService {
                    currentUsage = usage;
                } else {
                    currentUsage = await this.getUsage(
-                        orgId,
+                        orgIdToUse,
                        limit.featureId as FeatureId,
                        trx
                    );
@@ -563,10 +428,10 @@ export class UsageService {
                    currentUsage?.latestValue ||
                    0;
                logger.debug(
-                    `Current usage for org ${orgId} on feature ${limit.featureId}: ${usageValue}`
+                    `Current usage for org ${orgIdToUse} on feature ${limit.featureId}: ${usageValue}`
                );
                logger.debug(
-                    `Limit for org ${orgId} on feature ${limit.featureId}: ${limit.value}`
+                    `Limit for org ${orgIdToUse} on feature ${limit.featureId}: ${limit.value}`
                );
                if (
                    currentUsage &&
@@ -574,7 +439,7 @@ export class UsageService {
                    usageValue > limit.value
                ) {
                    logger.debug(
-                        `Org ${orgId} has exceeded limit for ${limit.featureId}: ` +
+                        `Org ${orgIdToUse} has exceeded limit for ${limit.featureId}: ` +
                            `${usageValue} > ${limit.value}`
                    );
                    hasExceededLimits = true;
@@ -582,7 +447,7 @@ export class UsageService {
                }
            }
        } catch (error) {
-            logger.error(`Error checking limits for org ${orgId}:`, error);
+            logger.error(`Error checking limits for org ${orgIdToUse}:`, error);
        }

        return hasExceededLimits;
--- a/server/lib/createUserAccountOrg.ts
+++ b/server/lib/createUserAccountOrg.ts
@@ -1,197 +0,0 @@
-import { isValidCIDR } from "@server/lib/validators";
-import { getNextAvailableOrgSubnet } from "@server/lib/ip";
-import {
-    actions,
-    apiKeyOrg,
-    apiKeys,
-    db,
-    domains,
-    Org,
-    orgDomains,
-    orgs,
-    roleActions,
-    roles,
-    userOrgs
-} from "@server/db";
-import { eq } from "drizzle-orm";
-import { defaultRoleAllowedActions } from "@server/routers/role";
-import { FeatureId, limitsService, sandboxLimitSet } from "@server/lib/billing";
-import { createCustomer } from "#dynamic/lib/billing";
-import { usageService } from "@server/lib/billing/usageService";
-import config from "@server/lib/config";
-
-export async function createUserAccountOrg(
-    userId: string,
-    userEmail: string
-): Promise<{
-    success: boolean;
-    org?: {
-        orgId: string;
-        name: string;
-        subnet: string;
-    };
-    error?: string;
-}> {
-    // const subnet = await getNextAvailableOrgSubnet();
-    const orgId = "org_" + userId;
-    const name = `${userEmail}'s Organization`;
-
-    // if (!isValidCIDR(subnet)) {
-    //     return {
-    //         success: false,
-    //         error: "Invalid subnet format. Please provide a valid CIDR notation."
-    //     };
-    // }
-
-    // // make sure the subnet is unique
-    // const subnetExists = await db
-    //     .select()
-    //     .from(orgs)
-    //     .where(eq(orgs.subnet, subnet))
-    //     .limit(1);
-
-    // if (subnetExists.length > 0) {
-    //     return { success: false, error: `Subnet ${subnet} already exists` };
-    // }
-
-    // make sure the orgId is unique
-    const orgExists = await db
-        .select()
-        .from(orgs)
-        .where(eq(orgs.orgId, orgId))
-        .limit(1);
-
-    if (orgExists.length > 0) {
-        return {
-            success: false,
-            error: `Organization with ID ${orgId} already exists`
-        };
-    }
-
-    let error = "";
-    let org: Org | null = null;
-
-    await db.transaction(async (trx) => {
-        const allDomains = await trx
-            .select()
-            .from(domains)
-            .where(eq(domains.configManaged, true));
-
-        const utilitySubnet = config.getRawConfig().orgs.utility_subnet_group;
-
-        const newOrg = await trx
-            .insert(orgs)
-            .values({
-                orgId,
-                name,
-                // subnet
-                subnet: "100.90.128.0/24", // TODO: this should not be hardcoded - or can it be the same in all orgs?
-                utilitySubnet: utilitySubnet,
-                createdAt: new Date().toISOString()
-            })
-            .returning();
-
-        if (newOrg.length === 0) {
-            error = "Failed to create organization";
-            trx.rollback();
-            return;
-        }
-
-        org = newOrg[0];
-
-        // Create admin role within the same transaction
-        const [insertedRole] = await trx
-            .insert(roles)
-            .values({
-                orgId: newOrg[0].orgId,
-                isAdmin: true,
-                name: "Admin",
-                description: "Admin role with the most permissions"
-            })
-            .returning({ roleId: roles.roleId });
-
-        if (!insertedRole || !insertedRole.roleId) {
-            error = "Failed to create Admin role";
-            trx.rollback();
-            return;
-        }
-
-        const roleId = insertedRole.roleId;
-
-        // Get all actions and create role actions
-        const actionIds = await trx.select().from(actions).execute();
-
-        if (actionIds.length > 0) {
-            await trx.insert(roleActions).values(
-                actionIds.map((action) => ({
-                    roleId,
-                    actionId: action.actionId,
-                    orgId: newOrg[0].orgId
-                }))
-            );
-        }
-
-        if (allDomains.length) {
-            await trx.insert(orgDomains).values(
-                allDomains.map((domain) => ({
-                    orgId: newOrg[0].orgId,
-                    domainId: domain.domainId
-                }))
-            );
-        }
-
-        await trx.insert(userOrgs).values({
-            userId,
-            orgId: newOrg[0].orgId,
-            roleId: roleId,
-            isOwner: true
-        });
-
-        const memberRole = await trx
-            .insert(roles)
-            .values({
-                name: "Member",
-                description: "Members can only view resources",
-                orgId
-            })
-            .returning();
-
-        await trx.insert(roleActions).values(
-            defaultRoleAllowedActions.map((action) => ({
-                roleId: memberRole[0].roleId,
-                actionId: action,
-                orgId
-            }))
-        );
-    });
-
-    await limitsService.applyLimitSetToOrg(orgId, sandboxLimitSet);
-
-    if (!org) {
-        return { success: false, error: "Failed to create org" };
-    }
-
-    if (error) {
-        return {
-            success: false,
-            error: `Failed to create org: ${error}`
-        };
-    }
-
-    // make sure we have the stripe customer
-    const customerId = await createCustomer(orgId, userEmail);
-
-    if (customerId) {
-        await usageService.updateCount(orgId, FeatureId.USERS, 1, customerId); // Only 1 because we are crating the org
-    }
-
-    return {
-        org: {
-            orgId,
-            name,
-            // subnet
-            subnet: "100.90.128.0/24"
-        },
-        success: true
-    };
-}
--- a/server/lib/deleteOrg.ts
+++ b/server/lib/deleteOrg.ts
@@ -0,0 +1,170 @@
+import {
+    clients,
+    clientSiteResourcesAssociationsCache,
+    clientSitesAssociationsCache,
+    db,
+    domains,
+    olms,
+    orgDomains,
+    orgs,
+    resources,
+    sites
+} from "@server/db";
+import { newts, newtSessions } from "@server/db";
+import { eq, and, inArray, sql } from "drizzle-orm";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { sendToClient } from "#dynamic/routers/ws";
+import { deletePeer } from "@server/routers/gerbil/peers";
+import { OlmErrorCodes } from "@server/routers/olm/error";
+import { sendTerminateClient } from "@server/routers/client/terminate";
+import { usageService } from "./billing/usageService";
+import { FeatureId } from "./billing";
+
+export type DeleteOrgByIdResult = {
+    deletedNewtIds: string[];
+    olmsToTerminate: string[];
+};
+
+/**
+ * Deletes one organization and its related data. Returns ids for termination
+ * messages; caller should call sendTerminationMessages with the result.
+ * Throws if org not found.
+ */
+export async function deleteOrgById(
+    orgId: string
+): Promise<DeleteOrgByIdResult> {
+    const [org] = await db
+        .select()
+        .from(orgs)
+        .where(eq(orgs.orgId, orgId))
+        .limit(1);
+
+    if (!org) {
+        throw createHttpError(
+            HttpCode.NOT_FOUND,
+            `Organization with ID ${orgId} not found`
+        );
+    }
+
+    const orgSites = await db
+        .select()
+        .from(sites)
+        .where(eq(sites.orgId, orgId))
+        .limit(1);
+
+    const orgClients = await db
+        .select()
+        .from(clients)
+        .where(eq(clients.orgId, orgId));
+
+    const deletedNewtIds: string[] = [];
+    const olmsToTerminate: string[] = [];
+
+    await db.transaction(async (trx) => {
+        for (const site of orgSites) {
+            if (site.pubKey) {
+                if (site.type == "wireguard") {
+                    await deletePeer(site.exitNodeId!, site.pubKey);
+                } else if (site.type == "newt") {
+                    const [deletedNewt] = await trx
+                        .delete(newts)
+                        .where(eq(newts.siteId, site.siteId))
+                        .returning();
+                    if (deletedNewt) {
+                        deletedNewtIds.push(deletedNewt.newtId);
+                        await trx
+                            .delete(newtSessions)
+                            .where(eq(newtSessions.newtId, deletedNewt.newtId));
+                    }
+                }
+            }
+            logger.info(`Deleting site ${site.siteId}`);
+            await trx.delete(sites).where(eq(sites.siteId, site.siteId));
+        }
+        for (const client of orgClients) {
+            const [olm] = await trx
+                .select()
+                .from(olms)
+                .where(eq(olms.clientId, client.clientId))
+                .limit(1);
+            if (olm) {
+                olmsToTerminate.push(olm.olmId);
+            }
+            logger.info(`Deleting client ${client.clientId}`);
+            await trx
+                .delete(clients)
+                .where(eq(clients.clientId, client.clientId));
+            await trx
+                .delete(clientSiteResourcesAssociationsCache)
+                .where(
+                    eq(
+                        clientSiteResourcesAssociationsCache.clientId,
+                        client.clientId
+                    )
+                );
+            await trx
+                .delete(clientSitesAssociationsCache)
+                .where(
+                    eq(clientSitesAssociationsCache.clientId, client.clientId)
+                );
+        }
+        const allOrgDomains = await trx
+            .select()
+            .from(orgDomains)
+            .innerJoin(domains, eq(domains.domainId, orgDomains.domainId))
+            .where(
+                and(
+                    eq(orgDomains.orgId, orgId),
+                    eq(domains.configManaged, false)
+                )
+            );
+        const domainIdsToDelete: string[] = [];
+        for (const orgDomain of allOrgDomains) {
+            const domainId = orgDomain.domains.domainId;
+            const orgCount = await trx
+                .select({ count: sql<number>`count(*)` })
+                .from(orgDomains)
+                .where(eq(orgDomains.domainId, domainId));
+            if (orgCount[0].count === 1) {
+                domainIdsToDelete.push(domainId);
+            }
+        }
+        if (domainIdsToDelete.length > 0) {
+            await trx
+                .delete(domains)
+                .where(inArray(domains.domainId, domainIdsToDelete));
+        }
+        await trx.delete(resources).where(eq(resources.orgId, orgId));
+
+        await usageService.add(orgId, FeatureId.ORGINIZATIONS, -1, trx); // here we are decreasing the org count BEFORE deleting the org because we need to still be able to get the org to get the billing org inside of here
+
+        await trx.delete(orgs).where(eq(orgs.orgId, orgId));
+    });
+
+    return { deletedNewtIds, olmsToTerminate };
+}
+
+export function sendTerminationMessages(result: DeleteOrgByIdResult): void {
+    for (const newtId of result.deletedNewtIds) {
+        sendToClient(newtId, { type: `newt/wg/terminate`, data: {} }).catch(
+            (error) => {
+                logger.error(
+                    "Failed to send termination message to newt:",
+                    error
+                );
+            }
+        );
+    }
+    for (const olmId of result.olmsToTerminate) {
+        sendTerminateClient(0, OlmErrorCodes.TERMINATED_REKEYED, olmId).catch(
+            (error) => {
+                logger.error(
+                    "Failed to send termination message to olm:",
+                    error
+                );
+            }
+        );
+    }
+}
--- a/server/lib/userOrg.ts
+++ b/server/lib/userOrg.ts
@@ -0,0 +1,142 @@
+import {
+    db,
+    Org,
+    orgs,
+    resources,
+    siteResources,
+    sites,
+    Transaction,
+    UserOrg,
+    userOrgs,
+    userResources,
+    userSiteResources,
+    userSites
+} from "@server/db";
+import { eq, and, inArray, ne, exists } from "drizzle-orm";
+import { usageService } from "@server/lib/billing/usageService";
+import { FeatureId } from "@server/lib/billing";
+
+export async function assignUserToOrg(
+    org: Org,
+    values: typeof userOrgs.$inferInsert,
+    trx: Transaction | typeof db = db
+) {
+    const [userOrg] = await trx.insert(userOrgs).values(values).returning();
+
+    // calculate if the user is in any other of the orgs before we count it as an add to the billing org
+    if (org.billingOrgId) {
+        const otherBillingOrgs = await trx
+            .select()
+            .from(orgs)
+            .where(
+                and(
+                    eq(orgs.billingOrgId, org.billingOrgId),
+                    ne(orgs.orgId, org.orgId)
+                )
+            );
+
+        const billingOrgIds = otherBillingOrgs.map((o) => o.orgId);
+
+        const orgsInBillingDomainThatTheUserIsStillIn = await trx
+            .select()
+            .from(userOrgs)
+            .where(
+                and(
+                    eq(userOrgs.userId, userOrg.userId),
+                    inArray(userOrgs.orgId, billingOrgIds)
+                )
+            );
+
+        if (orgsInBillingDomainThatTheUserIsStillIn.length === 0) {
+            await usageService.add(org.orgId, FeatureId.USERS, 1, trx);
+        }
+    }
+}
+
+export async function removeUserFromOrg(
+    org: Org,
+    userId: string,
+    trx: Transaction | typeof db = db
+) {
+    await trx
+        .delete(userOrgs)
+        .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, org.orgId)));
+
+    await trx.delete(userResources).where(
+        and(
+            eq(userResources.userId, userId),
+            exists(
+                trx
+                    .select()
+                    .from(resources)
+                    .where(
+                        and(
+                            eq(resources.resourceId, userResources.resourceId),
+                            eq(resources.orgId, org.orgId)
+                        )
+                    )
+            )
+        )
+    );
+
+    await trx.delete(userSiteResources).where(
+        and(
+            eq(userSiteResources.userId, userId),
+            exists(
+                trx
+                    .select()
+                    .from(siteResources)
+                    .where(
+                        and(
+                            eq(
+                                siteResources.siteResourceId,
+                                userSiteResources.siteResourceId
+                            ),
+                            eq(siteResources.orgId, org.orgId)
+                        )
+                    )
+            )
+        )
+    );
+
+    await trx.delete(userSites).where(
+        and(
+            eq(userSites.userId, userId),
+            exists(
+                db
+                    .select()
+                    .from(sites)
+                    .where(
+                        and(
+                            eq(sites.siteId, userSites.siteId),
+                            eq(sites.orgId, org.orgId)
+                        )
+                    )
+            )
+        )
+    );
+
+    // calculate if the user is in any other of the orgs before we count it as an remove to the billing org
+    if (org.billingOrgId) {
+        const billingOrgs = await trx
+            .select()
+            .from(orgs)
+            .where(eq(orgs.billingOrgId, org.billingOrgId));
+
+        const billingOrgIds = billingOrgs.map((o) => o.orgId);
+
+        const orgsInBillingDomainThatTheUserIsStillIn = await trx
+            .select()
+            .from(userOrgs)
+            .where(
+                and(
+                    eq(userOrgs.userId, userId),
+                    inArray(userOrgs.orgId, billingOrgIds)
+                )
+            );
+
+        if (orgsInBillingDomainThatTheUserIsStillIn.length === 0) {
+            await usageService.add(org.orgId, FeatureId.USERS, -1, trx);
+        }
+    }
+}
--- a/server/openApi.ts
+++ b/server/openApi.ts
@@ -16,5 +16,6 @@ export enum OpenAPITags {
    Client = "Client",
    ApiKey = "API Key",
    Domain = "Domain",
-    Blueprint = "Blueprint"
+    Blueprint = "Blueprint",
+    Ssh = "SSH"
 }
--- a/server/private/lib/sshCA.ts
+++ b/server/private/lib/sshCA.ts
@@ -0,0 +1,442 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import * as crypto from "crypto";
+
+/**
+ * SSH CA "Server" - Pure TypeScript Implementation
+ *
+ * This module provides basic SSH Certificate Authority functionality using
+ * only Node.js built-in crypto module. No external dependencies or subprocesses.
+ *
+ * Usage:
+ *   1. generateCA() - Creates a new CA key pair, returns CA info including the
+ *      TrustedUserCAKeys line to add to servers
+ *   2. signPublicKey() - Signs a user's public key with the CA, returns a certificate
+ */
+
+// ============================================================================
+// SSH Wire Format Helpers
+// ============================================================================
+
+/**
+ * Encode a string in SSH wire format (4-byte length prefix + data)
+ */
+function encodeString(data: Buffer | string): Buffer {
+    const buf = typeof data === "string" ? Buffer.from(data, "utf8") : data;
+    const len = Buffer.alloc(4);
+    len.writeUInt32BE(buf.length, 0);
+    return Buffer.concat([len, buf]);
+}
+
+/**
+ * Encode a uint32 in SSH wire format (big-endian)
+ */
+function encodeUInt32(value: number): Buffer {
+    const buf = Buffer.alloc(4);
+    buf.writeUInt32BE(value, 0);
+    return buf;
+}
+
+/**
+ * Encode a uint64 in SSH wire format (big-endian)
+ */
+function encodeUInt64(value: bigint): Buffer {
+    const buf = Buffer.alloc(8);
+    buf.writeBigUInt64BE(value, 0);
+    return buf;
+}
+
+/**
+ * Decode a string from SSH wire format at the given offset
+ * Returns the string buffer and the new offset
+ */
+function decodeString(data: Buffer, offset: number): { value: Buffer; newOffset: number } {
+    const len = data.readUInt32BE(offset);
+    const value = data.subarray(offset + 4, offset + 4 + len);
+    return { value, newOffset: offset + 4 + len };
+}
+
+// ============================================================================
+// SSH Public Key Parsing/Encoding
+// ============================================================================
+
+/**
+ * Parse an OpenSSH public key line (e.g., "ssh-ed25519 AAAA... comment")
+ */
+function parseOpenSSHPublicKey(pubKeyLine: string): {
+    keyType: string;
+    keyData: Buffer;
+    comment: string;
+} {
+    const parts = pubKeyLine.trim().split(/\s+/);
+    if (parts.length < 2) {
+        throw new Error("Invalid public key format");
+    }
+
+    const keyType = parts[0];
+    const keyData = Buffer.from(parts[1], "base64");
+    const comment = parts.slice(2).join(" ") || "";
+
+    // Verify the key type in the blob matches
+    const { value: blobKeyType } = decodeString(keyData, 0);
+    if (blobKeyType.toString("utf8") !== keyType) {
+        throw new Error(`Key type mismatch: ${blobKeyType.toString("utf8")} vs ${keyType}`);
+    }
+
+    return { keyType, keyData, comment };
+}
+
+/**
+ * Encode an Ed25519 public key in OpenSSH format
+ */
+function encodeEd25519PublicKey(publicKey: Buffer): Buffer {
+    return Buffer.concat([
+        encodeString("ssh-ed25519"),
+        encodeString(publicKey)
+    ]);
+}
+
+/**
+ * Format a public key blob as an OpenSSH public key line
+ */
+function formatOpenSSHPublicKey(keyBlob: Buffer, comment: string = ""): string {
+    const { value: keyType } = decodeString(keyBlob, 0);
+    const base64 = keyBlob.toString("base64");
+    return `${keyType.toString("utf8")} ${base64}${comment ? " " + comment : ""}`;
+}
+
+// ============================================================================
+// SSH Certificate Building
+// ============================================================================
+
+interface CertificateOptions {
+    /** Serial number for the certificate */
+    serial?: bigint;
+    /** Certificate type: 1 = user, 2 = host */
+    certType?: number;
+    /** Key ID (usually username or identifier) */
+    keyId: string;
+    /** List of valid principals (usernames the cert is valid for) */
+    validPrincipals: string[];
+    /** Valid after timestamp (seconds since epoch) */
+    validAfter?: bigint;
+    /** Valid before timestamp (seconds since epoch) */
+    validBefore?: bigint;
+    /** Critical options (usually empty for user certs) */
+    criticalOptions?: Map<string, string>;
+    /** Extensions to enable */
+    extensions?: string[];
+}
+
+/**
+ * Build the extensions section of the certificate
+ */
+function buildExtensions(extensions: string[]): Buffer {
+    // Extensions are a series of name-value pairs, sorted by name
+    // For boolean extensions, the value is empty
+    const sortedExtensions = [...extensions].sort();
+
+    const parts: Buffer[] = [];
+    for (const ext of sortedExtensions) {
+        parts.push(encodeString(ext));
+        parts.push(encodeString("")); // Empty value for boolean extensions
+    }
+
+    return encodeString(Buffer.concat(parts));
+}
+
+/**
+ * Build the critical options section
+ */
+function buildCriticalOptions(options: Map<string, string>): Buffer {
+    const sortedKeys = [...options.keys()].sort();
+
+    const parts: Buffer[] = [];
+    for (const key of sortedKeys) {
+        parts.push(encodeString(key));
+        parts.push(encodeString(encodeString(options.get(key)!)));
+    }
+
+    return encodeString(Buffer.concat(parts));
+}
+
+/**
+ * Build the valid principals section
+ */
+function buildPrincipals(principals: string[]): Buffer {
+    const parts: Buffer[] = [];
+    for (const principal of principals) {
+        parts.push(encodeString(principal));
+    }
+    return encodeString(Buffer.concat(parts));
+}
+
+/**
+ * Extract the raw Ed25519 public key from an OpenSSH public key blob
+ */
+function extractEd25519PublicKey(keyBlob: Buffer): Buffer {
+    const { newOffset } = decodeString(keyBlob, 0); // Skip key type
+    const { value: publicKey } = decodeString(keyBlob, newOffset);
+    return publicKey;
+}
+
+// ============================================================================
+// CA Interface
+// ============================================================================
+
+export interface CAKeyPair {
+    /** CA private key in PEM format (keep this secret!) */
+    privateKeyPem: string;
+    /** CA public key in PEM format */
+    publicKeyPem: string;
+    /** CA public key in OpenSSH format (for TrustedUserCAKeys) */
+    publicKeyOpenSSH: string;
+    /** Raw CA public key bytes (Ed25519) */
+    publicKeyRaw: Buffer;
+}
+
+export interface SignedCertificate {
+    /** The certificate in OpenSSH format (save as id_ed25519-cert.pub or similar) */
+    certificate: string;
+    /** The certificate type string */
+    certType: string;
+    /** Serial number */
+    serial: bigint;
+    /** Key ID */
+    keyId: string;
+    /** Valid principals */
+    validPrincipals: string[];
+    /** Valid from timestamp */
+    validAfter: Date;
+    /** Valid until timestamp */
+    validBefore: Date;
+}
+
+// ============================================================================
+// Main Functions
+// ============================================================================
+
+/**
+ * Generate a new SSH Certificate Authority key pair.
+ *
+ * Returns the CA keys and the line to add to /etc/ssh/sshd_config:
+ *   TrustedUserCAKeys /etc/ssh/ca.pub
+ *
+ * Then save the publicKeyOpenSSH to /etc/ssh/ca.pub on the server.
+ *
+ * @param comment - Optional comment for the CA public key
+ * @returns CA key pair and configuration info
+ */
+export function generateCA(comment: string = "ssh-ca"): CAKeyPair {
+    // Generate Ed25519 key pair
+    const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519", {
+        publicKeyEncoding: { type: "spki", format: "pem" },
+        privateKeyEncoding: { type: "pkcs8", format: "pem" }
+    });
+
+    // Get raw public key bytes
+    const pubKeyObj = crypto.createPublicKey(publicKey);
+    const rawPubKey = pubKeyObj.export({ type: "spki", format: "der" });
+    // Ed25519 SPKI format: 12 byte header + 32 byte key
+    const ed25519PubKey = rawPubKey.subarray(rawPubKey.length - 32);
+
+    // Create OpenSSH format public key
+    const pubKeyBlob = encodeEd25519PublicKey(ed25519PubKey);
+    const publicKeyOpenSSH = formatOpenSSHPublicKey(pubKeyBlob, comment);
+
+    return {
+        privateKeyPem: privateKey,
+        publicKeyPem: publicKey,
+        publicKeyOpenSSH,
+        publicKeyRaw: ed25519PubKey
+    };
+}
+
+// ============================================================================
+// Helper Functions
+// ============================================================================
+
+/**
+ * Get and decrypt the SSH CA keys for an organization.
+ * 
+ * @param orgId - Organization ID
+ * @param decryptionKey - Key to decrypt the CA private key (typically server.secret from config)
+ * @returns CA key pair or null if not found
+ */
+export async function getOrgCAKeys(
+    orgId: string,
+    decryptionKey: string
+): Promise<CAKeyPair | null> {
+    const { db, orgs } = await import("@server/db");
+    const { eq } = await import("drizzle-orm");
+    const { decrypt } = await import("@server/lib/crypto");
+
+    const [org] = await db
+        .select({
+            sshCaPrivateKey: orgs.sshCaPrivateKey,
+            sshCaPublicKey: orgs.sshCaPublicKey
+        })
+        .from(orgs)
+        .where(eq(orgs.orgId, orgId))
+        .limit(1);
+
+    if (!org || !org.sshCaPrivateKey || !org.sshCaPublicKey) {
+        return null;
+    }
+
+    const privateKeyPem = decrypt(org.sshCaPrivateKey, decryptionKey);
+
+    // Extract raw public key from the OpenSSH format
+    const { keyData } = parseOpenSSHPublicKey(org.sshCaPublicKey);
+    const { newOffset } = decodeString(keyData, 0); // Skip key type
+    const { value: publicKeyRaw } = decodeString(keyData, newOffset);
+
+    // Get PEM format of public key
+    const pubKeyObj = crypto.createPublicKey({
+        key: privateKeyPem,
+        format: "pem"
+    });
+    const publicKeyPem = pubKeyObj.export({ type: "spki", format: "pem" }) as string;
+
+    return {
+        privateKeyPem,
+        publicKeyPem,
+        publicKeyOpenSSH: org.sshCaPublicKey,
+        publicKeyRaw
+    };
+}
+
+/**
+ * Sign a user's SSH public key with the CA, producing a certificate.
+ *
+ * The resulting certificate should be saved alongside the user's private key
+ * with a -cert.pub suffix. For example:
+ *   - Private key: ~/.ssh/id_ed25519
+ *   - Certificate: ~/.ssh/id_ed25519-cert.pub
+ *
+ * @param caPrivateKeyPem - CA private key in PEM format
+ * @param userPublicKeyLine - User's public key in OpenSSH format
+ * @param options - Certificate options (principals, validity, etc.)
+ * @returns Signed certificate
+ */
+export function signPublicKey(
+    caPrivateKeyPem: string,
+    userPublicKeyLine: string,
+    options: CertificateOptions
+): SignedCertificate {
+    // Parse the user's public key
+    const { keyType, keyData } = parseOpenSSHPublicKey(userPublicKeyLine);
+
+    // Determine certificate type string
+    let certTypeString: string;
+    if (keyType === "ssh-ed25519") {
+        certTypeString = "ssh-ed25519-cert-v01@openssh.com";
+    } else if (keyType === "ssh-rsa") {
+        certTypeString = "ssh-rsa-cert-v01@openssh.com";
+    } else if (keyType === "ecdsa-sha2-nistp256") {
+        certTypeString = "ecdsa-sha2-nistp256-cert-v01@openssh.com";
+    } else if (keyType === "ecdsa-sha2-nistp384") {
+        certTypeString = "ecdsa-sha2-nistp384-cert-v01@openssh.com";
+    } else if (keyType === "ecdsa-sha2-nistp521") {
+        certTypeString = "ecdsa-sha2-nistp521-cert-v01@openssh.com";
+    } else {
+        throw new Error(`Unsupported key type: ${keyType}`);
+    }
+
+    // Get CA public key from private key
+    const caPrivKey = crypto.createPrivateKey(caPrivateKeyPem);
+    const caPubKey = crypto.createPublicKey(caPrivKey);
+    const caRawPubKey = caPubKey.export({ type: "spki", format: "der" });
+    const caEd25519PubKey = caRawPubKey.subarray(caRawPubKey.length - 32);
+    const caPubKeyBlob = encodeEd25519PublicKey(caEd25519PubKey);
+
+    // Set defaults
+    const serial = options.serial ?? BigInt(Date.now());
+    const certType = options.certType ?? 1; // 1 = user cert
+    const now = BigInt(Math.floor(Date.now() / 1000));
+    const validAfter = options.validAfter ?? (now - 60n); // 1 minute ago
+    const validBefore = options.validBefore ?? (now + 86400n * 365n); // 1 year from now
+
+    // Default extensions for user certificates
+    const defaultExtensions = [
+        "permit-X11-forwarding",
+        "permit-agent-forwarding",
+        "permit-port-forwarding",
+        "permit-pty",
+        "permit-user-rc"
+    ];
+    const extensions = options.extensions ?? defaultExtensions;
+    const criticalOptions = options.criticalOptions ?? new Map();
+
+    // Generate nonce (random bytes)
+    const nonce = crypto.randomBytes(32);
+
+    // Extract the public key portion from the user's key blob
+    // For Ed25519: skip the key type string, get the public key (already encoded)
+    let userKeyPortion: Buffer;
+    if (keyType === "ssh-ed25519") {
+        // Skip the key type string, take the rest (which is encodeString(32-byte-key))
+        const { newOffset } = decodeString(keyData, 0);
+        userKeyPortion = keyData.subarray(newOffset);
+    } else {
+        // For other key types, extract everything after the key type
+        const { newOffset } = decodeString(keyData, 0);
+        userKeyPortion = keyData.subarray(newOffset);
+    }
+
+    // Build the certificate body (to be signed)
+    const certBody = Buffer.concat([
+        encodeString(certTypeString),
+        encodeString(nonce),
+        userKeyPortion,
+        encodeUInt64(serial),
+        encodeUInt32(certType),
+        encodeString(options.keyId),
+        buildPrincipals(options.validPrincipals),
+        encodeUInt64(validAfter),
+        encodeUInt64(validBefore),
+        buildCriticalOptions(criticalOptions),
+        buildExtensions(extensions),
+        encodeString(""), // reserved
+        encodeString(caPubKeyBlob) // signature key (CA public key)
+    ]);
+
+    // Sign the certificate body
+    const signature = crypto.sign(null, certBody, caPrivKey);
+
+    // Build the full signature blob (algorithm + signature)
+    const signatureBlob = Buffer.concat([
+        encodeString("ssh-ed25519"),
+        encodeString(signature)
+    ]);
+
+    // Build complete certificate
+    const certificate = Buffer.concat([
+        certBody,
+        encodeString(signatureBlob)
+    ]);
+
+    // Format as OpenSSH certificate line
+    const certLine = `${certTypeString} ${certificate.toString("base64")} ${options.keyId}`;
+
+    return {
+        certificate: certLine,
+        certType: certTypeString,
+        serial,
+        keyId: options.keyId,
+        validPrincipals: options.validPrincipals,
+        validAfter: new Date(Number(validAfter) * 1000),
+        validBefore: new Date(Number(validBefore) * 1000)
+    };
+}
--- a/server/private/routers/approvals/countApprovals.ts
+++ b/server/private/routers/approvals/countApprovals.ts
@@ -19,7 +19,7 @@ import { fromError } from "zod-validation-error";

