release: 1.8.1

fix: migration clears allowed users groups
chore: update issue template (#870 )
2026-03-28 10:16:37 +00:00 · 2025-08-24 15:12:14 +02:00 · 2025-08-24 15:05:45 +02:00 · 2025-08-24 14:35:39 +02:00 · 2025-08-24 14:34:44 +02:00 · 2025-08-24 14:34:29 +02:00
296 changed files with 19195 additions and 10258 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,4 +1,4 @@
-node_modules
+**/node_modules
 # Output
 .output
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
 *       @pocket-id/maintainers
--- a/.github/ISSUE_TEMPLATE/bug.yml
+++ b/.github/ISSUE_TEMPLATE/bug.yml
@@ -1,7 +1,7 @@
 name: "🐛 Bug Report"
 description: "Report something that is not working as expected"
 title: "🐛 Bug Report: "
-labels: [bug]
+type: 'Bug'
 body:
  - type: markdown
    attributes:
@@ -36,13 +36,29 @@ body:
      value: |
        ### Additional Information
  - type: textarea
-    id: extra-information
+    id: version
    validations:
      required: true
    attributes:
-      label: "Version and Environment"
+      label: "Pocket ID Version"
-      description: "Please specify the version of Pocket ID, along with any environment-specific configurations, such your reverse proxy, that might be relevant."
+      description: "Please specify the version of Pocket ID."
      placeholder: "e.g., v0.24.1"
  - type: textarea
    id: database
    validations:
      required: true
    attributes:
      label: "Database"
      description: "Please specify the database in use: SQLite or Postgres (including version)."
      placeholder: "e.g., SQLite or Postgres 17"
  - type: textarea
    id: environment
    validations:
      required: true
    attributes:
      label: "OS and Environment"
      description: "Please include the OS, whether you're using containers (Docker, Podman, etc) along with any environment-specific configurations, such your reverse proxy, that might be relevant."
      placeholder: "e.g., Docker on Ubuntu 24.04, served using Traefik"
  - type: textarea
    id: log-files
    validations:
--- a/.github/ISSUE_TEMPLATE/feature.yml
+++ b/.github/ISSUE_TEMPLATE/feature.yml
@@ -1,7 +1,7 @@
 name: 🚀 Feature
 description: "Submit a proposal for a new feature"
 title: "🚀 Feature: "
-labels: [feature]
+type: 'Feature'
 body:
  - type: textarea
    id: feature-description
--- a/.github/ISSUE_TEMPLATE/language-request.yml
+++ b/.github/ISSUE_TEMPLATE/language-request.yml
@@ -1,7 +1,7 @@
 name: "🌐 Language request"
 description: "You want to contribute to a language that isn't on Crowdin yet?"
 title: "🌐 Language Request: <language name in english>"
-labels: [language-request]
+type: 'Language Request'
 body:
  - type: input
    id: language-name-native
--- a/.github/workflows/backend-linter.yml
+++ b/.github/workflows/backend-linter.yml
@@ -32,9 +32,9 @@ jobs:
          go-version-file: backend/go.mod
      - name: Run Golangci-lint
-        uses: golangci/golangci-lint-action@dec74fa03096ff515422f71d18d41307cacde373 # v7.0.0
+        uses: golangci/golangci-lint-action@v8.0.0
        with:
-          version: v2.0.2
+          version: v2.4.0
          args: --build-tags=exclude_frontend
          working-directory: backend
          only-new-issues: ${{ github.event_name == 'pull_request' }}
--- a/.github/workflows/build-next.yml
+++ b/.github/workflows/build-next.yml
@@ -5,6 +5,10 @@ on:
    branches:
      - main
 concurrency:
  group: build-next-image
  cancel-in-progress: true
 jobs:
  build-next:
    runs-on: ubuntu-latest
@@ -17,17 +21,22 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 10
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 22
-          cache: "npm"
+          cache: 'pnpm'
-          cache-dependency-path: frontend/package-lock.json
+          cache-dependency-path: pnpm-lock.yaml
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
-          go-version-file: "backend/go.mod"
+          go-version-file: 'backend/go.mod'
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
@@ -50,15 +59,14 @@ jobs:
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Install frontend dependencies
-        working-directory: frontend
+        run: pnpm install --frozen-lockfile
        run: npm ci
      - name: Build frontend
        working-directory: frontend
-        run: npm run build
+        run: pnpm run build
      - name: Build binaries
-        run: sh scripts/development/build-binaries.sh
+        run: sh scripts/development/build-binaries.sh --docker-only
      - name: Build and push container image
        id: build-push-image
@@ -69,10 +77,24 @@ jobs:
          push: true
          tags: ${{ env.DOCKER_IMAGE_NAME }}:next
          file: Dockerfile-prebuilt
-
+      - name: Build and push container image (distroless)
        uses: docker/build-push-action@v6
        id: container-build-push-distroless
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ env.DOCKER_IMAGE_NAME }}:next-distroless
          file: Dockerfile-distroless
      - name: Container image attestation
        uses: actions/attest-build-provenance@v2
        with:
-          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
+          subject-name: '${{ env.DOCKER_IMAGE_NAME }}'
          subject-digest: ${{ steps.build-push-image.outputs.digest }}
          push-to-registry: true
      - name: Container image attestation (distroless)
        uses: actions/attest-build-provenance@v2
        with:
          subject-name: '${{ env.DOCKER_IMAGE_NAME }}'
          subject-digest: ${{ steps.container-build-push-distroless.outputs.digest }}
          push-to-registry: true
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -3,15 +3,15 @@ on:
  push:
    branches: [main]
    paths-ignore:
-      - "docs/**"
+      - 'docs/**'
-      - "**.md"
+      - '**.md'
-      - ".github/**"
+      - '.github/**'
  pull_request:
    branches: [main]
    paths-ignore:
-      - "docs/**"
+      - 'docs/**'
-      - "**.md"
+      - '**.md'
-      - ".github/**"
+      - '.github/**'
 jobs:
  build:
@@ -54,18 +54,22 @@ jobs:
    needs: build
    steps:
      - uses: actions/checkout@v4
      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 10
      - uses: actions/setup-node@v4
        with:
          node-version: 22
-          cache: "npm"
+          cache: 'pnpm'
-          cache-dependency-path: frontend/package-lock.json
+          cache-dependency-path: pnpm-lock.yaml
      - name: Cache Playwright Browsers
        uses: actions/cache@v3
        id: playwright-cache
        with:
          path: ~/.cache/ms-playwright
-          key: ${{ runner.os }}-playwright-${{ hashFiles('frontend/package-lock.json') }}
+          key: ${{ runner.os }}-playwright-${{ hashFiles('pnpm-lock.yaml') }}
          restore-keys: |
            ${{ runner.os }}-playwright-
@@ -96,13 +100,12 @@ jobs:
        run: docker load < /tmp/lldap-image.tar
      - name: Install test dependencies
-        working-directory: ./tests
+        run: pnpm --filter pocket-id-tests install --frozen-lockfile
        run: npm ci
      - name: Install Playwright Browsers
        working-directory: ./tests
        if: steps.playwright-cache.outputs.cache-hit != 'true'
-        run: npx playwright install --with-deps chromium
+        run: pnpm dlx playwright install --with-deps chromium
      - name: Run Docker Container with Sqlite DB and LDAP
        working-directory: ./tests/setup
@@ -111,8 +114,8 @@ jobs:
          docker compose logs -f pocket-id &> /tmp/backend.log &
      - name: Run Playwright tests
-        working-directory: ./tests
+        working-directory: tests
-        run: npx playwright test
+        run: pnpm exec playwright test
      - name: Upload Test Report
        uses: actions/upload-artifact@v4
@@ -141,18 +144,22 @@ jobs:
    needs: build
    steps:
      - uses: actions/checkout@v4
      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 10
      - uses: actions/setup-node@v4
        with:
          node-version: 22
-          cache: "npm"
+          cache: 'pnpm'
-          cache-dependency-path: frontend/package-lock.json
+          cache-dependency-path: pnpm-lock.yaml
      - name: Cache Playwright Browsers
        uses: actions/cache@v3
        id: playwright-cache
        with:
          path: ~/.cache/ms-playwright
-          key: ${{ runner.os }}-playwright-${{ hashFiles('frontend/package-lock.json') }}
+          key: ${{ runner.os }}-playwright-${{ hashFiles('pnpm-lock.yaml') }}
          restore-keys: |
            ${{ runner.os }}-playwright-
@@ -200,13 +207,12 @@ jobs:
        run: docker load -i /tmp/docker-image.tar
      - name: Install test dependencies
-        working-directory: ./tests
+        run: pnpm --filter pocket-id-tests install
        run: npm ci
      - name: Install Playwright Browsers
        working-directory: ./tests
        if: steps.playwright-cache.outputs.cache-hit != 'true'
-        run: npx playwright install --with-deps chromium
+        run: pnpm dlx playwright install --with-deps chromium
      - name: Run Docker Container with Postgres DB and LDAP
        working-directory: ./tests/setup
@@ -216,7 +222,7 @@ jobs:
      - name: Run Playwright tests
        working-directory: ./tests
-        run: npx playwright test
+        run: pnpm exec playwright test
      - name: Upload Test Report
        uses: actions/upload-artifact@v4
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,7 +3,7 @@ name: Release
 on:
  push:
    tags:
-      - "v*.*.*"
+      - 'v*.*.*'
 jobs:
  build:
@@ -16,27 +16,29 @@ jobs:
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 10
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 22
-          cache: "npm"
+          cache: 'pnpm'
-          cache-dependency-path: frontend/package-lock.json
+          cache-dependency-path: pnpm-lock.yaml
      - uses: actions/setup-go@v5
        with:
-          go-version-file: "backend/go.mod"
+          go-version-file: 'backend/go.mod'
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Set DOCKER_IMAGE_NAME
        run: |
          # Lowercase REPO_OWNER which is required for containers
          REPO_OWNER=${{ github.repository_owner }}
          DOCKER_IMAGE_NAME="ghcr.io/${REPO_OWNER,,}/pocket-id"
          echo "DOCKER_IMAGE_NAME=${DOCKER_IMAGE_NAME}" >>${GITHUB_ENV}
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
@@ -53,17 +55,24 @@ jobs:
            type=semver,pattern={{version}},prefix=v
            type=semver,pattern={{major}}.{{minor}},prefix=v
            type=semver,pattern={{major}},prefix=v
-
+      - name: Docker metadata (distroless)
        id: meta-distroless
        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ env.DOCKER_IMAGE_NAME }}
          flavor: |
            suffix=-distroless,onlatest=true
          tags: |
            type=semver,pattern={{version}},prefix=v
            type=semver,pattern={{major}}.{{minor}},prefix=v
            type=semver,pattern={{major}},prefix=v
      - name: Install frontend dependencies
-        working-directory: frontend
+        run: pnpm --filter pocket-id-frontend install --frozen-lockfile
        run: npm ci
      - name: Build frontend
-        working-directory: frontend
+        run: pnpm --filter pocket-id-frontend build
        run: npm run build
      - name: Build binaries
        run: sh scripts/development/build-binaries.sh
      - name: Build and push container image
        uses: docker/build-push-action@v6
        id: container-build-push
@@ -74,19 +83,32 @@ jobs:
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          file: Dockerfile-prebuilt
-
+      - name: Build and push container image (distroless)
        uses: docker/build-push-action@v6
        id: container-build-push-distroless
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta-distroless.outputs.tags }}
          labels: ${{ steps.meta-distroless.outputs.labels }}
          file: Dockerfile-distroless
      - name: Binary attestation
        uses: actions/attest-build-provenance@v2
        with:
-          subject-path: "backend/.bin/pocket-id-**"
+          subject-path: 'backend/.bin/pocket-id-**'
      - name: Container image attestation
        uses: actions/attest-build-provenance@v2
        with:
-          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
+          subject-name: '${{ env.DOCKER_IMAGE_NAME }}'
          subject-digest: ${{ steps.container-build-push.outputs.digest }}
          push-to-registry: true
-
+      - name: Container image attestation (distroless)
        uses: actions/attest-build-provenance@v2
        with:
          subject-name: '${{ env.DOCKER_IMAGE_NAME }}'
          subject-digest: ${{ steps.container-build-push-distroless.outputs.digest }}
          push-to-registry: true
      - name: Upload binaries to release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -101,6 +123,6 @@ jobs:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      - name: Mark release as published
        run: gh release edit ${{ github.ref_name }} --draft=false
--- a/.github/workflows/svelte-check.yml
+++ b/.github/workflows/svelte-check.yml
@@ -4,21 +4,21 @@ on:
  push:
    branches: [main]
    paths:
-      - "frontend/src/**"
+      - 'frontend/src/**'
-      - ".github/svelte-check-matcher.json"
+      - '.github/svelte-check-matcher.json'
-      - "frontend/package.json"
+      - 'frontend/package.json'
-      - "frontend/package-lock.json"
+      - 'frontend/package-lock.json'
-      - "frontend/tsconfig.json"
+      - 'frontend/tsconfig.json'
-      - "frontend/svelte.config.js"
+      - 'frontend/svelte.config.js'
  pull_request:
    branches: [main]
    paths:
-      - "frontend/src/**"
+      - 'frontend/src/**'
-      - ".github/svelte-check-matcher.json"
+      - '.github/svelte-check-matcher.json'
-      - "frontend/package.json"
+      - 'frontend/package.json'
-      - "frontend/package-lock.json"
+      - 'frontend/package-lock.json'
-      - "frontend/tsconfig.json"
+      - 'frontend/tsconfig.json'
-      - "frontend/svelte.config.js"
+      - 'frontend/svelte.config.js'
  workflow_dispatch:
 jobs:
@@ -36,24 +36,28 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 10
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 22
-          cache: "npm"
+          cache: 'pnpm'
-          cache-dependency-path: frontend/package-lock.json
+          cache-dependency-path: pnpm-lock.yaml
      - name: Install dependencies
-        working-directory: frontend
+        run: pnpm --filter pocket-id-frontend install --frozen-lockfile
        run: npm ci
      - name: Build Pocket ID Frontend
        working-directory: frontend
-        run: npm run build
+        run: pnpm --filter pocket-id-frontend build
      - name: Add svelte-check problem matcher
        run: echo "::add-matcher::.github/svelte-check-matcher.json"
      - name: Run svelte-check
        working-directory: frontend
-        run: npm run check
+        run: pnpm --filter pocket-id-frontend check
--- a/.version
+++ b/.version
@@ -1 +1 @@
-1.3.1
+1.8.1
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,147 @@
 ## [](https://github.com/pocket-id/pocket-id/compare/v1.8.0...v) (2025-08-24)
 ### Bug Fixes
 * migration clears allowed users groups ([5971bfb](https://github.com/pocket-id/pocket-id/commit/5971bfbfa66ecfebf2b1c08d34fcbd8c18cdc046))
 * wrong column type for reauthentication tokens in Postgres ([#869](https://github.com/pocket-id/pocket-id/issues/869)) ([1283314](https://github.com/pocket-id/pocket-id/commit/1283314f776a0ba43be7d796e7e2243e31f860de))
 ## [](https://github.com/pocket-id/pocket-id/compare/v1.7.0...v) (2025-08-23)
 ### Features
 * add option to OIDC client to require re-authentication ([#747](https://github.com/pocket-id/pocket-id/issues/747)) ([0cb039d](https://github.com/pocket-id/pocket-id/commit/0cb039d35d49206011064e622f3bfd3d8f88720f))
 * allow custom client IDs ([#864](https://github.com/pocket-id/pocket-id/issues/864)) ([a5efb95](https://github.com/pocket-id/pocket-id/commit/a5efb9506582884c70b9b1fd737ebdd44b101b47))
 * display all accessible oidc clients in the dashboard ([#832](https://github.com/pocket-id/pocket-id/issues/832)) ([3188e92](https://github.com/pocket-id/pocket-id/commit/3188e92257afcaf7a16dd418e4c40626d7e1d034))
 * login code font change ([#851](https://github.com/pocket-id/pocket-id/issues/851)) ([d28bfac](https://github.com/pocket-id/pocket-id/commit/d28bfac81fc24ee79e4896538a616f0a89ab30a5))
 * **signup:** add default user groups and claims for new users ([#812](https://github.com/pocket-id/pocket-id/issues/812)) ([182d809](https://github.com/pocket-id/pocket-id/commit/182d8090286f9953171c6c410283be679889aca7))
 ### Bug Fixes
 * authorization can't be revoked ([0aab3f3](https://github.com/pocket-id/pocket-id/commit/0aab3f3c7ad8c1b14939de3ded60c9f201eab8fc))
 * delete webauthn session after login to prevent replay attacks ([fe003b9](https://github.com/pocket-id/pocket-id/commit/fe003b927ce7772692439992860c804de89ce424))
 * **deps:** bump rollup from 4.45.3 to 4.46.3 ([#845](https://github.com/pocket-id/pocket-id/issues/845)) ([b5e6371](https://github.com/pocket-id/pocket-id/commit/b5e6371eaaf3d9e85d8b05c457487c4425fa8381))
 * enable foreign key check for sqlite ([#863](https://github.com/pocket-id/pocket-id/issues/863)) ([625f235](https://github.com/pocket-id/pocket-id/commit/625f23574001ebd7074b8d98d448a2811847be16))
 * ferated identities can't be cleared ([24e2742](https://github.com/pocket-id/pocket-id/commit/24e274200fe4002d01c58cc3fa74094b598d7599))
 * for one-time access tokens and signup tokens, pass TTLs instead of absolute expiration date ([#855](https://github.com/pocket-id/pocket-id/issues/855)) ([7ab0fd3](https://github.com/pocket-id/pocket-id/commit/7ab0fd30286e6b67b5ce586484d82a20c42b471d))
 * ignore client secret if client is public ([#836](https://github.com/pocket-id/pocket-id/issues/836)) ([7b1f6b8](https://github.com/pocket-id/pocket-id/commit/7b1f6b88572bac1f3e838a9e904917fbd5fbdf61))
 * move audit log call before TX is committed ([#854](https://github.com/pocket-id/pocket-id/issues/854)) ([9339e88](https://github.com/pocket-id/pocket-id/commit/9339e88a5a26ff77a5e40149cbb1a5b339b7ec6a))
 * non admin users can't revoke oidc client but see edit link ([0e44f24](https://github.com/pocket-id/pocket-id/commit/0e44f245afcdf8179bf619613ca9ef4bffa176ca))
 * oidc client advanced options color ([fc0c99a](https://github.com/pocket-id/pocket-id/commit/fc0c99a232b0efb1a5b5d2c551102418b1080293))
 ## [](https://github.com/pocket-id/pocket-id/compare/v1.6.4...v) (2025-08-10)
 ### Features
 * add robots.txt to block indexing ([#806](https://github.com/pocket-id/pocket-id/issues/806)) ([06e1656](https://github.com/pocket-id/pocket-id/commit/06e1656923eb2f4531be497716f9147c09d60b65))
 * add support for `code_challenge_methods_supported` ([#794](https://github.com/pocket-id/pocket-id/issues/794)) ([d479817](https://github.com/pocket-id/pocket-id/commit/d479817b6a7ca4807b5de500b3ba713d436b0770))
 * Support OTel and JSON for logs (via log/slog) ([#760](https://github.com/pocket-id/pocket-id/issues/760)) ([78266e3](https://github.com/pocket-id/pocket-id/commit/78266e3e4cab2b23249c3baf20f4387d00eebd9e))
 * support reading secret env vars from _FILE ([#799](https://github.com/pocket-id/pocket-id/issues/799)) ([0a3b1c6](https://github.com/pocket-id/pocket-id/commit/0a3b1c653050f2237d30ec437c5de88baa704a25))
 * user application dashboard ([#727](https://github.com/pocket-id/pocket-id/issues/727)) ([484c2f6](https://github.com/pocket-id/pocket-id/commit/484c2f6ef20efc1fade1a41e2aeace54c7bb4f1b))
 ### Bug Fixes
 * admins can not delete or disable their own account ([f0c144c](https://github.com/pocket-id/pocket-id/commit/f0c144c51c635bc348222a00d3bc88bc4e0711ef))
 * authorization animation not working ([9ac5d51](https://github.com/pocket-id/pocket-id/commit/9ac5d5118710cad59c8c4ce7cef7ab09be3de664))
 * custom claims input suggestions instantly close after opening ([4d59e72](https://github.com/pocket-id/pocket-id/commit/4d59e7286666480e20c728787a95e82513509240))
 * delete WebAuthn registration session after use ([#783](https://github.com/pocket-id/pocket-id/issues/783)) ([c8478d7](https://github.com/pocket-id/pocket-id/commit/c8478d75bed7295625cd3cf62ef46fcd95902410))
 * set input type 'email' for email-based login ([#776](https://github.com/pocket-id/pocket-id/issues/776)) ([d541c9a](https://github.com/pocket-id/pocket-id/commit/d541c9ab4af8d7283891a80f886dd5d4ebc52f53))
 ## [](https://github.com/pocket-id/pocket-id/compare/v1.6.3...v) (2025-07-21)
 ### Bug Fixes
 * migration fails on postgres ([#762](https://github.com/pocket-id/pocket-id/issues/762)) ([35d5f88](https://github.com/pocket-id/pocket-id/commit/35d5f887ce7c88933d7e4c2f0acd2aeedd18c214))
 ## [](https://github.com/pocket-id/pocket-id/compare/v1.6.2...v) (2025-07-21)
 ### Bug Fixes
 * allow passkey names up to 50 characters ([b03e91b](https://github.com/pocket-id/pocket-id/commit/b03e91b6530c2393ad20ac49aa2cb2b4962651b2))
 * ensure user inputs are normalized ([#724](https://github.com/pocket-id/pocket-id/issues/724)) ([7b4ccd1](https://github.com/pocket-id/pocket-id/commit/7b4ccd1f306f4882c52fe30133fcda114ef0d18b))
 * show rename and delete buttons for passkeys without hovering over the row ([2952b15](https://github.com/pocket-id/pocket-id/commit/2952b1575542ecd0062fe740e2d6a3caad05190d))
 * use object-contain for images on oidc-client list ([d3bc179](https://github.com/pocket-id/pocket-id/commit/d3bc1797b65ec8bc9201c55d06f3612093f3a873))
 * use user-agent for identifying known device signins ([ef1d599](https://github.com/pocket-id/pocket-id/commit/ef1d5996624fc534190f80a26f2c48bbad206f49))
 ## [](https://github.com/pocket-id/pocket-id/compare/v1.6.1...v) (2025-07-09)
 ### Bug Fixes
 * ensure confirmation dialog shows on top of other components ([f103a54](https://github.com/pocket-id/pocket-id/commit/f103a547904070c5b192e519c8b5a8fed9d80e96))
 * login failures on Postgres when IP is null ([#737](https://github.com/pocket-id/pocket-id/issues/737)) ([e1de593](https://github.com/pocket-id/pocket-id/commit/e1de593dcd30b7b04da3b003455134992b702595))