 import type { Request, Response, NextFunction } from "express";
 import { approvals, db, type Approval } from "@server/db";
-import { eq, sql, and } from "drizzle-orm";
+import { eq, sql, and, inArray } from "drizzle-orm";
 import response from "@server/lib/response";

 const paramsSchema = z.strictObject({
@@ -88,7 +88,7 @@ export async function countApprovals(
            .where(
                and(
                    eq(approvals.orgId, orgId),
-                    sql`${approvals.decision} in ${state}`
+                    inArray(approvals.decision, state)
                )
            );

--- a/server/private/routers/approvals/listApprovals.ts
+++ b/server/private/routers/approvals/listApprovals.ts
@@ -28,7 +28,7 @@ import {
    currentFingerprint,
    type Approval
 } from "@server/db";
-import { eq, isNull, sql, not, and, desc } from "drizzle-orm";
+import { eq, isNull, sql, not, and, desc, gte, lte } from "drizzle-orm";
 import response from "@server/lib/response";
 import { getUserDeviceName } from "@server/db/names";

@@ -37,18 +37,26 @@ const paramsSchema = z.strictObject({
 });

 const querySchema = z.strictObject({
-    limit: z
-        .string()
+    limit: z.coerce
+        .number<string>() // for prettier formatting
+        .int()
+        .positive()
        .optional()
-        .default("1000")
-        .transform(Number)
-        .pipe(z.int().nonnegative()),
-    offset: z
-        .string()
+        .catch(20)
+        .default(20),
+    cursorPending: z.coerce // pending cursor
+        .number<string>()
+        .int()
+        .max(1) // 0 means non pending
+        .min(0) // 1 means pending
        .optional()
-        .default("0")
-        .transform(Number)
-        .pipe(z.int().nonnegative()),
+        .catch(undefined),
+    cursorTimestamp: z.coerce
+        .number<string>()
+        .int()
+        .positive()
+        .optional()
+        .catch(undefined),
    approvalState: z
        .enum(["pending", "approved", "denied", "all"])
        .optional()
@@ -61,13 +69,21 @@ const querySchema = z.strictObject({
        .pipe(z.number().int().positive().optional())
 });

-async function queryApprovals(
-    orgId: string,
-    limit: number,
-    offset: number,
-    approvalState: z.infer<typeof querySchema>["approvalState"],
-    clientId?: number
-) {
+async function queryApprovals({
+    orgId,
+    limit,
+    approvalState,
+    cursorPending,
+    cursorTimestamp,
+    clientId
+}: {
+    orgId: string;
+    limit: number;
+    approvalState: z.infer<typeof querySchema>["approvalState"];
+    cursorPending?: number;
+    cursorTimestamp?: number;
+    clientId?: number;
+}) {
    let state: Array<Approval["decision"]> = [];
    switch (approvalState) {
        case "pending":
@@ -83,6 +99,26 @@ async function queryApprovals(
            state = ["approved", "denied", "pending"];
    }

+    const conditions = [
+        eq(approvals.orgId, orgId),
+        sql`${approvals.decision} in ${state}`
+    ];
+
+    if (clientId) {
+        conditions.push(eq(approvals.clientId, clientId));
+    }
+
+    const pendingSortKey = sql`CASE ${approvals.decision} WHEN 'pending' THEN 1 ELSE 0 END`;
+
+    if (cursorPending != null && cursorTimestamp != null) {
+        // https://stackoverflow.com/a/79720298/10322846
+        // composite cursor, next data means (pending, timestamp) <= cursor
+        conditions.push(
+            lte(pendingSortKey, cursorPending),
+            lte(approvals.timestamp, cursorTimestamp)
+        );
+    }
+
    const res = await db
        .select({
            approvalId: approvals.approvalId,
@@ -105,7 +141,8 @@ async function queryApprovals(
            fingerprintArch: currentFingerprint.arch,
            fingerprintSerialNumber: currentFingerprint.serialNumber,
            fingerprintUsername: currentFingerprint.username,
-            fingerprintHostname: currentFingerprint.hostname
+            fingerprintHostname: currentFingerprint.hostname,
+            timestamp: approvals.timestamp
        })
        .from(approvals)
        .innerJoin(users, and(eq(approvals.userId, users.userId)))
@@ -118,22 +155,12 @@ async function queryApprovals(
        )
        .leftJoin(olms, eq(clients.clientId, olms.clientId))
        .leftJoin(currentFingerprint, eq(olms.olmId, currentFingerprint.olmId))
-        .where(
-            and(
-                eq(approvals.orgId, orgId),
-                sql`${approvals.decision} in ${state}`,
-                ...(clientId ? [eq(approvals.clientId, clientId)] : [])
-            )
-        )
-        .orderBy(
-            sql`CASE ${approvals.decision} WHEN 'pending' THEN 0 ELSE 1 END`,
-            desc(approvals.timestamp)
-        )
-        .limit(limit)
-        .offset(offset);
+        .where(and(...conditions))
+        .orderBy(desc(pendingSortKey), desc(approvals.timestamp))
+        .limit(limit + 1); // the `+1` is used for the cursor

    // Process results to format device names and build fingerprint objects
-    return res.map((approval) => {
+    const approvalsList = res.slice(0, limit).map((approval) => {
        const model = approval.deviceModel || null;
        const deviceName = approval.clientName
            ? getUserDeviceName(model, approval.clientName)
@@ -152,15 +179,15 @@ async function queryApprovals(

        const fingerprint = hasFingerprintData
            ? {
-                platform: approval.fingerprintPlatform || null,
-                osVersion: approval.fingerprintOsVersion || null,
-                kernelVersion: approval.fingerprintKernelVersion || null,
-                arch: approval.fingerprintArch || null,
-                deviceModel: approval.deviceModel || null,
-                serialNumber: approval.fingerprintSerialNumber || null,
-                username: approval.fingerprintUsername || null,
-                hostname: approval.fingerprintHostname || null
-            }
+                  platform: approval.fingerprintPlatform ?? null,
+                  osVersion: approval.fingerprintOsVersion ?? null,
+                  kernelVersion: approval.fingerprintKernelVersion ?? null,
+                  arch: approval.fingerprintArch ?? null,
+                  deviceModel: approval.deviceModel ?? null,
+                  serialNumber: approval.fingerprintSerialNumber ?? null,
+                  username: approval.fingerprintUsername ?? null,
+                  hostname: approval.fingerprintHostname ?? null
+              }
            : null;

        const {
@@ -183,11 +210,30 @@ async function queryApprovals(
            niceId: approval.niceId || null
        };
    });
+    let nextCursorPending: number | null = null;
+    let nextCursorTimestamp: number | null = null;
+    if (res.length > limit) {
+        const lastItem = res[limit];
+        nextCursorPending = lastItem.decision === "pending" ? 1 : 0;
+        nextCursorTimestamp = lastItem.timestamp;
+    }
+    return {
+        approvalsList,
+        nextCursorPending,
+        nextCursorTimestamp
+    };
 }

 export type ListApprovalsResponse = {
-    approvals: NonNullable<Awaited<ReturnType<typeof queryApprovals>>>;
-    pagination: { total: number; limit: number; offset: number };
+    approvals: NonNullable<
+        Awaited<ReturnType<typeof queryApprovals>>
+    >["approvalsList"];
+    pagination: {
+        total: number;
+        limit: number;
+        cursorPending: number | null;
+        cursorTimestamp: number | null;
+    };
 };

 export async function listApprovals(
@@ -215,17 +261,25 @@ export async function listApprovals(
                )
            );
        }
-        const { limit, offset, approvalState, clientId } = parsedQuery.data;
+        const {
+            limit,
+            cursorPending,
+            cursorTimestamp,
+            approvalState,
+            clientId
+        } = parsedQuery.data;

        const { orgId } = parsedParams.data;

-        const approvalsList = await queryApprovals(
-            orgId.toString(),
-            limit,
-            offset,
-            approvalState,
-            clientId
-        );
+        const { approvalsList, nextCursorPending, nextCursorTimestamp } =
+            await queryApprovals({
+                orgId: orgId.toString(),
+                limit,
+                cursorPending,
+                cursorTimestamp,
+                approvalState,
+                clientId
+            });

        const [{ count }] = await db
            .select({ count: sql<number>`count(*)` })
@@ -237,7 +291,8 @@ export async function listApprovals(
                pagination: {
                    total: count,
                    limit,
-                    offset
+                    cursorPending: nextCursorPending,
+                    cursorTimestamp: nextCursorTimestamp
                }
            },
            success: true,
--- a/server/private/routers/billing/getOrgUsage.ts
+++ b/server/private/routers/billing/getOrgUsage.ts
@@ -85,10 +85,14 @@ export async function getOrgUsage(
            orgId,
            FeatureId.REMOTE_EXIT_NODES
        );
-        const egressData = await usageService.getUsage(
+        const organizations = await usageService.getUsage(
            orgId,
-            FeatureId.EGRESS_DATA_MB
+            FeatureId.ORGINIZATIONS
        );
+        // const egressData = await usageService.getUsage(
+        //     orgId,
+        //     FeatureId.EGRESS_DATA_MB
+        // );

        if (sites) {
            usageData.push(sites);
@@ -96,15 +100,18 @@ export async function getOrgUsage(
        if (users) {
            usageData.push(users);
        }
-        if (egressData) {
-            usageData.push(egressData);
-        }
+        // if (egressData) {
+        //     usageData.push(egressData);
+        // }
        if (domains) {
            usageData.push(domains);
        }
        if (remoteExitNodes) {
            usageData.push(remoteExitNodes);
        }
+        if (organizations) {
+            usageData.push(organizations);
+        }

        const orgLimits = await db
            .select()
--- a/server/private/routers/external.ts
+++ b/server/private/routers/external.ts
@@ -25,6 +25,7 @@ import * as logs from "#private/routers/auditLogs";
 import * as misc from "#private/routers/misc";
 import * as reKey from "#private/routers/re-key";
 import * as approval from "#private/routers/approvals";
+import * as ssh from "#private/routers/ssh";

 import {
    verifyOrgAccess,
@@ -506,3 +507,14 @@ authenticated.put(
    verifyUserHasAction(ActionsEnum.reGenerateSecret),
    reKey.reGenerateExitNodeSecret
 );
+
+authenticated.post(
+    "/org/:orgId/ssh/sign-key",
+    verifyValidLicense,
+    verifyValidSubscription(tierMatrix.sshPam),
+    verifyOrgAccess,
+    verifyLimits,
+    // verifyUserHasAction(ActionsEnum.signSshKey),
+    logActionAudit(ActionsEnum.signSshKey),
+    ssh.signSshKey
+);
--- a/server/private/routers/generatedLicense/generateNewEnterpriseLicense.ts
+++ b/server/private/routers/generatedLicense/generateNewEnterpriseLicense.ts
@@ -37,8 +37,9 @@ export async function generateNewEnterpriseLicense(
    next: NextFunction
 ): Promise<any> {
    try {
-
-        const parsedParams = generateNewEnterpriseLicenseParamsSchema.safeParse(req.params);
+        const parsedParams = generateNewEnterpriseLicenseParamsSchema.safeParse(
+            req.params
+        );
        if (!parsedParams.success) {
            return next(
                createHttpError(
@@ -63,7 +64,10 @@ export async function generateNewEnterpriseLicense(

        const licenseData = req.body;

-        if (licenseData.tier != "big_license" && licenseData.tier != "small_license") {
+        if (
+            licenseData.tier != "big_license" &&
+            licenseData.tier != "small_license"
+        ) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
@@ -79,7 +83,8 @@ export async function generateNewEnterpriseLicense(
            return next(
                createHttpError(
                    apiResponse.status || HttpCode.BAD_REQUEST,
-                    apiResponse.message || "Failed to create license from Fossorial API"
+                    apiResponse.message ||
+                        "Failed to create license from Fossorial API"
                )
            );
        }
@@ -112,7 +117,10 @@ export async function generateNewEnterpriseLicense(
            );
        }

-        const tier = licenseData.tier === "big_license" ? LicenseId.BIG_LICENSE : LicenseId.SMALL_LICENSE;
+        const tier =
+            licenseData.tier === "big_license"
+                ? LicenseId.BIG_LICENSE
+                : LicenseId.SMALL_LICENSE;
        const tierPrice = getLicensePriceSet()[tier];

        const session = await stripe!.checkout.sessions.create({
@@ -122,7 +130,7 @@ export async function generateNewEnterpriseLicense(
                {
                    price: tierPrice, // Use the standard tier
                    quantity: 1
-                },
+                }
            ], // Start with the standard feature set that matches the free limits
            customer: customer.customerId,
            mode: "subscription",
--- a/server/private/routers/loginPage/upsertLoginPageBranding.ts
+++ b/server/private/routers/loginPage/upsertLoginPageBranding.ts
@@ -26,6 +26,7 @@ import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { eq, InferInsertModel } from "drizzle-orm";
 import { build } from "@server/build";
+import { validateLocalPath } from "@app/lib/validateLocalPath";
 import config from "#private/lib/config";

 const paramsSchema = z.strictObject({
@@ -37,14 +38,36 @@ const bodySchema = z.strictObject({
        .union([
            z.literal(""),
            z
-                .url("Must be a valid URL")
-                .superRefine(async (url, ctx) => {
+                .string()
+                .superRefine(async (urlOrPath, ctx) => {
+                    const parseResult = z.url().safeParse(urlOrPath);
+                    if (!parseResult.success) {
+                        if (build !== "enterprise") {
+                            ctx.addIssue({
+                                code: "custom",
+                                message: "Must be a valid URL"
+                            });
+                            return;
+                        } else {
+                            try {
+                                validateLocalPath(urlOrPath);
+                            } catch (error) {
+                                ctx.addIssue({
+                                    code: "custom",
+                                    message: "Must be either a valid image URL or a valid pathname starting with `/` and not containing query parameters, `..` or `*`"
+                                });
+                            } finally {
+                                return;
+                            }
+                        }
+                    }
+
                    try {
-                        const response = await fetch(url, {
+                        const response = await fetch(urlOrPath, {
                            method: "HEAD"
                        }).catch(() => {
                            // If HEAD fails (CORS or method not allowed), try GET
-                            return fetch(url, { method: "GET" });
+                            return fetch(urlOrPath, { method: "GET" });
                        });

                        if (response.status !== 200) {
--- a/server/private/routers/orgIdp/createOrgOidcIdp.ts
+++ b/server/private/routers/orgIdp/createOrgOidcIdp.ts
@@ -28,6 +28,7 @@ import { CreateOrgIdpResponse } from "@server/routers/orgIdp/types";
 import { isSubscribed } from "#private/lib/isSubscribed";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import privateConfig from "#private/lib/config";
+import { build } from "@server/build";

 const paramsSchema = z.strictObject({ orgId: z.string().nonempty() });

@@ -122,12 +123,14 @@ export async function createOrgOidcIdp(

        let { autoProvision } = parsedBody.data;

-        const subscribed = await isSubscribed(
-            orgId,
-            tierMatrix.deviceApprovals
-        );
-        if (!subscribed) {
-            autoProvision = false;
+        if (build == "saas") { // this is not paywalled with a ee license because this whole endpoint is restricted
+            const subscribed = await isSubscribed(
+                orgId,
+                tierMatrix.deviceApprovals
+            );
+            if (!subscribed) {
+                autoProvision = false;
+            }
        }

        const key = config.getRawConfig().server.secret!;
--- a/server/private/routers/orgIdp/updateOrgOidcIdp.ts
+++ b/server/private/routers/orgIdp/updateOrgOidcIdp.ts
@@ -27,6 +27,7 @@ import config from "@server/lib/config";
 import { isSubscribed } from "#private/lib/isSubscribed";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
 import privateConfig from "#private/lib/config";
+import { build } from "@server/build";

 const paramsSchema = z
    .object({
@@ -127,12 +128,15 @@ export async function updateOrgOidcIdp(

        let { autoProvision } = parsedBody.data;

-        const subscribed = await isSubscribed(
-            orgId,
-            tierMatrix.deviceApprovals
-        );
-        if (!subscribed) {
-            autoProvision = false;
+        if (build == "saas") {
+            // this is not paywalled with a ee license because this whole endpoint is restricted
+            const subscribed = await isSubscribed(
+                orgId,
+                tierMatrix.deviceApprovals
+            );
+            if (!subscribed) {
+                autoProvision = false;
+            }
        }

        // Check if IDP exists and is of type OIDC
--- a/server/private/routers/remoteExitNode/createRemoteExitNode.ts
+++ b/server/private/routers/remoteExitNode/createRemoteExitNode.ts
@@ -12,7 +12,14 @@
 */

 import { NextFunction, Request, Response } from "express";
-import { db, exitNodes, exitNodeOrgs, ExitNode, ExitNodeOrg } from "@server/db";
+import {
+    db,
+    exitNodes,
+    exitNodeOrgs,
+    ExitNode,
+    ExitNodeOrg,
+    orgs
+} from "@server/db";
 import HttpCode from "@server/types/HttpCode";
 import { z } from "zod";
 import { remoteExitNodes } from "@server/db";
@@ -25,7 +32,7 @@ import { createRemoteExitNodeSession } from "#private/auth/sessions/remoteExitNo
 import { fromError } from "zod-validation-error";
 import { hashPassword, verifyPassword } from "@server/auth/password";
 import logger from "@server/logger";
-import { and, eq } from "drizzle-orm";
+import { and, eq, inArray, ne } from "drizzle-orm";
 import { getNextAvailableSubnet } from "@server/lib/exitNodes";
 import { usageService } from "@server/lib/billing/usageService";
 import { FeatureId } from "@server/lib/billing";
@@ -169,7 +176,17 @@ export async function createRemoteExitNode(
            );
        }

-        let numExitNodeOrgs: ExitNodeOrg[] | undefined;
+        const [org] = await db
+            .select()
+            .from(orgs)
+            .where(eq(orgs.orgId, orgId))
+            .limit(1);
+
+        if (!org) {
+            return next(
+                createHttpError(HttpCode.NOT_FOUND, "Organization not found")
+            );
+        }

        await db.transaction(async (trx) => {
            if (!existingExitNode) {
@@ -217,19 +234,43 @@ export async function createRemoteExitNode(
                });
            }

-            numExitNodeOrgs = await trx
-                .select()
-                .from(exitNodeOrgs)
-                .where(eq(exitNodeOrgs.orgId, orgId));
-        });
+            // calculate if the node is in any other of the orgs before we count it as an add to the billing org
+            if (org.billingOrgId) {
+                const otherBillingOrgs = await trx
+                    .select()
+                    .from(orgs)
+                    .where(
+                        and(
+                            eq(orgs.billingOrgId, org.billingOrgId),
+                            ne(orgs.orgId, orgId)
+                        )
+                    );

-        if (numExitNodeOrgs) {
-            await usageService.updateCount(
-                orgId,
-                FeatureId.REMOTE_EXIT_NODES,
-                numExitNodeOrgs.length
-            );
-        }
+                const billingOrgIds = otherBillingOrgs.map((o) => o.orgId);
+
+                const orgsInBillingDomainThatTheNodeIsStillIn = await trx
+                    .select()
+                    .from(exitNodeOrgs)
+                    .where(
+                        and(
+                            eq(
+                                exitNodeOrgs.exitNodeId,
+                                existingExitNode.exitNodeId
+                            ),
+                            inArray(exitNodeOrgs.orgId, billingOrgIds)
+                        )
+                    );
+
+                if (orgsInBillingDomainThatTheNodeIsStillIn.length === 0) {
+                    await usageService.add(
+                        orgId,
+                        FeatureId.REMOTE_EXIT_NODES,
+                        1,
+                        trx
+                    );
+                }
+            }
+        });

        const token = generateSessionToken();
        await createRemoteExitNodeSession(token, remoteExitNodeId);
--- a/server/private/routers/remoteExitNode/deleteRemoteExitNode.ts
+++ b/server/private/routers/remoteExitNode/deleteRemoteExitNode.ts
@@ -13,9 +13,9 @@

 import { NextFunction, Request, Response } from "express";
 import { z } from "zod";
-import { db, ExitNodeOrg, exitNodeOrgs, exitNodes } from "@server/db";
+import { db, ExitNodeOrg, exitNodeOrgs, exitNodes, orgs } from "@server/db";
 import { remoteExitNodes } from "@server/db";
-import { and, count, eq } from "drizzle-orm";
+import { and, count, eq, inArray } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -50,7 +50,8 @@ export async function deleteRemoteExitNode(
        const [remoteExitNode] = await db
            .select()
            .from(remoteExitNodes)
-            .where(eq(remoteExitNodes.remoteExitNodeId, remoteExitNodeId));
+            .where(eq(remoteExitNodes.remoteExitNodeId, remoteExitNodeId))
+            .limit(1);

        if (!remoteExitNode) {
            return next(
@@ -70,7 +71,17 @@ export async function deleteRemoteExitNode(
            );
        }

-        let numExitNodeOrgs: ExitNodeOrg[] | undefined;
+        const [org] = await db.select().from(orgs).where(eq(orgs.orgId, orgId));
+
+        if (!org) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Org with ID ${orgId} not found`
+                )
+            );
+        }
+
        await db.transaction(async (trx) => {
            await trx
                .delete(exitNodeOrgs)
@@ -81,38 +92,39 @@ export async function deleteRemoteExitNode(
                    )
                );

-            const [remainingExitNodeOrgs] = await trx
-                .select({ count: count() })
-                .from(exitNodeOrgs)
-                .where(eq(exitNodeOrgs.exitNodeId, remoteExitNode.exitNodeId!));
+            // calculate if the user is in any other of the orgs before we count it as an remove to the billing org
+            if (org.billingOrgId) {
+                const otherBillingOrgs = await trx
+                    .select()
+                    .from(orgs)
+                    .where(eq(orgs.billingOrgId, org.billingOrgId));

-            if (remainingExitNodeOrgs.count === 0) {
-                await trx
-                    .delete(remoteExitNodes)
+                const billingOrgIds = otherBillingOrgs.map((o) => o.orgId);
+
+                const orgsInBillingDomainThatTheNodeIsStillIn = await trx
+                    .select()
+                    .from(exitNodeOrgs)
                    .where(
-                        eq(remoteExitNodes.remoteExitNodeId, remoteExitNodeId)
+                        and(
+                            eq(
+                                exitNodeOrgs.exitNodeId,
+                                remoteExitNode.exitNodeId!
+                            ),
+                            inArray(exitNodeOrgs.orgId, billingOrgIds)
+                        )
                    );
-                await trx
-                    .delete(exitNodes)
-                    .where(
-                        eq(exitNodes.exitNodeId, remoteExitNode.exitNodeId!)
+
+                if (orgsInBillingDomainThatTheNodeIsStillIn.length === 0) {
+                    await usageService.add(
+                        orgId,
+                        FeatureId.REMOTE_EXIT_NODES,
+                        -1,
+                        trx
                    );
+                }
            }
-
-            numExitNodeOrgs = await trx
-                .select()
-                .from(exitNodeOrgs)
-                .where(eq(exitNodeOrgs.orgId, orgId));
        });

-        if (numExitNodeOrgs) {
-            await usageService.updateCount(
-                orgId,
-                FeatureId.REMOTE_EXIT_NODES,
-                numExitNodeOrgs.length
-            );
-        }
-
        return response(res, {
            data: null,
            success: true,
--- a/server/private/routers/ssh/index.ts
+++ b/server/private/routers/ssh/index.ts
@@ -0,0 +1,14 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+export * from "./signSshKey";
--- a/server/private/routers/ssh/signSshKey.ts
+++ b/server/private/routers/ssh/signSshKey.ts
@@ -0,0 +1,403 @@
+/*
+ * This file is part of a proprietary work.
+ *
+ * Copyright (c) 2025 Fossorial, Inc.
+ * All rights reserved.
+ *
+ * This file is licensed under the Fossorial Commercial License.
+ * You may not use this file except in compliance with the License.
+ * Unauthorized use, copying, modification, or distribution is strictly prohibited.
+ *
+ * This file is not licensed under the AGPLv3.
+ */
+
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db, newts, orgs, roundTripMessageTracker, siteResources, sites, userOrgs } from "@server/db";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { eq, or, and } from "drizzle-orm";
+import { canUserAccessSiteResource } from "@server/auth/canUserAccessSiteResource";
+import { signPublicKey, getOrgCAKeys } from "#private/lib/sshCA";
+import config from "@server/lib/config";
+import { sendToClient } from "#private/routers/ws";
+
+const paramsSchema = z.strictObject({
+    orgId: z.string().nonempty()
+});
+
+const bodySchema = z
+    .strictObject({
+        publicKey: z.string().nonempty(),
+        resourceId: z.number().int().positive().optional(),
+        resource: z.string().nonempty().optional() // this is either the nice id or the alias
+    })
+    .refine(
+        (data) => {
+            const fields = [data.resourceId, data.resource];
+            const definedFields = fields.filter((field) => field !== undefined);
+            return definedFields.length === 1;
+        },
+        {
+            message:
+                "Exactly one of resourceId, niceId, or alias must be provided"
+        }
+    );
+
+export type SignSshKeyResponse = {
+    certificate: string;
+    messageId: number;
+    sshUsername: string;
+    sshHost: string;
+    resourceId: number;
+    keyId: string;
+    validPrincipals: string[];
+    validAfter: string;
+    validBefore: string;
+    expiresIn: number;
+};
+
+// registry.registerPath({
+//     method: "post",
+//     path: "/org/{orgId}/ssh/sign-key",
+//     description: "Sign an SSH public key for access to a resource.",
+//     tags: [OpenAPITags.Org, OpenAPITags.Ssh],
+//     request: {
+//         params: paramsSchema,
+//         body: {
+//             content: {
+//                 "application/json": {
+//                     schema: bodySchema
+//                 }
+//             }
+//         }
+//     },
+//     responses: {}
+// });
+
+export async function signSshKey(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = paramsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const parsedBody = bodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { orgId } = parsedParams.data;
+        const {
+            publicKey,
+            resourceId,
+            resource: resourceQueryString
+        } = parsedBody.data;
+        const userId = req.user?.userId;
+        const roleId = req.userOrgRoleId!;
+
+        if (!userId) {
+            return next(
+                createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")
+            );
+        }
+
+        const [userOrg] = await db
+            .select()
+            .from(userOrgs)
+            .where(and(eq(userOrgs.orgId, orgId), eq(userOrgs.userId, userId)))
+            .limit(1);
+
+        if (!userOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "User does not belong to the specified organization"
+                )
+            );
+        }
+
+        let usernameToUse;
+        if (!userOrg.pamUsername) {
+            if (req.user?.email) {
+                // Extract username from email (first part before @)
+                usernameToUse = req.user?.email.split("@")[0];
+                if (!usernameToUse) {
+                    return next(
+                        createHttpError(
+                            HttpCode.BAD_REQUEST,
+                            "Unable to extract username from email"
+                        )
+                    );
+                }
+            } else if (req.user?.username) {
+                usernameToUse = req.user.username;
+                // We need to clean out any spaces or special characters from the username to ensure it's valid for SSH certificates
+                usernameToUse = usernameToUse.replace(/[^a-zA-Z0-9_-]/g, "");
+                if (!usernameToUse) {
+                    return next(
+                        createHttpError(
+                            HttpCode.BAD_REQUEST,
+                            "Username is not valid for SSH certificate"
+                        )
+                    );
+                }
+            } else {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "User does not have a valid email or username for SSH certificate"
+                    )
+                );
+            }
+
+            // check if we have a existing user in this org with the same
+            const [existingUserWithSameName] = await db
+                .select()
+                .from(userOrgs)
+                .where(
+                    and(
+                        eq(userOrgs.orgId, orgId),
+                        eq(userOrgs.pamUsername, usernameToUse)
+                    )
+                )
+                .limit(1);
+
+            if (existingUserWithSameName) {
+                let foundUniqueUsername = false;
+                for (let attempt = 0; attempt < 20; attempt++) {
+                    const randomNum = Math.floor(Math.random() * 101); // 0 to 100
+                    const candidateUsername = `${usernameToUse}${randomNum}`;
+
+                    const [existingUser] = await db
+                        .select()
+                        .from(userOrgs)
+                        .where(
+                            and(
+                                eq(userOrgs.orgId, orgId),
+                                eq(userOrgs.pamUsername, candidateUsername)
+                            )
+                        )
+                        .limit(1);
+
+                    if (!existingUser) {
+                        usernameToUse = candidateUsername;
+                        foundUniqueUsername = true;
+                        break;
+                    }
+                }
+
+                if (!foundUniqueUsername) {
+                    return next(
+                        createHttpError(
+                            HttpCode.CONFLICT,
+                            "Unable to generate a unique username for SSH certificate"
+                        )
+                    );
+                }
+            }
+        } else {
+            usernameToUse = userOrg.pamUsername;
+        }
+
+        // Get and decrypt the org's CA keys
+        const caKeys = await getOrgCAKeys(
+            orgId,
+            config.getRawConfig().server.secret!
+        );
+
+        if (!caKeys) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    "SSH CA not configured for this organization"
+                )
+            );
+        }
+
+        // Verify the resource exists and belongs to the org
+        // Build the where clause dynamically based on which field is provided
+        let whereClause;
+        if (resourceId !== undefined) {
+            whereClause = eq(siteResources.siteResourceId, resourceId);
+        } else if (resourceQueryString !== undefined) {
+            whereClause = or(
+                eq(siteResources.niceId, resourceQueryString),
+                eq(siteResources.alias, resourceQueryString)
+            );
+        } else {
+            // This should never happen due to the schema validation, but TypeScript doesn't know that
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "One of resourceId, niceId, or alias must be provided"
+                )
+            );
+        }
+
+        const resources = await db
+            .select()
+            .from(siteResources)
+            .where(and(whereClause, eq(siteResources.orgId, orgId)));
+
+        if (!resources || resources.length === 0) {
+            return next(
+                createHttpError(HttpCode.NOT_FOUND, `Resource not found`)
+            );
+        }
+
+        if (resources.length > 1) {
+            // error but this should not happen because the nice id cant contain a dot and the alias has to have a dot and both have to be unique within the org so there should never be multiple matches
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    `Multiple resources found matching the criteria`
+                )
+            );
+        }
+
+        const resource = resources[0];
+
+        if (resource.orgId !== orgId) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Resource does not belong to the specified organization"
+                )
+            );
+        }
+
+        // Check if the user has access to the resource
+        const hasAccess = await canUserAccessSiteResource({
+            userId: userId,
+            resourceId: resource.siteResourceId,
+            roleId: roleId
+        });
+
+        if (!hasAccess) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "User does not have access to this resource"
+                )
+            );
+        }
+
+        // get the site
+        const [newt] = await db
+            .select()
+            .from(newts)
+            .where(eq(newts.siteId, resource.siteId))
+            .limit(1);
+
+        if (!newt) {
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Site associated with resource not found"
+                )
+            );
+        }
+
+        // Sign the public key
+        const now = BigInt(Math.floor(Date.now() / 1000));
+        // only valid for 5 minutes
+        const validFor = 300n;
+
+        const cert = signPublicKey(caKeys.privateKeyPem, publicKey, {
+            keyId: `${usernameToUse}@${resource.niceId}`,
+            validPrincipals: [usernameToUse, resource.niceId],
+            validAfter: now - 60n, // Start 1 min ago for clock skew
+            validBefore: now + validFor
+        });
+
+        const [message] = await db
+            .insert(roundTripMessageTracker)
+            .values({
+                wsClientId: newt.newtId,
+                messageType: `newt/pam/connection`,
+                sentAt: Math.floor(Date.now() / 1000),
+            })
+            .returning();
+
+        if (!message) {
+            return next(
+                createHttpError(
+                    HttpCode.INTERNAL_SERVER_ERROR,
+                    "Failed to create message tracker entry"
+                )
+            );
+        }
+
+        await sendToClient(newt.newtId, {
+            type: `newt/pam/connection`,
+            data: {
+                messageId: message.messageId,
+                orgId: orgId,
+                agentPort: 22123,
+                agentHost: resource.destination,
+                caCert: caKeys.publicKeyOpenSSH,
+                username: usernameToUse,
+                niceId: resource.niceId,
+                metadata: {
+                    sudo: true, // we are hardcoding these for now but should make configurable from the role or something
+                    homedir: true
+                }
+            }
+        });
+
+        const expiresIn = Number(validFor); // seconds
+
+        let sshHost;
+        if (resource.alias && resource.alias != "") {
+            sshHost = resource.alias;
+        } else {
+            sshHost = resource.destination;
+        }
+
+        return response<SignSshKeyResponse>(res, {
+            data: {
+                certificate: cert.certificate,
+                messageId: message.messageId,
+                sshUsername: usernameToUse,
+                sshHost: sshHost,
+                resourceId: resource.siteResourceId,
+                keyId: cert.keyId,
+                validPrincipals: cert.validPrincipals,
+                validAfter: cert.validAfter.toISOString(),
+                validBefore: cert.validBefore.toISOString(),
+                expiresIn
+            },
+            success: true,
+            error: false,
+            message: "SSH key signed successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error("Error signing SSH key:", error);
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "An error occurred while signing the SSH key"
+            )
+        );
+    }
+}
--- a/server/routers/auth/deleteMyAccount.ts
+++ b/server/routers/auth/deleteMyAccount.ts
@@ -0,0 +1,236 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db, orgs, userOrgs, users } from "@server/db";
+import { eq, and, inArray } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { verifySession } from "@server/auth/sessions/verifySession";
+import {
+    invalidateSession,
+    createBlankSessionTokenCookie
+} from "@server/auth/sessions/app";
+import { verifyPassword } from "@server/auth/password";
+import { verifyTotpCode } from "@server/auth/totp";
+import { calculateUserClientsForOrgs } from "@server/lib/calculateUserClientsForOrgs";
+import { deleteOrgById, sendTerminationMessages } from "@server/lib/deleteOrg";
+import { UserType } from "@server/types/UserTypes";
+import { build } from "@server/build";
+import { getOrgTierData } from "#dynamic/lib/billing";
+
+const deleteMyAccountBody = z.strictObject({
+    password: z.string().optional(),
+    code: z.string().optional()
+});
+
+export type DeleteMyAccountPreviewResponse = {
+    preview: true;
+    orgs: { orgId: string; name: string }[];
+    twoFactorEnabled: boolean;
+};
+
+export type DeleteMyAccountCodeRequestedResponse = {
+    codeRequested: true;
+};
+
+export type DeleteMyAccountSuccessResponse = {
+    success: true;
+};
+
+export async function deleteMyAccount(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const { user, session } = await verifySession(req);
+        if (!user || !session) {
+            return next(
+                createHttpError(HttpCode.UNAUTHORIZED, "Not authenticated")
+            );
+        }
+
+        if (user.serverAdmin) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Server admins cannot delete their account this way"
+                )
+            );
+        }
+
+        if (user.type !== UserType.Internal) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Account deletion with password is only supported for internal users"
+                )
+            );
+        }
+
+        const parsed = deleteMyAccountBody.safeParse(req.body ?? {});
+        if (!parsed.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsed.error).toString()
+                )
+            );
+        }
+        const { password, code } = parsed.data;
+
+        const userId = user.userId;
+
+        const ownedOrgsRows = await db
+            .select({
+                orgId: userOrgs.orgId,
+                isOwner: userOrgs.isOwner,
+                isBillingOrg: orgs.isBillingOrg
+            })
+            .from(userOrgs)
+            .innerJoin(orgs, eq(userOrgs.orgId, orgs.orgId))
+            .where(
+                and(eq(userOrgs.userId, userId), eq(userOrgs.isOwner, true))
+            );
+
+        const orgIds = ownedOrgsRows.map((r) => r.orgId);
+
+        if (build === "saas" && orgIds.length > 0) {
+            const primaryOrgId = ownedOrgsRows.find(
+                (r) => r.isBillingOrg && r.isOwner
+            )?.orgId;
+            if (primaryOrgId) {
+                const { tier, active } = await getOrgTierData(primaryOrgId);
+                if (active && tier) {
+                    return next(
+                        createHttpError(
+                            HttpCode.BAD_REQUEST,
+                            "You must cancel your subscription before deleting your account"
+                        )
+                    );
+                }
+            }
+        }
+
+        if (!password) {
+            const orgsWithNames =
+                orgIds.length > 0
+                    ? await db
+                          .select({
+                              orgId: orgs.orgId,
+                              name: orgs.name
+                          })
+                          .from(orgs)
+                          .where(inArray(orgs.orgId, orgIds))
+                    : [];
+            return response<DeleteMyAccountPreviewResponse>(res, {
+                data: {
+                    preview: true,
+                    orgs: orgsWithNames.map((o) => ({
+                        orgId: o.orgId,
+                        name: o.name ?? ""
+                    })),
+                    twoFactorEnabled: user.twoFactorEnabled ?? false
+                },
+                success: true,
+                error: false,
+                message: "Preview",
+                status: HttpCode.OK
+            });
+        }
+
+        const validPassword = await verifyPassword(
+            password,
+            user.passwordHash!
+        );
+        if (!validPassword) {
+            return next(
+                createHttpError(HttpCode.UNAUTHORIZED, "Invalid password")
+            );
+        }
+
+        if (user.twoFactorEnabled) {
+            if (!code) {
+                return response<DeleteMyAccountCodeRequestedResponse>(res, {
+                    data: { codeRequested: true },
+                    success: true,
+                    error: false,
+                    message: "Two-factor code required",
+                    status: HttpCode.ACCEPTED
+                });
+            }
+            const validOTP = await verifyTotpCode(
+                code,
+                user.twoFactorSecret!,
+                user.userId
+            );
+            if (!validOTP) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "The two-factor code you entered is incorrect"
+                    )
+                );
+            }
+        }
+
+        const allDeletedNewtIds: string[] = [];
+        const allOlmsToTerminate: string[] = [];
+
+        for (const row of ownedOrgsRows) {
+            try {
+                const result = await deleteOrgById(row.orgId);
+                allDeletedNewtIds.push(...result.deletedNewtIds);
+                allOlmsToTerminate.push(...result.olmsToTerminate);
+            } catch (err) {
+                logger.error(
+                    `Failed to delete org ${row.orgId} during account deletion`,
+                    err
+                );
+                return next(
+                    createHttpError(
+                        HttpCode.INTERNAL_SERVER_ERROR,
+                        "Failed to delete organization"
+                    )
+                );
+            }
+        }
+
+        sendTerminationMessages({
+            deletedNewtIds: allDeletedNewtIds,
+            olmsToTerminate: allOlmsToTerminate
+        });
+
+        await db.transaction(async (trx) => {
+            await trx.delete(users).where(eq(users.userId, userId));
+            await calculateUserClientsForOrgs(userId, trx);
+        });
+
+        try {
+            await invalidateSession(session.sessionId);
+        } catch (error) {
+            logger.error(
+                "Failed to invalidate session after account deletion",
+                error
+            );
+        }
+
+        const isSecure = req.protocol === "https";
+        res.setHeader("Set-Cookie", createBlankSessionTokenCookie(isSecure));
+
+        return response<DeleteMyAccountSuccessResponse>(res, {
+            data: { success: true },
+            success: true,
+            error: false,
+            message: "Account deleted successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
--- a/server/routers/auth/index.ts
+++ b/server/routers/auth/index.ts
@@ -17,4 +17,5 @@ export * from "./securityKey";
 export * from "./startDeviceWebAuth";
 export * from "./verifyDeviceWebAuth";
 export * from "./pollDeviceWebAuth";
-export * from "./lookupUser";
+export * from "./lookupUser";
+export * from "./deleteMyAccount";
--- a/server/routers/auth/signup.ts
+++ b/server/routers/auth/signup.ts
@@ -1,7 +1,7 @@
 import { NextFunction, Request, Response } from "express";
 import { db, users } from "@server/db";
 import HttpCode from "@server/types/HttpCode";
-import { z } from "zod";
+import { email, z } from "zod";
 import { fromError } from "zod-validation-error";
 import createHttpError from "http-errors";
 import response from "@server/lib/response";
@@ -21,7 +21,6 @@ import { hashPassword } from "@server/auth/password";
 import { checkValidInvite } from "@server/auth/checkValidInvite";
 import { passwordSchema } from "@server/auth/passwordSchema";
 import { UserType } from "@server/types/UserTypes";
-import { createUserAccountOrg } from "@server/lib/createUserAccountOrg";
 import { build } from "@server/build";
 import resend, { AudienceIds, moveEmailToAudience } from "#dynamic/lib/resend";

@@ -31,7 +30,8 @@ export const signupBodySchema = z.object({
    inviteToken: z.string().optional(),
    inviteId: z.string().optional(),
    termsAcceptedTimestamp: z.string().nullable().optional(),
-    marketingEmailConsent: z.boolean().optional()
+    marketingEmailConsent: z.boolean().optional(),
+    skipVerificationEmail: z.boolean().optional()
 });

 export type SignUpBody = z.infer<typeof signupBodySchema>;
@@ -62,7 +62,8 @@ export async function signup(
        inviteToken,
        inviteId,
        termsAcceptedTimestamp,
-        marketingEmailConsent
+        marketingEmailConsent,
+        skipVerificationEmail
    } = parsedBody.data;

    const passwordHash = await hashPassword(password);
@@ -198,26 +199,6 @@ export async function signup(
        //     orgId: null,
        // });

-        if (build == "saas") {
-            const { success, error, org } = await createUserAccountOrg(
-                userId,
-                email
-            );
-            if (!success) {
-                if (error) {
-                    return next(
-                        createHttpError(HttpCode.INTERNAL_SERVER_ERROR, error)
-                    );
-                }
-                return next(
-                    createHttpError(
-                        HttpCode.INTERNAL_SERVER_ERROR,
-                        "Failed to create user account and organization"
-                    )
-                );
-            }
-        }
-
        const token = generateSessionToken();
        const sess = await createSession(token, userId);
        const isSecure = req.protocol === "https";
@@ -235,7 +216,13 @@ export async function signup(
        }

        if (config.getRawConfig().flags?.require_email_verification) {
-            sendEmailVerificationCode(email, userId);
+            if (!skipVerificationEmail) {
+                sendEmailVerificationCode(email, userId);
+            } else {
+                logger.debug(
+                    `User ${email} opted out of verification email during signup.`
+                );
+            }

            return response<SignUpResponse>(res, {
                data: {
@@ -243,7 +230,9 @@ export async function signup(
                },
                success: true,
                error: false,
-                message: `User created successfully. We sent an email to ${email} with a verification code.`,
+                message: skipVerificationEmail
+                    ? "User created successfully. Please verify your email."
+                    : `User created successfully. We sent an email to ${email} with a verification code.`,
                status: HttpCode.OK
            });
        }
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -797,7 +797,7 @@ async function notAllowed(
 ) {
    let loginPage: LoginPage | null = null;
    if (orgId) {
-        const subscribed = await isSubscribed(
+        const subscribed = await isSubscribed( // this is fine because the org login page is only a saas feature
            orgId,
            tierMatrix.loginPageDomain
        );
@@ -854,7 +854,7 @@ async function headerAuthChallenged(
 ) {
    let loginPage: LoginPage | null = null;
    if (orgId) {
-        const subscribed = await isSubscribed(orgId, tierMatrix.loginPageDomain);
+        const subscribed = await isSubscribed(orgId, tierMatrix.loginPageDomain); // this is fine because the org login page is only a saas feature
        if (subscribed) {
            loginPage = await getOrgLoginPage(orgId);
        }
--- a/server/routers/client/index.ts
+++ b/server/routers/client/index.ts
@@ -6,6 +6,7 @@ export * from "./unarchiveClient";
 export * from "./blockClient";
 export * from "./unblockClient";
 export * from "./listClients";
+export * from "./listUserDevices";
 export * from "./updateClient";
 export * from "./getClient";
 export * from "./createUserClient";
--- a/server/routers/client/listClients.ts
+++ b/server/routers/client/listClients.ts
@@ -1,34 +1,38 @@
-import { db, olms, users } from "@server/db";
 import {
    clients,
+    clientSitesAssociationsCache,
+    currentFingerprint,
+    db,
+    olms,
    orgs,
    roleClients,
    sites,
    userClients,
-    clientSitesAssociationsCache,
-    currentFingerprint
+    users
 } from "@server/db";
-import logger from "@server/logger";
-import HttpCode from "@server/types/HttpCode";
 import response from "@server/lib/response";
+import logger from "@server/logger";
+import { OpenAPITags, registry } from "@server/openApi";
+import HttpCode from "@server/types/HttpCode";
+import type { PaginatedResponse } from "@server/types/Pagination";
 import {
    and,
-    count,
+    asc,
+    desc,
    eq,
    inArray,
-    isNotNull,
    isNull,
+    like,
    or,
-    sql
+    sql,
+    type SQL
 } from "drizzle-orm";
 import { NextFunction, Request, Response } from "express";
 import createHttpError from "http-errors";
-import { z } from "zod";
-import { fromError } from "zod-validation-error";
-import { OpenAPITags, registry } from "@server/openApi";
 import NodeCache from "node-cache";
 import semver from "semver";
-import { getUserDeviceName } from "@server/db/names";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";

 const olmVersionCache = new NodeCache({ stdTTL: 3600 });

@@ -89,38 +93,86 @@ const listClientsParamsSchema = z.strictObject({
 });

 const listClientsSchema = z.object({
-    limit: z
-        .string()
+    pageSize: z.coerce
+        .number<string>() // for prettier formatting
+        .int()
+        .positive()
        .optional()
-        .default("1000")
-        .transform(Number)
-        .pipe(z.int().positive()),
-    offset: z
-        .string()
+        .catch(20)
+        .default(20)
+        .openapi({
+            type: "integer",
+            default: 20,
+            description: "Number of items per page"
+        }),
+    page: z.coerce
+        .number<string>() // for prettier formatting
+        .int()
+        .min(0)
        .optional()
-        .default("0")
-        .transform(Number)
-        .pipe(z.int().nonnegative()),
-    filter: z.enum(["user", "machine"]).optional()
+        .catch(1)
+        .default(1)
+        .openapi({
+            type: "integer",
+            default: 1,
+            description: "Page number to retrieve"
+        }),
+    query: z.string().optional(),
+    sort_by: z
+        .enum(["megabytesIn", "megabytesOut"])
+        .optional()
+        .catch(undefined)
+        .openapi({
+            type: "string",
+            enum: ["megabytesIn", "megabytesOut"],
+            description: "Field to sort by"
+        }),
+    order: z
+        .enum(["asc", "desc"])
+        .optional()
+        .default("asc")
+        .catch("asc")
+        .openapi({
+            type: "string",
+            enum: ["asc", "desc"],
+            default: "asc",
+            description: "Sort order"
+        }),
+    online: z
+        .enum(["true", "false"])
+        .transform((v) => v === "true")
+        .optional()
+        .catch(undefined)
+        .openapi({
+            type: "boolean",
+            description: "Filter by online status"
+        }),
+    status: z.preprocess(
+        (val: string | undefined) => {
+            if (val) {
+                return val.split(","); // the search query array is an array joined by commas
+            }
+            return undefined;
+        },
+        z
+            .array(z.enum(["active", "blocked", "archived"]))
+            .optional()
+            .default(["active"])
+            .catch(["active"])
+            .openapi({
+                type: "array",
+                items: {
+                    type: "string",
+                    enum: ["active", "blocked", "archived"]
+                },
+                default: ["active"],
+                description:
+                    "Filter by client status. Can be a comma-separated list of values. Defaults to 'active'."
+            })
+    )
 });

-function queryClients(
-    orgId: string,
-    accessibleClientIds: number[],
-    filter?: "user" | "machine"
-) {
-    const conditions = [
-        inArray(clients.clientId, accessibleClientIds),
-        eq(clients.orgId, orgId)
-    ];
-
-    // Add filter condition based on filter type
-    if (filter === "user") {
-        conditions.push(isNotNull(clients.userId));
-    } else if (filter === "machine") {
-        conditions.push(isNull(clients.userId));
-    }
-
+function queryClientsBase() {
    return db
        .select({
            clientId: clients.clientId,
@@ -142,22 +194,13 @@ function queryClients(
            approvalState: clients.approvalState,
            olmArchived: olms.archived,
            archived: clients.archived,
-            blocked: clients.blocked,
-            deviceModel: currentFingerprint.deviceModel,
-            fingerprintPlatform: currentFingerprint.platform,
-            fingerprintOsVersion: currentFingerprint.osVersion,
-            fingerprintKernelVersion: currentFingerprint.kernelVersion,
-            fingerprintArch: currentFingerprint.arch,
-            fingerprintSerialNumber: currentFingerprint.serialNumber,
-            fingerprintUsername: currentFingerprint.username,
-            fingerprintHostname: currentFingerprint.hostname
+            blocked: clients.blocked
        })
        .from(clients)
        .leftJoin(orgs, eq(clients.orgId, orgs.orgId))
        .leftJoin(olms, eq(clients.clientId, olms.clientId))
        .leftJoin(users, eq(clients.userId, users.userId))
-        .leftJoin(currentFingerprint, eq(olms.olmId, currentFingerprint.olmId))
-        .where(and(...conditions));
+        .leftJoin(currentFingerprint, eq(olms.olmId, currentFingerprint.olmId));
 }

 async function getSiteAssociations(clientIds: number[]) {
@@ -175,7 +218,7 @@ async function getSiteAssociations(clientIds: number[]) {
        .where(inArray(clientSitesAssociationsCache.clientId, clientIds));
 }