 ## [](https://github.com/pocket-id/pocket-id/compare/v1.5.0...v) (2025-07-06)
 ### Features
 * add "key-rotate" command ([#709](https://github.com/pocket-id/pocket-id/issues/709)) ([8c8fc23](https://github.com/pocket-id/pocket-id/commit/8c8fc2304d8f33c1fea54b1138b109f282e78b8b))
 * add support for OAuth 2.0 Authorization Server Issuer Identification ([bf04256](https://github.com/pocket-id/pocket-id/commit/bf042563e997d57bb087705a5789fd72ffbed467))
 * distroless container additional variant + healthcheck command ([#716](https://github.com/pocket-id/pocket-id/issues/716)) ([1a41b05](https://github.com/pocket-id/pocket-id/commit/1a41b05f60d487fff78703bec1d4e832f96fd071))
 * encrypt private keys saved on disk and in database ([#682](https://github.com/pocket-id/pocket-id/issues/682)) ([5550729](https://github.com/pocket-id/pocket-id/commit/5550729120ac9f5e9361c7f9cf25b9075a33a94a))
 * enhance language selection message and add translation contribution link ([be52660](https://github.com/pocket-id/pocket-id/commit/be526602273c1689cb4057ca96d4214e7f817d1d))
 ### Bug Fixes
 * actually fix linter issues ([#720](https://github.com/pocket-id/pocket-id/issues/720)) ([7fe83f8](https://github.com/pocket-id/pocket-id/commit/7fe83f8087f033f957bb6e0eee5e0c159417e1cd))
 * add missing error check in initial user setup ([fceb6fa](https://github.com/pocket-id/pocket-id/commit/fceb6fa7b4701a3645c4c2353bcd108b15d69ded))
 * allow profile picture update even if "allow own account edit" enabled ([9872608](https://github.com/pocket-id/pocket-id/commit/9872608d61a486f7b775f314d9392e0620bcd891))
 * app config forms not updating with latest values ([#696](https://github.com/pocket-id/pocket-id/issues/696)) ([92c57ad](https://github.com/pocket-id/pocket-id/commit/92c57ada1a11f76963e36ca0a81bca8f52dbc84e))
 * auth fails when client IP is empty on Postgres ([#695](https://github.com/pocket-id/pocket-id/issues/695)) ([031181a](https://github.com/pocket-id/pocket-id/commit/031181ad2ae8fae94cc5793dd1c614e79476a766))
 * custom claims input suggestions flickering ([49f1ab2](https://github.com/pocket-id/pocket-id/commit/49f1ab2f75df97d551fff5acbadcd55df74af617))
 * keep sidebar in settings sticky ([e46f60a](https://github.com/pocket-id/pocket-id/commit/e46f60ac8d6944bcea54d0708af1950d98f66c3c))
 * linter issues ([#719](https://github.com/pocket-id/pocket-id/issues/719)) ([43f0114](https://github.com/pocket-id/pocket-id/commit/43f0114c579f7b5b32b372e09f46bcb2a9d7796e))
 * show friendly name in user group selection ([5c9e504](https://github.com/pocket-id/pocket-id/commit/5c9e504291b3bffe947bcbe907701806e301d1fe))
 * support non UTF-8 LDAP IDs ([#714](https://github.com/pocket-id/pocket-id/issues/714)) ([8131579](https://github.com/pocket-id/pocket-id/commit/81315790a8aa601a2565a1b54807df1e68f06dc5))
 * token introspection authentication not handled correctly ([#704](https://github.com/pocket-id/pocket-id/issues/704)) ([aefb308](https://github.com/pocket-id/pocket-id/commit/aefb30853677baf7ed29ac8b539e1aadf56e14a4))
 ## [](https://github.com/pocket-id/pocket-id/compare/v1.4.1...v) (2025-06-27)
 ### Features
 * improve initial admin creation workflow ([287314f](https://github.com/pocket-id/pocket-id/commit/287314f01644e42ddb2ce1b1115bd14f2f0c1768))
 * redact sensitive app config variables if set with env variable ([ba61cdb](https://github.com/pocket-id/pocket-id/commit/ba61cdba4eb3d5659f3ae6b6c21249985c0aa630))
 * self-service user signup ([#672](https://github.com/pocket-id/pocket-id/issues/672)) ([dcd1ae9](https://github.com/pocket-id/pocket-id/commit/dcd1ae96e048115be34b0cce275054e990462ebf))
 ### Bug Fixes
 * double double full stops for certain error messages ([d070b9a](https://github.com/pocket-id/pocket-id/commit/d070b9a778d7d1a51f2fa62d003f2331a96d6c91))
 * error page flickering after sign out ([1a77bd9](https://github.com/pocket-id/pocket-id/commit/1a77bd9914ea01e445ff3d6e116c9ed3bcfbf153))
 * improve accent color picker disabled state ([d976bf5](https://github.com/pocket-id/pocket-id/commit/d976bf5965eda10e3ecb71821c23e93e5d712a02))
 * less noisy logging for certain GET requests ([#681](https://github.com/pocket-id/pocket-id/issues/681)) ([043f82a](https://github.com/pocket-id/pocket-id/commit/043f82ad794eb64a5550d8b80703114a055701d9))
 * margin of user sign up description ([052ac00](https://github.com/pocket-id/pocket-id/commit/052ac008c3a8c910d1ce79ee99b2b2f75e4090f4))
 * remove duplicate request logging ([#678](https://github.com/pocket-id/pocket-id/issues/678)) ([988c425](https://github.com/pocket-id/pocket-id/commit/988c425150556b32cff1d341a21fcc9c69d9aaf8))
 * users can't be updated by admin if self account editing is disabled ([29cb551](https://github.com/pocket-id/pocket-id/commit/29cb5513a03d1a9571969c8a42deec9b2bdee037))
 ## [](https://github.com/pocket-id/pocket-id/compare/v1.4.0...v) (2025-06-22)
 ### Bug Fixes
 * app not starting if UI config is disabled and Postgres is used ([7d36bda](https://github.com/pocket-id/pocket-id/commit/7d36bda769e25497dec6b76206a4f7e151b0bd72))
 ## [](https://github.com/pocket-id/pocket-id/compare/v1.3.1...v) (2025-06-19)
 ### Features
 * allow setting unix socket mode ([#661](https://github.com/pocket-id/pocket-id/issues/661)) ([7677a3d](https://github.com/pocket-id/pocket-id/commit/7677a3de2c923c11a58bc8c4d1b2121d403a1504))
 * auto-focus on the login buttons ([#647](https://github.com/pocket-id/pocket-id/issues/647)) ([d679530](https://github.com/pocket-id/pocket-id/commit/d6795300b158b85dd9feadd561b6ecd891f5db0d))
 * configurable local ipv6 ranges for audit log ([#657](https://github.com/pocket-id/pocket-id/issues/657)) ([d548523](https://github.com/pocket-id/pocket-id/commit/d5485238b8fd4cc566af00eae2b17d69a119f991))
 * location filter for global audit log ([#662](https://github.com/pocket-id/pocket-id/issues/662)) ([ac5a121](https://github.com/pocket-id/pocket-id/commit/ac5a121f664b8127d0faf30c0f93432f30e7f33a))
 * ui accent colors ([#643](https://github.com/pocket-id/pocket-id/issues/643)) ([883877a](https://github.com/pocket-id/pocket-id/commit/883877adec6fc3e65bd5a705499449959b894fb5))
 * use icon instead of text on application image update hover state ([215531d](https://github.com/pocket-id/pocket-id/commit/215531d65c6683609b0b4a5505fdb72696fdb93e))
 ### Bug Fixes
 * allow images with uppercase file extension ([1bcb50e](https://github.com/pocket-id/pocket-id/commit/1bcb50edc335886dd722a4c69960c48cc3cd1687))
 * center oidc client images if they are smaller than the box ([946c534](https://github.com/pocket-id/pocket-id/commit/946c534b0877a074a6b658060f9af27e4061397c))
 * explicitly cache images to prevent unexpected behavior ([2e5d268](https://github.com/pocket-id/pocket-id/commit/2e5d2687982186c12e530492292d49895cb6043a))
 * reduce duration of animations on login and signin page ([#648](https://github.com/pocket-id/pocket-id/issues/648)) ([d770448](https://github.com/pocket-id/pocket-id/commit/d77044882d5a41da22df1c0099c1eb1f20bcbc5b))
 * use inline style for dynamic background image URL instead of Tailwind class ([bef77ac](https://github.com/pocket-id/pocket-id/commit/bef77ac8dca2b98b6732677aaafbc28f79d00487))
 ## [](https://github.com/pocket-id/pocket-id/compare/v1.3.0...v) (2025-06-09)
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -28,7 +28,7 @@ Before you submit the pull request for review please ensure that
  - **refactor** - code change that neither fixes a bug nor adds a feature
 - Your pull request has a detailed description
- You run `npm run format` to format the code
+- You run `pnpm format` to format the code
 ## Development Environment
@@ -52,7 +52,7 @@ If you use [Dev Containers](https://code.visualstudio.com/docs/remote/containers
 If you don't use Dev Containers, you need to install the following tools manually:
 - [Node.js](https://nodejs.org/en/download/) >= 22
- [Go](https://golang.org/doc/install) >= 1.24
+- [Go](https://golang.org/doc/install) >= 1.25
 - [Git](https://git-scm.com/downloads)
 ### 2. Setup
@@ -69,10 +69,10 @@ The backend is built with [Gin](https://gin-gonic.com) and written in Go. To set
 The frontend is built with [SvelteKit](https://kit.svelte.dev) and written in TypeScript. To set it up, follow these steps:
-1. Open the `frontend` folder
+1. Open the `pocket-id` project folder
-2. Copy the `.env.development-example` file to `.env` and edit the variables as needed
+2. Copy the `frontend/.env.development-example` file to `frontend/.env` and edit the variables as needed
-3. Install the dependencies with `npm install`
+3. Install the dependencies with `pnpm install`
-4. Start the frontend with `npm run dev`
+4. Start the frontend with `pnpm dev`
 You're all set! The application is now listening on `localhost:3000`. The backend gets proxied trough the frontend in development mode.
@@ -84,11 +84,13 @@ If you are contributing to a new feature please ensure that you add tests for it
 The tests can be run like this:
-1. Visit the setup folder by running `cd tests/setup`
+1. Install the dependencies from the root of the project `pnpm install`
-2. Start the test environment by running `docker compose up -d --build`
+2. Visit the setup folder by running `cd tests/setup`
-3. Go back to the test folder by running `cd ..`
+3. Start the test environment by running `docker compose up -d --build`
-4. Run the tests with `npx playwright test`
+
 4. Go back to the test folder by running `cd ..`
 5. Run the tests with `pnpm dlx playwright test` or from the root project folder `pnpm test`
 If you make any changes to the application, you have to rebuild the test environment by running `docker compose up -d --build` again.
--- a/24
+++ b/24
@@ -5,21 +5,27 @@ ARG BUILD_TAGS=""
 # Stage 1: Build Frontend
 FROM node:22-alpine AS frontend-builder
 RUN corepack enable
 WORKDIR /build
-COPY ./frontend/package*.json ./
+
-RUN npm ci
+COPY pnpm-workspace.yaml pnpm-lock.yaml ./
-COPY ./frontend ./
+COPY frontend/package.json ./frontend/
-RUN BUILD_OUTPUT_PATH=dist npm run build
+RUN pnpm --filter pocket-id-frontend install --frozen-lockfile
 COPY ./frontend ./frontend/
 RUN BUILD_OUTPUT_PATH=dist pnpm --filter pocket-id-frontend run build
 # Stage 2: Build Backend
-FROM golang:1.24-alpine AS backend-builder
+FROM golang:1.25-alpine AS backend-builder
 ARG BUILD_TAGS
 WORKDIR /build
 COPY ./backend/go.mod ./backend/go.sum ./
 RUN go mod download
 COPY ./backend ./
-COPY --from=frontend-builder /build/dist ./frontend/dist
+COPY --from=frontend-builder /build/frontend/dist ./frontend/dist
 COPY .version .version
 WORKDIR /build/cmd
@@ -30,7 +36,7 @@ RUN VERSION=$(cat /build/.version) \
    -tags "${BUILD_TAGS}" \
    -ldflags="-X github.com/pocket-id/pocket-id/backend/internal/common.Version=${VERSION} -buildid=${VERSION}" \
    -trimpath \
-    -o /build/pocket-id-backend \
+    -o /build/pocket-id \
    .
 # Stage 3: Production Image
@@ -39,7 +45,7 @@ WORKDIR /app
 RUN apk add --no-cache curl su-exec
-COPY --from=backend-builder /build/pocket-id-backend /app/pocket-id
+COPY --from=backend-builder /build/pocket-id /app/pocket-id
 COPY ./scripts/docker /app/docker
 RUN chmod +x /app/pocket-id && \
@@ -48,5 +54,7 @@ RUN chmod +x /app/pocket-id && \
 EXPOSE 1411
 ENV APP_ENV=production
 HEALTHCHECK --interval=90s --timeout=5s --start-period=10s --retries=3 CMD [ "/app/pocket-id", "healthcheck" ]
 ENTRYPOINT ["sh", "/app/docker/entrypoint.sh"]
 CMD ["/app/pocket-id"]
--- a/18
+++ b/18
@@ -0,0 +1,18 @@
 # This Dockerfile embeds a pre-built binary for the given Linux architecture
 # Binaries must be built using "./scripts/development/build-binaries.sh --docker-only"
 FROM gcr.io/distroless/static-debian12:nonroot
 # TARGETARCH can be "amd64" or "arm64"
 ARG TARGETARCH
 WORKDIR /app
 COPY ./backend/.bin/pocket-id-linux-${TARGETARCH} /app/pocket-id
 EXPOSE 1411
 ENV APP_ENV=production
 HEALTHCHECK --interval=90s --timeout=5s --start-period=10s --retries=3 CMD [ "/app/pocket-id", "healthcheck" ]
 CMD ["/app/pocket-id"]
--- a/4
+++ b/4
@@ -1,5 +1,5 @@
 # This Dockerfile embeds a pre-built binary for the given Linux architecture
-# Binaries must be built using ./scripts/development/build-binaries.sh first
+# Binaries must be built using "./scripts/development/build-binaries.sh --docker-only"
 FROM alpine
@@ -16,5 +16,7 @@ COPY ./scripts/docker /app/docker
 EXPOSE 1411
 ENV APP_ENV=production
 HEALTHCHECK --interval=90s --timeout=5s --start-period=10s --retries=3 CMD [ "/app/pocket-id", "healthcheck" ]
 ENTRYPOINT ["/app/docker/entrypoint.sh"]
 CMD ["/app/pocket-id"]
--- a/backend/.air.toml
+++ b/backend/.air.toml
@@ -0,0 +1,12 @@
 root = "."
 tmp_dir = ".bin"
 [build]
  bin = "./.bin/pocket-id"
  cmd = "CGO_ENABLED=0 go build -o ./.bin/pocket-id ./cmd"
  exclude_dir = ["resources", ".bin", "data"]
  exclude_regex = [".*_test\\.go"]
  stop_on_error = true
 [misc]
  clean_on_exit = true
--- a/backend/cmd/main.go
+++ b/backend/cmd/main.go
@@ -1,15 +1,9 @@
 package main
 import (
 	"flag"
 	"fmt"
 	"log"
 	_ "time/tzdata"
 	"github.com/pocket-id/pocket-id/backend/internal/bootstrap"
 	"github.com/pocket-id/pocket-id/backend/internal/cmds"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 )
 // @title Pocket ID API
@@ -17,27 +11,5 @@ import (
 // @description.markdown
 func main() {
-	// Get the command
+	cmds.Execute()
 	// By default, this starts the server
 	var cmd string
 	flag.Parse()
 	args := flag.Args()
 	if len(args) > 0 {
 		cmd = args[0]
 	}
 	var err error
 	switch cmd {
 	case "version":
 		fmt.Println("pocket-id " + common.Version)
 	case "one-time-access-token":
 		err = cmds.OneTimeAccessToken(args)
 	default:
 		// Start the server
 		err = bootstrap.Bootstrap()
 	}
 	if err != nil {
 		log.Fatal(err.Error())
 	}
 }
--- a/backend/go.mod
+++ b/backend/go.mod
@@ -1,95 +1,106 @@
 module github.com/pocket-id/pocket-id/backend
-go 1.24.0
+go 1.25
 require (
 	github.com/caarlos0/env/v11 v11.3.1
-	github.com/cenkalti/backoff/v5 v5.0.2
+	github.com/cenkalti/backoff/v5 v5.0.3
 	github.com/disintegration/imageorient v0.0.0-20180920195336-8147d86e83ec
 	github.com/disintegration/imaging v1.6.2
 	github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21
 	github.com/emersion/go-smtp v0.21.3
-	github.com/fxamacker/cbor/v2 v2.7.0
+	github.com/fxamacker/cbor/v2 v2.9.0
-	github.com/gin-gonic/gin v1.10.0
+	github.com/gin-gonic/gin v1.10.1
 	github.com/glebarez/go-sqlite v1.22.0
 	github.com/glebarez/sqlite v1.11.0
-	github.com/go-co-op/gocron/v2 v2.15.0
+	github.com/go-co-op/gocron/v2 v2.16.3
 	github.com/go-ldap/ldap/v3 v3.4.10
-	github.com/go-playground/validator/v10 v10.25.0
+	github.com/go-playground/validator/v10 v10.27.0
 	github.com/go-webauthn/webauthn v0.11.2
-	github.com/golang-migrate/migrate/v4 v4.18.2
+	github.com/golang-migrate/migrate/v4 v4.18.3
 	github.com/google/uuid v1.6.0
 	github.com/hashicorp/go-uuid v1.0.3
 	github.com/jinzhu/copier v0.4.0
 	github.com/joho/godotenv v1.5.1
-	github.com/lestrrat-go/httprc/v3 v3.0.0-beta2
+	github.com/lestrrat-go/httprc/v3 v3.0.0
-	github.com/lestrrat-go/jwx/v3 v3.0.1
+	github.com/lestrrat-go/jwx/v3 v3.0.10
 	github.com/lmittmann/tint v1.1.2
 	github.com/mattn/go-isatty v0.0.20
 	github.com/mileusna/useragent v1.3.5
-	github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.2
+	github.com/orandin/slog-gorm v1.4.0
 	github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.8
 	github.com/samber/slog-gin v1.15.1
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	go.opentelemetry.io/contrib/bridges/otelslog v0.12.0
 	go.opentelemetry.io/contrib/exporters/autoexport v0.59.0
 	go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.60.0
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0
-	go.opentelemetry.io/otel v1.35.0
+	go.opentelemetry.io/otel v1.37.0
-	go.opentelemetry.io/otel/metric v1.35.0
+	go.opentelemetry.io/otel/log v0.13.0
 	go.opentelemetry.io/otel/metric v1.37.0
 	go.opentelemetry.io/otel/sdk v1.35.0
 	go.opentelemetry.io/otel/sdk/log v0.10.0
 	go.opentelemetry.io/otel/sdk/metric v1.35.0
-	go.opentelemetry.io/otel/trace v1.35.0
+	go.opentelemetry.io/otel/trace v1.37.0
-	golang.org/x/crypto v0.37.0
+	golang.org/x/crypto v0.41.0
-	golang.org/x/image v0.24.0
+	golang.org/x/image v0.30.0
-	golang.org/x/time v0.9.0
+	golang.org/x/text v0.28.0
-	gorm.io/driver/postgres v1.5.11
+	golang.org/x/time v0.12.0
-	gorm.io/gorm v1.25.12
+	gorm.io/driver/postgres v1.6.0
 	gorm.io/gorm v1.30.1
 )
 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bytedance/sonic v1.12.10 // indirect
+	github.com/bytedance/sonic v1.14.0 // indirect
-	github.com/bytedance/sonic/loader v0.2.3 // indirect
+	github.com/bytedance/sonic/loader v0.3.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/cloudwego/base64x v0.1.5 // indirect
+	github.com/cloudwego/base64x v0.1.6 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
 	github.com/disintegration/gift v1.1.2 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.9 // indirect
-	github.com/gin-contrib/sse v1.0.0 // indirect
+	github.com/gin-contrib/sse v1.1.0 // indirect
 	github.com/glebarez/go-sqlite v1.21.2 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
-	github.com/go-webauthn/x v0.1.16 // indirect
+	github.com/go-webauthn/x v0.1.23 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
-	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.3 // indirect
-	github.com/google/go-tpm v0.9.3 // indirect
+	github.com/google/go-tpm v0.9.5 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
-	github.com/jackc/pgx/v5 v5.7.2 // indirect
+	github.com/jackc/pgx/v5 v5.7.5 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/jonboulle/clockwork v0.5.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
+	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
-	github.com/lestrrat-go/blackmagic v1.0.3 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.4 // indirect
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
 	github.com/lestrrat-go/option v1.0.1 // indirect
 	github.com/lestrrat-go/option/v2 v2.0.0 // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-sqlite3 v1.14.24 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_golang v1.22.0 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
@@ -98,8 +109,10 @@ require (
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/robfig/cron/v3 v3.0.1 // indirect
 	github.com/segmentio/asm v1.2.0 // indirect
 	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
-	github.com/ugorji/go/codec v1.2.12 // indirect
+	github.com/ugorji/go/codec v1.3.0 // indirect
 	github.com/valyala/fastjson v1.6.4 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/bridges/prometheus v0.59.0 // indirect
@@ -114,23 +127,20 @@ require (
 	go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.10.0 // indirect
 	go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.35.0 // indirect
 	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.35.0 // indirect
 	go.opentelemetry.io/otel/log v0.10.0 // indirect
 	go.opentelemetry.io/otel/sdk/log v0.10.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	golang.org/x/arch v0.14.0 // indirect
+	golang.org/x/arch v0.20.0 // indirect
-	golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6 // indirect
+	golang.org/x/exp v0.0.0-20250813145105-42675adae3e6 // indirect
-	golang.org/x/net v0.38.0 // indirect
+	golang.org/x/net v0.43.0 // indirect
-	golang.org/x/sync v0.14.0 // indirect
+	golang.org/x/sync v0.16.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/sys v0.35.0 // indirect
 	golang.org/x/text v0.24.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a // indirect
 	google.golang.org/grpc v1.71.0 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
+	google.golang.org/protobuf v1.36.7 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	modernc.org/libc v1.65.6 // indirect
+	modernc.org/libc v1.66.7 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
-	modernc.org/memory v1.10.0 // indirect
+	modernc.org/memory v1.11.0 // indirect
-	modernc.org/sqlite v1.37.0 // indirect
+	modernc.org/sqlite v1.38.2 // indirect
 )
--- a/backend/go.sum
+++ b/backend/go.sum
@@ -8,29 +8,28 @@ github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7V
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/bytedance/sonic v1.12.10 h1:uVCQr6oS5669E9ZVW0HyksTLfNS7Q/9hV6IVS4nEMsI=
+github.com/bytedance/sonic v1.14.0 h1:/OfKt8HFw0kh2rj8N0F6C/qPGRESq0BbaNZgcNXXzQQ=
-github.com/bytedance/sonic v1.12.10/go.mod h1:uVvFidNmlt9+wa31S1urfwwthTWteBgG0hWuoKAXTx8=
+github.com/bytedance/sonic v1.14.0/go.mod h1:WoEbx8WTcFJfzCe0hbmyTGrfjt8PzNEBdxlNUO24NhA=
-github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
+github.com/bytedance/sonic/loader v0.3.0 h1:dskwH8edlzNMctoruo8FPTJDF3vLtDT0sXZwvZJyqeA=
-github.com/bytedance/sonic/loader v0.2.3 h1:yctD0Q3v2NOGfSWPLPvG2ggA2kV6TS6s4wioyEqssH0=
+github.com/bytedance/sonic/loader v0.3.0/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
 github.com/bytedance/sonic/loader v0.2.3/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
 github.com/caarlos0/env/v11 v11.3.1 h1:cArPWC15hWmEt+gWk7YBi7lEXTXCvpaSdCiZE2X5mCA=
 github.com/caarlos0/env/v11 v11.3.1/go.mod h1:qupehSf/Y0TUTsxKywqRt/vJjN5nz6vauiYEUUr8P4U=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/cenkalti/backoff/v5 v5.0.2 h1:rIfFVxEf1QsI7E1ZHfp/B4DF/6QBAUhmgkxc0H7Zss8=
+github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
-github.com/cenkalti/backoff/v5 v5.0.2/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
+github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cloudwego/base64x v0.1.5 h1:XPciSp1xaq2VCSt6lF0phncD4koWyULpl5bUxbfCyP4=
+github.com/cloudwego/base64x v0.1.6 h1:t11wG9AECkCDk5fMSoxmufanudBtJ+/HemLstXDLI2M=
-github.com/cloudwego/base64x v0.1.5/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=
+github.com/cloudwego/base64x v0.1.6/go.mod h1:OFcloc187FXDaYHvrNIjxSe8ncn0OOM8gEHfghB2IPU=
-github.com/cloudwego/iasm v0.2.0/go.mod h1:8rXZaNYT2n95jn+zTI1sDr+IgcD2GVs0nlbbQPiEFhY=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvwDRwnI3hwNaAHRnc=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=
-github.com/dhui/dktest v0.4.4 h1:+I4s6JRE1yGuqflzwqG+aIaMdgXIorCf5P98JnaAWa8=
+github.com/dhui/dktest v0.4.5 h1:uUfYBIVREmj/Rw6MvgmqNAYzTiKOHJak+enB5Di73MM=
-github.com/dhui/dktest v0.4.4/go.mod h1:4+22R4lgsdAXrDyaH4Nqx2JEz2hLp49MqQmm9HLCQhM=
+github.com/dhui/dktest v0.4.5/go.mod h1:tmcyeHDKagvlDrz7gDKq4UAJOLIfVZYkfD5OnHDwcCo=