-type ClientWithSites = Awaited<ReturnType<typeof queryClients>>[0] & {
+type ClientWithSites = Awaited<ReturnType<typeof queryClientsBase>>[0] & {
    sites: Array<{
        siteId: number;
        siteName: string | null;
@@ -186,10 +229,9 @@ type ClientWithSites = Awaited<ReturnType<typeof queryClients>>[0] & {

 type OlmWithUpdateAvailable = ClientWithSites;

-export type ListClientsResponse = {
+export type ListClientsResponse = PaginatedResponse<{
    clients: Array<ClientWithSites>;
-    pagination: { total: number; limit: number; offset: number };
-};
+}>;

 registry.registerPath({
    method: "get",
@@ -218,7 +260,8 @@ export async function listClients(
                )
            );
        }
-        const { limit, offset, filter } = parsedQuery.data;
+        const { page, pageSize, online, query, status, sort_by, order } =
+            parsedQuery.data;

        const parsedParams = listClientsParamsSchema.safeParse(req.params);
        if (!parsedParams.success) {
@@ -267,28 +310,73 @@ export async function listClients(
        const accessibleClientIds = accessibleClients.map(
            (client) => client.clientId
        );
-        const baseQuery = queryClients(orgId, accessibleClientIds, filter);

        // Get client count with filter
-        const countConditions = [
-            inArray(clients.clientId, accessibleClientIds),
-            eq(clients.orgId, orgId)
+        const conditions = [
+            and(
+                inArray(clients.clientId, accessibleClientIds),
+                eq(clients.orgId, orgId),
+                isNull(clients.userId)
+            )
        ];

-        if (filter === "user") {
-            countConditions.push(isNotNull(clients.userId));
-        } else if (filter === "machine") {
-            countConditions.push(isNull(clients.userId));
+        if (typeof online !== "undefined") {
+            conditions.push(eq(clients.online, online));
        }

-        const countQuery = db
-            .select({ count: count() })
-            .from(clients)
-            .where(and(...countConditions));
+        if (status.length > 0) {
+            const filterAggregates: (SQL<unknown> | undefined)[] = [];

-        const clientsList = await baseQuery.limit(limit).offset(offset);
-        const totalCountResult = await countQuery;
-        const totalCount = totalCountResult[0].count;
+            if (status.includes("active")) {
+                filterAggregates.push(
+                    and(eq(clients.archived, false), eq(clients.blocked, false))
+                );
+            }
+
+            if (status.includes("archived")) {
+                filterAggregates.push(eq(clients.archived, true));
+            }
+            if (status.includes("blocked")) {
+                filterAggregates.push(eq(clients.blocked, true));
+            }
+
+            conditions.push(or(...filterAggregates));
+        }
+
+        if (query) {
+            conditions.push(
+                or(
+                    like(
+                        sql`LOWER(${clients.name})`,
+                        "%" + query.toLowerCase() + "%"
+                    ),
+                    like(
+                        sql`LOWER(${clients.niceId})`,
+                        "%" + query.toLowerCase() + "%"
+                    )
+                )
+            );
+        }
+
+        const baseQuery = queryClientsBase().where(and(...conditions));
+
+        const countQuery = db.$count(baseQuery.as("filtered_clients"));
+
+        const listMachinesQuery = baseQuery
+            .limit(page)
+            .offset(pageSize * (page - 1))
+            .orderBy(
+                sort_by
+                    ? order === "asc"
+                        ? asc(clients[sort_by])
+                        : desc(clients[sort_by])
+                    : asc(clients.clientId)
+            );
+
+        const [clientsList, totalCount] = await Promise.all([
+            listMachinesQuery,
+            countQuery
+        ]);

        // Get associated sites for all clients
        const clientIds = clientsList.map((client) => client.clientId);
@@ -319,14 +407,8 @@ export async function listClients(

        // Merge clients with their site associations and replace name with device name
        const clientsWithSites = clientsList.map((client) => {
-            const model = client.deviceModel || null;
-            let newName = client.name;
-            if (filter === "user") {
-                newName = getUserDeviceName(model, client.name);
-            }
            return {
                ...client,
-                name: newName,
                sites: sitesByClient[client.clientId] || []
            };
        });
@@ -371,8 +453,8 @@ export async function listClients(
                clients: olmsWithUpdates,
                pagination: {
                    total: totalCount,
-                    limit,
-                    offset
+                    page,
+                    pageSize
                }
            },
            success: true,
--- a/server/routers/client/listUserDevices.ts
+++ b/server/routers/client/listUserDevices.ts
@@ -0,0 +1,500 @@
+import { build } from "@server/build";
+import {
+    clients,
+    currentFingerprint,
+    db,
+    olms,
+    orgs,
+    roleClients,
+    userClients,
+    users
+} from "@server/db";
+import { getUserDeviceName } from "@server/db/names";
+import response from "@server/lib/response";
+import logger from "@server/logger";
+import { OpenAPITags, registry } from "@server/openApi";
+import HttpCode from "@server/types/HttpCode";
+import type { PaginatedResponse } from "@server/types/Pagination";
+import {
+    and,
+    asc,
+    desc,
+    eq,
+    inArray,
+    isNotNull,
+    isNull,
+    like,
+    or,
+    sql,
+    type SQL
+} from "drizzle-orm";
+import { NextFunction, Request, Response } from "express";
+import createHttpError from "http-errors";
+import NodeCache from "node-cache";
+import semver from "semver";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+
+const olmVersionCache = new NodeCache({ stdTTL: 3600 });
+
+async function getLatestOlmVersion(): Promise<string | null> {
+    try {
+        const cachedVersion = olmVersionCache.get<string>("latestOlmVersion");
+        if (cachedVersion) {
+            return cachedVersion;
+        }
+
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), 1500);
+
+        const response = await fetch(
+            "https://api.github.com/repos/fosrl/olm/tags",
+            {
+                signal: controller.signal
+            }
+        );
+
+        clearTimeout(timeoutId);
+
+        if (!response.ok) {
+            logger.warn(
+                `Failed to fetch latest Olm version from GitHub: ${response.status} ${response.statusText}`
+            );
+            return null;
+        }
+
+        let tags = await response.json();
+        if (!Array.isArray(tags) || tags.length === 0) {
+            logger.warn("No tags found for Olm repository");
+            return null;
+        }
+        tags = tags.filter((version) => !version.name.includes("rc"));
+        const latestVersion = tags[0].name;
+
+        olmVersionCache.set("latestOlmVersion", latestVersion);
+
+        return latestVersion;
+    } catch (error: any) {
+        if (error.name === "AbortError") {
+            logger.warn("Request to fetch latest Olm version timed out (1.5s)");
+        } else if (error.cause?.code === "UND_ERR_CONNECT_TIMEOUT") {
+            logger.warn("Connection timeout while fetching latest Olm version");
+        } else {
+            logger.warn(
+                "Error fetching latest Olm version:",
+                error.message || error
+            );
+        }
+        return null;
+    }
+}
+
+const listUserDevicesParamsSchema = z.strictObject({
+    orgId: z.string()
+});
+
+const listUserDevicesSchema = z.object({
+    pageSize: z.coerce
+        .number<string>() // for prettier formatting
+        .int()
+        .positive()
+        .optional()
+        .catch(20)
+        .default(20)
+        .openapi({
+            type: "integer",
+            default: 20,
+            description: "Number of items per page"
+        }),
+    page: z.coerce
+        .number<string>() // for prettier formatting
+        .int()
+        .min(0)
+        .optional()
+        .catch(1)
+        .default(1)
+        .openapi({
+            type: "integer",
+            default: 1,
+            description: "Page number to retrieve"
+        }),
+    query: z.string().optional(),
+    sort_by: z
+        .enum(["megabytesIn", "megabytesOut"])
+        .optional()
+        .catch(undefined)
+        .openapi({
+            type: "string",
+            enum: ["megabytesIn", "megabytesOut"],
+            description: "Field to sort by"
+        }),
+    order: z
+        .enum(["asc", "desc"])
+        .optional()
+        .default("asc")
+        .catch("asc")
+        .openapi({
+            type: "string",
+            enum: ["asc", "desc"],
+            default: "asc",
+            description: "Sort order"
+        }),
+    online: z
+        .enum(["true", "false"])
+        .transform((v) => v === "true")
+        .optional()
+        .catch(undefined)
+        .openapi({
+            type: "boolean",
+            description: "Filter by online status"
+        }),
+    agent: z
+        .enum([
+            "windows",
+            "android",
+            "cli",
+            "olm",
+            "macos",
+            "ios",
+            "ipados",
+            "unknown"
+        ])
+        .optional()
+        .catch(undefined)
+        .openapi({
+            type: "string",
+            enum: [
+                "windows",
+                "android",
+                "cli",
+                "olm",
+                "macos",
+                "ios",
+                "ipados",
+                "unknown"
+            ],
+            description:
+                "Filter by agent type. Use 'unknown' to filter clients with no agent detected."
+        }),
+    status: z.preprocess(
+        (val: string | undefined) => {
+            if (val) {
+                return val.split(","); // the search query array is an array joined by commas
+            }
+            return undefined;
+        },
+        z
+            .array(
+                z.enum(["active", "pending", "denied", "blocked", "archived"])
+            )
+            .optional()
+            .default(["active", "pending"])
+            .catch(["active", "pending"])
+            .openapi({
+                type: "array",
+                items: {
+                    type: "string",
+                    enum: ["active", "pending", "denied", "blocked", "archived"]
+                },
+                default: ["active", "pending"],
+                description:
+                    "Filter by device status. Can include multiple values separated by commas. 'active' means not archived, not blocked, and if approval is enabled, approved. 'pending' and 'denied' are only applicable if approval is enabled."
+            })
+    )
+});
+
+function queryUserDevicesBase() {
+    return db
+        .select({
+            clientId: clients.clientId,
+            orgId: clients.orgId,
+            name: clients.name,
+            pubKey: clients.pubKey,
+            subnet: clients.subnet,
+            megabytesIn: clients.megabytesIn,
+            megabytesOut: clients.megabytesOut,
+            orgName: orgs.name,
+            type: clients.type,
+            online: clients.online,
+            olmVersion: olms.version,
+            userId: clients.userId,
+            username: users.username,
+            userEmail: users.email,
+            niceId: clients.niceId,
+            agent: olms.agent,
+            approvalState: clients.approvalState,
+            olmArchived: olms.archived,
+            archived: clients.archived,
+            blocked: clients.blocked,
+            deviceModel: currentFingerprint.deviceModel,
+            fingerprintPlatform: currentFingerprint.platform,
+            fingerprintOsVersion: currentFingerprint.osVersion,
+            fingerprintKernelVersion: currentFingerprint.kernelVersion,
+            fingerprintArch: currentFingerprint.arch,
+            fingerprintSerialNumber: currentFingerprint.serialNumber,
+            fingerprintUsername: currentFingerprint.username,
+            fingerprintHostname: currentFingerprint.hostname
+        })
+        .from(clients)
+        .leftJoin(orgs, eq(clients.orgId, orgs.orgId))
+        .leftJoin(olms, eq(clients.clientId, olms.clientId))
+        .leftJoin(users, eq(clients.userId, users.userId))
+        .leftJoin(currentFingerprint, eq(olms.olmId, currentFingerprint.olmId));
+}
+
+type OlmWithUpdateAvailable = Awaited<
+    ReturnType<typeof queryUserDevicesBase>
+>[0] & {
+    olmUpdateAvailable?: boolean;
+};
+
+export type ListUserDevicesResponse = PaginatedResponse<{
+    devices: Array<OlmWithUpdateAvailable>;
+}>;
+
+registry.registerPath({
+    method: "get",
+    path: "/org/{orgId}/user-devices",
+    description: "List all user devices for an organization.",
+    tags: [OpenAPITags.Client, OpenAPITags.Org],
+    request: {
+        query: listUserDevicesSchema,
+        params: listUserDevicesParamsSchema
+    },
+    responses: {}
+});
+
+export async function listUserDevices(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedQuery = listUserDevicesSchema.safeParse(req.query);
+        if (!parsedQuery.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedQuery.error)
+                )
+            );
+        }
+        const { page, pageSize, query, sort_by, online, status, agent, order } =
+            parsedQuery.data;
+
+        const parsedParams = listUserDevicesParamsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error)
+                )
+            );
+        }
+        const { orgId } = parsedParams.data;
+
+        if (req.user && orgId && orgId !== req.userOrgId) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "User does not have access to this organization"
+                )
+            );
+        }
+
+        let accessibleClients;
+        if (req.user) {
+            accessibleClients = await db
+                .select({
+                    clientId: sql<number>`COALESCE(${userClients.clientId}, ${roleClients.clientId})`
+                })
+                .from(userClients)
+                .fullJoin(
+                    roleClients,
+                    eq(userClients.clientId, roleClients.clientId)
+                )
+                .where(
+                    or(
+                        eq(userClients.userId, req.user!.userId),
+                        eq(roleClients.roleId, req.userOrgRoleId!)
+                    )
+                );
+        } else {
+            accessibleClients = await db
+                .select({ clientId: clients.clientId })
+                .from(clients)
+                .where(eq(clients.orgId, orgId));
+        }
+
+        const accessibleClientIds = accessibleClients.map(
+            (client) => client.clientId
+        );
+        // Get client count with filter
+        const conditions = [
+            and(
+                inArray(clients.clientId, accessibleClientIds),
+                eq(clients.orgId, orgId),
+                isNotNull(clients.userId)
+            )
+        ];
+
+        if (query) {
+            conditions.push(
+                or(
+                    like(
+                        sql`LOWER(${clients.name})`,
+                        "%" + query.toLowerCase() + "%"
+                    ),
+                    like(
+                        sql`LOWER(${clients.niceId})`,
+                        "%" + query.toLowerCase() + "%"
+                    ),
+                    like(
+                        sql`LOWER(${users.email})`,
+                        "%" + query.toLowerCase() + "%"
+                    )
+                )
+            );
+        }
+
+        if (typeof online !== "undefined") {
+            conditions.push(eq(clients.online, online));
+        }
+
+        const agentValueMap = {
+            windows: "Pangolin Windows",
+            android: "Pangolin Android",
+            ios: "Pangolin iOS",
+            ipados: "Pangolin iPadOS",
+            macos: "Pangolin macOS",
+            cli: "Pangolin CLI",
+            olm: "Olm CLI"
+        } satisfies Record<
+            Exclude<typeof agent, undefined | "unknown">,
+            string
+        >;
+        if (typeof agent !== "undefined") {
+            if (agent === "unknown") {
+                conditions.push(isNull(olms.agent));
+            } else {
+                conditions.push(eq(olms.agent, agentValueMap[agent]));
+            }
+        }
+
+        if (status.length > 0) {
+            const filterAggregates: (SQL<unknown> | undefined)[] = [];
+
+            if (status.includes("active")) {
+                filterAggregates.push(
+                    and(
+                        eq(clients.archived, false),
+                        eq(clients.blocked, false),
+                        build !== "oss"
+                            ? or(
+                                  eq(clients.approvalState, "approved"),
+                                  isNull(clients.approvalState) // approval state of `NULL` means approved by default
+                              )
+                            : undefined // undefined are automatically ignored by `drizzle-orm`
+                    )
+                );
+            }
+
+            if (status.includes("archived")) {
+                filterAggregates.push(eq(clients.archived, true));
+            }
+            if (status.includes("blocked")) {
+                filterAggregates.push(eq(clients.blocked, true));
+            }
+
+            if (build !== "oss") {
+                if (status.includes("pending")) {
+                    filterAggregates.push(eq(clients.approvalState, "pending"));
+                }
+                if (status.includes("denied")) {
+                    filterAggregates.push(eq(clients.approvalState, "denied"));
+                }
+            }
+
+            conditions.push(or(...filterAggregates));
+        }
+
+        const baseQuery = queryUserDevicesBase().where(and(...conditions));
+
+        const countQuery = db.$count(baseQuery.as("filtered_clients"));
+
+        const listDevicesQuery = baseQuery
+            .limit(pageSize)
+            .offset(pageSize * (page - 1))
+            .orderBy(
+                sort_by
+                    ? order === "asc"
+                        ? asc(clients[sort_by])
+                        : desc(clients[sort_by])
+                    : asc(clients.clientId)
+            );
+
+        const [clientsList, totalCount] = await Promise.all([
+            listDevicesQuery,
+            countQuery
+        ]);
+
+        // Merge clients with their site associations and replace name with device name
+        const olmsWithUpdates: OlmWithUpdateAvailable[] = clientsList.map(
+            (client) => {
+                const model = client.deviceModel || null;
+                const newName = getUserDeviceName(model, client.name);
+                const OlmWithUpdate: OlmWithUpdateAvailable = {
+                    ...client,
+                    name: newName
+                };
+                // Initially set to false, will be updated if version check succeeds
+                OlmWithUpdate.olmUpdateAvailable = false;
+                return OlmWithUpdate;
+            }
+        );
+
+        // Try to get the latest version, but don't block if it fails
+        try {
+            const latestOlmVersion = await getLatestOlmVersion();
+
+            if (latestOlmVersion) {
+                olmsWithUpdates.forEach((client) => {
+                    try {
+                        client.olmUpdateAvailable = semver.lt(
+                            client.olmVersion ? client.olmVersion : "",
+                            latestOlmVersion
+                        );
+                    } catch (error) {
+                        client.olmUpdateAvailable = false;
+                    }
+                });
+            }
+        } catch (error) {
+            // Log the error but don't let it block the response
+            logger.warn(
+                "Failed to check for OLM updates, continuing without update info:",
+                error
+            );
+        }
+
+        return response<ListUserDevicesResponse>(res, {
+            data: {
+                devices: olmsWithUpdates,
+                pagination: {
+                    total: totalCount,
+                    page,
+                    pageSize
+                }
+            },
+            success: true,
+            error: false,
+            message: "Clients retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
--- a/server/routers/domain/createOrgDomain.ts
+++ b/server/routers/domain/createOrgDomain.ts
@@ -148,7 +148,6 @@ export async function createOrgDomain(
            }
        }

-        let numOrgDomains: OrgDomains[] | undefined;
        let aRecords: CreateDomainResponse["aRecords"];
        let cnameRecords: CreateDomainResponse["cnameRecords"];
        let txtRecords: CreateDomainResponse["txtRecords"];
@@ -347,20 +346,9 @@ export async function createOrgDomain(
                await trx.insert(dnsRecords).values(recordsToInsert);
            }

-            numOrgDomains = await trx
-                .select()
-                .from(orgDomains)
-                .where(eq(orgDomains.orgId, orgId));
+            await usageService.add(orgId, FeatureId.DOMAINS, 1, trx);
        });

-        if (numOrgDomains) {
-            await usageService.updateCount(
-                orgId,
-                FeatureId.DOMAINS,
-                numOrgDomains.length
-            );
-        }
-
        if (!returned) {
            return next(
                createHttpError(
--- a/server/routers/domain/deleteOrgDomain.ts
+++ b/server/routers/domain/deleteOrgDomain.ts
@@ -36,8 +36,6 @@ export async function deleteAccountDomain(
        }
        const { domainId, orgId } = parsed.data;

-        let numOrgDomains: OrgDomains[] | undefined;
-
        await db.transaction(async (trx) => {
            const [existing] = await trx
                .select()
@@ -79,20 +77,9 @@ export async function deleteAccountDomain(

            await trx.delete(domains).where(eq(domains.domainId, domainId));

-            numOrgDomains = await trx
-                .select()
-                .from(orgDomains)
-                .where(eq(orgDomains.orgId, orgId));
+            await usageService.add(orgId, FeatureId.DOMAINS, -1, trx);
        });

-        if (numOrgDomains) {
-            await usageService.updateCount(
-                orgId,
-                FeatureId.DOMAINS,
-                numOrgDomains.length
-            );
-        }
-
        return response<DeleteAccountDomainResponse>(res, {
            data: { success: true },
            success: true,
--- a/server/routers/external.ts
+++ b/server/routers/external.ts
@@ -50,6 +50,7 @@ import createHttpError from "http-errors";
 import { build } from "@server/build";
 import { createStore } from "#dynamic/lib/rateLimitStore";
 import { logActionAudit } from "#dynamic/middlewares";
+import { checkRoundTripMessage } from "./ws";

 // Root routes
 export const unauthenticated = Router();
@@ -64,9 +65,8 @@ authenticated.use(verifySessionUserMiddleware);

 authenticated.get("/pick-org-defaults", org.pickOrgDefaults);
 authenticated.get("/org/checkId", org.checkId);
-if (build === "oss" || build === "enterprise") {
-    authenticated.put("/org", getUserOrgs, org.createOrg);
-}
+
+authenticated.put("/org", getUserOrgs, org.createOrg);

 authenticated.get("/orgs", verifyUserIsServerAdmin, org.listOrgs);
 authenticated.get("/user/:userId/orgs", verifyIsLoggedInUser, org.listUserOrgs);
@@ -86,16 +86,14 @@ authenticated.post(
    org.updateOrg
 );

-if (build !== "saas") {
-    authenticated.delete(
-        "/org/:orgId",
-        verifyOrgAccess,
-        verifyUserIsOrgOwner,
-        verifyUserHasAction(ActionsEnum.deleteOrg),
-        logActionAudit(ActionsEnum.deleteOrg),
-        org.deleteOrg
-    );
-}
+authenticated.delete(
+    "/org/:orgId",
+    verifyOrgAccess,
+    verifyUserIsOrgOwner,
+    verifyUserHasAction(ActionsEnum.deleteOrg),
+    logActionAudit(ActionsEnum.deleteOrg),
+    org.deleteOrg
+);

 authenticated.put(
    "/org/:orgId/site",
@@ -145,6 +143,13 @@ authenticated.get(
    client.listClients
 );

+authenticated.get(
+    "/org/:orgId/user-devices",
+    verifyOrgAccess,
+    verifyUserHasAction(ActionsEnum.listClients),
+    client.listUserDevices
+);
+
 authenticated.get(
    "/client/:clientId",
    verifyClientAccess,
@@ -1116,6 +1121,8 @@ authenticated.get(
    blueprints.getBlueprint
 );

+authenticated.get("/ws/round-trip-message/:messageId", checkRoundTripMessage);
+
 // Auth routes
 export const authRouter = Router();
 unauthenticated.use("/auth", authRouter);
@@ -1164,6 +1171,7 @@ authRouter.post(
    auth.login
 );
 authRouter.post("/logout", auth.logout);
+authRouter.post("/delete-my-account", auth.deleteMyAccount);
 authRouter.post(
    "/lookup-user",
    rateLimit({
--- a/server/routers/idp/createIdpOrgPolicy.ts
+++ b/server/routers/idp/createIdpOrgPolicy.ts
@@ -70,6 +70,15 @@ export async function createIdpOrgPolicy(
        const { idpId, orgId } = parsedParams.data;
        const { roleMapping, orgMapping } = parsedBody.data;

+        if (process.env.IDENTITY_PROVIDER_MODE === "org") {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Global IdP creation is not allowed in the current identity provider mode. Set app.identity_provider_mode to 'global' in the private configuration to enable this feature."
+                )
+            );
+        }
+
        const [existing] = await db
            .select()
            .from(idp)
--- a/server/routers/idp/createOidcIdp.ts
+++ b/server/routers/idp/createOidcIdp.ts
@@ -80,6 +80,17 @@ export async function createOidcIdp(
            tags
        } = parsedBody.data;

+        if (
+            process.env.IDENTITY_PROVIDER_MODE === "org"
+        ) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Global IdP creation is not allowed in the current identity provider mode. Set app.identity_provider_mode to 'global' in the private configuration to enable this feature."
+                )
+            );
+        }
+
        const key = config.getRawConfig().server.secret!;

        const encryptedSecret = encrypt(clientSecret, key);
--- a/server/routers/idp/updateIdpOrgPolicy.ts
+++ b/server/routers/idp/updateIdpOrgPolicy.ts
@@ -69,6 +69,15 @@ export async function updateIdpOrgPolicy(
        const { idpId, orgId } = parsedParams.data;
        const { roleMapping, orgMapping } = parsedBody.data;

+        if (process.env.IDENTITY_PROVIDER_MODE === "org") {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Global IdP creation is not allowed in the current identity provider mode. Set app.identity_provider_mode to 'global' in the private configuration to enable this feature."
+                )
+            );
+        }
+
        // Check if IDP and policy exist
        const [existing] = await db
            .select()
--- a/server/routers/idp/updateOidcIdp.ts
+++ b/server/routers/idp/updateOidcIdp.ts
@@ -99,6 +99,15 @@ export async function updateOidcIdp(
            tags
        } = parsedBody.data;

+        if (process.env.IDENTITY_PROVIDER_MODE === "org") {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Global IdP creation is not allowed in the current identity provider mode. Set app.identity_provider_mode to 'global' in the private configuration to enable this feature."
+                )
+            );
+        }
+
        // Check if IDP exists and is of type OIDC
        const [existingIdp] = await db
            .select()
--- a/server/routers/idp/validateOidcCallback.ts
+++ b/server/routers/idp/validateOidcCallback.ts
@@ -36,6 +36,10 @@ import { build } from "@server/build";
 import { calculateUserClientsForOrgs } from "@server/lib/calculateUserClientsForOrgs";
 import { isSubscribed } from "#dynamic/lib/isSubscribed";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import {
+    assignUserToOrg,
+    removeUserFromOrg
+} from "@server/lib/userOrg";

 const ensureTrailingSlash = (url: string): string => {
    return url;
@@ -436,6 +440,7 @@ export async function validateOidcCallback(
                }
            }

+            // These are the orgs that the user should be provisioned into based on the IdP mappings and the token claims
            logger.debug("User org info", { userOrgInfo });

            let existingUserId = existingUser?.userId;
@@ -454,15 +459,32 @@ export async function validateOidcCallback(
                        );

                    if (!existingUserOrgs.length) {
-                        // delete all auto -provisioned user orgs
-                        await db
-                            .delete(userOrgs)
+                        // delete all auto-provisioned user orgs
+                        const autoProvisionedUserOrgs = await db
+                            .select()
+                            .from(userOrgs)
                            .where(
                                and(
                                    eq(userOrgs.userId, existingUser.userId),
                                    eq(userOrgs.autoProvisioned, true)
                                )
                            );
+                        const orgIdsToRemove = autoProvisionedUserOrgs.map(
+                            (uo) => uo.orgId
+                        );
+                        if (orgIdsToRemove.length > 0) {
+                            const orgsToRemove = await db
+                                .select()
+                                .from(orgs)
+                                .where(inArray(orgs.orgId, orgIdsToRemove));
+                            for (const org of orgsToRemove) {
+                                await removeUserFromOrg(
+                                    org,
+                                    existingUser.userId,
+                                    db
+                                );
+                            }
+                        }

                        await calculateUserClientsForOrgs(existingUser.userId);

@@ -484,7 +506,7 @@ export async function validateOidcCallback(
                }
            }