 github.com/disintegration/gift v1.1.2 h1:9ZyHJr+kPamiH10FX3Pynt1AxFUob812bU9Wt4GMzhs=
 github.com/disintegration/gift v1.1.2/go.mod h1:Jh2i7f7Q2BM7Ezno3PhfezbR1xpUg9dUg3/RlKGr4HI=
 github.com/disintegration/imageorient v0.0.0-20180920195336-8147d86e83ec h1:YrB6aVr9touOt75I9O1SiancmR2GMg45U9UYf0gtgWg=
@@ -53,27 +52,27 @@ github.com/emersion/go-smtp v0.21.3 h1:7uVwagE8iPYE48WhNsng3RRpCUpFvNl39JGNSIyGV
 github.com/emersion/go-smtp v0.21.3/go.mod h1:qm27SGYgoIPRot6ubfQ/GpiPy/g3PaZAVRxiO/sDUgQ=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
+github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
-github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
+github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
-github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM=
+github.com/gabriel-vasile/mimetype v1.4.9 h1:5k+WDwEsD9eTLL8Tz3L0VnmVh9QxGjRmjBvAG7U/oYY=
-github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8=
+github.com/gabriel-vasile/mimetype v1.4.9/go.mod h1:WnSQhFKJuBlRyLiKohA/2DtIlPFAbguNaG7QCHcyGok=
-github.com/gin-contrib/sse v1.0.0 h1:y3bT1mUWUxDpW4JLQg/HnTqV4rozuW4tC9eFKTxYI9E=
+github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
-github.com/gin-contrib/sse v1.0.0/go.mod h1:zNuFdwarAygJBht0NTKiSi3jRf6RbqeILZ9Sp6Slhe0=
+github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
-github.com/gin-gonic/gin v1.10.0 h1:nTuyha1TYqgedzytsKYqna+DfLos46nTv2ygFy86HFU=
+github.com/gin-gonic/gin v1.10.1 h1:T0ujvqyCSqRopADpgPgiTT63DUQVSfojyME59Ei63pQ=
-github.com/gin-gonic/gin v1.10.0/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y=
+github.com/gin-gonic/gin v1.10.1/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y=
-github.com/glebarez/go-sqlite v1.21.2 h1:3a6LFC4sKahUunAmynQKLZceZCOzUthkRkEAl9gAXWo=
+github.com/glebarez/go-sqlite v1.22.0 h1:uAcMJhaA6r3LHMTFgP0SifzgXg46yJkgxqyuyec+ruQ=
-github.com/glebarez/go-sqlite v1.21.2/go.mod h1:sfxdZyhQjTM2Wry3gVYWaW072Ri1WMdWJi0k6+3382k=
+github.com/glebarez/go-sqlite v1.22.0/go.mod h1:PlBIdHe0+aUEFn+r2/uthrWq4FxbzugL0L8Li6yQJbc=
 github.com/glebarez/sqlite v1.11.0 h1:wSG0irqzP6VurnMEpFGer5Li19RpIRi2qvQz++w0GMw=
 github.com/glebarez/sqlite v1.11.0/go.mod h1:h8/o8j5wiAsqSPoWELDUdJXhjAhsVliSn7bWZjOhrgQ=
 github.com/go-asn1-ber/asn1-ber v1.5.7 h1:DTX+lbVTWaTw1hQ+PbZPlnDZPEIs0SS/GCZAl535dDk=
 github.com/go-asn1-ber/asn1-ber v1.5.7/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
-github.com/go-co-op/gocron/v2 v2.15.0 h1:Kpvo71VSihE+RImmpA+3ta5CcMhoRzMGw4dJawrj4zo=
+github.com/go-co-op/gocron/v2 v2.16.3 h1:kYqukZqBa8RC2+AFAHnunmKcs9GRTjwBo8WRF3I6cbI=
-github.com/go-co-op/gocron/v2 v2.15.0/go.mod h1:ZF70ZwEqz0OO4RBXE1sNxnANy/zvwLcattWEFsqpKig=
+github.com/go-co-op/gocron/v2 v2.16.3/go.mod h1:aTf7/+5Jo2E+cyAqq625UQ6DzpkV96b22VHIUAt6l3c=
 github.com/go-ldap/ldap/v3 v3.4.10 h1:ot/iwPOhfpNVgB1o+AVXljizWZ9JTp7YF5oeyONmcJU=
 github.com/go-ldap/ldap/v3 v3.4.10/go.mod h1:JXh4Uxgi40P6E9rdsYqpUtbW46D9UTjJ9QSwGRznplY=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
@@ -82,27 +81,27 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.25.0 h1:5Dh7cjvzR7BRZadnsVOzPhWsrwUr0nmsZJxEAnFLNO8=
+github.com/go-playground/validator/v10 v10.27.0 h1:w8+XrWVMhGkxOaaowyKH35gFydVHOvC0/uWoy2Fzwn4=
-github.com/go-playground/validator/v10 v10.25.0/go.mod h1:GGzBIJMuE98Ic/kJsBXbz1x/7cByt++cQ+YOuDM5wus=
+github.com/go-playground/validator/v10 v10.27.0/go.mod h1:I5QpIEbmr8On7W0TktmJAumgzX4CA1XNl4ZmDuVHKKo=
 github.com/go-webauthn/webauthn v0.11.2 h1:Fgx0/wlmkClTKlnOsdOQ+K5HcHDsDcYIvtYmfhEOSUc=
 github.com/go-webauthn/webauthn v0.11.2/go.mod h1:aOtudaF94pM71g3jRwTYYwQTG1KyTILTcZqN1srkmD0=
-github.com/go-webauthn/x v0.1.16 h1:EaVXZntpyHviN9ykjdRBQIw9B0Ed3LO5FW7mDiMQEa8=
+github.com/go-webauthn/x v0.1.23 h1:9lEO0s+g8iTyz5Vszlg/rXTGrx3CjcD0RZQ1GPZCaxI=
-github.com/go-webauthn/x v0.1.16/go.mod h1:jhYjfwe/AVYaUs2mUXArj7vvZj+SpooQPyyQGNab+Us=
+github.com/go-webauthn/x v0.1.23/go.mod h1:AJd3hI7NfEp/4fI6T4CHD753u91l510lglU7/NMN6+E=
 github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
 github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
+github.com/golang-jwt/jwt/v5 v5.2.3 h1:kkGXqQOBSDDWRhWNXTFpqGSCMyh/PLnqUvMGJPDJDs0=
-github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt/v5 v5.2.3/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
-github.com/golang-migrate/migrate/v4 v4.18.2 h1:2VSCMz7x7mjyTXx3m2zPokOY82LTRgxK1yQYKo6wWQ8=
+github.com/golang-migrate/migrate/v4 v4.18.3 h1:EYGkoOsvgHHfm5U/naS1RP/6PL/Xv3S4B/swMiAmDLs=
-github.com/golang-migrate/migrate/v4 v4.18.2/go.mod h1:2CM6tJvn2kqPXwnXO/d3rAQYiyoIm180VsO8PRX6Rpk=
+github.com/golang-migrate/migrate/v4 v4.18.3/go.mod h1:99BKpIi6ruaaXRM1A77eqZ+FWPQ3cfRa+ZVy5bmWMaY=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/go-tpm v0.9.3 h1:+yx0/anQuGzi+ssRqeD6WpXjW2L/V0dItUayO0i9sRc=
+github.com/google/go-tpm v0.9.5 h1:ocUmnDebX54dnW+MQWGQRbdaAcJELsa6PqZhJ48KwVU=
-github.com/google/go-tpm v0.9.3/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
+github.com/google/go-tpm v0.9.5/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
@@ -120,12 +119,14 @@ github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9
 github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.7.2 h1:mLoDLV6sonKlvjIEsV56SkWNCnuNv531l94GaIzO+XI=
+github.com/jackc/pgx/v5 v5.7.5 h1:JHGfMnQY+IEtGM63d+NGMjoRpysB2JBwDr5fsngwmJs=
-github.com/jackc/pgx/v5 v5.7.2/go.mod h1:ncY89UGWxg82EykZUwSpUKEfccBGGYq1xjrOpsbsfGQ=
+github.com/jackc/pgx/v5 v5.7.5/go.mod h1:aruU7o91Tc2q2cFp5h4uP3f6ztExVpyVv88Xl/8Vl8M=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
@@ -140,6 +141,8 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8=
 github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
@@ -152,10 +155,8 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
-github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
+github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
-github.com/klauspost/cpuid/v2 v2.2.10 h1:tBs3QSyvjDyFTq3uoc/9xFpCuOsJQFNPiAhYdw2skhE=
+github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/klauspost/cpuid/v2 v2.2.10/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/knz/go-libedit v1.10.1/go.mod h1:MZTVkCWyz0oBc7JOWP3wNAzd002ZbM/5hgShxwh4x8M=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -164,18 +165,22 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
-github.com/lestrrat-go/blackmagic v1.0.3 h1:94HXkVLxkZO9vJI/w2u1T0DAoprShFd13xtnSINtDWs=
+github.com/lestrrat-go/blackmagic v1.0.4 h1:IwQibdnf8l2KoO+qC3uT4OaTWsW7tuRQXy9TRN9QanA=
-github.com/lestrrat-go/blackmagic v1.0.3/go.mod h1:6AWFyKNNj0zEXQYfTMPfZrAXUWUfTIZ5ECEUEJaijtw=
+github.com/lestrrat-go/blackmagic v1.0.4/go.mod h1:6AWFyKNNj0zEXQYfTMPfZrAXUWUfTIZ5ECEUEJaijtw=
 github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
 github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
-github.com/lestrrat-go/httprc/v3 v3.0.0-beta2 h1:SDxjGoH7qj0nBXVrcrxX8eD94wEnjR+EEuqqmeqQYlY=
+github.com/lestrrat-go/httprc/v3 v3.0.0 h1:nZUx/zFg5uc2rhlu1L1DidGr5Sj02JbXvGSpnY4LMrc=
-github.com/lestrrat-go/httprc/v3 v3.0.0-beta2/go.mod h1:Nwo81sMxE0DcvTB+rJyynNhv/DUu2yZErV7sscw9pHE=
+github.com/lestrrat-go/httprc/v3 v3.0.0/go.mod h1:k2U1QIiyVqAKtkffbg+cUmsyiPGQsb9aAfNQiNFuQ9Q=
-github.com/lestrrat-go/jwx/v3 v3.0.1 h1:fH3T748FCMbXoF9UXXNS9i0q6PpYyJZK/rKSbkt2guY=
+github.com/lestrrat-go/jwx/v3 v3.0.10 h1:XuoCBhZBncRIjMQ32HdEc76rH0xK/Qv2wq5TBouYJDw=
-github.com/lestrrat-go/jwx/v3 v3.0.1/go.mod h1:XP2WqxMOSzHSyf3pfibCcfsLqbomxakAnNqiuaH8nwo=
+github.com/lestrrat-go/jwx/v3 v3.0.10/go.mod h1:kNMedLgTpHvPJkK5EMVa1JFz+UVyY2dMmZKu3qjl/Pk=
 github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
 github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/lestrrat-go/option/v2 v2.0.0 h1:XxrcaJESE1fokHy3FpaQ/cXW8ZsIdWcdFzzLOcID3Ss=
 github.com/lestrrat-go/option/v2 v2.0.0/go.mod h1:oSySsmzMoR0iRzCDCaUfsCzxQHUEuhOViQObyy7S6Vg=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lmittmann/tint v1.1.2 h1:2CQzrL6rslrsyjqLDwD11bZ5OpLBPU+g3G/r5LSfS8w=
 github.com/lmittmann/tint v1.1.2/go.mod h1:HIS3gSy7qNwGCj+5oRjAutErFBl4BzdQP6cJZ0NfMwE=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM=
@@ -203,10 +208,12 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
-github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.2 h1:jG+FaCBv3h6GD5F+oenTfe3+0NmX8sCKjni5k3A5Dek=
+github.com/orandin/slog-gorm v1.4.0 h1:FgA8hJufF9/jeNSYoEXmHPPBwET2gwlF3B85JdpsTUU=
-github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.2/go.mod h1:rHaQJ5SjfCdL4sqCKa3FhklRcaXga2/qyvmQuA+ZJ6M=
+github.com/orandin/slog-gorm v1.4.0/go.mod h1:MoZ51+b7xE9lwGNPYEhxcUtRNrYzjdcKvA8QXQQGEPA=
-github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
+github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.8 h1:aM1/rO6p+XV+l+seD7UCtFZgsOefDTrFVLvPoZWjXZs=
-github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
+github.com/oschwald/maxminddb-golang/v2 v2.0.0-beta.8/go.mod h1:Jts8ztuE0PkUwY7VCJyp6B68ujQfr6G9P5Dn3Yx9u6w=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -225,12 +232,18 @@ github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/samber/slog-gin v1.15.1 h1:jsnfr+S5HQPlz9pFPA3tOmKW7wN/znyZiE6hncucrTM=
 github.com/samber/slog-gin v1.15.1/go.mod h1:mPAEinK/g2jPLauuWO11m3Q0Ca7aG4k9XjXjXY8IhMQ=
 github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=
 github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
 github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
 github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
 github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
 github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
@@ -238,18 +251,21 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
-github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65EE=
+github.com/ugorji/go/codec v1.3.0 h1:Qd2W2sQawAfG8XSvzwhBeoGq71zXOC/Q1E9y/wUcsUA=
-github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
+github.com/ugorji/go/codec v1.3.0/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
 github.com/valyala/fastjson v1.6.4 h1:uAUNq9Z6ymTgGhcm0UynUAB6tlbakBrz6CQFax3BXVQ=
 github.com/valyala/fastjson v1.6.4/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/bridges/otelslog v0.12.0 h1:lFM7SZo8Ce01RzRfnUFQZEYeWRf/MtOA3A5MobOqk2g=
 go.opentelemetry.io/contrib/bridges/otelslog v0.12.0/go.mod h1:Dw05mhFtrKAYu72Tkb3YBYeQpRUJ4quDgo2DQw3No5A=
 go.opentelemetry.io/contrib/bridges/prometheus v0.59.0 h1:HY2hJ7yn3KuEBBBsKxvF3ViSmzLwsgeNvD+0utRMgzc=
 go.opentelemetry.io/contrib/bridges/prometheus v0.59.0/go.mod h1:H4H7vs8766kwFnOZVEGMJFVF+phpBSmTckvvNRdJeDI=
 go.opentelemetry.io/contrib/exporters/autoexport v0.59.0 h1:dKhAFwh7SSoOw+gwMtSv+XLkUGTFAwAGMT3X3XSE4FA=
@@ -258,8 +274,8 @@ go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.
 go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.60.0/go.mod h1:ZvRTVaYYGypytG0zRp2A60lpj//cMq3ZnxYdZaljVBM=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0/go.mod h1:L7UH0GbB0p47T4Rri3uHjbpCFYrVrwc1I25QhNPiGK8=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
+go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
 go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.10.0 h1:5dTKu4I5Dn4P2hxyW3l3jTaZx9ACgg0ECos1eAVrheY=
 go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.10.0/go.mod h1:P5HcUI8obLrCCmM3sbVBohZFH34iszk/+CPWuakZWL8=
 go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.10.0 h1:q/heq5Zh8xV1+7GoMGJpTxM2Lhq5+bFxB29tshuRuw0=
@@ -282,26 +298,26 @@ go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.35.0 h1:PB3Zrjs1sG1GBX
 go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.35.0/go.mod h1:U2R3XyVPzn0WX7wOIypPuptulsMcPDPs/oiSVOMVnHY=
 go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.35.0 h1:T0Ec2E+3YZf5bgTNQVet8iTDW7oIk03tXHq+wkwIDnE=
 go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.35.0/go.mod h1:30v2gqH+vYGJsesLWFov8u47EpYTcIQcBjKpI6pJThg=
-go.opentelemetry.io/otel/log v0.10.0 h1:1CXmspaRITvFcjA4kyVszuG4HjA61fPDxMb7q3BuyF0=
+go.opentelemetry.io/otel/log v0.13.0 h1:yoxRoIZcohB6Xf0lNv9QIyCzQvrtGZklVbdCoyb7dls=
-go.opentelemetry.io/otel/log v0.10.0/go.mod h1:PbVdm9bXKku/gL0oFfUF4wwsQsOPlpo4VEqjvxih+FM=
+go.opentelemetry.io/otel/log v0.13.0/go.mod h1:INKfG4k1O9CL25BaM1qLe0zIedOpvlS5Z7XgSbmN83E=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
+go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
+go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
 go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
 go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
 go.opentelemetry.io/otel/sdk/log v0.10.0 h1:lR4teQGWfeDVGoute6l0Ou+RpFqQ9vaPdrNJlST0bvw=
 go.opentelemetry.io/otel/sdk/log v0.10.0/go.mod h1:A+V1UTWREhWAittaQEG4bYm4gAZa6xnvVu+xKrIRkzo=
 go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o=
 go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
+go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
 go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-golang.org/x/arch v0.14.0 h1:z9JUEZWr8x4rR0OU6c4/4t6E6jOZ8/QBS2bBYBm4tx4=
+golang.org/x/arch v0.20.0 h1:dx1zTU0MAE98U+TQ8BLl7XsJbgze2WnNKF/8tGp/Q6c=
-golang.org/x/arch v0.14.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
+golang.org/x/arch v0.20.0/go.mod h1:bdwinDaKcfZUGpH09BB7ZmOfhalA8lQdzl62l8gGWsk=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
@@ -309,20 +325,20 @@ golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliY
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
+golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
-golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
+golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
-golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6 h1:y5zboxd6LQAqYIhHnB48p0ByQ/GnQx2BE33L8BOHQkI=
+golang.org/x/exp v0.0.0-20250813145105-42675adae3e6 h1:SbTAbRFnd5kjQXbczszQ0hdk3ctwYf3qBNH9jIsGclE=
-golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6/go.mod h1:U6Lno4MTRCDY+Ba7aCcauB9T60gsv5s4ralQzP72ZoQ=
+golang.org/x/exp v0.0.0-20250813145105-42675adae3e6/go.mod h1:4QTo5u+SEIbbKW1RacMZq1YEfOBqeXa19JeshGi+zc4=
 golang.org/x/image v0.0.0-20191009234506-e7c1f5e7dbb8/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.24.0 h1:AN7zRgVsbvmTfNyqIbbOraYL8mSwcKncEj8ofjgzcMQ=
+golang.org/x/image v0.30.0 h1:jD5RhkmVAnjqaCUXfbGBrn3lpxbknfN9w2UhHHU+5B4=
-golang.org/x/image v0.24.0/go.mod h1:4b/ITuLfqYq1hqZcjofwctIhi7sZh2WaCjvsBNjjya8=
+golang.org/x/image v0.30.0/go.mod h1:SAEUTxCCMWSrJcCy/4HwavEsfZZJlYxeHLc6tTiAe/c=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
-golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
@@ -334,8 +350,8 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -343,8 +359,8 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
-golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -357,8 +373,8 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -377,18 +393,18 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
+golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
-golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
+golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
-golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
+golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
-golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
+golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
+golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a h1:nwKuGPlUAt+aR+pcrkfFRrTU1BVrSmYyYMxYbUIVHr0=
 google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a/go.mod h1:3kWAYMk1I75K4vykHtKt2ycnOgpA6974V7bREqbsenU=
@@ -396,8 +412,8 @@ google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a h1:
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a/go.mod h1:uRxBH1mhmO8PGhU89cMcHaXKZqO+OfakD8QQO0oYwlQ=
 google.golang.org/grpc v1.71.0 h1:kF77BGdPTQ4/JZWMlb9VpJ5pa25aqvVqogsxNHHdeBg=
 google.golang.org/grpc v1.71.0/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
+google.golang.org/protobuf v1.36.7 h1:IgrO7UwFQGJdRNXH/sQux4R1Dj1WAKcLElzeeRaXV2A=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.7/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
@@ -405,32 +421,33 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gorm.io/driver/postgres v1.5.11 h1:ubBVAfbKEUld/twyKZ0IYn9rSQh448EdelLYk9Mv314=
+gorm.io/driver/postgres v1.6.0 h1:2dxzU8xJ+ivvqTRph34QX+WrRaJlmfyPqXmoGVjMBa4=
-gorm.io/driver/postgres v1.5.11/go.mod h1:DX3GReXH+3FPWGrrgffdvCk3DQ1dwDPdmbenSkweRGI=
+gorm.io/driver/postgres v1.6.0/go.mod h1:vUw0mrGgrTK+uPHEhAdV4sfFELrByKVGnaVRkXDhtWo=
-gorm.io/gorm v1.25.12 h1:I0u8i2hWQItBq1WfE0o2+WuL9+8L21K9e2HHSTE/0f8=
+gorm.io/gorm v1.30.1 h1:lSHg33jJTBxs2mgJRfRZeLDG+WZaHYCk3Wtfl6Ngzo4=
-gorm.io/gorm v1.25.12/go.mod h1:xh7N7RHfYlNc5EmcI/El95gXusucDrQnHXe0+CgWcLQ=
+gorm.io/gorm v1.30.1/go.mod h1:8Z33v652h4//uMA76KjeDH8mJXPm1QNCYrMeatR0DOE=
-modernc.org/cc/v4 v4.26.1 h1:+X5NtzVBn0KgsBCBe+xkDC7twLb/jNVj9FPgiwSQO3s=
+modernc.org/cc/v4 v4.26.3 h1:yEN8dzrkRFnn4PUUKXLYIqVf2PJYAEjMTFjO3BDGc3I=
-modernc.org/cc/v4 v4.26.1/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
+modernc.org/cc/v4 v4.26.3/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
 modernc.org/ccgo/v4 v4.28.0 h1:rjznn6WWehKq7dG4JtLRKxb52Ecv8OUGah8+Z/SfpNU=
 modernc.org/ccgo/v4 v4.28.0/go.mod h1:JygV3+9AV6SmPhDasu4JgquwU81XAKLd3OKTUDNOiKE=
-modernc.org/fileutil v1.3.1 h1:8vq5fe7jdtEvoCf3Zf9Nm0Q05sH6kGx0Op2CPx1wTC8=
+modernc.org/fileutil v1.3.15 h1:rJAXTP6ilMW/1+kzDiqmBlHLWszheUFXIyGQIAvjJpY=
-modernc.org/fileutil v1.3.1/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc=
+modernc.org/fileutil v1.3.15/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc=
 modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
 modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=
-modernc.org/libc v1.65.6 h1:OhJUhmuJ6MVZdqL5qmnd0/my46DKGFhSX4WOR7ijfyE=
+modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
-modernc.org/libc v1.65.6/go.mod h1:MOiGAM9lrMBT9L8xT1nO41qYl5eg9gCp9/kWhz5L7WA=
+modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
 modernc.org/libc v1.66.7 h1:rjhZ8OSCybKWxS1CJr0hikpEi6Vg+944Ouyrd+bQsoY=
 modernc.org/libc v1.66.7/go.mod h1:ln6tbWX0NH+mzApEoDRvilBvAWFt1HX7AUA4VDdVDPM=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
-modernc.org/memory v1.10.0 h1:fzumd51yQ1DxcOxSO+S6X7+QTuVU+n8/Aj7swYjFfC4=
+modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
-modernc.org/memory v1.10.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw=
+modernc.org/memory v1.11.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw=
 modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
 modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.37.0 h1:s1TMe7T3Q3ovQiK2Ouz4Jwh7dw4ZDqbebSDTlSJdfjI=
+modernc.org/sqlite v1.38.2 h1:Aclu7+tgjgcQVShZqim41Bbw9Cho0y/7WzYptXqkEek=
-modernc.org/sqlite v1.37.0/go.mod h1:5YiWv+YviqGMuGw4V+PNplcyaJ5v+vQd7TQOgkACoJM=
+modernc.org/sqlite v1.38.2/go.mod h1:cPTJYSlgg3Sfg046yBShXENNtPrWrDX8bsbAQBzgQ5E=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
 modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
 nullprogram.com/x/optparse v1.0.0/go.mod h1:KdyPE+Igbe0jQUrVfMqDMeJQIJZEuyV7pjYmp6pbG50=
--- a/backend/internal/bootstrap/application_images_bootstrap.go
+++ b/backend/internal/bootstrap/application_images_bootstrap.go
@@ -1,7 +1,7 @@
 package bootstrap
 import (
-	"log"
+	"fmt"
 	"os"
 	"path"
 	"strings"
@@ -12,17 +12,17 @@ import (
 )
 // initApplicationImages copies the images from the images directory to the application-images directory
-func initApplicationImages() {
+func initApplicationImages() error {
 	dirPath := common.EnvConfig.UploadPath + "/application-images"
 	sourceFiles, err := resources.FS.ReadDir("images")
 	if err != nil && !os.IsNotExist(err) {
-		log.Fatalf("Error reading directory: %v", err)
+		return fmt.Errorf("failed to read directory: %w", err)
 	}
 	destinationFiles, err := os.ReadDir(dirPath)
 	if err != nil && !os.IsNotExist(err) {
-		log.Fatalf("Error reading directory: %v", err)
+		return fmt.Errorf("failed to read directory: %w", err)
 	}
 	// Copy images from the images directory to the application-images directory if they don't already exist
@@ -35,9 +35,11 @@ func initApplicationImages() {
 		err := utils.CopyEmbeddedFileToDisk(srcFilePath, destFilePath)
 		if err != nil {
-			log.Fatalf("Error copying file: %v", err)
+			return fmt.Errorf("failed to copy file: %w", err)
 		}
 	}
 	return nil
 }
 func imageAlreadyExists(fileName string, destinationFiles []os.DirEntry) bool {
--- a/backend/internal/bootstrap/bootstrap.go
+++ b/backend/internal/bootstrap/bootstrap.go
@@ -3,7 +3,7 @@ package bootstrap
 import (
 	"context"
 	"fmt"
-	"log"
+	"log/slog"
 	"time"
 	_ "github.com/golang-migrate/migrate/v4/source/file"
@@ -11,23 +11,26 @@ import (
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/job"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"github.com/pocket-id/pocket-id/backend/internal/utils/signals"
 )
-func Bootstrap() error {
+func Bootstrap(ctx context.Context) error {
-	// Get a context that is canceled when the application is stopping
+	// Initialize the observability stack, including the logger, distributed tracing, and metrics
-	ctx := signals.SignalContext(context.Background())
+	shutdownFns, httpClient, err := initObservability(ctx, common.EnvConfig.MetricsEnabled, common.EnvConfig.TracingEnabled)
 	initApplicationImages()
 	// Initialize the tracer and metrics exporter
 	shutdownFns, httpClient, err := initOtel(ctx, common.EnvConfig.MetricsEnabled, common.EnvConfig.TracingEnabled)
 	if err != nil {
 		return fmt.Errorf("failed to initialize OpenTelemetry: %w", err)
 	}
 	slog.InfoContext(ctx, "Pocket ID is starting")
 	err = initApplicationImages()
 	if err != nil {
 		return fmt.Errorf("failed to initialize application images: %w", err)
 	}
 	// Connect to the database
-	db := NewDatabase()
+	db, err := NewDatabase()
 	if err != nil {
 		return fmt.Errorf("failed to initialize database: %w", err)
 	}
 	// Create all services
 	svc, err := initServices(ctx, db, httpClient)
@@ -59,13 +62,14 @@ func Bootstrap() error {
 	// Invoke all shutdown functions
 	// We give these a timeout of 5s
 	// Note: we use a background context because the run context has been canceled already
 	shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer shutdownCancel()
 	err = utils.