-            const orgUserCounts: { orgId: string; userCount: number }[] = [];
+                const orgUserCounts: { orgId: string; userCount: number }[] = [];

            // sync the user with the orgs and roles
            await db.transaction(async (trx) => {
@@ -538,15 +560,14 @@ export async function validateOidcCallback(
                );

                if (orgsToDelete.length > 0) {
-                    await trx.delete(userOrgs).where(
-                        and(
-                            eq(userOrgs.userId, userId!),
-                            inArray(
-                                userOrgs.orgId,
-                                orgsToDelete.map((org) => org.orgId)
-                            )
-                        )
-                    );
+                    const orgIdsToRemove = orgsToDelete.map((org) => org.orgId);
+                    const fullOrgsToRemove = await trx
+                        .select()
+                        .from(orgs)
+                        .where(inArray(orgs.orgId, orgIdsToRemove));
+                    for (const org of fullOrgsToRemove) {
+                        await removeUserFromOrg(org, userId!, trx);
+                    }
                }

                // Update roles for existing auto-provisioned orgs where the role has changed
@@ -587,15 +608,24 @@ export async function validateOidcCallback(
                );

                if (orgsToAdd.length > 0) {
-                    await trx.insert(userOrgs).values(
-                        orgsToAdd.map((org) => ({
-                            userId: userId!,
-                            orgId: org.orgId,
-                            roleId: org.roleId,
-                            autoProvisioned: true,
-                            dateCreated: new Date().toISOString()
-                        }))
-                    );
+                    for (const org of orgsToAdd) {
+                        const [fullOrg] = await trx
+                            .select()
+                            .from(orgs)
+                            .where(eq(orgs.orgId, org.orgId));
+                        if (fullOrg) {
+                            await assignUserToOrg(
+                                fullOrg,
+                                {
+                                    orgId: org.orgId,
+                                    userId: userId!,
+                                    roleId: org.roleId,
+                                    autoProvisioned: true,
+                                },
+                                trx
+                            );
+                        }
+                    }
                }

                // Loop through all the orgs and get the total number of users from the userOrgs table
--- a/server/routers/integration.ts
+++ b/server/routers/integration.ts
@@ -866,6 +866,13 @@ authenticated.get(
    client.listClients
 );

+authenticated.get(
+    "/org/:orgId/user-devices",
+    verifyApiKeyOrgAccess,
+    verifyApiKeyHasAction(ActionsEnum.listClients),
+    client.listUserDevices
+);
+
 authenticated.get(
    "/client/:clientId",
    verifyApiKeyClientAccess,
--- a/server/routers/org/createOrg.ts
+++ b/server/routers/org/createOrg.ts
@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
-import { eq } from "drizzle-orm";
+import { and, count, eq } from "drizzle-orm";
 import {
    domains,
    Org,
@@ -24,10 +24,12 @@ import { OpenAPITags, registry } from "@server/openApi";
 import { isValidCIDR } from "@server/lib/validators";
 import { createCustomer } from "#dynamic/lib/billing";
 import { usageService } from "@server/lib/billing/usageService";
-import { FeatureId } from "@server/lib/billing";
+import { FeatureId, limitsService, freeLimitSet } from "@server/lib/billing";
 import { build } from "@server/build";
 import { calculateUserClientsForOrgs } from "@server/lib/calculateUserClientsForOrgs";
 import { doCidrsOverlap } from "@server/lib/ip";
+import { generateCA } from "@server/private/lib/sshCA";
+import { encrypt } from "@server/lib/crypto";

 const createOrgSchema = z.strictObject({
    orgId: z.string(),
@@ -108,6 +110,7 @@ export async function createOrg(
        //         )
        //     );
        // }
+        //

        // make sure the orgId is unique
        const orgExists = await db
@@ -134,8 +137,80 @@ export async function createOrg(
            );
        }

+        let isFirstOrg: boolean | null = null;
+        let billingOrgIdForNewOrg: string | null = null;
+        if (build === "saas" && req.user) {
+            const ownedOrgs = await db
+                .select()
+                .from(userOrgs)
+                .where(
+                    and(
+                        eq(userOrgs.userId, req.user.userId),
+                        eq(userOrgs.isOwner, true)
+                    )
+                );
+            if (ownedOrgs.length === 0) {
+                isFirstOrg = true;
+            } else {
+                isFirstOrg = false;
+                const [billingOrg] = await db
+                    .select({ orgId: orgs.orgId })
+                    .from(orgs)
+                    .innerJoin(userOrgs, eq(orgs.orgId, userOrgs.orgId))
+                    .where(
+                        and(
+                            eq(userOrgs.userId, req.user.userId),
+                            eq(userOrgs.isOwner, true),
+                            eq(orgs.isBillingOrg, true)
+                        )
+                    )
+                    .limit(1);
+                if (billingOrg) {
+                    billingOrgIdForNewOrg = billingOrg.orgId;
+                }
+            }
+        }
+
+        if (build == "saas") {
+            if (!billingOrgIdForNewOrg) {
+                return next(
+                    createHttpError(
+                        HttpCode.INTERNAL_SERVER_ERROR,
+                        "Billing org not found for user. Cannot create new organization."
+                    )
+                );
+            }
+
+            const usage = await usageService.getUsage(billingOrgIdForNewOrg, FeatureId.ORGINIZATIONS);
+            if (!usage) {
+                return next(
+                    createHttpError(
+                        HttpCode.NOT_FOUND,
+                        "No usage data found for this organization"
+                    )
+                );
+            }
+            const rejectOrgs = await usageService.checkLimitSet(
+                billingOrgIdForNewOrg,
+                FeatureId.ORGINIZATIONS,
+                {
+                    ...usage,
+                    instantaneousValue: (usage.instantaneousValue || 0) + 1
+                } // We need to add one to know if we are violating the limit
+            );
+            if (rejectOrgs) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "Organization limit exceeded. Please upgrade your plan."
+                    )
+                );
+            }
+        }
+
        let error = "";
        let org: Org | null = null;
+        let numOrgs: number | null = null;

        await db.transaction(async (trx) => {
            const allDomains = await trx
@@ -143,6 +218,21 @@ export async function createOrg(
                .from(domains)
                .where(eq(domains.configManaged, true));

+            // Generate SSH CA keys for the org
+            // const ca = generateCA(`${orgId}-ca`);
+            // const encryptionKey = config.getRawConfig().server.secret!;
+            // const encryptedCaPrivateKey = encrypt(ca.privateKeyPem, encryptionKey);
+
+            const saasBillingFields =
+                build === "saas" && req.user && isFirstOrg !== null
+                    ? isFirstOrg
+                        ? { isBillingOrg: true as const, billingOrgId: orgId } // if this is the first org, it becomes the billing org for itself
+                        : {
+                              isBillingOrg: false as const,
+                              billingOrgId: billingOrgIdForNewOrg
+                          }
+                    : {};
+
            const newOrg = await trx
                .insert(orgs)
                .values({
@@ -150,7 +240,10 @@ export async function createOrg(
                    name,
                    subnet,
                    utilitySubnet,
-                    createdAt: new Date().toISOString()
+                    createdAt: new Date().toISOString(),
+                    // sshCaPrivateKey: encryptedCaPrivateKey,
+                    // sshCaPublicKey: ca.publicKeyOpenSSH,
+                    ...saasBillingFields
                })
                .returning();

@@ -252,6 +345,17 @@ export async function createOrg(
            );

            await calculateUserClientsForOrgs(ownerUserId, trx);
+
+            if (billingOrgIdForNewOrg) {
+                const [numOrgsResult] = await trx
+                    .select({ count: count() })
+                    .from(orgs)
+                    .where(eq(orgs.billingOrgId, billingOrgIdForNewOrg)); // all the billable orgs including the primary org that is the billing org itself
+
+                numOrgs = numOrgsResult.count;
+            } else {
+                numOrgs = 1; // we only have one org if there is no billing org found out
+            }
        });

        if (!org) {
@@ -267,8 +371,8 @@ export async function createOrg(
            return next(createHttpError(HttpCode.INTERNAL_SERVER_ERROR, error));
        }

-        if (build == "saas") {
-            // make sure we have the stripe customer
+        if (build === "saas" && isFirstOrg === true) {
+            await limitsService.applyLimitSetToOrg(orgId, freeLimitSet);
            const customerId = await createCustomer(orgId, req.user?.email);
            if (customerId) {
                await usageService.updateCount(
@@ -280,6 +384,14 @@ export async function createOrg(
            }
        }

+        if (numOrgs) {
+            usageService.updateCount(
+                billingOrgIdForNewOrg || orgId,
+                FeatureId.ORGINIZATIONS,
+                numOrgs
+            );
+        }
+
        return response(res, {
            data: org,
            success: true,
--- a/server/routers/org/deleteOrg.ts
+++ b/server/routers/org/deleteOrg.ts
@@ -1,28 +1,14 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import {
-    clients,
-    clientSiteResourcesAssociationsCache,
-    clientSitesAssociationsCache,
-    db,
-    domains,
-    olms,
-    orgDomains,
-    resources
-} from "@server/db";
-import { newts, newtSessions, orgs, sites, userActions } from "@server/db";
-import { eq, and, inArray, sql } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
-import { ActionsEnum, checkUserActionPermission } from "@server/auth/actions";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
-import { sendToClient } from "#dynamic/routers/ws";
-import { deletePeer } from "../gerbil/peers";
 import { OpenAPITags, registry } from "@server/openApi";
-import { OlmErrorCodes } from "../olm/error";
-import { sendTerminateClient } from "../client/terminate";
+import { deleteOrgById, sendTerminationMessages } from "@server/lib/deleteOrg";
+import { db, userOrgs, orgs } from "@server/db";
+import { eq, and } from "drizzle-orm";

 const deleteOrgSchema = z.strictObject({
    orgId: z.string()
@@ -56,16 +42,23 @@ export async function deleteOrg(
                )
            );
        }
-
        const { orgId } = parsedParams.data;

-        const [org] = await db
+        const [data] = await db
            .select()
-            .from(orgs)
-            .where(eq(orgs.orgId, orgId))
-            .limit(1);
+            .from(userOrgs)
+            .innerJoin(orgs, eq(userOrgs.orgId, orgs.orgId))
+            .where(
+                and(
+                    eq(userOrgs.orgId, orgId),
+                    eq(userOrgs.userId, req.user!.userId)
+                )
+            );

-        if (!org) {
+        const org = data?.orgs;
+        const userOrg = data?.userOrgs;
+
+        if (!org || !userOrg) {
            return next(
                createHttpError(
                    HttpCode.NOT_FOUND,
@@ -73,153 +66,27 @@ export async function deleteOrg(
                )
            );
        }
-        // we need to handle deleting each site
-        const orgSites = await db
-            .select()
-            .from(sites)
-            .where(eq(sites.orgId, orgId))
-            .limit(1);

-        const orgClients = await db
-            .select()
-            .from(clients)
-            .where(eq(clients.orgId, orgId));
-
-        const deletedNewtIds: string[] = [];
-        const olmsToTerminate: string[] = [];
-
-        await db.transaction(async (trx) => {
-            for (const site of orgSites) {
-                if (site.pubKey) {
-                    if (site.type == "wireguard") {
-                        await deletePeer(site.exitNodeId!, site.pubKey);
-                    } else if (site.type == "newt") {
-                        // get the newt on the site by querying the newt table for siteId
-                        const [deletedNewt] = await trx
-                            .delete(newts)
-                            .where(eq(newts.siteId, site.siteId))
-                            .returning();
-                        if (deletedNewt) {
-                            deletedNewtIds.push(deletedNewt.newtId);
-
-                            // delete all of the sessions for the newt
-                            await trx
-                                .delete(newtSessions)
-                                .where(
-                                    eq(newtSessions.newtId, deletedNewt.newtId)
-                                );
-                        }
-                    }
-                }
-
-                logger.info(`Deleting site ${site.siteId}`);
-                await trx.delete(sites).where(eq(sites.siteId, site.siteId));
-            }
-            for (const client of orgClients) {
-                const [olm] = await trx
-                    .select()
-                    .from(olms)
-                    .where(eq(olms.clientId, client.clientId))
-                    .limit(1);
-
-                if (olm) {
-                    olmsToTerminate.push(olm.olmId);
-                }
-
-                logger.info(`Deleting client ${client.clientId}`);
-                await trx
-                    .delete(clients)
-                    .where(eq(clients.clientId, client.clientId));
-
-                // also delete the associations
-                await trx
-                    .delete(clientSiteResourcesAssociationsCache)
-                    .where(
-                        eq(
-                            clientSiteResourcesAssociationsCache.clientId,
-                            client.clientId
-                        )
-                    );
-
-                await trx
-                    .delete(clientSitesAssociationsCache)
-                    .where(
-                        eq(
-                            clientSitesAssociationsCache.clientId,
-                            client.clientId
-                        )
-                    );
-            }
-
-            const allOrgDomains = await trx
-                .select()
-                .from(orgDomains)
-                .innerJoin(domains, eq(domains.domainId, orgDomains.domainId))
-                .where(
-                    and(
-                        eq(orgDomains.orgId, orgId),
-                        eq(domains.configManaged, false)
-                    )
-                );
-
-            // For each domain, check if it belongs to multiple organizations
-            const domainIdsToDelete: string[] = [];
-            for (const orgDomain of allOrgDomains) {
-                const domainId = orgDomain.domains.domainId;
-
-                // Count how many organizations this domain belongs to
-                const orgCount = await trx
-                    .select({ count: sql<number>`count(*)` })
-                    .from(orgDomains)
-                    .where(eq(orgDomains.domainId, domainId));
-
-                // Only delete the domain if it belongs to exactly 1 organization (the one being deleted)
-                if (orgCount[0].count === 1) {
-                    domainIdsToDelete.push(domainId);
-                }
-            }
-
-            // Delete domains that belong exclusively to this organization
-            if (domainIdsToDelete.length > 0) {
-                await trx
-                    .delete(domains)
-                    .where(inArray(domains.domainId, domainIdsToDelete));
-            }
-
-            // Delete resources
-            await trx.delete(resources).where(eq(resources.orgId, orgId));
-
-            await trx.delete(orgs).where(eq(orgs.orgId, orgId));
-        });
-
-        // Send termination messages outside of transaction to prevent blocking
-        for (const newtId of deletedNewtIds) {
-            const payload = {
-                type: `newt/wg/terminate`,
-                data: {}
-            };
-            // Don't await this to prevent blocking the response
-            sendToClient(newtId, payload).catch((error) => {
-                logger.error(
-                    "Failed to send termination message to newt:",
-                    error
-                );
-            });
+        if (!userOrg.isOwner) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Only organization owners can delete the organization"
+                )
+            );
        }

-        for (const olmId of olmsToTerminate) {
-            sendTerminateClient(
-                0, // clientId not needed since we're passing olmId
-                OlmErrorCodes.TERMINATED_REKEYED,
-                olmId
-            ).catch((error) => {
-                logger.error(
-                    "Failed to send termination message to olm:",
-                    error
-                );
-            });
+        if (org.isBillingOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Cannot delete a primary organization"
+                )
+            );
        }

+        const result = await deleteOrgById(orgId);
+        sendTerminationMessages(result);
        return response(res, {
            data: null,
            success: true,
@@ -228,6 +95,9 @@ export async function deleteOrg(
            status: HttpCode.OK
        });
    } catch (error) {
+        if (createHttpError.isHttpError(error)) {
+            return next(error);
+        }
        logger.error(error);
        return next(
            createHttpError(
--- a/server/routers/org/listUserOrgs.ts
+++ b/server/routers/org/listUserOrgs.ts
@@ -40,7 +40,11 @@ const listOrgsSchema = z.object({
 //     responses: {}
 // });

-type ResponseOrg = Org & { isOwner?: boolean; isAdmin?: boolean };
+type ResponseOrg = Org & {
+    isOwner?: boolean;
+    isAdmin?: boolean;
+    isPrimaryOrg?: boolean;
+};

 export type ListUserOrgsResponse = {
    orgs: ResponseOrg[];
@@ -132,6 +136,9 @@ export async function listUserOrgs(
            if (val.roles && val.roles.isAdmin) {
                res.isAdmin = val.roles.isAdmin;
            }
+            if (val.userOrgs?.isOwner && val.orgs?.isBillingOrg) {
+                res.isPrimaryOrg = val.orgs.isBillingOrg;
+            }
            return res;
        });

--- a/server/routers/resource/listResources.ts
+++ b/server/routers/resource/listResources.ts
@@ -1,74 +1,99 @@
-import { Request, Response, NextFunction } from "express";
-import { z } from "zod";
 import {
    db,
    resourceHeaderAuth,
-    resourceHeaderAuthExtendedCompatibility
-} from "@server/db";
-import {
-    resources,
-    userResources,
-    roleResources,
+    resourceHeaderAuthExtendedCompatibility,
    resourcePassword,
    resourcePincode,
+    resources,
+    roleResources,
+    targetHealthCheck,
    targets,
-    targetHealthCheck
+    userResources
 } from "@server/db";
 import response from "@server/lib/response";
-import HttpCode from "@server/types/HttpCode";
-import createHttpError from "http-errors";
-import { sql, eq, or, inArray, and, count } from "drizzle-orm";
 import logger from "@server/logger";
-import { fromZodError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
+import HttpCode from "@server/types/HttpCode";
+import type { PaginatedResponse } from "@server/types/Pagination";
+import {
+    and,
+    asc,
+    count,
+    eq,
+    inArray,
+    isNull,
+    like,
+    not,
+    or,
+    sql,
+    type SQL
+} from "drizzle-orm";
+import { NextFunction, Request, Response } from "express";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromZodError } from "zod-validation-error";

 const listResourcesParamsSchema = z.strictObject({
    orgId: z.string()
 });

 const listResourcesSchema = z.object({
-    limit: z
-        .string()
+    pageSize: z.coerce
+        .number<string>() // for prettier formatting
+        .int()
+        .positive()
        .optional()
-        .default("1000")
-        .transform(Number)
-        .pipe(z.int().nonnegative()),
-
-    offset: z
-        .string()
+        .catch(20)
+        .default(20)
+        .openapi({
+            type: "integer",
+            default: 20,
+            description: "Number of items per page"
+        }),
+    page: z.coerce
+        .number<string>() // for prettier formatting
+        .int()
+        .min(0)
        .optional()
-        .default("0")
-        .transform(Number)
-        .pipe(z.int().nonnegative())
+        .catch(1)
+        .default(1)
+        .openapi({
+            type: "integer",
+            default: 1,
+            description: "Page number to retrieve"
+        }),
+    query: z.string().optional(),
+    enabled: z
+        .enum(["true", "false"])
+        .transform((v) => v === "true")
+        .optional()
+        .catch(undefined)
+        .openapi({
+            type: "boolean",
+            description: "Filter resources based on enabled status"
+        }),
+    authState: z
+        .enum(["protected", "not_protected", "none"])
+        .optional()
+        .catch(undefined)
+        .openapi({
+            type: "string",
+            enum: ["protected", "not_protected", "none"],
+            description:
+                "Filter resources based on authentication state. `protected` means the resource has at least one auth mechanism (password, pincode, header auth, SSO, or email whitelist). `not_protected` means the resource has no auth mechanisms. `none` means the resource is not protected by HTTP (i.e. it has no auth mechanisms and http is false)."
+        }),
+    healthStatus: z
+        .enum(["no_targets", "healthy", "degraded", "offline", "unknown"])
+        .optional()
+        .catch(undefined)
+        .openapi({
+            type: "string",
+            enum: ["no_targets", "healthy", "degraded", "offline", "unknown"],
+            description:
+                "Filter resources based on health status of their targets. `healthy` means all targets are healthy. `degraded` means at least one target is unhealthy, but not all are unhealthy. `offline` means all targets are unhealthy. `unknown` means all targets have unknown health status. `no_targets` means the resource has no targets."
+        })
 });

-// (resource fields + a single joined target)
-type JoinedRow = {
-    resourceId: number;
-    niceId: string;
-    name: string;
-    ssl: boolean;
-    fullDomain: string | null;
-    passwordId: number | null;
-    sso: boolean;
-    pincodeId: number | null;
-    whitelist: boolean;
-    http: boolean;
-    protocol: string;
-    proxyPort: number | null;
-    enabled: boolean;
-    domainId: string | null;
-    headerAuthId: number | null;
-
-    targetId: number | null;
-    targetIp: string | null;
-    targetPort: number | null;
-    targetEnabled: boolean | null;
-
-    hcHealth: string | null;
-    hcEnabled: boolean | null;
-};
-
 // grouped by resource with targets[])
 export type ResourceWithTargets = {
    resourceId: number;
@@ -91,11 +116,32 @@ export type ResourceWithTargets = {
        ip: string;
        port: number;
        enabled: boolean;
-        healthStatus?: "healthy" | "unhealthy" | "unknown";
+        healthStatus: "healthy" | "unhealthy" | "unknown" | null;
    }>;
 };

-function queryResources(accessibleResourceIds: number[], orgId: string) {
+// Aggregate filters
+const total_targets = count(targets.targetId);
+const healthy_targets = sql<number>`SUM(
+                    CASE
+                    WHEN ${targetHealthCheck.hcHealth} = 'healthy' THEN 1
+                    ELSE 0
+                    END
+                ) `;
+const unknown_targets = sql<number>`SUM(
+                    CASE
+                    WHEN ${targetHealthCheck.hcHealth} = 'unknown' THEN 1
+                    ELSE 0
+                    END
+                ) `;
+const unhealthy_targets = sql<number>`SUM(
+                    CASE
+                    WHEN ${targetHealthCheck.hcHealth} = 'unhealthy' THEN 1
+                    ELSE 0
+                    END
+                ) `;
+
+function queryResourcesBase() {
    return db
        .select({
            resourceId: resources.resourceId,
@@ -114,14 +160,7 @@ function queryResources(accessibleResourceIds: number[], orgId: string) {
            niceId: resources.niceId,
            headerAuthId: resourceHeaderAuth.headerAuthId,
            headerAuthExtendedCompatibilityId:
-                resourceHeaderAuthExtendedCompatibility.headerAuthExtendedCompatibilityId,
-            targetId: targets.targetId,
-            targetIp: targets.ip,
-            targetPort: targets.port,
-            targetEnabled: targets.enabled,
-
-            hcHealth: targetHealthCheck.hcHealth,
-            hcEnabled: targetHealthCheck.hcEnabled
+                resourceHeaderAuthExtendedCompatibility.headerAuthExtendedCompatibilityId
        })
        .from(resources)
        .leftJoin(
@@ -148,18 +187,18 @@ function queryResources(accessibleResourceIds: number[], orgId: string) {
            targetHealthCheck,
            eq(targetHealthCheck.targetId, targets.targetId)
        )
-        .where(
-            and(
-                inArray(resources.resourceId, accessibleResourceIds),
-                eq(resources.orgId, orgId)
-            )
+        .groupBy(
+            resources.resourceId,
+            resourcePassword.passwordId,
+            resourcePincode.pincodeId,
+            resourceHeaderAuth.headerAuthId,
+            resourceHeaderAuthExtendedCompatibility.headerAuthExtendedCompatibilityId
        );
 }

-export type ListResourcesResponse = {
+export type ListResourcesResponse = PaginatedResponse<{
    resources: ResourceWithTargets[];
-    pagination: { total: number; limit: number; offset: number };
-};
+}>;

 registry.registerPath({
    method: "get",
@@ -190,7 +229,8 @@ export async function listResources(
                )
            );
        }
-        const { limit, offset } = parsedQuery.data;
+        const { page, pageSize, authState, enabled, query, healthStatus } =
+            parsedQuery.data;

        const parsedParams = listResourcesParamsSchema.safeParse(req.params);
        if (!parsedParams.success) {
@@ -252,14 +292,133 @@ export async function listResources(
            (resource) => resource.resourceId
        );

-        const countQuery: any = db
-            .select({ count: count() })
-            .from(resources)
-            .where(inArray(resources.resourceId, accessibleResourceIds));
+        const conditions = [
+            and(
+                inArray(resources.resourceId, accessibleResourceIds),
+                eq(resources.orgId, orgId)
+            )
+        ];

-        const baseQuery = queryResources(accessibleResourceIds, orgId);
+        if (query) {
+            conditions.push(
+                or(
+                    like(
+                        sql`LOWER(${resources.name})`,
+                        "%" + query.toLowerCase() + "%"
+                    ),
+                    like(
+                        sql`LOWER(${resources.niceId})`,
+                        "%" + query.toLowerCase() + "%"
+                    ),
+                    like(
+                        sql`LOWER(${resources.fullDomain})`,
+                        "%" + query.toLowerCase() + "%"
+                    )
+                )
+            );
+        }
+        if (typeof enabled !== "undefined") {
+            conditions.push(eq(resources.enabled, enabled));
+        }

-        const rows: JoinedRow[] = await baseQuery.limit(limit).offset(offset);
+        if (typeof authState !== "undefined") {
+            switch (authState) {
+                case "none":
+                    conditions.push(eq(resources.http, false));
+                    break;
+                case "protected":
+                    conditions.push(
+                        or(
+                            eq(resources.sso, true),
+                            eq(resources.emailWhitelistEnabled, true),
+                            not(isNull(resourceHeaderAuth.headerAuthId)),
+                            not(isNull(resourcePincode.pincodeId)),
+                            not(isNull(resourcePassword.passwordId))
+                        )
+                    );
+                    break;
+                case "not_protected":
+                    conditions.push(
+                        not(eq(resources.sso, true)),
+                        not(eq(resources.emailWhitelistEnabled, true)),
+                        isNull(resourceHeaderAuth.headerAuthId),
+                        isNull(resourcePincode.pincodeId),
+                        isNull(resourcePassword.passwordId)
+                    );
+                    break;
+            }
+        }
+
+        let aggregateFilters: SQL<any> | undefined = sql`1 = 1`;
+
+        if (typeof healthStatus !== "undefined") {
+            switch (healthStatus) {
+                case "healthy":
+                    aggregateFilters = and(
+                        sql`${total_targets} > 0`,
+                        sql`${healthy_targets} = ${total_targets}`
+                    );
+                    break;
+                case "degraded":
+                    aggregateFilters = and(
+                        sql`${total_targets} > 0`,
+                        sql`${unhealthy_targets} > 0`
+                    );
+                    break;
+                case "no_targets":
+                    aggregateFilters = sql`${total_targets} = 0`;
+                    break;
+                case "offline":
+                    aggregateFilters = and(
+                        sql`${total_targets} > 0`,
+                        sql`${healthy_targets} = 0`,
+                        sql`${unhealthy_targets} = ${total_targets}`
+                    );
+                    break;
+                case "unknown":
+                    aggregateFilters = and(
+                        sql`${total_targets} > 0`,
+                        sql`${unknown_targets} = ${total_targets}`
+                    );
+                    break;
+            }
+        }
+
+        const baseQuery = queryResourcesBase()
+            .where(and(...conditions))
+            .having(aggregateFilters);
+
+        // we need to add `as` so that drizzle filters the result as a subquery
+        const countQuery = db.$count(baseQuery.as("filtered_resources"));
+
+        const [rows, totalCount] = await Promise.all([
+            baseQuery
+                .limit(pageSize)
+                .offset(pageSize * (page - 1))
+                .orderBy(asc(resources.resourceId)),
+            countQuery
+        ]);
+
+        const resourceIdList = rows.map((row) => row.resourceId);
+        const allResourceTargets =
+            resourceIdList.length === 0
+                ? []
+                : await db
+                      .select({
+                          targetId: targets.targetId,
+                          resourceId: targets.resourceId,
+                          ip: targets.ip,
+                          port: targets.port,
+                          enabled: targets.enabled,
+                          healthStatus: targetHealthCheck.hcHealth,
+                          hcEnabled: targetHealthCheck.hcEnabled
+                      })
+                      .from(targets)
+                      .where(inArray(targets.resourceId, resourceIdList))
+                      .leftJoin(
+                          targetHealthCheck,
+                          eq(targetHealthCheck.targetId, targets.targetId)
+                      );