 		NewServiceRunner(shutdownFns...).
-		Run(shutdownCtx)
+		Run(shutdownCtx) //nolint:contextcheck
 	if err != nil {
-		log.Printf("Error shutting down services: %v", err)
+		slog.Error("Error shutting down services", slog.Any("error", err))
 	}
 	return nil
--- a/backend/internal/bootstrap/db_bootstrap.go
+++ b/backend/internal/bootstrap/db_bootstrap.go
@@ -3,9 +3,8 @@ package bootstrap
 import (
 	"errors"
 	"fmt"
-	"log"
+	"log/slog"
 	"net/url"
 	"os"
 	"strings"
 	"time"
@@ -15,22 +14,24 @@ import (
 	postgresMigrate "github.com/golang-migrate/migrate/v4/database/postgres"
 	sqliteMigrate "github.com/golang-migrate/migrate/v4/database/sqlite3"
 	"github.com/golang-migrate/migrate/v4/source/iofs"
 	slogGorm "github.com/orandin/slog-gorm"
 	"gorm.io/driver/postgres"
 	"gorm.io/gorm"
-	"gorm.io/gorm/logger"
+	gormLogger "gorm.io/gorm/logger"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	sqliteutil "github.com/pocket-id/pocket-id/backend/internal/utils/sqlite"
 	"github.com/pocket-id/pocket-id/backend/resources"
 )
-func NewDatabase() (db *gorm.DB) {
+func NewDatabase() (db *gorm.DB, err error) {
-	db, err := connectDatabase()
+	db, err = connectDatabase()
 	if err != nil {
-		log.Fatalf("failed to connect to database: %v", err)
+		return nil, fmt.Errorf("failed to connect to database: %w", err)
 	}
 	sqlDb, err := db.DB()
 	if err != nil {
-		log.Fatalf("failed to get sql.DB: %v", err)
+		return nil, fmt.Errorf("failed to get sql.DB: %w", err)
 	}
 	// Choose the correct driver for the database provider
@@ -42,18 +43,18 @@ func NewDatabase() (db *gorm.DB) {
 		driver, err = postgresMigrate.WithInstance(sqlDb, &postgresMigrate.Config{})
 	default:
 		// Should never happen at this point
-		log.Fatalf("unsupported database provider: %s", common.EnvConfig.DbProvider)
+		return nil, fmt.Errorf("unsupported database provider: %s", common.EnvConfig.DbProvider)
 	}
 	if err != nil {
-		log.Fatalf("failed to create migration driver: %v", err)
+		return nil, fmt.Errorf("failed to create migration driver: %w", err)
 	}
 	// Run migrations
 	if err := migrateDatabase(driver); err != nil {
-		log.Fatalf("failed to run migrations: %v", err)
+		return nil, fmt.Errorf("failed to run migrations: %w", err)
 	}
-	return db
+	return db, nil
 }
 func migrateDatabase(driver database.Driver) error {
@@ -85,9 +86,7 @@ func connectDatabase() (db *gorm.DB, err error) {
 		if common.EnvConfig.DbConnectionString == "" {
 			return nil, errors.New("missing required env var 'DB_CONNECTION_STRING' for SQLite database")
 		}
-		if !strings.HasPrefix(common.EnvConfig.DbConnectionString, "file:") {
+		sqliteutil.RegisterSqliteFunctions()
 			return nil, errors.New("invalid value for env var 'DB_CONNECTION_STRING': does not begin with 'file:'")
 		}
 		connString, err := parseSqliteConnectionString(common.EnvConfig.DbConnectionString)
 		if err != nil {
 			return nil, err
@@ -105,38 +104,59 @@ func connectDatabase() (db *gorm.DB, err error) {
 	for i := 1; i <= 3; i++ {
 		db, err = gorm.Open(dialector, &gorm.Config{
 			TranslateError: true,
-			Logger:         getLogger(),
+			Logger:         getGormLogger(),
 		})
 		if err == nil {
 			slog.Info("Connected to database", slog.String("provider", string(common.EnvConfig.DbProvider)))
 			return db, nil
 		}
-		log.Printf("Attempt %d: Failed to initialize database. Retrying...", i)
+		slog.Warn("Failed to connect to database, will retry in 3s", slog.Int("attempt", i), slog.String("provider", string(common.EnvConfig.DbProvider)), slog.Any("error", err))
 		time.Sleep(3 * time.Second)
 	}
 	slog.Error("Failed to connect to database after 3 attempts", slog.String("provider", string(common.EnvConfig.DbProvider)), slog.Any("error", err))
 	return nil, err
 }
 func parseSqliteConnectionString(connString string) (string, error) {
 	if !strings.HasPrefix(connString, "file:") {
 		connString = "file:" + connString
 	}
 	// Check if we're using an in-memory database
 	isMemoryDB := isSqliteInMemory(connString)
 	// Parse the connection string
 	connStringUrl, err := url.Parse(connString)
 	if err != nil {
 		return "", fmt.Errorf("failed to parse SQLite connection string: %w", err)
 	}
 	// Convert options for the old SQLite driver to the new one
 	convertSqlitePragmaArgs(connStringUrl)
 	// Add the default and required params
 	err = addSqliteDefaultParameters(connStringUrl, isMemoryDB)
 	if err != nil {
 		return "", fmt.Errorf("invalid SQLite connection string: %w", err)
 	}
 	return connStringUrl.String(), nil
 }
 // The official C implementation of SQLite allows some additional properties in the connection string
 // that are not supported in the in the modernc.org/sqlite driver, and which must be passed as PRAGMA args instead.
 // To ensure that people can use similar args as in the C driver, which was also used by Pocket ID
 // previously (via github.com/mattn/go-sqlite3), we are converting some options.
-func parseSqliteConnectionString(connString string) (string, error) {
+// Note this function updates connStringUrl.
-	if !strings.HasPrefix(connString, "file:") {
+func convertSqlitePragmaArgs(connStringUrl *url.URL) {
 		connString = "file:" + connString
 	}
 	connStringUrl, err := url.Parse(connString)
 	if err != nil {
 		return "", fmt.Errorf("failed to parse SQLite connection string: %w", err)
 	}
 	// Reference: https://github.com/mattn/go-sqlite3?tab=readme-ov-file#connection-string
 	// This only includes a subset of options, excluding those that are not relevant to us
 	qs := make(url.Values, len(connStringUrl.Query()))
 	for k, v := range connStringUrl.Query() {
-		switch k {
+		switch strings.ToLower(k) {
 		case "_auto_vacuum", "_vacuum":
 			qs.Add("_pragma", "auto_vacuum("+v[0]+")")
 		case "_busy_timeout", "_timeout":
@@ -157,29 +177,144 @@ func parseSqliteConnectionString(connString string) (string, error) {
 		}
 	}
 	// Update the connStringUrl object
 	connStringUrl.RawQuery = qs.Encode()
 	return connStringUrl.String(), nil
 }
-func getLogger() logger.Interface {
+// Adds the default (and some required) parameters to the SQLite connection string.
-	isProduction := common.EnvConfig.AppEnv == "production"
+// Note this function updates connStringUrl.
 func addSqliteDefaultParameters(connStringUrl *url.URL, isMemoryDB bool) error {
 	// This function include code adapted from https://github.com/dapr/components-contrib/blob/v1.14.6/
 	// Copyright (C) 2023 The Dapr Authors
 	// License: Apache2
 	const defaultBusyTimeout = 2500 * time.Millisecond
-	var logLevel logger.LogLevel
+	// Get the "query string" from the connection string if present
-	if isProduction {
+	qs := connStringUrl.Query()
-		logLevel = logger.Error
+	if len(qs) == 0 {
-	} else {
+		qs = make(url.Values, 2)
 		logLevel = logger.Info
 	}
-	return logger.New(
+	// If the database is in-memory, we must ensure that cache=shared is set
-		log.New(os.Stdout, "\r\n", log.LstdFlags),
+	if isMemoryDB {
-		logger.Config{
+		qs["cache"] = []string{"shared"}
-			SlowThreshold:             200 * time.Millisecond,
+	}
-			LogLevel:                  logLevel,
+
-			IgnoreRecordNotFoundError: isProduction,
+	// Check if the database is read-only or immutable
-			ParameterizedQueries:      isProduction,
+	isReadOnly := false
-			Colorful:                  !isProduction,
+	if len(qs["mode"]) > 0 {
-		},
+		// Keep the first value only
-	)
+		qs["mode"] = []string{
 			strings.ToLower(qs["mode"][0]),
 		}
 		if qs["mode"][0] == "ro" {
 			isReadOnly = true
 		}
 	}
 	if len(qs["immutable"]) > 0 {
 		// Keep the first value only
 		qs["immutable"] = []string{
 			strings.ToLower(qs["immutable"][0]),
 		}
 		if qs["immutable"][0] == "1" {
 			isReadOnly = true
 		}
 	}
 	// We do not want to override a _txlock if set, but we'll show a warning if it's not "immediate"
 	if len(qs["_txlock"]) > 0 {
 		// Keep the first value only
 		qs["_txlock"] = []string{
 			strings.ToLower(qs["_txlock"][0]),
 		}
 		if qs["_txlock"][0] != "immediate" {
 			slog.Warn("SQLite connection is being created with a _txlock different from the recommended value 'immediate'")
 		}
 	} else {
 		qs["_txlock"] = []string{"immediate"}
 	}
 	// Add pragma values
 	var hasBusyTimeout, hasJournalMode bool
 	if len(qs["_pragma"]) == 0 {
 		qs["_pragma"] = make([]string, 0, 3)
 	} else {
 		for _, p := range qs["_pragma"] {
 			p = strings.ToLower(p)
 			switch {
 			case strings.HasPrefix(p, "busy_timeout"):
 				hasBusyTimeout = true
 			case strings.HasPrefix(p, "journal_mode"):
 				hasJournalMode = true
 			case strings.HasPrefix(p, "foreign_keys"):
 				return errors.New("found forbidden option '_pragma=foreign_keys' in the connection string")
 			}
 		}
 	}
 	if !hasBusyTimeout {
 		qs["_pragma"] = append(qs["_pragma"], fmt.Sprintf("busy_timeout(%d)", defaultBusyTimeout.Milliseconds()))
 	}
 	if !hasJournalMode {
 		switch {
 		case isMemoryDB:
 			// For in-memory databases, set the journal to MEMORY, the only allowed option besides OFF (which would make transactions ineffective)
 			qs["_pragma"] = append(qs["_pragma"], "journal_mode(MEMORY)")
 		case isReadOnly:
 			// Set the journaling mode to "DELETE" (the default) if the database is read-only
 			qs["_pragma"] = append(qs["_pragma"], "journal_mode(DELETE)")
 		default:
 			// Enable WAL
 			qs["_pragma"] = append(qs["_pragma"], "journal_mode(WAL)")
 		}
 	}
 	// Forcefully enable foreign keys
 	qs["_pragma"] = append(qs["_pragma"], "foreign_keys(1)")
 	// Update the connStringUrl object
 	connStringUrl.RawQuery = qs.Encode()
 	return nil
 }
 // isSqliteInMemory returns true if the connection string is for an in-memory database.
 func isSqliteInMemory(connString string) bool {
 	lc := strings.ToLower(connString)
 	// First way to define an in-memory database is to use ":memory:" or "file::memory:" as connection string
 	if strings.HasPrefix(lc, ":memory:") || strings.HasPrefix(lc, "file::memory:") {
 		return true
 	}
 	// Another way is to pass "mode=memory" in the "query string"
 	idx := strings.IndexRune(lc, '?')
 	if idx < 0 {
 		return false
 	}
 	qs, _ := url.ParseQuery(lc[(idx + 1):])
 	return len(qs["mode"]) > 0 && qs["mode"][0] == "memory"
 }
 func getGormLogger() gormLogger.Interface {
 	loggerOpts := make([]slogGorm.Option, 0, 5)
 	loggerOpts = append(loggerOpts,
 		slogGorm.WithSlowThreshold(200*time.Millisecond),
 		slogGorm.WithErrorField("error"),
 	)
 	if common.EnvConfig.AppEnv == "production" {
 		loggerOpts = append(loggerOpts,
 			slogGorm.SetLogLevel(slogGorm.DefaultLogType, slog.LevelWarn),
 			slogGorm.WithIgnoreTrace(),
 		)
 	} else {
 		loggerOpts = append(loggerOpts,
 			slogGorm.SetLogLevel(slogGorm.DefaultLogType, slog.LevelDebug),
 			slogGorm.WithRecordNotFoundError(),
 			slogGorm.WithTraceAll(),
 		)
 	}
 	return slogGorm.New(loggerOpts...)
 }
--- a/backend/internal/bootstrap/db_bootstrap_test.go
+++ b/backend/internal/bootstrap/db_bootstrap_test.go
@@ -8,23 +8,93 @@ import (
 	"github.com/stretchr/testify/require"
 )
-func TestParseSqliteConnectionString(t *testing.T) {
+func TestIsSqliteInMemory(t *testing.T) {
 	tests := []struct {
-		name          string
+		name     string
-		input         string
+		connStr  string
-		expected      string
+		expected bool
-		expectedError bool
+	}{
 		{
 			name:     "memory database with :memory:",
 			connStr:  ":memory:",
 			expected: true,
 		},
 		{
 			name:     "memory database with file::memory:",
 			connStr:  "file::memory:",
 			expected: true,
 		},
 		{
 			name:     "memory database with :MEMORY: (uppercase)",
 			connStr:  ":MEMORY:",
 			expected: true,
 		},
 		{
 			name:     "memory database with FILE::MEMORY: (uppercase)",
 			connStr:  "FILE::MEMORY:",
 			expected: true,
 		},
 		{
 			name:     "memory database with mixed case",
 			connStr:  ":Memory:",
 			expected: true,
 		},
 		{
 			name:     "has mode=memory",
 			connStr:  "file:data?mode=memory",
 			expected: true,
 		},
 		{
 			name:     "file database",
 			connStr:  "data.db",
 			expected: false,
 		},
 		{
 			name:     "file database with path",
 			connStr:  "/path/to/data.db",
 			expected: false,
 		},
 		{
 			name:     "file database with file: prefix",
 			connStr:  "file:data.db",
 			expected: false,
 		},
 		{
 			name:     "empty string",
 			connStr:  "",
 			expected: false,
 		},
 		{
 			name:     "string containing memory but not at start",
 			connStr:  "data:memory:.db",
 			expected: false,
 		},
 		{
 			name:     "has mode=ro",
 			connStr:  "file:data?mode=ro",
 			expected: false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			result := isSqliteInMemory(tt.connStr)
 			assert.Equal(t, tt.expected, result)
 		})
 	}
 }
 func TestConvertSqlitePragmaArgs(t *testing.T) {
 	tests := []struct {
 		name     string
 		input    string
 		expected string
 	}{
 		{
 			name:     "basic file path",
 			input:    "file:test.db",
 			expected: "file:test.db",
 		},
 		{
 			name:     "adds file: prefix if missing",
 			input:    "test.db",
 			expected: "file:test.db",
 		},
 		{
 			name:     "converts _busy_timeout to pragma",
 			input:    "file:test.db?_busy_timeout=5000",
@@ -100,46 +170,161 @@ func TestParseSqliteConnectionString(t *testing.T) {
 			input:    "file:test.db?_fk=1&mode=rw&_timeout=5000",
 			expected: "file:test.db?_pragma=foreign_keys%281%29&_pragma=busy_timeout%285000%29&mode=rw",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			resultURL, _ := url.Parse(tt.input)
 			convertSqlitePragmaArgs(resultURL)
 			// Parse both URLs to compare components independently
 			expectedURL, err := url.Parse(tt.expected)
 			require.NoError(t, err)
 			// Compare scheme and path components
 			compareQueryStrings(t, expectedURL, resultURL)
 		})
 	}
 }
 func TestAddSqliteDefaultParameters(t *testing.T) {
 	tests := []struct {
 		name        string
 		input       string
 		isMemoryDB  bool
 		expected    string
 		expectError bool
 	}{
 		{
-			name:          "invalid URL format",
+			name:       "basic file database",
-			input:         "file:invalid#$%^&*@test.db",
+			input:      "file:test.db",
-			expectedError: true,
+			isMemoryDB: false,
 			expected:   "file:test.db?_pragma=busy_timeout%282500%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28WAL%29&_txlock=immediate",
 		},
 		{
 			name:       "in-memory database",
 			input:      "file::memory:",
 			isMemoryDB: true,
 			expected:   "file::memory:?_pragma=busy_timeout%282500%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28MEMORY%29&_txlock=immediate&cache=shared",
 		},
 		{
 			name:       "read-only database with mode=ro",
 			input:      "file:test.db?mode=ro",
 			isMemoryDB: false,
 			expected:   "file:test.db?_pragma=busy_timeout%282500%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28DELETE%29&_txlock=immediate&mode=ro",
 		},
 		{
 			name:       "immutable database",
 			input:      "file:test.db?immutable=1",
 			isMemoryDB: false,
 			expected:   "file:test.db?_pragma=busy_timeout%282500%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28DELETE%29&_txlock=immediate&immutable=1",
 		},
 		{
 			name:       "database with existing _txlock",
 			input:      "file:test.db?_txlock=deferred",
 			isMemoryDB: false,
 			expected:   "file:test.db?_pragma=busy_timeout%282500%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28WAL%29&_txlock=deferred",
 		},
 		{
 			name:       "database with existing busy_timeout pragma",
 			input:      "file:test.db?_pragma=busy_timeout%285000%29",
 			isMemoryDB: false,
 			expected:   "file:test.db?_pragma=busy_timeout%285000%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28WAL%29&_txlock=immediate",
 		},
 		{
 			name:       "database with existing journal_mode pragma",
 			input:      "file:test.db?_pragma=journal_mode%28DELETE%29",
 			isMemoryDB: false,
 			expected:   "file:test.db?_pragma=busy_timeout%282500%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28DELETE%29&_txlock=immediate",
 		},
 		{
 			name:        "database with forbidden foreign_keys pragma",
 			input:       "file:test.db?_pragma=foreign_keys%280%29",
 			isMemoryDB:  false,
 			expectError: true,
 		},
 		{
 			name:       "database with multiple existing pragmas",
 			input:      "file:test.db?_pragma=busy_timeout%283000%29&_pragma=journal_mode%28TRUNCATE%29&_pragma=synchronous%28NORMAL%29",
 			isMemoryDB: false,
 			expected:   "file:test.db?_pragma=busy_timeout%283000%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28TRUNCATE%29&_pragma=synchronous%28NORMAL%29&_txlock=immediate",
 		},
 		{
 			name:       "in-memory database with cache already set",
 			input:      "file::memory:?cache=private",
 			isMemoryDB: true,
 			expected:   "file::memory:?_pragma=busy_timeout%282500%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28MEMORY%29&_txlock=immediate&cache=shared",
 		},
 		{
 			name:       "database with mode=rw (not read-only)",
 			input:      "file:test.db?mode=rw",
 			isMemoryDB: false,
 			expected:   "file:test.db?_pragma=busy_timeout%282500%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28WAL%29&_txlock=immediate&mode=rw",
 		},
 		{
 			name:       "database with immutable=0 (not immutable)",
 			input:      "file:test.db?immutable=0",
 			isMemoryDB: false,
 			expected:   "file:test.db?_pragma=busy_timeout%282500%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28WAL%29&_txlock=immediate&immutable=0",
 		},
 		{
 			name:       "database with mixed case mode=RO",
 			input:      "file:test.db?mode=RO",
 			isMemoryDB: false,
 			expected:   "file:test.db?_pragma=busy_timeout%282500%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28DELETE%29&_txlock=immediate&mode=ro",
 		},
 		{
 			name:       "database with mixed case immutable=1",
 			input:      "file:test.db?immutable=1",
 			isMemoryDB: false,
 			expected:   "file:test.db?_pragma=busy_timeout%282500%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28DELETE%29&_txlock=immediate&immutable=1",
 		},
 		{
 			name:       "complex database configuration",
 			input:      "file:test.db?cache=shared&mode=rwc&_txlock=immediate&_pragma=synchronous%28FULL%29",
 			isMemoryDB: false,
 			expected:   "file:test.db?_pragma=busy_timeout%282500%29&_pragma=foreign_keys%281%29&_pragma=journal_mode%28WAL%29&_pragma=synchronous%28FULL%29&_txlock=immediate&cache=shared&mode=rwc",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result, err := parseSqliteConnectionString(tt.input)
+			resultURL, err := url.Parse(tt.input)
 			require.NoError(t, err)
-			if tt.expectedError {
+			err = addSqliteDefaultParameters(resultURL, tt.isMemoryDB)
 			if tt.expectError {
 				require.Error(t, err)
 				return
 			}
 			require.NoError(t, err)
 			// Parse both URLs to compare components independently
 			expectedURL, err := url.Parse(tt.expected)
 			require.NoError(t, err)
-			resultURL, err := url.Parse(result)
+			compareQueryStrings(t, expectedURL, resultURL)
 			require.NoError(t, err)
 			// Compare scheme and path components
 			assert.Equal(t, expectedURL.Scheme, resultURL.Scheme)
 			assert.Equal(t, expectedURL.Path, resultURL.Path)
 			// Compare query parameters regardless of order
 			expectedQuery := expectedURL.Query()
 			resultQuery := resultURL.Query()
 			assert.Len(t, expectedQuery, len(resultQuery))
 			for key, expectedValues := range expectedQuery {
 				resultValues, ok := resultQuery[key]
 				_ = assert.True(t, ok) &&
 					assert.ElementsMatch(t, expectedValues, resultValues)
 			}
 		})
 	}
 }
 func compareQueryStrings(t *testing.T, expectedURL *url.URL, resultURL *url.URL) {
 	t.Helper()
 	// Compare scheme and path components
 	assert.Equal(t, expectedURL.Scheme, resultURL.Scheme)
 	assert.Equal(t, expectedURL.Path, resultURL.Path)
 	// Compare query parameters regardless of order
 	expectedQuery := expectedURL.Query()
 	resultQuery := resultURL.Query()
 	assert.Len(t, expectedQuery, len(resultQuery))
 	for key, expectedValues := range expectedQuery {
 		resultValues, ok := resultQuery[key]
 		_ = assert.True(t, ok) &&
 			assert.ElementsMatch(t, expectedValues, resultValues)
 	}
 }
--- a/backend/internal/bootstrap/e2etest_router_bootstrap.go
+++ b/backend/internal/bootstrap/e2etest_router_bootstrap.go
@@ -3,7 +3,8 @@
 package bootstrap
 import (
-	"log"
+	"log/slog"
 	"os"
 	"github.com/gin-gonic/gin"
 	"gorm.io/gorm"
@@ -18,7 +19,8 @@ func init() {
 		func(apiGroup *gin.RouterGroup, db *gorm.DB, svc *services) {
 			testService, err := service.NewTestService(db, svc.appConfigService, svc.jwtService, svc.ldapService)
 			if err != nil {
-				log.Fatalf("failed to initialize test service: %v", err)
+				slog.Error("Failed to initialize test service", slog.Any("error", err))
 				os.Exit(1)
 				return
 			}
--- a/backend/internal/bootstrap/observability_boostrap.go
+++ b/backend/internal/bootstrap/observability_boostrap.go
@@ -0,0 +1,210 @@
 package bootstrap
 import (
 	"context"
 	"fmt"
 	"log/slog"
 	"net/http"
 	"os"
 	"time"