        // avoids TS issues with reduce/never[]
        const map = new Map<number, ResourceWithTargets>();
@@ -288,44 +447,20 @@ export async function listResources(
                map.set(row.resourceId, entry);
            }

-            if (
-                row.targetId != null &&
-                row.targetIp &&
-                row.targetPort != null &&
-                row.targetEnabled != null
-            ) {
-                let healthStatus: "healthy" | "unhealthy" | "unknown" =
-                    "unknown";
-
-                if (row.hcEnabled && row.hcHealth) {
-                    healthStatus = row.hcHealth as
-                        | "healthy"
-                        | "unhealthy"
-                        | "unknown";
-                }
-
-                entry.targets.push({
-                    targetId: row.targetId,
-                    ip: row.targetIp,
-                    port: row.targetPort,
-                    enabled: row.targetEnabled,
-                    healthStatus: healthStatus
-                });
-            }
+            entry.targets = allResourceTargets.filter(
+                (t) => t.resourceId === entry.resourceId
+            );
        }

        const resourcesList: ResourceWithTargets[] = Array.from(map.values());

-        const totalCountResult = await countQuery;
-        const totalCount = totalCountResult[0]?.count ?? 0;
-
        return response<ListResourcesResponse>(res, {
            data: {
                resources: resourcesList,
                pagination: {
                    total: totalCount,
-                    limit,
-                    offset
+                    pageSize,
+                    page
                }
            },
            success: true,
--- a/server/routers/resource/updateResource.ts
+++ b/server/routers/resource/updateResource.ts
@@ -33,7 +33,7 @@ const updateResourceParamsSchema = z.strictObject({
 const updateHttpResourceBodySchema = z
    .strictObject({
        name: z.string().min(1).max(255).optional(),
-        niceId: z.string().min(1).max(255).optional(),
+        niceId: z.string().min(1).max(255).regex(/^[a-zA-Z0-9-]+$/, "niceId can only contain letters, numbers, and dashes").optional(),
        subdomain: subdomainSchema.nullable().optional(),
        ssl: z.boolean().optional(),
        sso: z.boolean().optional(),
--- a/server/routers/site/createSite.ts
+++ b/server/routers/site/createSite.ts
@@ -6,7 +6,7 @@ import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
-import { eq, and } from "drizzle-orm";
+import { eq, and, count } from "drizzle-orm";
 import { getUniqueSiteName } from "../../db/names";
 import { addPeer } from "../gerbil/peers";
 import { fromError } from "zod-validation-error";
@@ -288,7 +288,6 @@ export async function createSite(
        const niceId = await getUniqueSiteName(orgId);

        let newSite: Site | undefined;
-        let numSites: Site[] | undefined;
        await db.transaction(async (trx) => {
            if (type == "newt") {
                [newSite] = await trx
@@ -443,20 +442,9 @@ export async function createSite(
                });
            }

-            numSites = await trx
-                .select()
-                .from(sites)
-                .where(eq(sites.orgId, orgId));
+            await usageService.add(orgId, FeatureId.SITES, 1, trx);
        });

-        if (numSites) {
-            await usageService.updateCount(
-                orgId,
-                FeatureId.SITES,
-                numSites.length
-            );
-        }
-
        if (!newSite) {
            return next(
                createHttpError(
--- a/server/routers/site/deleteSite.ts
+++ b/server/routers/site/deleteSite.ts
@@ -64,7 +64,6 @@ export async function deleteSite(
        }

        let deletedNewtId: string | null = null;
-        let numSites: Site[] | undefined;

        await db.transaction(async (trx) => {
            if (site.type == "wireguard") {
@@ -101,21 +100,9 @@ export async function deleteSite(
                }
            }

-            await trx.delete(sites).where(eq(sites.siteId, siteId));
-
-            numSites = await trx
-                .select()
-                .from(sites)
-                .where(eq(sites.orgId, site.orgId));
+            await usageService.add(site.orgId, FeatureId.SITES, -1, trx);
        });

-        if (numSites) {
-            await usageService.updateCount(
-                site.orgId,
-                FeatureId.SITES,
-                numSites.length
-            );
-        }
        // Send termination message outside of transaction to prevent blocking
        if (deletedNewtId) {
            const payload = {
--- a/server/routers/site/listSites.ts
+++ b/server/routers/site/listSites.ts
@@ -1,17 +1,25 @@
-import { db, exitNodes, newts } from "@server/db";
-import { orgs, roleSites, sites, userSites } from "@server/db";
-import { remoteExitNodes } from "@server/db";
-import logger from "@server/logger";
-import HttpCode from "@server/types/HttpCode";
+import {
+    db,
+    exitNodes,
+    newts,
+    orgs,
+    remoteExitNodes,
+    roleSites,
+    sites,
+    userSites
+} from "@server/db";
+import cache from "@server/lib/cache";
 import response from "@server/lib/response";
-import { and, count, eq, inArray, or, sql } from "drizzle-orm";
+import logger from "@server/logger";
+import { OpenAPITags, registry } from "@server/openApi";
+import HttpCode from "@server/types/HttpCode";
+import type { PaginatedResponse } from "@server/types/Pagination";
+import { and, asc, desc, eq, inArray, like, or, sql } from "drizzle-orm";
 import { NextFunction, Request, Response } from "express";
 import createHttpError from "http-errors";
+import semver from "semver";
 import { z } from "zod";
 import { fromError } from "zod-validation-error";
-import { OpenAPITags, registry } from "@server/openApi";
-import semver from "semver";
-import cache from "@server/lib/cache";

 async function getLatestNewtVersion(): Promise<string | null> {
    try {
@@ -74,21 +82,63 @@ const listSitesParamsSchema = z.strictObject({
 });

 const listSitesSchema = z.object({
-    limit: z
-        .string()
+    pageSize: z.coerce
+        .number<string>() // for prettier formatting
+        .int()
+        .positive()
        .optional()
-        .default("1000")
-        .transform(Number)
-        .pipe(z.int().positive()),
-    offset: z
-        .string()
+        .catch(20)
+        .default(20)
+        .openapi({
+            type: "integer",
+            default: 20,
+            description: "Number of items per page"
+        }),
+    page: z.coerce
+        .number<string>() // for prettier formatting
+        .int()
+        .min(0)
        .optional()
-        .default("0")
-        .transform(Number)
-        .pipe(z.int().nonnegative())
+        .catch(1)
+        .default(1)
+        .openapi({
+            type: "integer",
+            default: 1,
+            description: "Page number to retrieve"
+        }),
+    query: z.string().optional(),
+    sort_by: z
+        .enum(["megabytesIn", "megabytesOut"])
+        .optional()
+        .catch(undefined)
+        .openapi({
+            type: "string",
+            enum: ["megabytesIn", "megabytesOut"],
+            description: "Field to sort by"
+        }),
+    order: z
+        .enum(["asc", "desc"])
+        .optional()
+        .default("asc")
+        .catch("asc")
+        .openapi({
+            type: "string",
+            enum: ["asc", "desc"],
+            default: "asc",
+            description: "Sort order"
+        }),
+    online: z
+        .enum(["true", "false"])
+        .transform((v) => v === "true")
+        .optional()
+        .catch(undefined)
+        .openapi({
+            type: "boolean",
+            description: "Filter by online status"
+        })
 });

-function querySites(orgId: string, accessibleSiteIds: number[]) {
+function querySitesBase() {
    return db
        .select({
            siteId: sites.siteId,
@@ -115,23 +165,16 @@ function querySites(orgId: string, accessibleSiteIds: number[]) {
        .leftJoin(
            remoteExitNodes,
            eq(remoteExitNodes.exitNodeId, sites.exitNodeId)
-        )
-        .where(
-            and(
-                inArray(sites.siteId, accessibleSiteIds),
-                eq(sites.orgId, orgId)
-            )
        );
 }

-type SiteWithUpdateAvailable = Awaited<ReturnType<typeof querySites>>[0] & {
+type SiteWithUpdateAvailable = Awaited<ReturnType<typeof querySitesBase>>[0] & {
    newtUpdateAvailable?: boolean;
 };

-export type ListSitesResponse = {
+export type ListSitesResponse = PaginatedResponse<{
    sites: SiteWithUpdateAvailable[];
-    pagination: { total: number; limit: number; offset: number };
-};
+}>;

 registry.registerPath({
    method: "get",
@@ -160,7 +203,6 @@ export async function listSites(
                )
            );
        }
-        const { limit, offset } = parsedQuery.data;

        const parsedParams = listSitesParamsSchema.safeParse(req.params);
        if (!parsedParams.success) {
@@ -203,34 +245,67 @@ export async function listSites(
                .where(eq(sites.orgId, orgId));
        }

-        const accessibleSiteIds = accessibleSites.map((site) => site.siteId);
-        const baseQuery = querySites(orgId, accessibleSiteIds);
+        const { pageSize, page, query, sort_by, order, online } =
+            parsedQuery.data;

-        const countQuery = db
-            .select({ count: count() })
-            .from(sites)
-            .where(
-                and(
-                    inArray(sites.siteId, accessibleSiteIds),
-                    eq(sites.orgId, orgId)
+        const accessibleSiteIds = accessibleSites.map((site) => site.siteId);
+
+        const conditions = [
+            and(
+                inArray(sites.siteId, accessibleSiteIds),
+                eq(sites.orgId, orgId)
+            )
+        ];
+        if (query) {
+            conditions.push(
+                or(
+                    like(
+                        sql`LOWER(${sites.name})`,
+                        "%" + query.toLowerCase() + "%"
+                    ),
+                    like(
+                        sql`LOWER(${sites.niceId})`,
+                        "%" + query.toLowerCase() + "%"
+                    )
                )
            );
+        }
+        if (typeof online !== "undefined") {
+            conditions.push(eq(sites.online, online));
+        }

-        const sitesList = await baseQuery.limit(limit).offset(offset);
-        const totalCountResult = await countQuery;
-        const totalCount = totalCountResult[0].count;
+        const baseQuery = querySitesBase().where(and(...conditions));
+
+        // we need to add `as` so that drizzle filters the result as a subquery
+        const countQuery = db.$count(
+            querySitesBase().where(and(...conditions))
+        );
+
+        const siteListQuery = baseQuery
+            .limit(pageSize)
+            .offset(pageSize * (page - 1))
+            .orderBy(
+                sort_by
+                    ? order === "asc"
+                        ? asc(sites[sort_by])
+                        : desc(sites[sort_by])
+                    : asc(sites.siteId)
+            );
+
+        const [totalCount, rows] = await Promise.all([
+            countQuery,
+            siteListQuery
+        ]);

        // Get latest version asynchronously without blocking the response
        const latestNewtVersionPromise = getLatestNewtVersion();

-        const sitesWithUpdates: SiteWithUpdateAvailable[] = sitesList.map(
-            (site) => {
-                const siteWithUpdate: SiteWithUpdateAvailable = { ...site };
-                // Initially set to false, will be updated if version check succeeds
-                siteWithUpdate.newtUpdateAvailable = false;
-                return siteWithUpdate;
-            }
-        );
+        const sitesWithUpdates: SiteWithUpdateAvailable[] = rows.map((site) => {
+            const siteWithUpdate: SiteWithUpdateAvailable = { ...site };
+            // Initially set to false, will be updated if version check succeeds
+            siteWithUpdate.newtUpdateAvailable = false;
+            return siteWithUpdate;
+        });

        // Try to get the latest version, but don't block if it fails
        try {
@@ -267,8 +342,8 @@ export async function listSites(
                sites: sitesWithUpdates,
                pagination: {
                    total: totalCount,
-                    limit,
-                    offset
+                    pageSize,
+                    page
                }
            },
            success: true,
--- a/server/routers/siteResource/createSiteResource.ts
+++ b/server/routers/siteResource/createSiteResource.ts
@@ -284,7 +284,7 @@ export async function createSiteResource(
                    niceId,
                    orgId,
                    name,
-                    mode,
+                    mode: mode as "host" | "cidr",
                    // protocol: mode === "port" ? protocol : null,
                    // proxyPort: mode === "port" ? proxyPort : null,
                    // destinationPort: mode === "port" ? destinationPort : null,
--- a/server/routers/siteResource/listAllSiteResourcesByOrg.ts
+++ b/server/routers/siteResource/listAllSiteResourcesByOrg.ts
@@ -1,41 +1,90 @@
-import { Request, Response, NextFunction } from "express";
-import { z } from "zod";
-import { db } from "@server/db";
-import { siteResources, sites, SiteResource } from "@server/db";
+import { db, SiteResource, siteResources, sites } from "@server/db";
 import response from "@server/lib/response";
-import HttpCode from "@server/types/HttpCode";
-import createHttpError from "http-errors";
-import { eq, and } from "drizzle-orm";
-import { fromError } from "zod-validation-error";
 import logger from "@server/logger";
 import { OpenAPITags, registry } from "@server/openApi";
+import HttpCode from "@server/types/HttpCode";
+import type { PaginatedResponse } from "@server/types/Pagination";
+import { and, asc, eq, like, or, sql } from "drizzle-orm";
+import { NextFunction, Request, Response } from "express";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";

 const listAllSiteResourcesByOrgParamsSchema = z.strictObject({
    orgId: z.string()
 });

 const listAllSiteResourcesByOrgQuerySchema = z.object({
-    limit: z
-        .string()
+    pageSize: z.coerce
+        .number<string>() // for prettier formatting
+        .int()
+        .positive()
        .optional()
-        .default("1000")
-        .transform(Number)
-        .pipe(z.int().positive()),
-    offset: z
-        .string()
+        .catch(20)
+        .default(20)
+        .openapi({
+            type: "integer",
+            default: 20,
+            description: "Number of items per page"
+        }),
+    page: z.coerce
+        .number<string>() // for prettier formatting
+        .int()
+        .min(0)
        .optional()
-        .default("0")
-        .transform(Number)
-        .pipe(z.int().nonnegative())
+        .catch(1)
+        .default(1)
+        .openapi({
+            type: "integer",
+            default: 1,
+            description: "Page number to retrieve"
+        }),
+    query: z.string().optional(),
+    mode: z
+        .enum(["host", "cidr"])
+        .optional()
+        .catch(undefined)
+        .openapi({
+            type: "string",
+            enum: ["host", "cidr"],
+            description: "Filter site resources by mode"
+        })
 });

-export type ListAllSiteResourcesByOrgResponse = {
+export type ListAllSiteResourcesByOrgResponse = PaginatedResponse<{
    siteResources: (SiteResource & {
        siteName: string;
        siteNiceId: string;
        siteAddress: string | null;
    })[];
-};
+}>;
+
+function querySiteResourcesBase() {
+    return db
+        .select({
+            siteResourceId: siteResources.siteResourceId,
+            siteId: siteResources.siteId,
+            orgId: siteResources.orgId,
+            niceId: siteResources.niceId,
+            name: siteResources.name,
+            mode: siteResources.mode,
+            protocol: siteResources.protocol,
+            proxyPort: siteResources.proxyPort,
+            destinationPort: siteResources.destinationPort,
+            destination: siteResources.destination,
+            enabled: siteResources.enabled,
+            alias: siteResources.alias,
+            aliasAddress: siteResources.aliasAddress,
+            tcpPortRangeString: siteResources.tcpPortRangeString,
+            udpPortRangeString: siteResources.udpPortRangeString,
+            disableIcmp: siteResources.disableIcmp,
+            siteName: sites.name,
+            siteNiceId: sites.niceId,
+            siteAddress: sites.address
+        })
+        .from(siteResources)
+        .innerJoin(sites, eq(siteResources.siteId, sites.siteId));
+}

 registry.registerPath({
    method: "get",
@@ -80,39 +129,67 @@ export async function listAllSiteResourcesByOrg(
        }

        const { orgId } = parsedParams.data;
-        const { limit, offset } = parsedQuery.data;
+        const { page, pageSize, query, mode } = parsedQuery.data;

-        // Get all site resources for the org with site names
-        const siteResourcesList = await db
-            .select({
-                siteResourceId: siteResources.siteResourceId,
-                siteId: siteResources.siteId,
-                orgId: siteResources.orgId,
-                niceId: siteResources.niceId,
-                name: siteResources.name,
-                mode: siteResources.mode,
-                protocol: siteResources.protocol,
-                proxyPort: siteResources.proxyPort,
-                destinationPort: siteResources.destinationPort,
-                destination: siteResources.destination,
-                enabled: siteResources.enabled,
-                alias: siteResources.alias,
-                aliasAddress: siteResources.aliasAddress,
-                tcpPortRangeString: siteResources.tcpPortRangeString,
-                udpPortRangeString: siteResources.udpPortRangeString,
-                disableIcmp: siteResources.disableIcmp,
-                siteName: sites.name,
-                siteNiceId: sites.niceId,
-                siteAddress: sites.address
-            })
-            .from(siteResources)
-            .innerJoin(sites, eq(siteResources.siteId, sites.siteId))
-            .where(eq(siteResources.orgId, orgId))
-            .limit(limit)
-            .offset(offset);
+        const conditions = [and(eq(siteResources.orgId, orgId))];
+        if (query) {
+            conditions.push(
+                or(
+                    like(
+                        sql`LOWER(${siteResources.name})`,
+                        "%" + query.toLowerCase() + "%"
+                    ),
+                    like(
+                        sql`LOWER(${siteResources.niceId})`,
+                        "%" + query.toLowerCase() + "%"
+                    ),
+                    like(
+                        sql`LOWER(${siteResources.destination})`,
+                        "%" + query.toLowerCase() + "%"
+                    ),
+                    like(
+                        sql`LOWER(${siteResources.alias})`,
+                        "%" + query.toLowerCase() + "%"
+                    ),
+                    like(
+                        sql`LOWER(${siteResources.aliasAddress})`,
+                        "%" + query.toLowerCase() + "%"
+                    ),
+                    like(
+                        sql`LOWER(${sites.name})`,
+                        "%" + query.toLowerCase() + "%"
+                    )
+                )
+            );
+        }

-        return response(res, {
-            data: { siteResources: siteResourcesList },
+        if (mode) {
+            conditions.push(eq(siteResources.mode, mode));
+        }
+
+        const baseQuery = querySiteResourcesBase().where(and(...conditions));
+
+        const countQuery = db.$count(
+            querySiteResourcesBase().where(and(...conditions))
+        );
+
+        const [siteResourcesList, totalCount] = await Promise.all([
+            baseQuery
+                .limit(pageSize)
+                .offset(pageSize * (page - 1))
+                .orderBy(asc(siteResources.siteResourceId)),
+            countQuery
+        ]);
+
+        return response<ListAllSiteResourcesByOrgResponse>(res, {
+            data: {
+                siteResources: siteResourcesList,
+                pagination: {
+                    total: totalCount,
+                    pageSize,
+                    page
+                }
+            },
            success: true,
            error: false,
            message: "Site resources retrieved successfully",
--- a/server/routers/siteResource/updateSiteResource.ts
+++ b/server/routers/siteResource/updateSiteResource.ts
@@ -41,6 +41,7 @@ const updateSiteResourceSchema = z
    .strictObject({
        name: z.string().min(1).max(255).optional(),
        siteId: z.int(),
+        // niceId: z.string().min(1).max(255).regex(/^[a-zA-Z0-9-]+$/, "niceId can only contain letters, numbers, and dashes").optional(),
        // mode: z.enum(["host", "cidr", "port"]).optional(),
        mode: z.enum(["host", "cidr"]).optional(),
        // protocol: z.enum(["tcp", "udp"]).nullish(),
--- a/server/routers/target/handleHealthcheckStatusMessage.ts
+++ b/server/routers/target/handleHealthcheckStatusMessage.ts
@@ -105,7 +105,10 @@ export const handleHealthcheckStatusMessage: MessageHandler = async (
            await db
                .update(targetHealthCheck)
                .set({
-                    hcHealth: healthStatus.status
+                    hcHealth: healthStatus.status as
+                        | "unknown"
+                        | "healthy"
+                        | "unhealthy"
                })
                .where(eq(targetHealthCheck.targetId, targetIdNum))
                .execute();
--- a/server/routers/user/acceptInvite.ts
+++ b/server/routers/user/acceptInvite.ts
@@ -1,8 +1,8 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, UserOrg } from "@server/db";
+import { db, orgs, UserOrg } from "@server/db";
 import { roles, userInvites, userOrgs, users } from "@server/db";
-import { eq } from "drizzle-orm";
+import { eq, and, inArray, ne } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -14,6 +14,7 @@ import { usageService } from "@server/lib/billing/usageService";
 import { FeatureId } from "@server/lib/billing";
 import { calculateUserClientsForOrgs } from "@server/lib/calculateUserClientsForOrgs";
 import { build } from "@server/build";
+import { assignUserToOrg } from "@server/lib/userOrg";

 const acceptInviteBodySchema = z.strictObject({
    token: z.string(),
@@ -125,8 +126,22 @@ export async function acceptInvite(
            }
        }

+        const [org] = await db
+            .select()
+            .from(orgs)
+            .where(eq(orgs.orgId, existingInvite.orgId))
+            .limit(1);
+
+        if (!org) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Organization does not exist. Please contact an admin."
+                )
+            );
+        }
+
        let roleId: number;
-        let totalUsers: UserOrg[] | undefined;
        // get the role to make sure it exists
        const existingRole = await db
            .select()
@@ -146,12 +161,15 @@ export async function acceptInvite(
        }

        await db.transaction(async (trx) => {
-            // add the user to the org
-            await trx.insert(userOrgs).values({
-                userId: existingUser[0].userId,
-                orgId: existingInvite.orgId,
-                roleId: existingInvite.roleId
-            });
+            await assignUserToOrg(
+                org,
+                {
+                    userId: existingUser[0].userId,
+                    orgId: existingInvite.orgId,
+                    roleId: existingInvite.roleId
+                },
+                trx
+            );

            // delete the invite
            await trx
@@ -160,25 +178,11 @@ export async function acceptInvite(

            await calculateUserClientsForOrgs(existingUser[0].userId, trx);

-            // Get the total number of users in the org now
-            totalUsers = await trx
-                .select()
-                .from(userOrgs)
-                .where(eq(userOrgs.orgId, existingInvite.orgId));
-
            logger.debug(
-                `User ${existingUser[0].userId} accepted invite to org ${existingInvite.orgId}. Total users in org: ${totalUsers.length}`
+                `User ${existingUser[0].userId} accepted invite to org ${existingInvite.orgId}`
            );
        });

-        if (totalUsers) {
-            await usageService.updateCount(
-                existingInvite.orgId,
-                FeatureId.USERS,
-                totalUsers.length
-            );
-        }
-
        return response<AcceptInviteResponse>(res, {
            data: { accepted: true, orgId: existingInvite.orgId },
            success: true,
--- a/server/routers/user/createOrgUser.ts
+++ b/server/routers/user/createOrgUser.ts
@@ -6,8 +6,8 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { db, UserOrg } from "@server/db";
-import { and, eq } from "drizzle-orm";
+import { db, orgs, UserOrg } from "@server/db";
+import { and, eq, inArray, ne } from "drizzle-orm";
 import { idp, idpOidcConfig, roles, userOrgs, users } from "@server/db";
 import { generateId } from "@server/auth/sessions/app";
 import { usageService } from "@server/lib/billing/usageService";
@@ -16,6 +16,7 @@ import { build } from "@server/build";
 import { calculateUserClientsForOrgs } from "@server/lib/calculateUserClientsForOrgs";
 import { isSubscribed } from "#dynamic/lib/isSubscribed";
 import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import { assignUserToOrg } from "@server/lib/userOrg";

 const paramsSchema = z.strictObject({
    orgId: z.string().nonempty()
@@ -151,6 +152,21 @@ export async function createOrgUser(
                );
            }

+            const [org] = await db
+                .select()
+                .from(orgs)
+                .where(eq(orgs.orgId, orgId))
+                .limit(1);
+
+            if (!org) {
+                return next(
+                    createHttpError(
+                        HttpCode.NOT_FOUND,
+                        "Organization not found"
+                    )
+                );
+            }
+
            const [idpRes] = await db
                .select()
                .from(idp)
@@ -172,8 +188,6 @@ export async function createOrgUser(
                );
            }

-            let orgUsers: UserOrg[] | undefined;
-
            await db.transaction(async (trx) => {
                const [existingUser] = await trx
                    .select()
@@ -207,15 +221,12 @@ export async function createOrgUser(
                        );
                    }

-                    await trx
-                        .insert(userOrgs)
-                        .values({
-                            orgId,
-                            userId: existingUser.userId,
-                            roleId: role.roleId,
-                            autoProvisioned: false
-                        })
-                        .returning();
+                    await assignUserToOrg(org, {
+                        orgId,
+                        userId: existingUser.userId,
+                        roleId: role.roleId,
+                        autoProvisioned: false
+                    }, trx);
                } else {
                    userId = generateId(15);

@@ -233,33 +244,16 @@ export async function createOrgUser(
                        })
                        .returning();

-                    await trx
-                        .insert(userOrgs)
-                        .values({
+                        await assignUserToOrg(org, {
                            orgId,
                            userId: newUser.userId,
                            roleId: role.roleId,
                            autoProvisioned: false
-                        })
-                        .returning();
+                        }, trx);
                }

-                // List all of the users in the org
-                orgUsers = await trx
-                    .select()
-                    .from(userOrgs)
-                    .where(eq(userOrgs.orgId, orgId));
-
                await calculateUserClientsForOrgs(userId, trx);
            });
-
-            if (orgUsers) {
-                await usageService.updateCount(
-                    orgId,
-                    FeatureId.USERS,
-                    orgUsers.length
-                );
-            }
        } else {
            return next(
                createHttpError(HttpCode.BAD_REQUEST, "User type is required")
--- a/server/routers/user/removeUserOrg.ts
+++ b/server/routers/user/removeUserOrg.ts
@@ -1,8 +1,16 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, resources, sites, UserOrg } from "@server/db";
+import {
+    db,
+    orgs,
+    resources,
+    siteResources,
+    sites,
+    UserOrg,
+    userSiteResources
+} from "@server/db";
 import { userOrgs, userResources, users, userSites } from "@server/db";
-import { and, count, eq, exists } from "drizzle-orm";
+import { and, count, eq, exists, inArray } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -14,6 +22,7 @@ import { FeatureId } from "@server/lib/billing";
 import { build } from "@server/build";
 import { UserType } from "@server/types/UserTypes";
 import { calculateUserClientsForOrgs } from "@server/lib/calculateUserClientsForOrgs";
+import { removeUserFromOrg } from "@server/lib/userOrg";

 const removeUserSchema = z.strictObject({
    userId: z.string(),
@@ -50,16 +59,16 @@ export async function removeUserOrg(
        const { userId, orgId } = parsedParams.data;