 	"github.com/lmittmann/tint"
 	"github.com/mattn/go-isatty"
 	"go.opentelemetry.io/contrib/bridges/otelslog"
 	"go.opentelemetry.io/contrib/exporters/autoexport"
 	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
 	"go.opentelemetry.io/otel"
 	globallog "go.opentelemetry.io/otel/log/global"
 	metricnoop "go.opentelemetry.io/otel/metric/noop"
 	"go.opentelemetry.io/otel/propagation"
 	sdklog "go.opentelemetry.io/otel/sdk/log"
 	"go.opentelemetry.io/otel/sdk/metric"
 	"go.opentelemetry.io/otel/sdk/resource"
 	sdktrace "go.opentelemetry.io/otel/sdk/trace"
 	semconv "go.opentelemetry.io/otel/semconv/v1.30.0"
 	tracenoop "go.opentelemetry.io/otel/trace/noop"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )
 func defaultResource() (*resource.Resource, error) {
 	return resource.Merge(
 		resource.Default(),
 		resource.NewSchemaless(
 			semconv.ServiceName(common.Name),
 			semconv.ServiceVersion(common.Version),
 		),
 	)
 }
 func initObservability(ctx context.Context, metrics, traces bool) (shutdownFns []utils.Service, httpClient *http.Client, err error) {
 	resource, err := defaultResource()
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to create OpenTelemetry resource: %w", err)
 	}
 	shutdownFns = make([]utils.Service, 0, 2)
 	httpClient = &http.Client{}
 	defaultTransport, ok := http.DefaultTransport.(*http.Transport)
 	if !ok {
 		// Indicates a development-time error
 		panic("Default transport is not of type *http.Transport")
 	}
 	httpClient.Transport = defaultTransport.Clone()
 	// Logging
 	err = initOtelLogging(ctx, resource)
 	if err != nil {
 		return nil, nil, err
 	}
 	// Tracing
 	tracingShutdownFn, err := initOtelTracing(ctx, traces, resource, httpClient)
 	if err != nil {
 		return nil, nil, err
 	} else if tracingShutdownFn != nil {
 		shutdownFns = append(shutdownFns, tracingShutdownFn)
 	}
 	// Metrics
 	metricsShutdownFn, err := initOtelMetrics(ctx, metrics, resource)
 	if err != nil {
 		return nil, nil, err
 	} else if metricsShutdownFn != nil {
 		shutdownFns = append(shutdownFns, metricsShutdownFn)
 	}
 	return shutdownFns, httpClient, nil
 }
 func initOtelLogging(ctx context.Context, resource *resource.Resource) error {
 	// If the env var OTEL_LOGS_EXPORTER is empty, we set it to "none", for autoexport to work
 	if os.Getenv("OTEL_LOGS_EXPORTER") == "" {
 		os.Setenv("OTEL_LOGS_EXPORTER", "none")
 	}
 	exp, err := autoexport.NewLogExporter(ctx)
 	if err != nil {
 		return fmt.Errorf("failed to initialize OpenTelemetry log exporter: %w", err)
 	}
 	level := slog.LevelDebug
 	if common.EnvConfig.AppEnv == "production" {
 		level = slog.LevelInfo
 	}
 	// Create the handler
 	var handler slog.Handler
 	switch {
 	case common.EnvConfig.LogJSON:
 		// Log as JSON if configured
 		handler = slog.NewJSONHandler(os.Stdout, &slog.HandlerOptions{
 			Level: level,
 		})
 	case isatty.IsTerminal(os.Stdout.Fd()):
 		// Enable colors if we have a TTY
 		handler = tint.NewHandler(os.Stdout, &tint.Options{
 			TimeFormat: time.StampMilli,
 			Level:      level,
 		})
 	default:
 		handler = slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{
 			Level: level,
 		})
 	}
 	// Create the logger provider
 	provider := sdklog.NewLoggerProvider(
 		sdklog.WithProcessor(
 			sdklog.NewBatchProcessor(exp),
 		),
 		sdklog.WithResource(resource),
 	)
 	// Set the logger provider globally
 	globallog.SetLoggerProvider(provider)
 	// Wrap the handler in a "fanout" one
 	handler = utils.LogFanoutHandler{
 		handler,
 		otelslog.NewHandler(common.Name, otelslog.WithLoggerProvider(provider)),
 	}
 	// Set the default slog to send logs to OTel and add the app name
 	log := slog.New(handler).
 		With(slog.String("app", common.Name)).
 		With(slog.String("version", common.Version))
 	slog.SetDefault(log)
 	return nil
 }
 func initOtelTracing(ctx context.Context, traces bool, resource *resource.Resource, httpClient *http.Client) (shutdownFn utils.Service, err error) {
 	if !traces {
 		otel.SetTracerProvider(tracenoop.NewTracerProvider())
 		return nil, nil
 	}
 	tr, err := autoexport.NewSpanExporter(ctx)
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialize OpenTelemetry span exporter: %w", err)
 	}
 	tp := sdktrace.NewTracerProvider(
 		sdktrace.WithResource(resource),
 		sdktrace.WithBatcher(tr),
 	)
 	otel.SetTracerProvider(tp)
 	otel.SetTextMapPropagator(
 		propagation.NewCompositeTextMapPropagator(
 			propagation.TraceContext{},
 			propagation.Baggage{},
 		),
 	)
 	shutdownFn = func(shutdownCtx context.Context) error { //nolint:contextcheck
 		tpCtx, tpCancel := context.WithTimeout(shutdownCtx, 10*time.Second)
 		defer tpCancel()
 		shutdownErr := tp.Shutdown(tpCtx)
 		if shutdownErr != nil {
 			return fmt.Errorf("failed to gracefully shut down traces exporter: %w", shutdownErr)
 		}
 		return nil
 	}
 	// Add tracing to the HTTP client
 	httpClient.Transport = otelhttp.NewTransport(httpClient.Transport)
 	return shutdownFn, nil
 }
 func initOtelMetrics(ctx context.Context, metrics bool, resource *resource.Resource) (shutdownFn utils.Service, err error) {
 	if !metrics {
 		otel.SetMeterProvider(metricnoop.NewMeterProvider())
 		return nil, nil
 	}
 	mr, err := autoexport.NewMetricReader(ctx)
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialize OpenTelemetry metric reader: %w", err)
 	}
 	mp := metric.NewMeterProvider(
 		metric.WithResource(resource),
 		metric.WithReader(mr),
 	)
 	otel.SetMeterProvider(mp)
 	shutdownFn = func(shutdownCtx context.Context) error { //nolint:contextcheck
 		mpCtx, mpCancel := context.WithTimeout(shutdownCtx, 10*time.Second)
 		defer mpCancel()
 		shutdownErr := mp.Shutdown(mpCtx)
 		if shutdownErr != nil {
 			return fmt.Errorf("failed to gracefully shut down metrics exporter: %w", shutdownErr)
 		}
 		return nil
 	}
 	return shutdownFn, nil
 }
--- a/backend/internal/bootstrap/otel_boostrap.go
+++ b/backend/internal/bootstrap/otel_boostrap.go
@@ -1,107 +0,0 @@
 package bootstrap
 import (
 	"context"
 	"fmt"
 	"net/http"
 	"time"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"go.opentelemetry.io/contrib/exporters/autoexport"
 	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
 	"go.opentelemetry.io/otel"
 	metricnoop "go.opentelemetry.io/otel/metric/noop"
 	"go.opentelemetry.io/otel/propagation"
 	"go.opentelemetry.io/otel/sdk/metric"
 	"go.opentelemetry.io/otel/sdk/resource"
 	sdktrace "go.opentelemetry.io/otel/sdk/trace"
 	semconv "go.opentelemetry.io/otel/semconv/v1.30.0"
 	tracenoop "go.opentelemetry.io/otel/trace/noop"
 )
 func defaultResource() (*resource.Resource, error) {
 	return resource.Merge(
 		resource.Default(),
 		resource.NewSchemaless(
 			semconv.ServiceName("pocket-id-backend"),
 			semconv.ServiceVersion(common.Version),
 		),
 	)
 }
 func initOtel(ctx context.Context, metrics, traces bool) (shutdownFns []utils.Service, httpClient *http.Client, err error) {
 	resource, err := defaultResource()
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to create OpenTelemetry resource: %w", err)
 	}
 	shutdownFns = make([]utils.Service, 0, 2)
 	httpClient = &http.Client{}
 	defaultTransport, ok := http.DefaultTransport.(*http.Transport)
 	if !ok {
 		// Indicates a development-time error
 		panic("Default transport is not of type *http.Transport")
 	}
 	httpClient.Transport = defaultTransport.Clone()
 	if traces {
 		tr, err := autoexport.NewSpanExporter(ctx)
 		if err != nil {
 			return nil, nil, fmt.Errorf("failed to initialize OpenTelemetry span exporter: %w", err)
 		}
 		tp := sdktrace.NewTracerProvider(
 			sdktrace.WithResource(resource),
 			sdktrace.WithBatcher(tr),
 		)
 		otel.SetTracerProvider(tp)
 		otel.SetTextMapPropagator(
 			propagation.NewCompositeTextMapPropagator(
 				propagation.TraceContext{},
 				propagation.Baggage{},
 			),
 		)
 		shutdownFns = append(shutdownFns, func(shutdownCtx context.Context) error { //nolint:contextcheck
 			tpCtx, tpCancel := context.WithTimeout(shutdownCtx, 10*time.Second)
 			defer tpCancel()
 			shutdownErr := tp.Shutdown(tpCtx)
 			if shutdownErr != nil {
 				return fmt.Errorf("failed to gracefully shut down traces exporter: %w", shutdownErr)
 			}
 			return nil
 		})
 		httpClient.Transport = otelhttp.NewTransport(httpClient.Transport)
 	} else {
 		otel.SetTracerProvider(tracenoop.NewTracerProvider())
 	}
 	if metrics {
 		mr, err := autoexport.NewMetricReader(ctx)
 		if err != nil {
 			return nil, nil, fmt.Errorf("failed to initialize OpenTelemetry metric reader: %w", err)
 		}
 		mp := metric.NewMeterProvider(
 			metric.WithResource(resource),
 			metric.WithReader(mr),
 		)
 		otel.SetMeterProvider(mp)
 		shutdownFns = append(shutdownFns, func(shutdownCtx context.Context) error { //nolint:contextcheck
 			mpCtx, mpCancel := context.WithTimeout(shutdownCtx, 10*time.Second)
 			defer mpCancel()
 			shutdownErr := mp.Shutdown(mpCtx)
 			if shutdownErr != nil {
 				return fmt.Errorf("failed to gracefully shut down metrics exporter: %w", shutdownErr)
 			}
 			return nil
 		})
 	} else {
 		otel.SetMeterProvider(metricnoop.NewMeterProvider())
 	}
 	return shutdownFns, httpClient, nil
 }
--- a/backend/internal/bootstrap/router_bootstrap.go
+++ b/backend/internal/bootstrap/router_bootstrap.go
@@ -4,18 +4,21 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"log"
+	"log/slog"
 	"net"
 	"net/http"
 	"os"
 	"strconv"
 	"strings"
 	"time"
 	"github.com/pocket-id/pocket-id/backend/frontend"
 	"github.com/gin-gonic/gin"
 	sloggin "github.com/samber/slog-gin"
 	"go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin"
 	"golang.org/x/time/rate"
 	"gorm.io/gorm"
 	"github.com/pocket-id/pocket-id/backend/frontend"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/controller"
 	"github.com/pocket-id/pocket-id/backend/internal/middleware"
@@ -29,7 +32,8 @@ var registerTestControllers []func(apiGroup *gin.RouterGroup, db *gorm.DB, svc *
 func initRouter(db *gorm.DB, svc *services) utils.Service {
 	runner, err := initRouterInternal(db, svc)
 	if err != nil {
-		log.Fatalf("failed to init router: %v", err)
+		slog.Error("Failed to init router", "error", err)
 		os.Exit(1)
 	}
 	return runner
 }
@@ -45,15 +49,37 @@ func initRouterInternal(db *gorm.DB, svc *services) (utils.Service, error) {
 		gin.SetMode(gin.TestMode)
 	}
-	r := gin.Default()
+	// do not log these URLs
-	r.Use(gin.Logger())
+	loggerSkipPathsPrefix := []string{
 		"GET /application-configuration/logo",
 		"GET /application-configuration/background-image",
 		"GET /application-configuration/favicon",
 		"GET /_app",
 		"GET /fonts",
 		"GET /healthz",
 		"HEAD /healthz",
 	}
 	r := gin.New()
 	r.Use(sloggin.NewWithConfig(slog.Default(), sloggin.Config{
 		Filters: []sloggin.Filter{
 			func(c *gin.Context) bool {
 				for _, prefix := range loggerSkipPathsPrefix {
 					if strings.HasPrefix(c.Request.Method+" "+c.Request.URL.String(), prefix) {
 						return false
 					}
 				}
 				return true
 			},
 		},
 	}))
 	if !common.EnvConfig.TrustProxy {
 		_ = r.SetTrustedProxies(nil)
 	}
 	if common.EnvConfig.TracingEnabled {
-		r.Use(otelgin.Middleware("pocket-id-backend"))
+		r.Use(otelgin.Middleware(common.Name))
 	}
 	rateLimitMiddleware := middleware.NewRateLimitMiddleware().Add(rate.Every(time.Second), 60)
@@ -64,7 +90,7 @@ func initRouterInternal(db *gorm.DB, svc *services) (utils.Service, error) {
 	err := frontend.RegisterFrontend(r)
 	if errors.Is(err, frontend.ErrFrontendNotIncluded) {
-		log.Println("Frontend is not included in the build. Skipping frontend registration.")
+		slog.Warn("Frontend is not included in the build. Skipping frontend registration.")
 	} else if err != nil {
 		return nil, fmt.Errorf("failed to register frontend: %w", err)
 	}
@@ -114,14 +140,26 @@ func initRouterInternal(db *gorm.DB, svc *services) (utils.Service, error) {
 		addr = common.EnvConfig.UnixSocket
 	}
-	listener, err := net.Listen(network, addr)
+	listener, err := net.Listen(network, addr) //nolint:noctx
 	if err != nil {
 		return nil, fmt.Errorf("failed to create %s listener: %w", network, err)
 	}
 	// Set the socket mode if using a Unix socket
 	if network == "unix" && common.EnvConfig.UnixSocketMode != "" {
 		mode, err := strconv.ParseUint(common.EnvConfig.UnixSocketMode, 8, 32)
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse UNIX socket mode '%s': %w", common.EnvConfig.UnixSocketMode, err)
 		}
 		if err := os.Chmod(addr, os.FileMode(mode)); err != nil {
 			return nil, fmt.Errorf("failed to set UNIX socket mode '%s': %w", common.EnvConfig.UnixSocketMode, err)
 		}
 	}
 	// Service runner function
 	runFn := func(ctx context.Context) error {
-		log.Printf("Server listening on %s", addr)
+		slog.Info("Server listening", slog.String("addr", addr))
 		// Start the server in a background goroutine
 		go func() {
@@ -130,7 +168,8 @@ func initRouterInternal(db *gorm.DB, svc *services) (utils.Service, error) {
 			// Next call blocks until the server is shut down
 			srvErr := srv.Serve(listener)
 			if srvErr != http.ErrServerClosed {
-				log.Fatalf("Error starting app server: %v", srvErr)
+				slog.Error("Error starting app server", "error", srvErr)
 				os.Exit(1)
 			}
 		}()
@@ -138,7 +177,7 @@ func initRouterInternal(db *gorm.DB, svc *services) (utils.Service, error) {
 		err = systemd.SdNotifyReady()
 		if err != nil {
 			// Log the error only
-			log.Printf("[WARN] Unable to notify systemd that the service is ready: %v", err)
+			slog.Warn("Unable to notify systemd that the service is ready", "error", err)
 		}
 		// Block until the context is canceled
@@ -151,7 +190,7 @@ func initRouterInternal(db *gorm.DB, svc *services) (utils.Service, error) {
 		shutdownCancel()
 		if shutdownErr != nil {
 			// Log the error only (could be context canceled)
-			log.Printf("[WARN] App server shutdown error: %v", shutdownErr)
+			slog.Warn("App server shutdown error", "error", shutdownErr)
 		}
 		return nil
--- a/backend/internal/bootstrap/services_bootstrap.go
+++ b/backend/internal/bootstrap/services_bootstrap.go
@@ -29,7 +29,10 @@ type services struct {
 func initServices(ctx context.Context, db *gorm.DB, httpClient *http.Client) (svc *services, err error) {
 	svc = &services{}
-	svc.appConfigService = service.NewAppConfigService(ctx, db)
+	svc.appConfigService, err = service.NewAppConfigService(ctx, db)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create app config service: %w", err)
 	}
 	svc.emailService, err = service.NewEmailService(db, svc.appConfigService)
 	if err != nil {
@@ -38,19 +41,26 @@ func initServices(ctx context.Context, db *gorm.DB, httpClient *http.Client) (sv
 	svc.geoLiteService = service.NewGeoLiteService(httpClient)
 	svc.auditLogService = service.NewAuditLogService(db, svc.appConfigService, svc.emailService, svc.geoLiteService)
-	svc.jwtService = service.NewJwtService(svc.appConfigService)
+	svc.jwtService, err = service.NewJwtService(db, svc.appConfigService)
-	svc.userService = service.NewUserService(db, svc.jwtService, svc.auditLogService, svc.emailService, svc.appConfigService)
+	if err != nil {
-	svc.customClaimService = service.NewCustomClaimService(db)
+		return nil, fmt.Errorf("failed to create JWT service: %w", err)
 	}
-	svc.oidcService, err = service.NewOidcService(ctx, db, svc.jwtService, svc.appConfigService, svc.auditLogService, svc.customClaimService)
+	svc.customClaimService = service.NewCustomClaimService(db)
 	svc.webauthnService, err = service.NewWebAuthnService(db, svc.jwtService, svc.auditLogService, svc.appConfigService)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create WebAuthn service: %w", err)
 	}
 	svc.oidcService, err = service.NewOidcService(ctx, db, svc.jwtService, svc.appConfigService, svc.auditLogService, svc.customClaimService, svc.webauthnService)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create OIDC service: %w", err)
 	}
 	svc.userGroupService = service.NewUserGroupService(db, svc.appConfigService)
 	svc.userService = service.NewUserService(db, svc.jwtService, svc.auditLogService, svc.emailService, svc.appConfigService, svc.customClaimService)
 	svc.ldapService = service.NewLdapService(db, httpClient, svc.appConfigService, svc.userService, svc.userGroupService)
 	svc.apiKeyService = service.NewApiKeyService(db, svc.emailService)
 	svc.webauthnService = service.NewWebAuthnService(db, svc.jwtService, svc.auditLogService, svc.appConfigService)
 	return svc, nil
 }
--- a/backend/internal/cmds/healthcheck.go
+++ b/backend/internal/cmds/healthcheck.go
@@ -0,0 +1,83 @@
 package cmds
 import (
 	"context"
 	"log/slog"
 	"net/http"
 	"os"
 	"time"
 	"github.com/spf13/cobra"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 )
 type healthcheckFlags struct {
 	Endpoint string
 	Verbose  bool
 }
 func init() {
 	var flags healthcheckFlags
 	healthcheckCmd := &cobra.Command{
 		Use:   "healthcheck",
 		Short: "Performs a healthcheck of a running Pocket ID instance",
 		Run: func(cmd *cobra.Command, args []string) {
 			start := time.Now()
 			ctx, cancel := context.WithTimeout(cmd.Context(), 5*time.Second)
 			defer cancel()
 			url := flags.Endpoint + "/healthz"
 			req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
 			if err != nil {
 				slog.ErrorContext(ctx,
 					"Failed to create request object",
 					"error", err,
 					"url", url,
 					"ms", time.Since(start).Milliseconds(),
 				)
 				os.Exit(1)
 			}
 			res, err := http.DefaultClient.Do(req)
 			if err != nil {
 				slog.ErrorContext(ctx,
 					"Failed to perform request",
 					"error", err,
 					"url", url,
 					"ms", time.Since(start).Milliseconds(),
 				)
 				os.Exit(1)
 			}
 			defer res.Body.Close()
 			if res.StatusCode < 200 || res.StatusCode >= 300 {
 				if err != nil {
 					slog.ErrorContext(ctx,
 						"Healthcheck failed",
 						"status", res.StatusCode,
 						"url", url,
 						"ms", time.Since(start).Milliseconds(),
 					)
 					os.Exit(1)
 				}
 			}
 			if flags.Verbose {
 				slog.InfoContext(ctx,
 					"Healthcheck succeeded",
 					"status", res.StatusCode,
 					"url", url,
 					"ms", time.Since(start).Milliseconds(),
 				)
 			}
 		},
 	}
 	healthcheckCmd.Flags().StringVarP(&flags.Endpoint, "endpoint", "e", "http://localhost:"+common.EnvConfig.Port, "Endpoint for Pocket ID")
 	healthcheckCmd.Flags().BoolVarP(&flags.Verbose, "verbose", "v", false, "Enable verbose mode")
 	rootCmd.AddCommand(healthcheckCmd)
 }
--- a/backend/internal/cmds/key_rotate.go
+++ b/backend/internal/cmds/key_rotate.go
@@ -0,0 +1,113 @@
 package cmds
 import (
 	"context"
 	"errors"
 	"fmt"
 	"strings"
 	"github.com/lestrrat-go/jwx/v3/jwa"
 	"github.com/spf13/cobra"
 	"gorm.io/gorm"
 	"github.com/pocket-id/pocket-id/backend/internal/bootstrap"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/service"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	jwkutils "github.com/pocket-id/pocket-id/backend/internal/utils/jwk"
 )
 type keyRotateFlags struct {
 	Alg string
 	Crv string
 	Yes bool
 }
 func init() {
 	var flags keyRotateFlags
 	keyRotateCmd := &cobra.Command{
 		Use:   "key-rotate",
 		Short: "Generates a new token signing key and replaces the current one",
 		RunE: func(cmd *cobra.Command, args []string) error {
 			db, err := bootstrap.NewDatabase()
 			if err != nil {
 				return err
 			}
 			return keyRotate(cmd.Context(), flags, db, &common.EnvConfig)
 		},
 	}
 	keyRotateCmd.Flags().StringVarP(&flags.Alg, "alg", "a", "RS256", "Key algorithm. Supported values: RS256, RS384, RS512, ES256, ES384, ES512, EdDSA")
 	keyRotateCmd.Flags().StringVarP(&flags.Crv, "crv", "c", "", "Curve name when using EdDSA keys. Supported values: Ed25519")
 	keyRotateCmd.Flags().BoolVarP(&flags.Yes, "yes", "y", false, "Do not prompt for confirmation")
 	rootCmd.AddCommand(keyRotateCmd)
 }
 func keyRotate(ctx context.Context, flags keyRotateFlags, db *gorm.DB, envConfig *common.EnvConfigSchema) error {
 	// Validate the flags
 	switch strings.ToUpper(flags.Alg) {
 	case jwa.RS256().String(), jwa.RS384().String(), jwa.RS512().String(),
 		jwa.ES256().String(), jwa.ES384().String(), jwa.ES512().String():
 		// All good, but uppercase it for consistency
 		flags.Alg = strings.ToUpper(flags.Alg)
 	case strings.ToUpper(jwa.EdDSA().String()):
 		// Ensure Crv is set and valid
 		switch strings.ToUpper(flags.Crv) {
 		case strings.ToUpper(jwa.Ed25519().String()):
 			// All good, but ensure consistency in casing
 			flags.Crv = jwa.Ed25519().String()
 		case "":
 			return errors.New("a curve name is required when algorithm is EdDSA")
 		default:
 			return errors.New("unsupported EdDSA curve; supported values: Ed25519")
 		}
 	case "":
 		return errors.New("key algorithm is required")
 	default:
 		return errors.New("unsupported key algorithm; supported values: RS256, RS384, RS512, ES256, ES384, ES512, EdDSA")
 	}
 	if !flags.Yes {
 		fmt.Println("WARNING: Rotating the private key will invalidate all existing tokens. Both pocket-id and all client applications will likely need to be restarted.")
 		ok, err := utils.PromptForConfirmation("Confirm")
 		if err != nil {
 			return err
 		}
 		if !ok {
 			fmt.Println("Aborted")
 			return nil
 		}
 	}
 	// Init the services we need
 	appConfigService, err := service.NewAppConfigService(ctx, db)
 	if err != nil {
 		return fmt.Errorf("failed to create app config service: %w", err)
 	}
 	// Get the key provider
 	keyProvider, err := jwkutils.GetKeyProvider(db, envConfig, appConfigService.GetDbConfig().InstanceID.Value)
 	if err != nil {
 		return fmt.Errorf("failed to get key provider: %w", err)
 	}
 	// Generate a new key
 	key, err := jwkutils.GenerateKey(flags.Alg, flags.Crv)
 	if err != nil {
 		return fmt.Errorf("failed to generate key: %w", err)
 	}
 	// Save the key
 	err = keyProvider.SaveKey(key)
 	if err != nil {
 		return fmt.Errorf("failed to store new key: %w", err)
 	}
 	fmt.Println("Key rotated successfully")
 	fmt.Println("Note: if pocket-id is running, you will need to restart it for the new key to be loaded")
 	return nil
 }
--- a/backend/internal/cmds/key_rotate_test.go
+++ b/backend/internal/cmds/key_rotate_test.go
@@ -0,0 +1,216 @@
 package cmds
 import (
 	"os"
 	"path/filepath"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/service"
 	jwkutils "github.com/pocket-id/pocket-id/backend/internal/utils/jwk"
 	testingutils "github.com/pocket-id/pocket-id/backend/internal/utils/testing"
 )
 func TestKeyRotate(t *testing.T) {
 	tests := []struct {
 		name    string
 		flags   keyRotateFlags
 		wantErr bool
 		errMsg  string
 	}{
 		{
 			name: "valid RS256",
 			flags: keyRotateFlags{
 				Alg: "RS256",
 				Yes: true,
 			},
 			wantErr: false,
 		},
 		{
 			name: "valid EdDSA with Ed25519",
 			flags: keyRotateFlags{
 				Alg: "EdDSA",
 				Crv: "Ed25519",
 				Yes: true,
 			},
 			wantErr: false,
 		},
 		{
 			name: "invalid algorithm",
 			flags: keyRotateFlags{
 				Alg: "INVALID",
 				Yes: true,
 			},
 			wantErr: true,
 			errMsg:  "unsupported key algorithm",
 		},
 		{
 			name: "EdDSA without curve",
 			flags: keyRotateFlags{
 				Alg: "EdDSA",
 				Yes: true,
 			},
 			wantErr: true,
 			errMsg:  "a curve name is required when algorithm is EdDSA",
 		},
 		{
 			name: "empty algorithm",
 			flags: keyRotateFlags{
 				Alg: "",
 				Yes: true,
 			},
 			wantErr: true,
 			errMsg:  "key algorithm is required",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Run("file storage", func(t *testing.T) {
 				testKeyRotateWithFileStorage(t, tt.flags, tt.wantErr, tt.errMsg)
 			})
 			t.Run("database storage", func(t *testing.T) {
 				testKeyRotateWithDatabaseStorage(t, tt.flags, tt.wantErr, tt.errMsg)
 			})
 		})
 	}
 }
 func testKeyRotateWithFileStorage(t *testing.T, flags keyRotateFlags, wantErr bool, errMsg string) {
 	// Create temporary directory for keys
 	tempDir := t.TempDir()
 	keysPath := filepath.Join(tempDir, "keys")
 	err := os.MkdirAll(keysPath, 0755)
 	require.NoError(t, err)
 	// Set up file storage config
 	envConfig := &common.EnvConfigSchema{
 		KeysStorage: "file",
 		KeysPath:    keysPath,
 	}
 	// Create test database
 	db := testingutils.NewDatabaseForTest(t)
 	// Initialize app config service and create instance
 	appConfigService, err := service.NewAppConfigService(t.Context(), db)
 	require.NoError(t, err)
 	instanceID := appConfigService.GetDbConfig().InstanceID.Value
 	// Check if key exists before rotation
 	keyProvider, err := jwkutils.GetKeyProvider(db, envConfig, instanceID)
 	require.NoError(t, err)
 	// Run the key rotation
 	err = keyRotate(t.Context(), flags, db, envConfig)
 	if wantErr {
 		require.Error(t, err)
 		if errMsg != "" {
 			require.ErrorContains(t, err, errMsg)
 		}
 		return
 	}
 	require.NoError(t, err)
 	// Verify key was created
 	key, err := keyProvider.LoadKey()
 	require.NoError(t, err)
 	require.NotNil(t, key)
 	// Verify the algorithm matches what we requested
 	alg, _ := key.Algorithm()
 	assert.NotEmpty(t, alg)
 	if flags.Alg != "" {
 		expectedAlg := flags.Alg
 		if expectedAlg == "EdDSA" {
 			// EdDSA keys should have the EdDSA algorithm
 			assert.Equal(t, "EdDSA", alg.String())
 		} else {
 			assert.Equal(t, expectedAlg, alg.String())
 		}
 	}
 }
 func testKeyRotateWithDatabaseStorage(t *testing.T, flags keyRotateFlags, wantErr bool, errMsg string) {
 	// Set up database storage config
 	envConfig := &common.EnvConfigSchema{
 		KeysStorage:   "database",
 		EncryptionKey: []byte("test-encryption-key-characters-long"),
 	}
 	// Create test database
 	db := testingutils.NewDatabaseForTest(t)
 	// Initialize app config service and create instance
 	appConfigService, err := service.NewAppConfigService(t.Context(), db)
 	require.NoError(t, err)
 	instanceID := appConfigService.GetDbConfig().InstanceID.Value
 	// Get key provider
 	keyProvider, err := jwkutils.GetKeyProvider(db, envConfig, instanceID)
 	require.NoError(t, err)
 	// Run the key rotation
 	err = keyRotate(t.Context(), flags, db, envConfig)
 	if wantErr {
 		require.Error(t, err)
 		if errMsg != "" {
 			require.ErrorContains(t, err, errMsg)
 		}
 		return
 	}
 	require.NoError(t, err)
 	// Verify key was created
 	key, err := keyProvider.LoadKey()
 	require.NoError(t, err)
 	require.NotNil(t, key)
 	// Verify the algorithm matches what we requested
 	alg, _ := key.Algorithm()
 	assert.NotEmpty(t, alg)
 	if flags.Alg != "" {
 		expectedAlg := flags.Alg
 		if expectedAlg == "EdDSA" {
 			// EdDSA keys should have the EdDSA algorithm
 			assert.Equal(t, "EdDSA", alg.String())
 		} else {
 			assert.Equal(t, expectedAlg, alg.String())
 		}
 	}
 }
 func TestKeyRotateMultipleAlgorithms(t *testing.T) {
 	algorithms := []struct {
 		alg string
 		crv string
 	}{
 		{"RS256", ""},
 		{"RS384", ""},
 		// Skip RSA-4096 key generation test as it can take a long time
 		// {"RS512", ""},
 		{"ES256", ""},
 		{"ES384", ""},
 		{"ES512", ""},
 		{"EdDSA", "Ed25519"},
 	}
 	for _, algo := range algorithms {
 		t.Run(algo.alg, func(t *testing.T) {
 			// Test with database storage for all algorithms
 			testKeyRotateWithDatabaseStorage(t, keyRotateFlags{
 				Alg: algo.alg,
 				Crv: algo.crv,
 				Yes: true,
 			}, false, "")
 		})
 	}
 }
--- a/backend/internal/cmds/one_time_access_token.go
+++ b/backend/internal/cmds/one_time_access_token.go
@@ -6,77 +6,80 @@ import (
 	"fmt"
 	"time"
 	"github.com/spf13/cobra"
 	"gorm.io/gorm"
 	"github.com/pocket-id/pocket-id/backend/internal/bootstrap"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	"github.com/pocket-id/pocket-id/backend/internal/service"
 	"github.com/pocket-id/pocket-id/backend/internal/utils/signals"
 )
-// OneTimeAccessToken creates a one-time access token for the given user
+var oneTimeAccessTokenCmd = &cobra.Command{
-// Args must contain the username or email of the user
+	Use:   "one-time-access-token [username or email]",
-func OneTimeAccessToken(args []string) error {
+	Short: "Generates a one-time access token for the given user",
-	// Get a context that is canceled when the application is stopping
+	Args:  cobra.ExactArgs(1),
-	ctx := signals.SignalContext(context.Background())
+	RunE: func(cmd *cobra.Command, args []string) error {
 		// Get the username or email of the user
 		userArg := args[0]
-	// Get the username or email of the user
+		// Connect to the database
-	// Note length is 2 because the first argument is always the command (one-time-access-token)
+		db, err := bootstrap.NewDatabase()
-	if len(args) != 2 {
+		if err != nil {
-		return errors.New("missing username or email of user; usage: one-time-access-token <username or email>")
+			return err
 	}
 	userArg := args[1]
 	// Connect to the database
 	db := bootstrap.NewDatabase()
 	// Create the access token
 	var oneTimeAccessToken *model.OneTimeAccessToken
 	err := db.Transaction(func(tx *gorm.DB) error {
 		// Load the user to retrieve the user ID
 		var user model.User
 		queryCtx, queryCancel := context.WithTimeout(ctx, 10*time.Second)
 		defer queryCancel()
 		txErr := tx.
 			WithContext(queryCtx).
 			Where("username = ? OR email = ?", userArg, userArg).
 			First(&user).
 			Error
 		switch {
 		case errors.Is(txErr, gorm.ErrRecordNotFound):
 			return errors.New("user not found")
 		case txErr != nil:
 			return fmt.Errorf("failed to query for user: %w", txErr)
 		case user.ID == "":
 			return errors.New("invalid user loaded: ID is empty")
 		}
-		// Create a new access token that expires in 1 hour
+		// Create the access token
-		oneTimeAccessToken, txErr = service.NewOneTimeAccessToken(user.ID, time.Now().Add(time.Hour))
+		var oneTimeAccessToken *model.OneTimeAccessToken
-		if txErr != nil {
+		err = db.Transaction(func(tx *gorm.DB) error {
-			return fmt.Errorf("failed to generate access token: %w", txErr)
+			// Load the user to retrieve the user ID
 			var user model.User
 			queryCtx, queryCancel := context.WithTimeout(cmd.Context(), 10*time.Second)
 			defer queryCancel()
 			txErr := tx.
 				WithContext(queryCtx).
 				Where("username = ? OR email = ?", userArg, userArg).
 				First(&user).
 				Error
 			switch {
 			case errors.Is(txErr, gorm.ErrRecordNotFound):
 				return errors.New("user not found")
 			case txErr != nil:
 				return fmt.Errorf("failed to query for user: %w", txErr)
 			case user.ID == "":
 				return errors.New("invalid user loaded: ID is empty")
 			}
 			// Create a new access token that expires in 1 hour
 			oneTimeAccessToken, txErr = service.NewOneTimeAccessToken(user.ID, time.Hour)
 			if txErr != nil {
 				return fmt.Errorf("failed to generate access token: %w", txErr)
 			}
 			queryCtx, queryCancel = context.WithTimeout(cmd.Context(), 10*time.Second)
 			defer queryCancel()
 			txErr = tx.
 				WithContext(queryCtx).
 				Create(oneTimeAccessToken).
 				Error
 			if txErr != nil {
 				return fmt.Errorf("failed to save access token: %w", txErr)
 			}
 			return nil
 		})
 		if err != nil {
 			return err
 		}
-		queryCtx, queryCancel = context.WithTimeout(ctx, 10*time.Second)
+		// Print the result
-		defer queryCancel()
+		fmt.Printf(`A one-time access token valid for 1 hour has been created for "%s".`+"\n", userArg)
-		txErr = tx.
+		fmt.Printf("Use the following URL to sign in once: %s/lc/%s\n", common.EnvConfig.AppURL, oneTimeAccessToken.Token)
 			WithContext(queryCtx).
 			Create(oneTimeAccessToken).
 			Error
 		if txErr != nil {
 			return fmt.Errorf("failed to save access token: %w", txErr)
 		}
 		return nil
-	})
+	},
-	if err != nil {
+}
-		return err
+
-	}
+func init() {
-
+	rootCmd.AddCommand(oneTimeAccessTokenCmd)
 	// Print the result
 	fmt.Printf(`A one-time access token valid for 1 hour has been created for "%s".`+"\n", userArg)
 	fmt.Printf("Use the following URL to sign in once: %s/lc/%s\n", common.EnvConfig.AppURL, oneTimeAccessToken.Token)
 	return nil
 }
--- a/backend/internal/cmds/root.go
+++ b/backend/internal/cmds/root.go
@@ -0,0 +1,36 @@
 package cmds
 import (
 	"context"
 	"log/slog"
 	"os"
 	"github.com/spf13/cobra"
 	"github.com/pocket-id/pocket-id/backend/internal/bootstrap"
 	"github.com/pocket-id/pocket-id/backend/internal/utils/signals"
 )
 var rootCmd = &cobra.Command{
 	Use:   "pocket-id",
 	Short: "A simple and easy-to-use OIDC provider that allows users to authenticate with their passkeys to your services.",
 	Long:  "By default, this command starts the pocket-id server.",
 	Run: func(cmd *cobra.Command, args []string) {
 		// Start the server
 		err := bootstrap.Bootstrap(cmd.Context())
 		if err != nil {
 			slog.Error("Failed to run pocket-id", "error", err)
 			os.Exit(1)
 		}
 	},
 }
 func Execute() {
 	// Get a context that is canceled when the application is stopping
 	ctx := signals.SignalContext(context.Background())
 	err := rootCmd.ExecuteContext(ctx)
 	if err != nil {
 		os.Exit(1)
 	}
 }
--- a/backend/internal/cmds/version.go
+++ b/backend/internal/cmds/version.go
@@ -0,0 +1,19 @@
 package cmds
 import (
 	"fmt"
 	"github.com/spf13/cobra"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 )
 func init() {
 	rootCmd.AddCommand(&cobra.Command{
 		Use:   "version",
 		Short: "Print the version number",
 		Run: func(cmd *cobra.Command, args []string) {
 			fmt.Println("pocket-id " + common.Version)
 		},
 	})
 }
--- a/backend/internal/common/env_config.go
+++ b/backend/internal/common/env_config.go
@@ -1,8 +1,13 @@
 package common
 import (
-	"log"
+	"errors"
 	"fmt"
 	"log/slog"
 	"net/url"
 	"os"
 	"reflect"
 	"strings"
 	"github.com/caarlos0/env/v11"
 	_ "github.com/joho/godotenv/autoload"
@@ -18,75 +23,182 @@ const (
 )
 const (
-	DbProviderSqlite      DbProvider = "sqlite"
+	DbProviderSqlite        DbProvider = "sqlite"
-	DbProviderPostgres    DbProvider = "postgres"
+	DbProviderPostgres      DbProvider = "postgres"
-	MaxMindGeoLiteCityUrl string     = "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=%s&suffix=tar.gz"
+	MaxMindGeoLiteCityUrl   string     = "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=%s&suffix=tar.gz"
 	defaultSqliteConnString string     = "data/pocket-id.db"
 )
 type EnvConfigSchema struct {
 	AppEnv             string     `env:"APP_ENV"`
 	AppURL             string     `env:"APP_URL"`
 	DbProvider         DbProvider `env:"DB_PROVIDER"`
-	DbConnectionString string     `env:"DB_CONNECTION_STRING"`
+	DbConnectionString string     `env:"DB_CONNECTION_STRING" options:"file"`
 	UploadPath         string     `env:"UPLOAD_PATH"`
 	KeysPath           string     `env:"KEYS_PATH"`
 	KeysStorage        string     `env:"KEYS_STORAGE"`
 	EncryptionKey      []byte     `env:"ENCRYPTION_KEY" options:"file"`
 	Port               string     `env:"PORT"`
 	Host               string     `env:"HOST"`
 	UnixSocket         string     `env:"UNIX_SOCKET"`
-	MaxMindLicenseKey  string     `env:"MAXMIND_LICENSE_KEY"`
+	UnixSocketMode     string     `env:"UNIX_SOCKET_MODE"`
 	MaxMindLicenseKey  string     `env:"MAXMIND_LICENSE_KEY" options:"file"`
 	GeoLiteDBPath      string     `env:"GEOLITE_DB_PATH"`
 	GeoLiteDBUrl       string     `env:"GEOLITE_DB_URL"`
 	LocalIPv6Ranges    string     `env:"LOCAL_IPV6_RANGES"`
 	UiConfigDisabled   bool       `env:"UI_CONFIG_DISABLED"`
 	MetricsEnabled     bool       `env:"METRICS_ENABLED"`
 	TracingEnabled     bool       `env:"TRACING_ENABLED"`
 	LogJSON            bool       `env:"LOG_JSON"`
 	TrustProxy         bool       `env:"TRUST_PROXY"`
 	AnalyticsDisabled  bool       `env:"ANALYTICS_DISABLED"`
 }
-var EnvConfig = &EnvConfigSchema{
+var EnvConfig = defaultConfig()
 	AppEnv:             "production",
 	DbProvider:         "sqlite",
 	DbConnectionString: "file:data/pocket-id.db?_pragma=journal_mode(WAL)&_pragma=busy_timeout(2500)&_txlock=immediate",
 	UploadPath:         "data/uploads",
 	KeysPath:           "data/keys",
 	AppURL:             "http://localhost:1411",
 	Port:               "1411",
 	Host:               "0.0.0.0",
 	UnixSocket:         "",
 	MaxMindLicenseKey:  "",
 	GeoLiteDBPath:      "data/GeoLite2-City.mmdb",
 	GeoLiteDBUrl:       MaxMindGeoLiteCityUrl,
 	UiConfigDisabled:   false,
 	MetricsEnabled:     false,
 	TracingEnabled:     false,
 	TrustProxy:         false,
 	AnalyticsDisabled:  false,
 }
 func init() {
-	if err := env.ParseWithOptions(EnvConfig, env.Options{}); err != nil {
+	err := parseEnvConfig()
-		log.Fatal(err)
+	if err != nil {
 		slog.Error("Configuration error", slog.Any("error", err))
 		os.Exit(1)
 	}
 }
 func defaultConfig() EnvConfigSchema {
 	return EnvConfigSchema{
 		AppEnv:             "production",
 		DbProvider:         "sqlite",
 		DbConnectionString: "",
 		UploadPath:         "data/uploads",
 		KeysPath:           "data/keys",
 		KeysStorage:        "", // "database" or "file"
 		EncryptionKey:      nil,
 		AppURL:             "http://localhost:1411",
 		Port:               "1411",
 		Host:               "0.0.0.0",
 		UnixSocket:         "",
 		UnixSocketMode:     "",
 		MaxMindLicenseKey:  "",
 		GeoLiteDBPath:      "data/GeoLite2-City.mmdb",
 		GeoLiteDBUrl:       MaxMindGeoLiteCityUrl,
 		LocalIPv6Ranges:    "",
 		UiConfigDisabled:   false,
 		MetricsEnabled:     false,
 		TracingEnabled:     false,
 		TrustProxy:         false,
 		AnalyticsDisabled:  false,
 	}
 }
 func parseEnvConfig() error {
 	parsers := map[reflect.Type]env.ParserFunc{
 		reflect.TypeOf([]byte{}): func(value string) (interface{}, error) {
 			return []byte(value), nil
 		},
 	}
 	err := env.ParseWithOptions(&EnvConfig, env.Options{
 		FuncMap: parsers,
 	})
 	if err != nil {
 		return fmt.Errorf("error parsing env config: %w", err)
 	}
 	err = resolveFileBasedEnvVariables(&EnvConfig)
 	if err != nil {
 		return err
 	}
 	// Validate the environment variables
 	switch EnvConfig.DbProvider {
 	case DbProviderSqlite:
 		if EnvConfig.DbConnectionString == "" {
-			log.Fatal("Missing required env var 'DB_CONNECTION_STRING' for SQLite database")
+			EnvConfig.DbConnectionString = defaultSqliteConnString
 		}
 	case DbProviderPostgres:
 		if EnvConfig.DbConnectionString == "" {
-			log.Fatal("Missing required env var 'DB_CONNECTION_STRING' for Postgres database")
+			return errors.New("missing required env var 'DB_CONNECTION_STRING' for Postgres database")
 		}
 	default:
-		log.Fatal("Invalid DB_PROVIDER value. Must be 'sqlite' or 'postgres'")
+		return errors.New("invalid DB_PROVIDER value. Must be 'sqlite' or 'postgres'")
 	}
 	parsedAppUrl, err := url.Parse(EnvConfig.AppURL)
 	if err != nil {
-		log.Fatal("APP_URL is not a valid URL")
+		return errors.New("APP_URL is not a valid URL")
 	}
 	if parsedAppUrl.Path != "" {
-		log.Fatal("APP_URL must not contain a path")
+		return errors.New("APP_URL must not contain a path")
 	}
 	switch EnvConfig.KeysStorage {
 	// KeysStorage defaults to "file" if empty
 	case "":
 		EnvConfig.KeysStorage = "file"
 	case "database":
 		if EnvConfig.EncryptionKey == nil {
 			return errors.New("ENCRYPTION_KEY must be non-empty when KEYS_STORAGE is database")
 		}
 	case "file":
 		// All good, these are valid values
 	default:
 		return fmt.Errorf("invalid value for KEYS_STORAGE: %s", EnvConfig.KeysStorage)
 	}
 	return nil
 }
 // resolveFileBasedEnvVariables uses reflection to automatically resolve file-based secrets
 func resolveFileBasedEnvVariables(config *EnvConfigSchema) error {
 	val := reflect.ValueOf(config).Elem()
 	typ := val.Type()
 	for i := 0; i < val.NumField(); i++ {
 		field := val.Field(i)
 		fieldType := typ.Field(i)
 		// Only process string and []byte fields
 		isString := field.Kind() == reflect.String
 		isByteSlice := field.Kind() == reflect.Slice && field.Type().Elem().Kind() == reflect.Uint8
 		if !isString && !isByteSlice {
 			continue
 		}
 		// Only process fields with the "options" tag set to "file"
 		optionsTag := fieldType.Tag.Get("options")
 		if optionsTag != "file" {
 			continue
 		}
 		// Only process fields with the "env" tag
 		envTag := fieldType.Tag.Get("env")
 		if envTag == "" {
 			continue
 		}
 		envVarName := envTag
 		if commaIndex := len(envTag); commaIndex > 0 {
 			envVarName = envTag[:commaIndex]
 		}
 		// If the file environment variable is not set, skip
 		envVarFileName := envVarName + "_FILE"
 		envVarFileValue := os.Getenv(envVarFileName)
 		if envVarFileValue == "" {
 			continue
 		}
 		fileContent, err := os.ReadFile(envVarFileValue)
 		if err != nil {
 			return fmt.Errorf("failed to read file for env var %s: %w", envVarFileName, err)
 		}
 		if isString {
 			field.SetString(strings.TrimSpace(string(fileContent)))
 		} else {
 			field.SetBytes(fileContent)
 		}
 	}
 	return nil
 }
--- a/backend/internal/common/env_config_test.go
+++ b/backend/internal/common/env_config_test.go
@@ -0,0 +1,305 @@
 package common
 import (
 	"os"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 func TestParseEnvConfig(t *testing.T) {
 	// Store original config to restore later
 	originalConfig := EnvConfig
 	t.Cleanup(func() {
 		EnvConfig = originalConfig
 	})
 	t.Run("should parse valid SQLite config correctly", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "sqlite")
 		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