        // get the user first
-        const user = await db
+        const [user] = await db
            .select()
            .from(userOrgs)
            .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)));

-        if (!user || user.length === 0) {
+        if (!user) {
            return next(createHttpError(HttpCode.NOT_FOUND, "User not found"));
        }

-        if (user[0].isOwner) {
+        if (user.isOwner) {
            return next(
                createHttpError(
                    HttpCode.BAD_REQUEST,
@@ -68,56 +77,20 @@ export async function removeUserOrg(
            );
        }

-        let userCount: UserOrg[] | undefined;
+        const [org] = await db
+            .select()
+            .from(orgs)
+            .where(eq(orgs.orgId, orgId))
+            .limit(1);
+
+        if (!org) {
+            return next(
+                createHttpError(HttpCode.NOT_FOUND, "Organization not found")
+            );
+        }

        await db.transaction(async (trx) => {
-            await trx
-                .delete(userOrgs)
-                .where(
-                    and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId))
-                );
-
-            await db.delete(userResources).where(
-                and(
-                    eq(userResources.userId, userId),
-                    exists(
-                        db
-                            .select()
-                            .from(resources)
-                            .where(
-                                and(
-                                    eq(
-                                        resources.resourceId,
-                                        userResources.resourceId
-                                    ),
-                                    eq(resources.orgId, orgId)
-                                )
-                            )
-                    )
-                )
-            );
-
-            await db.delete(userSites).where(
-                and(
-                    eq(userSites.userId, userId),
-                    exists(
-                        db
-                            .select()
-                            .from(sites)
-                            .where(
-                                and(
-                                    eq(sites.siteId, userSites.siteId),
-                                    eq(sites.orgId, orgId)
-                                )
-                            )
-                    )
-                )
-            );
-
-            userCount = await trx
-                .select()
-                .from(userOrgs)
-                .where(eq(userOrgs.orgId, orgId));
+            await removeUserFromOrg(org, userId, trx);

            // if (build === "saas") {
            //     const [rootUser] = await trx
@@ -139,14 +112,6 @@ export async function removeUserOrg(
            await calculateUserClientsForOrgs(userId, trx);
        });

-        if (userCount) {
-            await usageService.updateCount(
-                orgId,
-                FeatureId.USERS,
-                userCount.length
-            );
-        }
-
        return response(res, {
            data: null,
            success: true,
--- a/server/routers/ws/checkRoundTripMessage.ts
+++ b/server/routers/ws/checkRoundTripMessage.ts
@@ -0,0 +1,85 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { db, roundTripMessageTracker } from "@server/db";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { eq } from "drizzle-orm";
+import { OpenAPITags, registry } from "@server/openApi";
+
+const checkRoundTripMessageParamsSchema = z
+    .object({
+        messageId: z
+            .string()
+            .transform(Number)
+            .pipe(z.number().int().positive())
+    })
+    .strict();
+
+// registry.registerPath({
+//     method: "get",
+//     path: "/ws/round-trip-message/{messageId}",
+//     description:
+//         "Check if a round trip message has been completed by checking the roundTripMessageTracker table",
+//     tags: [OpenAPITags.WebSocket],
+//     request: {
+//         params: checkRoundTripMessageParamsSchema
+//     },
+//     responses: {}
+// });
+
+export async function checkRoundTripMessage(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = checkRoundTripMessageParamsSchema.safeParse(
+            req.params
+        );
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const { messageId } = parsedParams.data;
+
+        // Get the round trip message from the tracker
+        const [message] = await db
+            .select()
+            .from(roundTripMessageTracker)
+            .where(eq(roundTripMessageTracker.messageId, messageId))
+            .limit(1);
+
+        if (!message) {
+            return next(
+                createHttpError(HttpCode.NOT_FOUND, "Message not found")
+            );
+        }
+
+        return response(res, {
+            data: {
+                messageId: message.messageId,
+                complete: message.complete,
+                sentAt: message.sentAt,
+                receivedAt: message.receivedAt,
+                error: message.error,
+            },
+            success: true,
+            error: false,
+            message: "Round trip message status retrieved successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}
--- a/server/routers/ws/handleRoundTripMessage.ts
+++ b/server/routers/ws/handleRoundTripMessage.ts
@@ -0,0 +1,49 @@
+import { db, roundTripMessageTracker } from "@server/db";
+import { MessageHandler } from "@server/routers/ws";
+import { eq } from "drizzle-orm";
+import logger from "@server/logger";
+
+interface RoundTripCompleteMessage {
+    messageId: number;
+    complete: boolean;
+    error?: string;
+}
+
+export const handleRoundTripMessage: MessageHandler = async (
+    context
+) => {
+    const { message, client: c } = context;
+
+    logger.info("Handling round trip message");
+
+    const data = message.data as RoundTripCompleteMessage;
+
+    try {
+        const { messageId, complete, error } = data;
+
+        if (!messageId) {
+            logger.error("Round trip message missing messageId");
+            return;
+        }
+
+        // Update the roundTripMessageTracker with completion status
+        await db
+            .update(roundTripMessageTracker)
+            .set({
+                complete: complete,
+                receivedAt: Math.floor(Date.now() / 1000),
+                error: error || null
+            })
+            .where(eq(roundTripMessageTracker.messageId, messageId));
+
+        logger.info(`Round trip message ${messageId} marked as complete: ${complete}`);
+
+        if (error) {
+            logger.warn(`Round trip message ${messageId} completed with error: ${error}`);
+        }
+    } catch (error) {
+        logger.error("Error processing round trip message:", error);
+    }
+
+    return;
+};
--- a/server/routers/ws/index.ts
+++ b/server/routers/ws/index.ts
@@ -1,2 +1,3 @@
 export * from "./ws";
 export * from "./types";
+export * from "./checkRoundTripMessage";
--- a/server/routers/ws/messageHandlers.ts
+++ b/server/routers/ws/messageHandlers.ts
@@ -18,6 +18,7 @@ import {
    handleOlmDisconnecingMessage
 } from "../olm";
 import { handleHealthcheckStatusMessage } from "../target";
+import { handleRoundTripMessage } from "./handleRoundTripMessage";
 import { MessageHandler } from "./types";

 export const messageHandlers: Record<string, MessageHandler> = {
@@ -35,7 +36,8 @@ export const messageHandlers: Record<string, MessageHandler> = {
    "newt/socket/containers": handleDockerContainersMessage,
    "newt/ping/request": handleNewtPingRequestMessage,
    "newt/blueprint/apply": handleApplyBlueprintMessage,
-    "newt/healthcheck/status": handleHealthcheckStatusMessage
+    "newt/healthcheck/status": handleHealthcheckStatusMessage,
+    "ws/round-trip/complete": handleRoundTripMessage
 };

 startOlmOfflineChecker(); // this is to handle the offline check for olms
--- a/server/types/Pagination.ts
+++ b/server/types/Pagination.ts
@@ -0,0 +1,5 @@
+export type Pagination = { total: number; pageSize: number; page: number };
+
+export type PaginatedResponse<T> = T & {
+    pagination: Pagination;
+};
--- a/src/app/[orgId]/settings/(private)/billing/layout.tsx
+++ b/src/app/[orgId]/settings/(private)/billing/layout.tsx
@@ -6,6 +6,7 @@ import { redirect } from "next/navigation";
 import { getTranslations } from "next-intl/server";
 import { getCachedOrgUser } from "@app/lib/api/getCachedOrgUser";
 import { getCachedOrg } from "@app/lib/api/getCachedOrg";
+import { build } from "@server/build";

 type BillingSettingsProps = {
    children: React.ReactNode;
@@ -17,6 +18,9 @@ export default async function BillingSettingsPage({
    params
 }: BillingSettingsProps) {
    const { orgId } = await params;
+    if (build !== "saas") {
+        redirect(`/${orgId}/settings`);
+    }

    const user = await verifySession();

@@ -40,6 +44,10 @@ export default async function BillingSettingsPage({
        redirect(`/${orgId}`);
    }

+    if (!(org?.org?.isBillingOrg && orgUser?.isOwner)) {
+        redirect(`/${orgId}`);
+    }
+
    const t = await getTranslations();

    return (
--- a/src/app/[orgId]/settings/(private)/billing/page.tsx
+++ b/src/app/[orgId]/settings/(private)/billing/page.tsx
@@ -61,7 +61,7 @@ import {
 import { FeatureId } from "@server/lib/billing/features";

 // Plan tier definitions matching the mockup
-type PlanId = "starter" | "home" | "team" | "business" | "enterprise";
+type PlanId = "basic" | "home" | "team" | "business" | "enterprise";

 type PlanOption = {
    id: PlanId;
@@ -73,8 +73,8 @@ type PlanOption = {

 const planOptions: PlanOption[] = [
    {
-        id: "starter",
-        name: "Starter",
+        id: "basic",
+        name: "Basic",
        price: "Free",
        tierType: null
    },
@@ -109,38 +109,43 @@ const planOptions: PlanOption[] = [

 // Tier limits mapping derived from limit sets
 const tierLimits: Record<
-    Tier | "starter",
-    { users: number; sites: number; domains: number; remoteNodes: number }
+    Tier | "basic",
+    { users: number; sites: number; domains: number; remoteNodes: number; organizations: number }
 > = {
-    starter: {
+    basic: {
        users: freeLimitSet[FeatureId.USERS]?.value ?? 0,
        sites: freeLimitSet[FeatureId.SITES]?.value ?? 0,
        domains: freeLimitSet[FeatureId.DOMAINS]?.value ?? 0,
-        remoteNodes: freeLimitSet[FeatureId.REMOTE_EXIT_NODES]?.value ?? 0
+        remoteNodes: freeLimitSet[FeatureId.REMOTE_EXIT_NODES]?.value ?? 0,
+        organizations: freeLimitSet[FeatureId.ORGINIZATIONS]?.value ?? 0
    },
    tier1: {
        users: tier1LimitSet[FeatureId.USERS]?.value ?? 0,
        sites: tier1LimitSet[FeatureId.SITES]?.value ?? 0,
        domains: tier1LimitSet[FeatureId.DOMAINS]?.value ?? 0,
-        remoteNodes: tier1LimitSet[FeatureId.REMOTE_EXIT_NODES]?.value ?? 0
+        remoteNodes: tier1LimitSet[FeatureId.REMOTE_EXIT_NODES]?.value ?? 0,
+        organizations: tier1LimitSet[FeatureId.ORGINIZATIONS]?.value ?? 0
    },
    tier2: {
        users: tier2LimitSet[FeatureId.USERS]?.value ?? 0,
        sites: tier2LimitSet[FeatureId.SITES]?.value ?? 0,
        domains: tier2LimitSet[FeatureId.DOMAINS]?.value ?? 0,
-        remoteNodes: tier2LimitSet[FeatureId.REMOTE_EXIT_NODES]?.value ?? 0
+        remoteNodes: tier2LimitSet[FeatureId.REMOTE_EXIT_NODES]?.value ?? 0,
+        organizations: tier2LimitSet[FeatureId.ORGINIZATIONS]?.value ?? 0
    },
    tier3: {
        users: tier3LimitSet[FeatureId.USERS]?.value ?? 0,
        sites: tier3LimitSet[FeatureId.SITES]?.value ?? 0,
        domains: tier3LimitSet[FeatureId.DOMAINS]?.value ?? 0,
-        remoteNodes: tier3LimitSet[FeatureId.REMOTE_EXIT_NODES]?.value ?? 0
+        remoteNodes: tier3LimitSet[FeatureId.REMOTE_EXIT_NODES]?.value ?? 0,
+        organizations: tier3LimitSet[FeatureId.ORGINIZATIONS]?.value ?? 0
    },
    enterprise: {
        users: 0, // Custom for enterprise
        sites: 0, // Custom for enterprise
        domains: 0, // Custom for enterprise
-        remoteNodes: 0 // Custom for enterprise
+        remoteNodes: 0, // Custom for enterprise
+        organizations: 0 // Custom for enterprise
    }
 };

@@ -179,11 +184,12 @@ export default function BillingPage() {
    const SITES = "sites";
    const DOMAINS = "domains";
    const REMOTE_EXIT_NODES = "remoteExitNodes";
+    const ORGINIZATIONS = "organizations";

    // Confirmation dialog state
    const [showConfirmDialog, setShowConfirmDialog] = useState(false);
    const [pendingTier, setPendingTier] = useState<{
-        tier: Tier | "starter";
+        tier: Tier | "basic";
        action: "upgrade" | "downgrade";
        planName: string;
        price: string;
@@ -402,8 +408,8 @@ export default function BillingPage() {
            pendingTier.action === "upgrade" ||
            pendingTier.action === "downgrade"
        ) {
-            // If downgrading to starter (free tier), go to Stripe portal
-            if (pendingTier.tier === "starter") {
+            // If downgrading to basic (free tier), go to Stripe portal
+            if (pendingTier.tier === "basic") {
                handleModifySubscription();
            } else if (hasSubscription) {
                handleChangeTier(pendingTier.tier);
@@ -417,7 +423,7 @@ export default function BillingPage() {
    };

    const showTierConfirmation = (
-        tier: Tier | "starter",
+        tier: Tier | "basic",
        action: "upgrade" | "downgrade",
        planName: string,
        price: string
@@ -432,9 +438,9 @@ export default function BillingPage() {

    // Get current plan ID from tier
    const getCurrentPlanId = (): PlanId => {
-        if (!hasSubscription || !currentTier) return "starter";
+        if (!hasSubscription || !currentTier) return "basic";
        const plan = planOptions.find((p) => p.tierType === currentTier);
-        return plan?.id || "starter";
+        return plan?.id || "basic";
    };

    const currentPlanId = getCurrentPlanId();
@@ -451,8 +457,8 @@ export default function BillingPage() {
        }

        if (plan.id === currentPlanId) {
-            // If it's the starter plan (starter with no subscription), show as current but disabled
-            if (plan.id === "starter" && !hasSubscription) {
+            // If it's the basic plan (basic with no subscription), show as current but disabled
+            if (plan.id === "basic" && !hasSubscription) {
                return {
                    label: "Current Plan",
                    action: () => {},
@@ -484,10 +490,10 @@ export default function BillingPage() {
                            plan.name,
                            plan.price + (" " + plan.priceDetail || "")
                        );
-                    } else if (plan.id === "starter") {
-                        // Show confirmation for downgrading to starter (free tier)
+                    } else if (plan.id === "basic") {
+                        // Show confirmation for downgrading to basic (free tier)
                        showTierConfirmation(
-                            "starter",
+                            "basic",
                            "downgrade",
                            plan.name,
                            plan.price
@@ -566,7 +572,7 @@ export default function BillingPage() {
    };

    // Check if downgrading to a tier would violate current usage limits
-    const checkLimitViolations = (targetTier: Tier | "starter"): Array<{
+    const checkLimitViolations = (targetTier: Tier | "basic"): Array<{
        feature: string;
        currentUsage: number;
        newLimit: number;
@@ -619,6 +625,16 @@ export default function BillingPage() {
            });
        }

+        // Check organizations
+        const organizationsUsage = getUsageValue(ORGINIZATIONS);
+        if (limits.organizations > 0 && organizationsUsage > limits.organizations) {
+            violations.push({
+                feature: "Organizations",
+                currentUsage: organizationsUsage,
+                newLimit: limits.organizations
+            });
+        }
+
        return violations;
    };

@@ -855,6 +871,41 @@ export default function BillingPage() {
                                        )}
                                    </InfoSectionContent>
                                </InfoSection>
+                                <InfoSection>
+                                    <InfoSectionTitle className="flex items-center gap-1 text-xs">
+                                        {t("billingOrganizations") ||
+                                            "Organizations"}
+                                    </InfoSectionTitle>
+                                    <InfoSectionContent className="text-sm">
+                                        {isOverLimit(ORGINIZATIONS) ? (
+                                            <Tooltip>
+                                                <TooltipTrigger className="flex items-center gap-1">
+                                                    <AlertTriangle className="h-3 w-3 text-orange-400" />
+                                                    <span className={cn(
+                                                        "text-orange-600 dark:text-orange-400 font-medium"
+                                                    )}>
+                                                        {getLimitValue(ORGINIZATIONS) ??
+                                                            t("billingUnlimited") ??
+                                                            "∞"}{" "}
+                                                        {getLimitValue(ORGINIZATIONS) !==
+                                                            null && "organizations"}
+                                                    </span>
+                                                </TooltipTrigger>
+                                                <TooltipContent>
+                                                    <p>{t("billingUsageExceedsLimit", { current: getUsageValue(ORGINIZATIONS), limit: getLimitValue(ORGINIZATIONS) ?? 0 }) || `Current usage (${getUsageValue(ORGINIZATIONS)}) exceeds limit (${getLimitValue(ORGINIZATIONS)})`}</p>
+                                                </TooltipContent>
+                                            </Tooltip>
+                                        ) : (
+                                            <>
+                                                {getLimitValue(ORGINIZATIONS) ??
+                                                    t("billingUnlimited") ??
+                                                    "∞"}{" "}
+                                                {getLimitValue(ORGINIZATIONS) !==
+                                                    null && "organizations"}
+                                            </>
+                                        )}
+                                    </InfoSectionContent>
+                                </InfoSection>
                                <InfoSection>
                                    <InfoSectionTitle className="flex items-center gap-1 text-xs">
                                        {t("billingRemoteNodes") ||
--- a/src/app/[orgId]/settings/(private)/license/layout.tsx
+++ b/src/app/[orgId]/settings/(private)/license/layout.tsx
@@ -4,6 +4,8 @@ import { redirect } from "next/navigation";
 import { cache } from "react";
 import { getTranslations } from "next-intl/server";
 import { build } from "@server/build";
+import { getCachedOrgUser } from "@app/lib/api/getCachedOrgUser";
+import { getCachedOrg } from "@app/lib/api/getCachedOrg";

 type LicensesSettingsProps = {
    children: React.ReactNode;
@@ -27,6 +29,26 @@ export default async function LicensesSetingsLayoutProps({
        redirect(`/`);
    }

+    let orgUser = null;
+    try {
+        const res = await getCachedOrgUser(orgId, user.userId);
+        orgUser = res.data.data;
+    } catch {
+        redirect(`/${orgId}`);
+    }
+
+    let org = null;
+    try {
+        const res = await getCachedOrg(orgId);
+        org = res.data.data;
+    } catch {
+        redirect(`/${orgId}`);
+    }
+
+    if (!org?.org?.isBillingOrg || !orgUser?.isOwner) {
+        redirect(`/${orgId}`);
+    }
+
    const t = await getTranslations();

    return (
--- a/src/app/[orgId]/settings/clients/machine/page.tsx
+++ b/src/app/[orgId]/settings/clients/machine/page.tsx
@@ -7,10 +7,11 @@ import { authCookieHeader } from "@app/lib/api/cookies";
 import { ListClientsResponse } from "@server/routers/client";
 import { AxiosResponse } from "axios";
 import { getTranslations } from "next-intl/server";
+import type { Pagination } from "@server/types/Pagination";

 type ClientsPageProps = {
    params: Promise<{ orgId: string }>;
-    searchParams: Promise<{ view?: string }>;
+    searchParams: Promise<Record<string, string>>;
 };

 export const dynamic = "force-dynamic";
@@ -19,17 +20,25 @@ export default async function ClientsPage(props: ClientsPageProps) {
    const t = await getTranslations();

    const params = await props.params;
+    const searchParams = new URLSearchParams(await props.searchParams);

    let machineClients: ListClientsResponse["clients"] = [];
+    let pagination: Pagination = {
+        page: 1,
+        total: 0,
+        pageSize: 20
+    };

    try {
        const machineRes = await internal.get<
            AxiosResponse<ListClientsResponse>
        >(
-            `/org/${params.orgId}/clients?filter=machine`,
+            `/org/${params.orgId}/clients?${searchParams.toString()}`,
            await authCookieHeader()
        );
-        machineClients = machineRes.data.data.clients;
+        const responseData = machineRes.data.data;
+        machineClients = responseData.clients;
+        pagination = responseData.pagination;
    } catch (e) {}

    function formatSize(mb: number): string {
@@ -80,6 +89,11 @@ export default async function ClientsPage(props: ClientsPageProps) {
            <MachineClientsTable
                machineClients={machineClientRows}
                orgId={params.orgId}
+                rowCount={pagination.total}
+                pagination={{
+                    pageIndex: pagination.page - 1,
+                    pageSize: pagination.pageSize
+                }}
            />
        </>
    );
--- a/src/app/[orgId]/settings/clients/user/[niceId]/general/page.tsx
+++ b/src/app/[orgId]/settings/clients/user/[niceId]/general/page.tsx
@@ -602,7 +602,8 @@ export default function GeneralPage() {
                                                    )
                                                        ? formatPostureValue(
                                                              client.posture
-                                                                  .biometricsEnabled
+                                                                  .biometricsEnabled ===
+                                                                  true
                                                          )
                                                        : "-"}
                                                </InfoSectionContent>
@@ -622,7 +623,8 @@ export default function GeneralPage() {
                                                    )
                                                        ? formatPostureValue(
                                                              client.posture
-                                                                  .diskEncrypted
+                                                                  .diskEncrypted ===
+                                                                  true
                                                          )
                                                        : "-"}
                                                </InfoSectionContent>
@@ -642,7 +644,8 @@ export default function GeneralPage() {
                                                    )
                                                        ? formatPostureValue(
                                                              client.posture
-                                                                  .firewallEnabled
+                                                                  .firewallEnabled ===
+                                                                  true
                                                          )
                                                        : "-"}
                                                </InfoSectionContent>
@@ -663,7 +666,8 @@ export default function GeneralPage() {
                                                    )
                                                        ? formatPostureValue(
                                                              client.posture
-                                                                  .autoUpdatesEnabled
+                                                                  .autoUpdatesEnabled ===
+                                                                  true
                                                          )
                                                        : "-"}
                                                </InfoSectionContent>
@@ -683,7 +687,8 @@ export default function GeneralPage() {
                                                    )
                                                        ? formatPostureValue(
                                                              client.posture
-                                                                  .tpmAvailable
+                                                                  .tpmAvailable ===
+                                                                  true
                                                          )
                                                        : "-"}
                                                </InfoSectionContent>
@@ -707,7 +712,8 @@ export default function GeneralPage() {
                                                    )
                                                        ? formatPostureValue(
                                                              client.posture
-                                                                  .windowsAntivirusEnabled
+                                                                  .windowsAntivirusEnabled ===
+                                                                  true
                                                          )
                                                        : "-"}
                                                </InfoSectionContent>
@@ -727,7 +733,8 @@ export default function GeneralPage() {
                                                    )
                                                        ? formatPostureValue(
                                                              client.posture
-                                                                  .macosSipEnabled
+                                                                  .macosSipEnabled ===
+                                                                  true
                                                          )
                                                        : "-"}
                                                </InfoSectionContent>
@@ -751,7 +758,8 @@ export default function GeneralPage() {
                                                    )
                                                        ? formatPostureValue(
                                                              client.posture
-                                                                  .macosGatekeeperEnabled
+                                                                  .macosGatekeeperEnabled ===
+                                                                  true
                                                          )
                                                        : "-"}
                                                </InfoSectionContent>
@@ -775,7 +783,8 @@ export default function GeneralPage() {
                                                    )
                                                        ? formatPostureValue(
                                                              client.posture
-                                                                  .macosFirewallStealthMode
+                                                                  .macosFirewallStealthMode ===
+                                                                  true
                                                          )
                                                        : "-"}
                                                </InfoSectionContent>
@@ -796,7 +805,8 @@ export default function GeneralPage() {
                                                    )
                                                        ? formatPostureValue(
                                                              client.posture
-                                                                  .linuxAppArmorEnabled
+                                                                  .linuxAppArmorEnabled ===
+                                                                  true
                                                          )
                                                        : "-"}
                                                </InfoSectionContent>
@@ -817,7 +827,8 @@ export default function GeneralPage() {
                                                    )
                                                        ? formatPostureValue(
                                                              client.posture
-                                                                  .linuxSELinuxEnabled
+                                                                  .linuxSELinuxEnabled ===
+                                                                  true
                                                          )
                                                        : "-"}
                                                </InfoSectionContent>
--- a/src/app/[orgId]/settings/clients/user/page.tsx
+++ b/src/app/[orgId]/settings/clients/user/page.tsx
@@ -1,14 +1,16 @@
-import { internal } from "@app/lib/api";
-import { authCookieHeader } from "@app/lib/api/cookies";
-import { AxiosResponse } from "axios";
 import SettingsSectionTitle from "@app/components/SettingsSectionTitle";
-import { ListClientsResponse } from "@server/routers/client";
-import { getTranslations } from "next-intl/server";
 import type { ClientRow } from "@app/components/UserDevicesTable";
 import UserDevicesTable from "@app/components/UserDevicesTable";
+import { internal } from "@app/lib/api";
+import { authCookieHeader } from "@app/lib/api/cookies";
+import { type ListUserDevicesResponse } from "@server/routers/client";
+import type { Pagination } from "@server/types/Pagination";
+import { AxiosResponse } from "axios";
+import { getTranslations } from "next-intl/server";

 type ClientsPageProps = {
    params: Promise<{ orgId: string }>;
+    searchParams: Promise<Record<string, string>>;
 };

 export const dynamic = "force-dynamic";
@@ -17,15 +19,26 @@ export default async function ClientsPage(props: ClientsPageProps) {
    const t = await getTranslations();

    const params = await props.params;
+    const searchParams = new URLSearchParams(await props.searchParams);

-    let userClients: ListClientsResponse["clients"] = [];
+    let userClients: ListUserDevicesResponse["devices"] = [];
+
+    let pagination: Pagination = {
+        page: 1,
+        total: 0,
+        pageSize: 20
+    };

    try {
-        const userRes = await internal.get<AxiosResponse<ListClientsResponse>>(
-            `/org/${params.orgId}/clients?filter=user`,
+        const userRes = await internal.get<
+            AxiosResponse<ListUserDevicesResponse>
+        >(
+            `/org/${params.orgId}/user-devices?${searchParams.toString()}`,
            await authCookieHeader()
        );
-        userClients = userRes.data.data.clients;
+        const responseData = userRes.data.data;
+        userClients = responseData.devices;
+        pagination = responseData.pagination;
    } catch (e) {}

    function formatSize(mb: number): string {
@@ -39,31 +52,29 @@ export default async function ClientsPage(props: ClientsPageProps) {
    }

    const mapClientToRow = (
-        client: ListClientsResponse["clients"][0]
+        client: ListUserDevicesResponse["devices"][number]
    ): ClientRow => {
        // Build fingerprint object if any fingerprint data exists
        const hasFingerprintData =
-            (client as any).fingerprintPlatform ||
-            (client as any).fingerprintOsVersion ||
-            (client as any).fingerprintKernelVersion ||
-            (client as any).fingerprintArch ||
-            (client as any).fingerprintSerialNumber ||
-            (client as any).fingerprintUsername ||
-            (client as any).fingerprintHostname ||
-            (client as any).deviceModel;
+            client.fingerprintPlatform ||
+            client.fingerprintOsVersion ||
+            client.fingerprintKernelVersion ||
+            client.fingerprintArch ||
+            client.fingerprintSerialNumber ||
+            client.fingerprintUsername ||
+            client.fingerprintHostname ||
+            client.deviceModel;

        const fingerprint = hasFingerprintData
            ? {
-                  platform: (client as any).fingerprintPlatform || null,
-                  osVersion: (client as any).fingerprintOsVersion || null,
-                  kernelVersion:
-                      (client as any).fingerprintKernelVersion || null,
-                  arch: (client as any).fingerprintArch || null,
-                  deviceModel: (client as any).deviceModel || null,
-                  serialNumber:
-                      (client as any).fingerprintSerialNumber || null,
-                  username: (client as any).fingerprintUsername || null,
-                  hostname: (client as any).fingerprintHostname || null
+                  platform: client.fingerprintPlatform,
+                  osVersion: client.fingerprintOsVersion,
+                  kernelVersion: client.fingerprintKernelVersion,
+                  arch: client.fingerprintArch,
+                  deviceModel: client.deviceModel,
+                  serialNumber: client.fingerprintSerialNumber,
+                  username: client.fingerprintUsername,
+                  hostname: client.fingerprintHostname
              }
            : null;

@@ -71,19 +82,19 @@ export default async function ClientsPage(props: ClientsPageProps) {
            name: client.name,
            id: client.clientId,
            subnet: client.subnet.split("/")[0],
-            mbIn: formatSize(client.megabytesIn || 0),
-            mbOut: formatSize(client.megabytesOut || 0),
+            mbIn: formatSize(client.megabytesIn ?? 0),
+            mbOut: formatSize(client.megabytesOut ?? 0),
            orgId: params.orgId,
            online: client.online,
            olmVersion: client.olmVersion || undefined,
-            olmUpdateAvailable: client.olmUpdateAvailable || false,
+            olmUpdateAvailable: Boolean(client.olmUpdateAvailable),
            userId: client.userId,
            username: client.username,
            userEmail: client.userEmail,
            niceId: client.niceId,
            agent: client.agent,
-            archived: client.archived || false,
-            blocked: client.blocked || false,
+            archived: Boolean(client.archived),
+            blocked: Boolean(client.blocked),
            approvalState: client.approvalState,
            fingerprint
        };
@@ -101,6 +112,11 @@ export default async function ClientsPage(props: ClientsPageProps) {
            <UserDevicesTable
                userClients={userClientRows}
                orgId={params.orgId}
+                rowCount={pagination.total}
+                pagination={{
+                    pageIndex: pagination.page - 1,
+                    pageSize: pagination.pageSize
+                }}
            />
        </>
    );
--- a/src/app/[orgId]/settings/general/page.tsx
+++ b/src/app/[orgId]/settings/general/page.tsx
@@ -3,11 +3,7 @@ import ConfirmDeleteDialog from "@app/components/ConfirmDeleteDialog";
 import { Button } from "@app/components/ui/button";
 import { useOrgContext } from "@app/hooks/useOrgContext";
 import { toast } from "@app/hooks/useToast";
-import {
-    useState,
-    useTransition,
-    useActionState
-} from "react";
+import { useState, useTransition, useActionState } from "react";
 import {
    Form,
    FormControl,
@@ -54,7 +50,7 @@ export default function GeneralPage() {
    return (
        <SettingsContainer>
            <GeneralSectionForm org={org.org} />
-            {build !== "saas" && <DeleteForm org={org.org} />}
+            {!org.org.isBillingOrg && <DeleteForm org={org.org} />}
        </SettingsContainer>
    );
 }
--- a/src/app/[orgId]/settings/layout.tsx
+++ b/src/app/[orgId]/settings/layout.tsx
@@ -77,12 +77,16 @@ export default async function SettingsLayout(props: SettingsLayoutProps) {
        }
    } catch (e) {}

+    const primaryOrg = orgs.find((o) => o.orgId === params.orgId)?.isPrimaryOrg;
+
    return (
        <UserProvider user={user}>
            <Layout
                orgId={params.orgId}
                orgs={orgs}
-                navItems={orgNavSections(env)}
+                navItems={orgNavSections(env, {
+                    isPrimaryOrg: primaryOrg
+                })}
            >
                {children}
            </Layout>
--- a/src/app/[orgId]/settings/resources/client/page.tsx
+++ b/src/app/[orgId]/settings/resources/client/page.tsx
@@ -14,7 +14,7 @@ import { redirect } from "next/navigation";

 export interface ClientResourcesPageProps {
    params: Promise<{ orgId: string }>;
-    searchParams: Promise<{ view?: string }>;
+    searchParams: Promise<Record<string, string>>;
 }

 export default async function ClientResourcesPage(
@@ -22,22 +22,24 @@ export default async function ClientResourcesPage(
 ) {
    const params = await props.params;
    const t = await getTranslations();
-
-    let resources: ListResourcesResponse["resources"] = [];
-    try {
-        const res = await internal.get<AxiosResponse<ListResourcesResponse>>(
-            `/org/${params.orgId}/resources`,
-            await authCookieHeader()
-        );
-        resources = res.data.data.resources;
-    } catch (e) {}
+    const searchParams = new URLSearchParams(await props.searchParams);

    let siteResources: ListAllSiteResourcesByOrgResponse["siteResources"] = [];
+    let pagination: ListResourcesResponse["pagination"] = {
+        total: 0,
+        page: 1,
+        pageSize: 20
+    };
    try {
        const res = await internal.get<
            AxiosResponse<ListAllSiteResourcesByOrgResponse>
-        >(`/org/${params.orgId}/site-resources`, await authCookieHeader());
-        siteResources = res.data.data.siteResources;
+        >(
+            `/org/${params.orgId}/site-resources?${searchParams.toString()}`,
+            await authCookieHeader()
+        );
+        const responseData = res.data.data;
+        siteResources = responseData.siteResources;
+        pagination = responseData.pagination;
    } catch (e) {}

    let org = null;
@@ -89,9 +91,10 @@ export default async function ClientResourcesPage(
                <ClientResourcesTable
                    internalResources={internalResourceRows}
                    orgId={params.orgId}
-                    defaultSort={{
-                        id: "name",
-                        desc: false
+                    rowCount={pagination.total}
+                    pagination={{
+                        pageIndex: pagination.page - 1,
+                        pageSize: pagination.pageSize
                    }}
                />
            </OrgProvider>
--- a/src/app/[orgId]/settings/resources/proxy/page.tsx
+++ b/src/app/[orgId]/settings/resources/proxy/page.tsx
@@ -16,7 +16,7 @@ import { cache } from "react";

 export interface ProxyResourcesPageProps {
    params: Promise<{ orgId: string }>;
-    searchParams: Promise<{ view?: string }>;
+    searchParams: Promise<Record<string, string>>;
 }

 export default async function ProxyResourcesPage(
@@ -24,14 +24,22 @@ export default async function ProxyResourcesPage(
 ) {
    const params = await props.params;
    const t = await getTranslations();
+    const searchParams = new URLSearchParams(await props.searchParams);

    let resources: ListResourcesResponse["resources"] = [];
+    let pagination: ListResourcesResponse["pagination"] = {
+        total: 0,
+        page: 1,
+        pageSize: 20
+    };
    try {
        const res = await internal.get<AxiosResponse<ListResourcesResponse>>(
-            `/org/${params.orgId}/resources`,
+            `/org/${params.orgId}/resources?${searchParams.toString()}`,
            await authCookieHeader()
        );
-        resources = res.data.data.resources;
+        const responseData = res.data.data;
+        resources = responseData.resources;
+        pagination = responseData.pagination;
    } catch (e) {}

    let siteResources: ListAllSiteResourcesByOrgResponse["siteResources"] = [];
@@ -104,9 +112,10 @@ export default async function ProxyResourcesPage(
                <ProxyResourcesTable
                    resources={resourceRows}
                    orgId={params.orgId}
-                    defaultSort={{
-                        id: "name",
-                        desc: false
+                    rowCount={pagination.total}
+                    pagination={{
+                        pageIndex: pagination.page - 1,
+                        pageSize: pagination.pageSize
                    }}
                />
            </OrgProvider>
--- a/src/app/[orgId]/settings/sites/create/page.tsx
+++ b/src/app/[orgId]/settings/sites/create/page.tsx
@@ -63,7 +63,6 @@ import { QRCodeCanvas } from "qrcode.react";
 import { useTranslations } from "next-intl";
 import { build } from "@server/build";
 import { NewtSiteInstallCommands } from "@app/components/newt-install-commands";
-import { id } from "date-fns/locale";

 type SiteType = "newt" | "wireguard" | "local";

--- a/src/app/[orgId]/settings/sites/page.tsx
+++ b/src/app/[orgId]/settings/sites/page.tsx
@@ -9,19 +9,30 @@ import { getTranslations } from "next-intl/server";

 type SitesPageProps = {
    params: Promise<{ orgId: string }>;
+    searchParams: Promise<Record<string, string>>;
 };

 export const dynamic = "force-dynamic";

 export default async function SitesPage(props: SitesPageProps) {
    const params = await props.params;
+
+    const searchParams = new URLSearchParams(await props.searchParams);
+
    let sites: ListSitesResponse["sites"] = [];
+    let pagination: ListSitesResponse["pagination"] = {
+        total: 0,
+        page: 1,
+        pageSize: 20
+    };
    try {
        const res = await internal.get<AxiosResponse<ListSitesResponse>>(
-            `/org/${params.orgId}/sites`,
+            `/org/${params.orgId}/sites?${searchParams.toString()}`,
            await authCookieHeader()
        );
-        sites = res.data.data.sites;
+        const responseData = res.data.data;
+        sites = responseData.sites;
+        pagination = responseData.pagination;
    } catch (e) {}

    const t = await getTranslations();
@@ -60,8 +71,6 @@ export default async function SitesPage(props: SitesPageProps) {

    return (
        <>
-            {/* <SitesSplashCard /> */}
-
            <SettingsSectionTitle
                title={t("siteManageSites")}
                description={t("siteDescription")}
@@ -69,7 +78,15 @@ export default async function SitesPage(props: SitesPageProps) {

            <SitesBanner />

-            <SitesTable sites={siteRows} orgId={params.orgId} />
+            <SitesTable
+                sites={siteRows}
+                orgId={params.orgId}
+                rowCount={pagination.total}
+                pagination={{
+                    pageIndex: pagination.page - 1,
+                    pageSize: pagination.pageSize
+                }}
+            />
        </>
    );
 }
--- a/src/app/auth/delete-account/DeleteAccountClient.tsx
+++ b/src/app/auth/delete-account/DeleteAccountClient.tsx
@@ -0,0 +1,74 @@
+"use client";
+
+import { useState } from "react";
+import { useRouter } from "next/navigation";
+import { useTranslations } from "next-intl";
+import { Button } from "@app/components/ui/button";
+import DeleteAccountConfirmDialog from "@app/components/DeleteAccountConfirmDialog";
+import UserProfileCard from "@app/components/UserProfileCard";
+import { ArrowLeft } from "lucide-react";
+import { createApiClient } from "@app/lib/api";
+import { useEnvContext } from "@app/hooks/useEnvContext";
+import { toast } from "@app/hooks/useToast";
+import { formatAxiosError } from "@app/lib/api";
+
+type DeleteAccountClientProps = {
+    displayName: string;
+};
+
+export default function DeleteAccountClient({
+    displayName
+}: DeleteAccountClientProps) {
+    const router = useRouter();
+    const t = useTranslations();
+    const { env } = useEnvContext();
+    const api = createApiClient({ env });
+    const [isDialogOpen, setIsDialogOpen] = useState(false);
+
+    function handleUseDifferentAccount() {
+        api.post("/auth/logout")
+            .catch((e) => {
+                console.error(t("logoutError"), e);
+                toast({
+                    title: t("logoutError"),
+                    description: formatAxiosError(e, t("logoutError"))
+                });
+            })
+            .then(() => {
+                router.push(
+                    "/auth/login?internal_redirect=/auth/delete-account"
+                );
+                router.refresh();
+            });
+    }
+
+    return (
+        <div className="space-y-6">
+            <UserProfileCard
+                identifier={displayName}
+                description={t("signingAs")}
+                onUseDifferentAccount={handleUseDifferentAccount}
+                useDifferentAccountText={t("deviceLoginUseDifferentAccount")}
+            />
+            <p className="text-sm text-muted-foreground">
+                {t("deleteAccountDescription")}
+            </p>
+            <div className="flex items-center gap-2">
+                <Button variant="outline" onClick={() => router.back()}>
+                    <ArrowLeft className="mr-2 h-4 w-4" />
+                    {t("back")}
+                </Button>
+                <Button
+                    variant="destructive"
+                    onClick={() => setIsDialogOpen(true)}
+                >
+                    {t("deleteAccountButton")}
+                </Button>
+            </div>
+            <DeleteAccountConfirmDialog
+                open={isDialogOpen}
+                setOpen={setIsDialogOpen}
+            />
+        </div>
+    );
+}
--- a/src/app/auth/delete-account/page.tsx
+++ b/src/app/auth/delete-account/page.tsx
@@ -0,0 +1,28 @@
+import { verifySession } from "@app/lib/auth/verifySession";
+import { redirect } from "next/navigation";
+import { build } from "@server/build";
+import { cache } from "react";
+import DeleteAccountClient from "./DeleteAccountClient";
+import { getTranslations } from "next-intl/server";
+import { getUserDisplayName } from "@app/lib/getUserDisplayName";
+
+export const dynamic = "force-dynamic";
+
+export default async function DeleteAccountPage() {
+    const getUser = cache(verifySession);
+    const user = await getUser({ skipCheckVerifyEmail: true });
+
+    if (!user) {
+        redirect("/auth/login");
+    }
+
+    const t = await getTranslations();
+    const displayName = getUserDisplayName({ user });
+
+    return (
+        <div className="space-y-4">
+            <h1 className="text-xl font-semibold">{t("deleteAccount")}</h1>
+            <DeleteAccountClient displayName={displayName} />
+        </div>
+    );
+}
--- a/src/app/auth/signup/page.tsx
+++ b/src/app/auth/signup/page.tsx
@@ -15,6 +15,7 @@ export default async function Page(props: {
        redirect: string | undefined;
        email: string | undefined;
        fromSmartLogin: string | undefined;
+        skipVerificationEmail: string | undefined;
    }>;
 }) {
    const searchParams = await props.searchParams;
@@ -75,6 +76,10 @@ export default async function Page(props: {
                inviteId={inviteId}
                emailParam={searchParams.email}
                fromSmartLogin={searchParams.fromSmartLogin === "true"}
+                skipVerificationEmail={
+                    searchParams.skipVerificationEmail === "true" ||
+                    searchParams.skipVerificationEmail === "1"
+                }
            />

            <p className="text-center text-muted-foreground mt-4">
--- a/src/app/navigation.tsx
+++ b/src/app/navigation.tsx
@@ -31,6 +31,10 @@ export type SidebarNavSection = {
    items: SidebarNavItem[];
 };

+export type OrgNavSectionsOptions = {
+    isPrimaryOrg?: boolean;
+};
+
 // Merged from 'user-management-and-resources' branch
 export const orgLangingNavItems: SidebarNavItem[] = [
    {
@@ -40,7 +44,10 @@ export const orgLangingNavItems: SidebarNavItem[] = [
    }
 ];

-export const orgNavSections = (env?: Env): SidebarNavSection[] => [
+export const orgNavSections = (
+    env?: Env,
+    options?: OrgNavSectionsOptions
+): SidebarNavSection[] => [
    {
        heading: "sidebarGeneral",
        items: [
@@ -214,28 +221,28 @@ export const orgNavSections = (env?: Env): SidebarNavSection[] => [
                title: "sidebarSettings",
                href: "/{orgId}/settings/general",
                icon: <Settings className="size-4 flex-none" />
-            },
-
-            ...(build == "saas"
-                ? [
+            }
+        ]
+    },
+    ...(build == "saas" && options?.isPrimaryOrg
+        ? [
+              {
+                  heading: "sidebarBillingAndLicenses",
+                  items: [
                      {
                          title: "sidebarBilling",
                          href: "/{orgId}/settings/billing",
                          icon: <CreditCard className="size-4 flex-none" />
-                      }
-                  ]
-                : []),
-            ...(build == "saas"
-                ? [
+                      },
                      {
                          title: "sidebarEnterpriseLicenses",
                          href: "/{orgId}/settings/license",
                          icon: <TicketCheck className="size-4 flex-none" />
                      }
                  ]
-                : [])
-        ]
-    }
+              }
+          ]
+        : [])
 ];

 export const adminNavSections = (env?: Env): SidebarNavSection[] => [
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
miloschwartz	a2ed22bfcc	use add/remove helper functions in auto (de)provision	2026-02-17 17:50:41 -08:00
Owen	e370f8891a	Also update in the assign	2026-02-17 17:34:57 -08:00
miloschwartz	8a83e32c42	add send email verification opt out	2026-02-17 17:33:35 -08:00
Owen	831eb6325c	Centralize user functions	2026-02-17 17:31:41 -08:00
Owen	4d6240c987	Handle new usage tracking with multi org	2026-02-17 17:10:05 -08:00
miloschwartz	79cf7c84dc	support delete org and preserve path on switch	2026-02-17 16:45:15 -08:00
Owen	b71f582329	Use the billing org id when updating and checking usage	2026-02-17 15:09:42 -08:00
miloschwartz	b8c3cc751a	support creating multiple orgs in saas	2026-02-17 14:37:46 -08:00
Owen	d00262dc31	Send the right port and cert	2026-02-17 11:43:38 -08:00
Owen	3debc6c8d3	Add round trip tracking for any message	2026-02-16 20:29:55 -08:00
Owen	5092eb58fb	Ssh host should be the destination	2026-02-16 15:31:09 -08:00
Owen	f0b9240575	Accept resource as either niceId or alias	2026-02-16 15:29:23 -08:00
Owen	9cf59c409e	Initial sign endpoint working	2026-02-16 15:19:29 -08:00
Owen	bfd5aa30a7	Merge branch 'dev' of github.com:fosrl/pangolin into dev	2026-02-15 11:09:11 -08:00
Owen	9737170665	Merge branch 'Lokowitz-update-packages' into dev	2026-02-15 11:08:12 -08:00
Owen	922a040466	Merge branch 'update-packages' of github.com:Lokowitz/pangolin into Lokowitz-update-packages	2026-02-15 11:08:02 -08:00
miloschwartz	33f0782f3a	support delete account	2026-02-14 18:01:37 -08:00
Milo Schwartz	e6a5cef945	Merge pull request #2371 from Fredkiss3/refactor/paginated-tables feat: server side filtered, ordered & paginated tables	2026-02-14 11:43:01 -08:00
miloschwartz	4c8edb80b3	dont show table footer in client-side data-table	2026-02-14 11:40:59 -08:00
miloschwartz	d4668fae99	add openapi types	2026-02-14 11:25:00 -08:00
Fred KISSIE	ddfe55e3ae	♻️ add `niceId` to query filtering on most tables	2026-02-14 04:19:30 +01:00
Fred KISSIE	761a5f1d4c	♻️ use `like` & `LOWER(column)` for searching with query	2026-02-14 04:11:27 +01:00
Fred KISSIE	1fbcad8787	♻️ refactor	2026-02-14 04:06:11 +01:00
miloschwartz	aba586e605	change translation	2026-02-13 17:35:54 -08:00
Milo Schwartz	27b21b5ad4	Merge pull request #2359 from Fredkiss3/feat/logo-path-in-enterprise feat: Support file path in branding logo URL for enterprise	2026-02-13 17:16:33 -08:00
Milo Schwartz	b6e54dab17	Merge branch 'dev' into feat/logo-path-in-enterprise	2026-02-13 17:16:25 -08:00
miloschwartz	1f8e89772d	disable global idp routes if idp mode is org	2026-02-13 15:46:13 -08:00
Owen	be89e5ca55	Fix issue with auto provisioning being overriden	2026-02-13 14:56:56 -08:00
Lokowitz	5f3657fd56	update packages	2026-02-13 06:15:26 +00:00
Lokowitz	494162400e	Merge remote-tracking branch 'origin/dev' into update-packages	2026-02-13 06:12:24 +00:00
Fred KISSIE	ab65bb6a8a	Merge branch 'dev' into refactor/paginated-tables	2026-02-13 06:03:09 +01:00
miloschwartz	333625f199	rename starter in cloud to basic	2026-02-12 20:24:23 -08:00
Lokowitz	4e1e0cade1	upgrade package	2026-02-12 15:51:19 +00:00
Lokowitz	fda5904dac	Merge remote-tracking branch 'origin/dev' into update-packages	2026-02-12 15:47:29 +00:00
Fred KISSIE	6d1665004b	🏷️ fix type errors	2026-02-11 04:34:53 +01:00
Fred KISSIE	59b8119fbd	Merge branch 'dev' into refactor/paginated-tables	2026-02-11 04:12:40 +01:00
Fred KISSIE	45cd4df6e5	♻️ agent	2026-02-11 00:37:42 +01:00
Lokowitz	d5b6de70da	update package and update dockerfile	2026-02-10 11:49:53 +00:00
Fred KISSIE	d6ade102dc	✨ filter & paginate on machine clients table	2026-02-10 05:14:37 +01:00
Fred KISSIE	c94d246c24	♻️ list machine query	2026-02-10 04:00:45 +01:00
Fred KISSIE	5b779ba9fe	♻️ refactor	2026-02-10 03:21:12 +01:00
Fred KISSIE	3ba2cb19a9	✨ approval feed	2026-02-10 03:20:49 +01:00
Fred KISSIE	da514ef314	♻️ refactor	2026-02-10 00:45:34 +01:00
Fred KISSIE	7f73cde794	♻️ refetch approval count every 30s	2026-02-10 00:45:20 +01:00
Fred KISSIE	b0af0d9cd5	♻️ keep previous data	2026-02-10 00:31:21 +01:00
Lokowitz	8429197b07	fix .gitignore	2026-02-09 19:56:32 +00:00
Lokowitz	44f2081882	update packages	2026-02-09 17:08:59 +00:00
Lokowitz	63f7dd1d20	fix lint error	2026-02-07 08:48:58 +00:00
Lokowitz	57b8c69983	remove date-fns	2026-02-07 08:34:56 +00:00
Lokowitz	aad060810a	update package and move eslint to dev	2026-02-07 08:26:05 +00:00
Lokowitz	9222b00a6f	Merge remote-tracking branch 'origin/dev' into update-packages	2026-02-07 08:14:16 +00:00
Fred KISSIE	ff61b22e7e	♻️do not set default values	2026-02-07 05:37:52 +01:00
Fred KISSIE	577cb91343	✨ whole table filter	2026-02-07 05:37:01 +01:00
Fred KISSIE	1889386f64	🚧 wip: table filters	2026-02-07 04:51:37 +01:00
Fred KISSIE	5d7f082ebf	✨ sort user device table & refactor sort into common functino	2026-02-07 04:41:42 +01:00
Fred KISSIE	db6327c4ff	🔇 remove console.logs in API	2026-02-07 02:52:23 +01:00
Fred KISSIE	fd7f6b2b99	✨ filter user devices API finished	2026-02-07 02:51:32 +01:00
Fred KISSIE	49435398a8	🔥 cleanup imports	2026-02-07 02:50:59 +01:00
Fred KISSIE	9f2fd34e99	🚧 wip: user devices endpoint	2026-02-06 05:37:44 +01:00
Fred KISSIE	67b63d3084	♻️ make code cleanrer	2026-02-06 04:52:21 +01:00
Fred KISSIE	4a31a7b84b	🚨 fix lint error	2026-02-06 03:55:11 +01:00
Fred KISSIE	538b601b1e	Merge branch 'dev' into refactor/paginated-tables	2026-02-06 03:54:50 +01:00
Fred KISSIE	588f064c25	🚸 make resource enabled switch optimistic	2026-02-06 03:53:14 +01:00
Fred KISSIE	d521e79662	🏷️ fix types	2026-02-06 03:21:00 +01:00
Fred KISSIE	ccddb9244d	🏷️ add types on `mode` in sqlite	2026-02-06 03:14:03 +01:00
Fred KISSIE	0547396213	♻️ do not sort client resources	2026-02-06 02:44:23 +01:00
Fred KISSIE	6c85171091	✨serverside filter+paginate client resources table	2026-02-06 02:42:15 +01:00
Lokowitz	0f4d1d2a74	add preview server	2026-02-05 19:46:57 +00:00
Lokowitz	941d5c08e3	upgrade packages	2026-02-05 19:26:36 +00:00
Lokowitz	db9f74158b	Merge remote-tracking branch 'origin/dev' into update-packages	2026-02-05 19:24:12 +00:00
Fred KISSIE	609ffccd67	🏷️ fix typescript error	2026-02-05 05:35:59 +01:00
Fred KISSIE	748af1d8cb	♻️ cleanup code for searching & filtering	2026-02-05 05:21:25 +01:00
Fred KISSIE	d309ec249e	✨ filter resources by status	2026-02-05 03:15:18 +01:00
Fred KISSIE	67949b4968	🚧 wip: healthStatus	2026-02-04 04:10:08 +01:00
Fred KISSIE	1fc40b3017	✨ filter by auth state	2026-02-04 03:42:05 +01:00
Fred KISSIE	bb1a375484	✨ paginate, search & filter resources by enabled	2026-02-04 02:20:28 +01:00
Lokowitz	13c011895d	update packages and node	2026-02-02 19:17:40 +00:00
Lokowitz	bd8d0e3392	update packages	2026-02-02 18:48:35 +00:00
Fred KISSIE	cda6b67bef	✨ search, filter & paginate sites table	2026-01-31 03:02:39 +01:00
Fred KISSIE	066305b095	✨ toggle column sorting & pagination	2026-01-31 00:45:14 +01:00
Fred KISSIE	89695df012	🚧 wip: pagination and search work	2026-01-30 05:39:01 +01:00
Fred KISSIE	b04385a340	🚧 search on table	2026-01-29 05:48:41 +01:00
Fred KISSIE	d374ea6ea6	🚧wip	2026-01-29 05:07:41 +01:00
Fred KISSIE	01a2820390	🚧 POC: pagination in sites table	2026-01-29 05:07:27 +01:00
Fred KISSIE	c89c1a03da	🎨 use prettier for formatting typescript	2026-01-29 05:05:34 +01:00
Fred KISSIE	38ac4c5980	🚧 wip: paginated tables	2026-01-28 04:46:54 +01:00
Fred KISSIE	ed3ee64e4b	✨ support pathname in logo URL in branding page	2026-01-28 03:04:12 +01:00