 		t.Setenv("APP_URL", "http://localhost:3000")
 		err := parseEnvConfig()
 		require.NoError(t, err)
 		assert.Equal(t, DbProviderSqlite, EnvConfig.DbProvider)
 	})
 	t.Run("should parse valid Postgres config correctly", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "postgres")
 		t.Setenv("DB_CONNECTION_STRING", "postgres://user:pass@localhost/db")
 		t.Setenv("APP_URL", "https://example.com")
 		err := parseEnvConfig()
 		require.NoError(t, err)
 		assert.Equal(t, DbProviderPostgres, EnvConfig.DbProvider)
 	})
 	t.Run("should fail with invalid DB_PROVIDER", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "invalid")
 		t.Setenv("DB_CONNECTION_STRING", "test")
 		t.Setenv("APP_URL", "http://localhost:3000")
 		err := parseEnvConfig()
 		require.Error(t, err)
 		assert.ErrorContains(t, err, "invalid DB_PROVIDER value")
 	})
 	t.Run("should set default SQLite connection string when DB_CONNECTION_STRING is empty", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "sqlite")
 		t.Setenv("DB_CONNECTION_STRING", "") // Explicitly empty
 		t.Setenv("APP_URL", "http://localhost:3000")
 		err := parseEnvConfig()
 		require.NoError(t, err)
 		assert.Equal(t, defaultSqliteConnString, EnvConfig.DbConnectionString)
 	})
 	t.Run("should fail when Postgres DB_CONNECTION_STRING is missing", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "postgres")
 		t.Setenv("APP_URL", "http://localhost:3000")
 		err := parseEnvConfig()
 		require.Error(t, err)
 		assert.ErrorContains(t, err, "missing required env var 'DB_CONNECTION_STRING' for Postgres")
 	})
 	t.Run("should fail with invalid APP_URL", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "sqlite")
 		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
 		t.Setenv("APP_URL", "€://not-a-valid-url")
 		err := parseEnvConfig()
 		require.Error(t, err)
 		assert.ErrorContains(t, err, "APP_URL is not a valid URL")
 	})
 	t.Run("should fail when APP_URL contains path", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "sqlite")
 		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
 		t.Setenv("APP_URL", "http://localhost:3000/path")
 		err := parseEnvConfig()
 		require.Error(t, err)
 		assert.ErrorContains(t, err, "APP_URL must not contain a path")
 	})
 	t.Run("should default KEYS_STORAGE to 'file' when empty", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "sqlite")
 		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
 		t.Setenv("APP_URL", "http://localhost:3000")
 		err := parseEnvConfig()
 		require.NoError(t, err)
 		assert.Equal(t, "file", EnvConfig.KeysStorage)
 	})
 	t.Run("should fail when KEYS_STORAGE is 'database' but no encryption key", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "sqlite")
 		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
 		t.Setenv("APP_URL", "http://localhost:3000")
 		t.Setenv("KEYS_STORAGE", "database")
 		err := parseEnvConfig()
 		require.Error(t, err)
 		assert.ErrorContains(t, err, "ENCRYPTION_KEY must be non-empty when KEYS_STORAGE is database")
 	})
 	t.Run("should accept valid KEYS_STORAGE values", func(t *testing.T) {
 		validStorageTypes := []string{"file", "database"}
 		for _, storage := range validStorageTypes {
 			EnvConfig = defaultConfig()
 			t.Setenv("DB_PROVIDER", "sqlite")
 			t.Setenv("DB_CONNECTION_STRING", "file:test.db")
 			t.Setenv("APP_URL", "http://localhost:3000")
 			t.Setenv("KEYS_STORAGE", storage)
 			if storage == "database" {
 				t.Setenv("ENCRYPTION_KEY", "test-key")
 			}
 			err := parseEnvConfig()
 			require.NoError(t, err)
 			assert.Equal(t, storage, EnvConfig.KeysStorage)
 		}
 	})
 	t.Run("should fail with invalid KEYS_STORAGE value", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "sqlite")
 		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
 		t.Setenv("APP_URL", "http://localhost:3000")
 		t.Setenv("KEYS_STORAGE", "invalid")
 		err := parseEnvConfig()
 		require.Error(t, err)
 		assert.ErrorContains(t, err, "invalid value for KEYS_STORAGE")
 	})
 	t.Run("should parse boolean environment variables correctly", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "sqlite")
 		t.Setenv("DB_CONNECTION_STRING", "file:test.db")
 		t.Setenv("APP_URL", "http://localhost:3000")
 		t.Setenv("UI_CONFIG_DISABLED", "true")
 		t.Setenv("METRICS_ENABLED", "true")
 		t.Setenv("TRACING_ENABLED", "false")
 		t.Setenv("TRUST_PROXY", "true")
 		t.Setenv("ANALYTICS_DISABLED", "false")
 		err := parseEnvConfig()
 		require.NoError(t, err)
 		assert.True(t, EnvConfig.UiConfigDisabled)
 		assert.True(t, EnvConfig.MetricsEnabled)
 		assert.False(t, EnvConfig.TracingEnabled)
 		assert.True(t, EnvConfig.TrustProxy)
 		assert.False(t, EnvConfig.AnalyticsDisabled)
 	})
 	t.Run("should parse string environment variables correctly", func(t *testing.T) {
 		EnvConfig = defaultConfig()
 		t.Setenv("DB_PROVIDER", "postgres")
 		t.Setenv("DB_CONNECTION_STRING", "postgres://test")
 		t.Setenv("APP_URL", "https://prod.example.com")
 		t.Setenv("APP_ENV", "staging")
 		t.Setenv("UPLOAD_PATH", "/custom/uploads")
 		t.Setenv("KEYS_PATH", "/custom/keys")
 		t.Setenv("PORT", "8080")
 		t.Setenv("HOST", "127.0.0.1")
 		t.Setenv("UNIX_SOCKET", "/tmp/app.sock")
 		t.Setenv("MAXMIND_LICENSE_KEY", "test-license")
 		t.Setenv("GEOLITE_DB_PATH", "/custom/geolite.mmdb")
 		err := parseEnvConfig()
 		require.NoError(t, err)
 		assert.Equal(t, "staging", EnvConfig.AppEnv)
 		assert.Equal(t, "/custom/uploads", EnvConfig.UploadPath)
 		assert.Equal(t, "8080", EnvConfig.Port)
 		assert.Equal(t, "127.0.0.1", EnvConfig.Host)
 	})
 }
 func TestResolveFileBasedEnvVariables(t *testing.T) {
 	// Create temporary directory for test files
 	tempDir := t.TempDir()
 	// Create test files
 	encryptionKeyFile := tempDir + "/encryption_key.txt"
 	encryptionKeyContent := "test-encryption-key-123"
 	err := os.WriteFile(encryptionKeyFile, []byte(encryptionKeyContent), 0600)
 	require.NoError(t, err)
 	dbConnFile := tempDir + "/db_connection.txt"
 	dbConnContent := "postgres://user:pass@localhost/testdb"
 	err = os.WriteFile(dbConnFile, []byte(dbConnContent), 0600)
 	require.NoError(t, err)
 	// Create a binary file for testing binary data handling
 	binaryKeyFile := tempDir + "/binary_key.bin"
 	binaryKeyContent := []byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10}
 	err = os.WriteFile(binaryKeyFile, binaryKeyContent, 0600)
 	require.NoError(t, err)
 	t.Run("should read file content for fields with options:file tag", func(t *testing.T) {
 		config := defaultConfig()
 		// Set environment variables pointing to files
 		t.Setenv("ENCRYPTION_KEY_FILE", encryptionKeyFile)
 		t.Setenv("DB_CONNECTION_STRING_FILE", dbConnFile)
 		err := resolveFileBasedEnvVariables(&config)
 		require.NoError(t, err)
 		// Verify file contents were read correctly
 		assert.Equal(t, []byte(encryptionKeyContent), config.EncryptionKey)
 		assert.Equal(t, dbConnContent, config.DbConnectionString)
 	})
 	t.Run("should skip fields without options:file tag", func(t *testing.T) {
 		config := defaultConfig()
 		originalAppURL := config.AppURL
 		// Set a file for a field that doesn't have options:file tag
 		t.Setenv("APP_URL_FILE", "/tmp/nonexistent.txt")
 		err := resolveFileBasedEnvVariables(&config)
 		require.NoError(t, err)
 		// AppURL should remain unchanged
 		assert.Equal(t, originalAppURL, config.AppURL)
 	})
 	t.Run("should skip non-string fields", func(t *testing.T) {
 		// This test verifies that non-string fields are skipped
 		// We test this indirectly by ensuring the function doesn't error
 		// when processing the actual EnvConfigSchema which has bool fields
 		config := defaultConfig()
 		err := resolveFileBasedEnvVariables(&config)
 		require.NoError(t, err)
 	})
 	t.Run("should skip when _FILE environment variable is not set", func(t *testing.T) {
 		config := defaultConfig()
 		originalEncryptionKey := config.EncryptionKey
 		// Don't set ENCRYPTION_KEY_FILE environment variable
 		err := resolveFileBasedEnvVariables(&config)
 		require.NoError(t, err)
 		// EncryptionKey should remain unchanged
 		assert.Equal(t, originalEncryptionKey, config.EncryptionKey)
 	})
 	t.Run("should handle multiple file-based variables simultaneously", func(t *testing.T) {
 		config := defaultConfig()
 		// Set multiple file environment variables
 		t.Setenv("ENCRYPTION_KEY_FILE", encryptionKeyFile)
 		t.Setenv("DB_CONNECTION_STRING_FILE", dbConnFile)
 		err := resolveFileBasedEnvVariables(&config)
 		require.NoError(t, err)
 		// All should be resolved correctly
 		assert.Equal(t, []byte(encryptionKeyContent), config.EncryptionKey)
 		assert.Equal(t, dbConnContent, config.DbConnectionString)
 	})
 	t.Run("should handle mixed file and non-file environment variables", func(t *testing.T) {
 		config := defaultConfig()
 		// Set both file and non-file environment variables
 		t.Setenv("ENCRYPTION_KEY_FILE", encryptionKeyFile)
 		err := resolveFileBasedEnvVariables(&config)
 		require.NoError(t, err)
 		// File-based should be resolved, others should remain as set by env parser
 		assert.Equal(t, []byte(encryptionKeyContent), config.EncryptionKey)
 		assert.Equal(t, "http://localhost:1411", config.AppURL)
 	})
 	t.Run("should handle binary data correctly", func(t *testing.T) {
 		config := defaultConfig()
 		// Set environment variable pointing to binary file
 		t.Setenv("ENCRYPTION_KEY_FILE", binaryKeyFile)
 		err := resolveFileBasedEnvVariables(&config)
 		require.NoError(t, err)
 		// Verify binary data was read correctly without corruption
 		assert.Equal(t, binaryKeyContent, config.EncryptionKey)
 	})
 }
--- a/backend/internal/common/errors.go
+++ b/backend/internal/common/errors.go
@@ -349,3 +349,32 @@ func (e *OidcAuthorizationPendingError) Error() string {
 func (e *OidcAuthorizationPendingError) HttpStatusCode() int {
 	return http.StatusBadRequest
 }
 type ReauthenticationRequiredError struct{}
 func (e *ReauthenticationRequiredError) Error() string {
 	return "reauthentication required"
 }
 func (e *ReauthenticationRequiredError) HttpStatusCode() int {
 	return http.StatusUnauthorized
 }
 type OpenSignupDisabledError struct{}
 func (e *OpenSignupDisabledError) Error() string {
 	return "Open user signup is not enabled"
 }
 func (e *OpenSignupDisabledError) HttpStatusCode() int {
 	return http.StatusForbidden
 }
 type ClientIdAlreadyExistsError struct{}
 func (e *ClientIdAlreadyExistsError) Error() string {
 	return "Client ID already in use"
 }
 func (e *ClientIdAlreadyExistsError) HttpStatusCode() int {
 	return http.StatusBadRequest
 }
--- a/backend/internal/common/version.go
+++ b/backend/internal/common/version.go
@@ -1,5 +1,8 @@
 package common
 // Name is the name of the application
 const Name = "pocket-id"
 // Version contains the Pocket ID version.
 //
 // It can be set at build time using -ldflags.
--- a/backend/internal/controller/api_key_controller.go
+++ b/backend/internal/controller/api_key_controller.go
@@ -82,7 +82,7 @@ func (c *ApiKeyController) createApiKeyHandler(ctx *gin.Context) {
 	userID := ctx.GetString("userID")
 	var input dto.ApiKeyCreateDto
-	if err := ctx.ShouldBindJSON(&input); err != nil {
+	if err := dto.ShouldBindWithNormalizedJSON(ctx, &input); err != nil {
 		_ = ctx.Error(err)
 		return
 	}
--- a/backend/internal/controller/app_config_controller.go
+++ b/backend/internal/controller/app_config_controller.go
@@ -3,6 +3,7 @@ package controller
 import (
 	"net/http"
 	"strconv"
 	"time"
 	"github.com/gin-gonic/gin"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
@@ -108,7 +109,7 @@ func (acc *AppConfigController) listAllAppConfigHandler(c *gin.Context) {
 // @Router /api/application-configuration [put]
 func (acc *AppConfigController) updateAppConfigHandler(c *gin.Context) {
 	var input dto.AppConfigUpdateDto
-	if err := c.ShouldBindJSON(&input); err != nil {
+	if err := dto.ShouldBindWithNormalizedJSON(c, &input); err != nil {
 		_ = c.Error(err)
 		return
 	}
@@ -247,6 +248,8 @@ func (acc *AppConfigController) getImage(c *gin.Context, name string, imageType
 	mimeType := utils.GetImageMimeType(imageType)
 	c.Header("Content-Type", mimeType)
 	utils.SetCacheControlHeader(c, 15*time.Minute, 24*time.Hour)
 	c.File(imagePath)
 }
--- a/backend/internal/controller/audit_log_controller.go
+++ b/backend/internal/controller/audit_log_controller.go
@@ -89,6 +89,7 @@ func (alc *AuditLogController) listAuditLogsForUserHandler(c *gin.Context) {
 // @Param filters[userId] query string false "Filter by user ID"
 // @Param filters[event] query string false "Filter by event type"
 // @Param filters[clientName] query string false "Filter by client name"
 // @Param filters[location] query string false "Filter by location type (external or internal)"
 // @Success 200 {object} dto.Paginated[dto.AuditLogDto]
 // @Router /api/audit-logs/all [get]
 func (alc *AuditLogController) listAllAuditLogsHandler(c *gin.Context) {
--- a/backend/internal/controller/custom_claim_controller.go
+++ b/backend/internal/controller/custom_claim_controller.go
@@ -59,7 +59,7 @@ func (ccc *CustomClaimController) getSuggestionsHandler(c *gin.Context) {
 func (ccc *CustomClaimController) UpdateCustomClaimsForUserHandler(c *gin.Context) {
 	var input []dto.CustomClaimCreateDto
-	if err := c.ShouldBindJSON(&input); err != nil {
+	if err := dto.ShouldBindWithNormalizedJSON(c, &input); err != nil {
 		_ = c.Error(err)
 		return
 	}
@@ -93,7 +93,7 @@ func (ccc *CustomClaimController) UpdateCustomClaimsForUserHandler(c *gin.Contex
 func (ccc *CustomClaimController) UpdateCustomClaimsForUserGroupHandler(c *gin.Context) {
 	var input []dto.CustomClaimCreateDto
-	if err := c.ShouldBindJSON(&input); err != nil {
+	if err := dto.ShouldBindWithNormalizedJSON(c, &input); err != nil {
 		_ = c.Error(err)
 		return
 	}
--- a/backend/internal/controller/e2etest_controller.go
+++ b/backend/internal/controller/e2etest_controller.go
@@ -33,20 +33,23 @@ func (tc *TestController) resetAndSeedHandler(c *gin.Context) {
 	}
 	skipLdap := c.Query("skip-ldap") == "true"
 	skipSeed := c.Query("skip-seed") == "true"
 	if err := tc.TestService.ResetDatabase(); err != nil {
 		_ = c.Error(err)
 		return
 	}
-	if err := tc.TestService.ResetApplicationImages(); err != nil {
+	if err := tc.TestService.ResetApplicationImages(c.Request.Context()); err != nil {
 		_ = c.Error(err)
 		return
 	}
-	if err := tc.TestService.SeedDatabase(baseURL); err != nil {
+	if !skipSeed {
-		_ = c.Error(err)
+		if err := tc.TestService.SeedDatabase(baseURL); err != nil {
-		return
+			_ = c.Error(err)
 			return
 		}
 	}
 	if err := tc.TestService.ResetAppConfig(c.Request.Context()); err != nil {
--- a/backend/internal/controller/oidc_controller.go
+++ b/backend/internal/controller/oidc_controller.go
@@ -2,10 +2,11 @@ package controller
 import (
 	"errors"
-	"log"
+	"log/slog"
 	"net/http"
 	"net/url"
 	"strings"
 	"time"
 	"github.com/gin-gonic/gin"
@@ -54,8 +55,13 @@ func NewOidcController(group *gin.RouterGroup, authMiddleware *middleware.AuthMi
 	group.POST("/oidc/device/verify", authMiddleware.WithAdminNotRequired().Add(), oc.verifyDeviceCodeHandler)
 	group.GET("/oidc/device/info", authMiddleware.WithAdminNotRequired().Add(), oc.getDeviceCodeInfoHandler)
-	group.GET("/oidc/users/me/clients", authMiddleware.WithAdminNotRequired().Add(), oc.listOwnAuthorizedClientsHandler)
+	group.GET("/oidc/users/me/authorized-clients", authMiddleware.WithAdminNotRequired().Add(), oc.listOwnAuthorizedClientsHandler)
-	group.GET("/oidc/users/:id/clients", authMiddleware.Add(), oc.listAuthorizedClientsHandler)
+	group.GET("/oidc/users/:id/authorized-clients", authMiddleware.Add(), oc.listAuthorizedClientsHandler)
 	group.DELETE("/oidc/users/me/authorized-clients/:clientId", authMiddleware.WithAdminNotRequired().Add(), oc.revokeOwnClientAuthorizationHandler)
 	group.GET("/oidc/users/me/clients", authMiddleware.WithAdminNotRequired().Add(), oc.listOwnAccessibleClientsHandler)
 }
 type OidcController struct {
@@ -88,6 +94,7 @@ func (oc *OidcController) authorizeHandler(c *gin.Context) {
 	response := dto.AuthorizeOidcClientResponseDto{
 		Code:        code,
 		CallbackURL: callbackURL,
 		Issuer:      common.EnvConfig.AppURL,
 	}
 	c.JSON(http.StatusOK, response)
@@ -255,7 +262,7 @@ func (oc *OidcController) EndSessionHandler(c *gin.Context) {
 	callbackURL, err := oc.oidcService.ValidateEndSession(c.Request.Context(), input, c.GetString("userID"))
 	if err != nil {
 		// If the validation fails, the user has to confirm the logout manually and doesn't get redirected
-		log.Printf("Error getting logout callback URL, the user has to confirm the logout manually: %v", err)
+		slog.WarnContext(c.Request.Context(), "Error getting logout callback URL, the user has to confirm the logout manually", "error", err)
 		c.Redirect(http.StatusFound, common.EnvConfig.AppURL+"/logout")
 		return
 	}
@@ -485,11 +492,11 @@ func (oc *OidcController) deleteClientHandler(c *gin.Context) {
 // @Accept json
 // @Produce json
 // @Param id path string true "Client ID"
-// @Param client body dto.OidcClientCreateDto true "Client information"
+// @Param client body dto.OidcClientUpdateDto true "Client information"
 // @Success 200 {object} dto.OidcClientWithAllowedUserGroupsDto "Updated client"
 // @Router /api/oidc/clients/{id} [put]
 func (oc *OidcController) updateClientHandler(c *gin.Context) {
-	var input dto.OidcClientCreateDto
+	var input dto.OidcClientUpdateDto
 	if err := c.ShouldBindJSON(&input); err != nil {
 		_ = c.Error(err)
 		return
@@ -545,6 +552,8 @@ func (oc *OidcController) getClientLogoHandler(c *gin.Context) {
 		return
 	}
 	utils.SetCacheControlHeader(c, 15*time.Minute, 12*time.Hour)
 	c.Header("Content-Type", mimeType)
 	c.File(imagePath)
 }
@@ -653,7 +662,7 @@ func (oc *OidcController) deviceAuthorizationHandler(c *gin.Context) {
 // @Param sort[column] query string false "Column to sort by"
 // @Param sort[direction] query string false "Sort direction (asc or desc)" default("asc")
 // @Success 200 {object} dto.Paginated[dto.AuthorizedOidcClientDto]
-// @Router /api/oidc/users/me/clients [get]
+// @Router /api/oidc/users/me/authorized-clients [get]
 func (oc *OidcController) listOwnAuthorizedClientsHandler(c *gin.Context) {
 	userID := c.GetString("userID")
 	oc.listAuthorizedClients(c, userID)
@@ -669,7 +678,7 @@ func (oc *OidcController) listOwnAuthorizedClientsHandler(c *gin.Context) {
 // @Param sort[column] query string false "Column to sort by"
 // @Param sort[direction] query string false "Sort direction (asc or desc)" default("asc")
 // @Success 200 {object} dto.Paginated[dto.AuthorizedOidcClientDto]
-// @Router /api/oidc/users/{id}/clients [get]
+// @Router /api/oidc/users/{id}/authorized-clients [get]
 func (oc *OidcController) listAuthorizedClientsHandler(c *gin.Context) {
 	userID := c.Param("id")
 	oc.listAuthorizedClients(c, userID)
@@ -700,6 +709,58 @@ func (oc *OidcController) listAuthorizedClients(c *gin.Context, userID string) {
 	})
 }
 // revokeOwnClientAuthorizationHandler godoc
 // @Summary Revoke authorization for an OIDC client
 // @Description Revoke the authorization for a specific OIDC client for the current user
 // @Tags OIDC
 // @Param clientId path string true "Client ID to revoke authorization for"
 // @Success 204 "No Content"
 // @Router /api/oidc/users/me/authorized-clients/{clientId} [delete]
 func (oc *OidcController) revokeOwnClientAuthorizationHandler(c *gin.Context) {
 	clientID := c.Param("clientId")
 	userID := c.GetString("userID")
 	err := oc.oidcService.RevokeAuthorizedClient(c.Request.Context(), userID, clientID)
 	if err != nil {
 		_ = c.Error(err)
 		return
 	}
 	c.Status(http.StatusNoContent)
 }
 // listOwnAccessibleClientsHandler godoc
 // @Summary List accessible OIDC clients for current user
 // @Description Get a list of OIDC clients that the current user can access
 // @Tags OIDC
 // @Param pagination[page] query int false "Page number for pagination" default(1)
 // @Param pagination[limit] query int false "Number of items per page" default(20)
 // @Param sort[column] query string false "Column to sort by"
 // @Param sort[direction] query string false "Sort direction (asc or desc)" default("asc")
 // @Success 200 {object} dto.Paginated[dto.AccessibleOidcClientDto]
 // @Router /api/oidc/users/me/clients [get]
 func (oc *OidcController) listOwnAccessibleClientsHandler(c *gin.Context) {
 	userID := c.GetString("userID")
 	var sortedPaginationRequest utils.SortedPaginationRequest
 	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
 		_ = c.Error(err)
 		return
 	}
 	clients, pagination, err := oc.oidcService.ListAccessibleOidcClients(c.Request.Context(), userID, sortedPaginationRequest)
 	if err != nil {
 		_ = c.Error(err)
 		return
 	}
 	c.JSON(http.StatusOK, dto.Paginated[dto.AccessibleOidcClientDto]{
 		Data:       clients,
 		Pagination: pagination,
 	})
 }
 func (oc *OidcController) verifyDeviceCodeHandler(c *gin.Context) {
 	userCode := c.Query("code")
 	if userCode == "" {
--- a/backend/internal/controller/user_controller.go
+++ b/backend/internal/controller/user_controller.go
@@ -14,6 +14,11 @@ import (
 	"golang.org/x/time/rate"
 )
 const (
 	defaultOneTimeAccessTokenDuration = 15 * time.Minute
 	defaultSignupTokenDuration        = time.Hour
 )
 // NewUserController creates a new controller for user management endpoints
 // @Summary User management controller
 // @Description Initializes all user-related API endpoints
@@ -44,11 +49,17 @@ func NewUserController(group *gin.RouterGroup, authMiddleware *middleware.AuthMi
 	group.POST("/users/:id/one-time-access-token", authMiddleware.Add(), uc.createAdminOneTimeAccessTokenHandler)
 	group.POST("/users/:id/one-time-access-email", authMiddleware.Add(), uc.RequestOneTimeAccessEmailAsAdminHandler)
 	group.POST("/one-time-access-token/:token", rateLimitMiddleware.Add(rate.Every(10*time.Second), 5), uc.exchangeOneTimeAccessTokenHandler)
 	group.POST("/one-time-access-token/setup", uc.getSetupAccessTokenHandler)
 	group.POST("/one-time-access-email", rateLimitMiddleware.Add(rate.Every(10*time.Minute), 3), uc.RequestOneTimeAccessEmailAsUnauthenticatedUserHandler)
 	group.DELETE("/users/:id/profile-picture", authMiddleware.Add(), uc.resetUserProfilePictureHandler)
 	group.DELETE("/users/me/profile-picture", authMiddleware.WithAdminNotRequired().Add(), uc.resetCurrentUserProfilePictureHandler)
 	group.POST("/signup-tokens", authMiddleware.Add(), uc.createSignupTokenHandler)
 	group.GET("/signup-tokens", authMiddleware.Add(), uc.listSignupTokensHandler)
 	group.DELETE("/signup-tokens/:id", authMiddleware.Add(), uc.deleteSignupTokenHandler)
 	group.POST("/signup", rateLimitMiddleware.Add(rate.Every(1*time.Minute), 10), uc.signupHandler)
 	group.POST("/signup/setup", uc.signUpInitialAdmin)
 }
 type UserController struct {
@@ -187,7 +198,7 @@ func (uc *UserController) deleteUserHandler(c *gin.Context) {
 // @Router /api/users [post]
 func (uc *UserController) createUserHandler(c *gin.Context) {
 	var input dto.UserCreateDto
-	if err := c.ShouldBindJSON(&input); err != nil {
+	if err := dto.ShouldBindWithNormalizedJSON(c, &input); err != nil {
 		_ = c.Error(err)
 		return
 	}
@@ -250,10 +261,7 @@ func (uc *UserController) getUserProfilePictureHandler(c *gin.Context) {
 		defer picture.Close()
 	}
-	_, ok := c.GetQuery("skipCache")
+	utils.SetCacheControlHeader(c, 15*time.Minute, 1*time.Hour)
 	if !ok {
 		c.Header("Cache-Control", "public, max-age=900")
 	}
 	c.DataFromReader(http.StatusOK, size, "image/png", picture, nil)
 }
@@ -328,10 +336,17 @@ func (uc *UserController) createOneTimeAccessTokenHandler(c *gin.Context, own bo
 		return
 	}
 	var ttl time.Duration
 	if own {
 		input.UserID = c.GetString("userID")
 		ttl = defaultOneTimeAccessTokenDuration
 	} else {
 		ttl = input.TTL.Duration
 		if ttl <= 0 {
 			ttl = defaultOneTimeAccessTokenDuration
 		}
 	}
-	token, err := uc.userService.CreateOneTimeAccessToken(c.Request.Context(), input.UserID, input.ExpiresAt)
+	token, err := uc.userService.CreateOneTimeAccessToken(c.Request.Context(), input.UserID, ttl)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -375,7 +390,7 @@ func (uc *UserController) createAdminOneTimeAccessTokenHandler(c *gin.Context) {
 // @Router /api/one-time-access-email [post]
 func (uc *UserController) RequestOneTimeAccessEmailAsUnauthenticatedUserHandler(c *gin.Context) {
 	var input dto.OneTimeAccessEmailAsUnauthenticatedUserDto
-	if err := c.ShouldBindJSON(&input); err != nil {
+	if err := dto.ShouldBindWithNormalizedJSON(c, &input); err != nil {
 		_ = c.Error(err)
 		return
 	}
@@ -408,7 +423,11 @@ func (uc *UserController) RequestOneTimeAccessEmailAsAdminHandler(c *gin.Context
 	userID := c.Param("id")
-	err := uc.userService.RequestOneTimeAccessEmailAsAdmin(c.Request.Context(), userID, input.ExpiresAt)
+	ttl := input.TTL.Duration
 	if ttl <= 0 {
 		ttl = defaultOneTimeAccessTokenDuration
 	}
 	err := uc.userService.RequestOneTimeAccessEmailAsAdmin(c.Request.Context(), userID, ttl)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -443,14 +462,23 @@ func (uc *UserController) exchangeOneTimeAccessTokenHandler(c *gin.Context) {
 	c.JSON(http.StatusOK, userDto)
 }
-// getSetupAccessTokenHandler godoc
+// signUpInitialAdmin godoc
-// @Summary Setup initial admin
+// @Summary Sign up initial admin user
-// @Description Generate setup access token for initial admin user configuration
+// @Description Sign up and generate setup access token for initial admin user
 // @Tags Users
 // @Accept json
 // @Produce json
 // @Param body body dto.SignUpDto true "User information"
 // @Success 200 {object} dto.UserDto
-// @Router /api/one-time-access-token/setup [post]
+// @Router /api/signup/setup [post]
-func (uc *UserController) getSetupAccessTokenHandler(c *gin.Context) {
+func (uc *UserController) signUpInitialAdmin(c *gin.Context) {
-	user, token, err := uc.userService.SetupInitialAdmin(c.Request.Context())
+	var input dto.SignUpDto
 	if err := dto.ShouldBindWithNormalizedJSON(c, &input); err != nil {
 		_ = c.Error(err)
 		return
 	}
 	user, token, err := uc.userService.SignUpInitialAdmin(c.Request.Context(), input)
 	if err != nil {
 		_ = c.Error(err)
 		return
@@ -498,10 +526,138 @@ func (uc *UserController) updateUserGroups(c *gin.Context) {
 	c.JSON(http.StatusOK, userDto)
 }
 // createSignupTokenHandler godoc
 // @Summary Create signup token
 // @Description Create a new signup token that allows user registration
 // @Tags Users
 // @Accept json
 // @Produce json
 // @Param token body dto.SignupTokenCreateDto true "Signup token information"
 // @Success 201 {object} dto.SignupTokenDto
 // @Router /api/signup-tokens [post]
 func (uc *UserController) createSignupTokenHandler(c *gin.Context) {
 	var input dto.SignupTokenCreateDto
 	if err := c.ShouldBindJSON(&input); err != nil {
 		_ = c.Error(err)
 		return
 	}
 	ttl := input.TTL.Duration
 	if ttl <= 0 {
 		ttl = defaultSignupTokenDuration
 	}
 	signupToken, err := uc.userService.CreateSignupToken(c.Request.Context(), ttl, input.UsageLimit)
 	if err != nil {
 		_ = c.Error(err)
 		return
 	}
 	var tokenDto dto.SignupTokenDto
 	err = dto.MapStruct(signupToken, &tokenDto)
 	if err != nil {
 		_ = c.Error(err)
 		return
 	}
 	c.JSON(http.StatusCreated, tokenDto)
 }
 // listSignupTokensHandler godoc
 // @Summary List signup tokens
 // @Description Get a paginated list of signup tokens
 // @Tags Users
 // @Param pagination[page] query int false "Page number for pagination" default(1)
 // @Param pagination[limit] query int false "Number of items per page" default(20)
 // @Param sort[column] query string false "Column to sort by"
 // @Param sort[direction] query string false "Sort direction (asc or desc)" default("asc")
 // @Success 200 {object} dto.Paginated[dto.SignupTokenDto]
 // @Router /api/signup-tokens [get]
 func (uc *UserController) listSignupTokensHandler(c *gin.Context) {
 	var sortedPaginationRequest utils.SortedPaginationRequest
 	if err := c.ShouldBindQuery(&sortedPaginationRequest); err != nil {
 		_ = c.Error(err)
 		return
 	}
 	tokens, pagination, err := uc.userService.ListSignupTokens(c.Request.Context(), sortedPaginationRequest)
 	if err != nil {
 		_ = c.Error(err)
 		return
 	}
 	var tokensDto []dto.SignupTokenDto
 	if err := dto.MapStructList(tokens, &tokensDto); err != nil {
 		_ = c.Error(err)
 		return
 	}
 	c.JSON(http.StatusOK, dto.Paginated[dto.SignupTokenDto]{
 		Data:       tokensDto,
 		Pagination: pagination,
 	})
 }
 // deleteSignupTokenHandler godoc
 // @Summary Delete signup token
 // @Description Delete a signup token by ID
 // @Tags Users
 // @Param id path string true "Token ID"
 // @Success 204 "No Content"
 // @Router /api/signup-tokens/{id} [delete]
 func (uc *UserController) deleteSignupTokenHandler(c *gin.Context) {
 	tokenID := c.Param("id")
 	err := uc.userService.DeleteSignupToken(c.Request.Context(), tokenID)
 	if err != nil {
 		_ = c.Error(err)
 		return
 	}
 	c.Status(http.StatusNoContent)
 }
 // signupWithTokenHandler godoc
 // @Summary Sign up
 // @Description Create a new user account
 // @Tags Users
 // @Accept json
 // @Produce json
 // @Param user body dto.SignUpDto true "User information"
 // @Success 201 {object} dto.SignUpDto
 // @Router /api/signup [post]
 func (uc *UserController) signupHandler(c *gin.Context) {
 	var input dto.SignUpDto
 	if err := dto.ShouldBindWithNormalizedJSON(c, &input); err != nil {
 		_ = c.Error(err)
 		return
 	}
 	ipAddress := c.ClientIP()
 	userAgent := c.GetHeader("User-Agent")
 	user, accessToken, err := uc.userService.SignUp(c.Request.Context(), input, ipAddress, userAgent)
 	if err != nil {
 		_ = c.Error(err)
 		return
 	}
 	maxAge := int(uc.appConfigService.GetDbConfig().SessionDuration.AsDurationMinutes().Seconds())
 	cookie.AddAccessTokenCookie(c, maxAge, accessToken)
 	var userDto dto.UserDto
 	if err := dto.MapStruct(user, &userDto); err != nil {
 		_ = c.Error(err)
 		return
 	}
 	c.JSON(http.StatusCreated, userDto)
 }
 // updateUser is an internal helper method, not exposed as an API endpoint
 func (uc *UserController) updateUser(c *gin.Context, updateOwnUser bool) {
 	var input dto.UserCreateDto
-	if err := c.ShouldBindJSON(&input); err != nil {
+	if err := dto.ShouldBindWithNormalizedJSON(c, &input); err != nil {
 		_ = c.Error(err)
 		return
 	}
--- a/backend/internal/controller/user_group_controller.go
+++ b/backend/internal/controller/user_group_controller.go
@@ -120,7 +120,7 @@ func (ugc *UserGroupController) get(c *gin.Context) {
 // @Router /api/user-groups [post]
 func (ugc *UserGroupController) create(c *gin.Context) {
 	var input dto.UserGroupCreateDto
-	if err := c.ShouldBindJSON(&input); err != nil {
+	if err := dto.ShouldBindWithNormalizedJSON(c, &input); err != nil {
 		_ = c.Error(err)
 		return
 	}
@@ -152,7 +152,7 @@ func (ugc *UserGroupController) create(c *gin.Context) {
 // @Router /api/user-groups/{id} [put]
 func (ugc *UserGroupController) update(c *gin.Context) {
 	var input dto.UserGroupCreateDto
-	if err := c.ShouldBindJSON(&input); err != nil {
+	if err := dto.ShouldBindWithNormalizedJSON(c, &input); err != nil {
 		_ = c.Error(err)
 		return
 	}
--- a/backend/internal/controller/webauthn_controller.go
+++ b/backend/internal/controller/webauthn_controller.go
@@ -25,6 +25,8 @@ func NewWebauthnController(group *gin.RouterGroup, authMiddleware *middleware.Au
 	group.POST("/webauthn/logout", authMiddleware.WithAdminNotRequired().Add(), wc.logoutHandler)
 	group.POST("/webauthn/reauthenticate", authMiddleware.WithAdminNotRequired().Add(), rateLimitMiddleware.Add(rate.Every(10*time.Second), 5), wc.reauthenticateHandler)
 	group.GET("/webauthn/credentials", authMiddleware.WithAdminNotRequired().Add(), wc.listCredentialsHandler)
 	group.PATCH("/webauthn/credentials/:id", authMiddleware.WithAdminNotRequired().Add(), wc.updateCredentialHandler)
 	group.DELETE("/webauthn/credentials/:id", authMiddleware.WithAdminNotRequired().Add(), wc.deleteCredentialHandler)
@@ -171,3 +173,33 @@ func (wc *WebauthnController) logoutHandler(c *gin.Context) {
 	cookie.AddAccessTokenCookie(c, 0, "")
 	c.Status(http.StatusNoContent)
 }
 func (wc *WebauthnController) reauthenticateHandler(c *gin.Context) {
 	sessionID, err := c.Cookie(cookie.SessionIdCookieName)
 	if err != nil {
 		_ = c.Error(&common.MissingSessionIdError{})
 		return
 	}
 	var token string
 	// Try to create a reauthentication token with WebAuthn
 	credentialAssertionData, err := protocol.ParseCredentialRequestResponseBody(c.Request.Body)
 	if err == nil {
 		token, err = wc.webAuthnService.CreateReauthenticationTokenWithWebauthn(c.Request.Context(), sessionID, credentialAssertionData)
 		if err != nil {
 			_ = c.Error(err)
 			return
 		}
 	} else {
 		// If WebAuthn fails, try to create a reauthentication token with the access token
 		accessToken, _ := c.Cookie(cookie.AccessTokenCookieName)
 		token, err = wc.webAuthnService.CreateReauthenticationTokenWithAccessToken(c.Request.Context(), accessToken)
 		if err != nil {
 			_ = c.Error(err)
 			return
 		}
 	}
 	c.JSON(http.StatusOK, gin.H{"reauthenticationToken": token})
 }
--- a/backend/internal/controller/well_known_controller.go
+++ b/backend/internal/controller/well_known_controller.go
@@ -3,8 +3,9 @@ package controller
 import (
 	"encoding/json"
 	"fmt"
-	"log"
+	"log/slog"
 	"net/http"
 	"os"
 	"github.com/gin-gonic/gin"
@@ -23,7 +24,9 @@ func NewWellKnownController(group *gin.RouterGroup, jwtService *service.JwtServi
 	var err error
 	wkc.oidcConfig, err = wkc.computeOIDCConfiguration()
 	if err != nil {
-		log.Fatalf("Failed to pre-compute OpenID Connect configuration document: %v", err)
+		slog.Error("Failed to pre-compute OpenID Connect configuration document", slog.Any("error", err))
 		os.Exit(1)
 		return
 	}
 	group.GET("/.well-known/jwks.json", wkc.jwksHandler)
@@ -69,20 +72,22 @@ func (wkc *WellKnownController) computeOIDCConfiguration() ([]byte, error) {
 		return nil, fmt.Errorf("failed to get key algorithm: %w", err)
 	}
 	config := map[string]any{
-		"issuer":                                appUrl,
+		"issuer":                                         appUrl,
-		"authorization_endpoint":                appUrl + "/authorize",
+		"authorization_endpoint":                         appUrl + "/authorize",
-		"token_endpoint":                        appUrl + "/api/oidc/token",
+		"token_endpoint":                                 appUrl + "/api/oidc/token",
-		"userinfo_endpoint":                     appUrl + "/api/oidc/userinfo",
+		"userinfo_endpoint":                              appUrl + "/api/oidc/userinfo",
-		"end_session_endpoint":                  appUrl + "/api/oidc/end-session",
+		"end_session_endpoint":                           appUrl + "/api/oidc/end-session",
-		"introspection_endpoint":                appUrl + "/api/oidc/introspect",
+		"introspection_endpoint":                         appUrl + "/api/oidc/introspect",
-		"device_authorization_endpoint":         appUrl + "/api/oidc/device/authorize",
+		"device_authorization_endpoint":                  appUrl + "/api/oidc/device/authorize",
-		"jwks_uri":                              appUrl + "/.well-known/jwks.json",
+		"jwks_uri":                                       appUrl + "/.well-known/jwks.json",
-		"grant_types_supported":                 []string{service.GrantTypeAuthorizationCode, service.GrantTypeRefreshToken, service.GrantTypeDeviceCode},
+		"grant_types_supported":                          []string{service.GrantTypeAuthorizationCode, service.GrantTypeRefreshToken, service.GrantTypeDeviceCode},
-		"scopes_supported":                      []string{"openid", "profile", "email", "groups"},
+		"scopes_supported":                               []string{"openid", "profile", "email", "groups"},
-		"claims_supported":                      []string{"sub", "given_name", "family_name", "name", "email", "email_verified", "preferred_username", "picture", "groups"},
+		"claims_supported":                               []string{"sub", "given_name", "family_name", "name", "email", "email_verified", "preferred_username", "picture", "groups"},
-		"response_types_supported":              []string{"code", "id_token"},
+		"response_types_supported":                       []string{"code", "id_token"},
-		"subject_types_supported":               []string{"public"},
+		"subject_types_supported":                        []string{"public"},
-		"id_token_signing_alg_values_supported": []string{alg.String()},
+		"id_token_signing_alg_values_supported":          []string{alg.String()},
 		"authorization_response_iss_parameter_supported": true,
 		"code_challenge_methods_supported":               []string{"plain", "S256"},
 	}
 	return json.Marshal(config)
 }
--- a/backend/internal/dto/api_key_dto.go
+++ b/backend/internal/dto/api_key_dto.go
@@ -5,15 +5,15 @@ import (
 )
 type ApiKeyCreateDto struct {
-	Name        string            `json:"name" binding:"required,min=3,max=50"`
+	Name        string            `json:"name" binding:"required,min=3,max=50" unorm:"nfc"`
-	Description string            `json:"description"`
+	Description *string           `json:"description" unorm:"nfc"`
 	ExpiresAt   datatype.DateTime `json:"expiresAt" binding:"required"`
 }
 type ApiKeyDto struct {
 	ID                  string             `json:"id"`
 	Name                string             `json:"name"`
-	Description         string             `json:"description"`
+	Description         *string            `json:"description"`
 	ExpiresAt           datatype.DateTime  `json:"expiresAt"`
 	LastUsedAt          *datatype.DateTime `json:"lastUsedAt"`
 	CreatedAt           datatype.DateTime  `json:"createdAt"`
--- a/backend/internal/dto/app_config_dto.go
+++ b/backend/internal/dto/app_config_dto.go
@@ -12,11 +12,15 @@ type AppConfigVariableDto struct {
 }
 type AppConfigUpdateDto struct {
-	AppName                                    string `json:"appName" binding:"required,min=1,max=30"`
+	AppName                                    string `json:"appName" binding:"required,min=1,max=30" unorm:"nfc"`
 	SessionDuration                            string `json:"sessionDuration" binding:"required"`
 	EmailsVerified                             string `json:"emailsVerified" binding:"required"`
 	DisableAnimations                          string `json:"disableAnimations" binding:"required"`
 	AllowOwnAccountEdit                        string `json:"allowOwnAccountEdit" binding:"required"`
 	AllowUserSignups                           string `json:"allowUserSignups" binding:"required,oneof=disabled withToken open"`
 	SignupDefaultUserGroupIDs                  string `json:"signupDefaultUserGroupIDs" binding:"omitempty,json"`
 	SignupDefaultCustomClaims                  string `json:"signupDefaultCustomClaims" binding:"omitempty,json"`
 	AccentColor                                string `json:"accentColor"`
 	SmtpHost                                   string `json:"smtpHost"`
 	SmtpPort                                   string `json:"smtpPort"`
 	SmtpFrom                                   string `json:"smtpFrom" binding:"omitempty,email"`
--- a/backend/internal/dto/audit_log_dto.go
+++ b/backend/internal/dto/audit_log_dto.go
@@ -1,7 +1,6 @@
 package dto
 import (
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )
@@ -9,18 +8,19 @@ type AuditLogDto struct {
 	ID        string            `json:"id"`
 	CreatedAt datatype.DateTime `json:"createdAt"`
-	Event     model.AuditLogEvent `json:"event"`
+	Event     string            `json:"event"`
-	IpAddress string              `json:"ipAddress"`
+	IpAddress string            `json:"ipAddress"`
-	Country   string              `json:"country"`
+	Country   string            `json:"country"`
-	City      string              `json:"city"`
+	City      string            `json:"city"`
-	Device    string              `json:"device"`
+	Device    string            `json:"device"`
-	UserID    string              `json:"userID"`
+	UserID    string            `json:"userID"`
-	Username  string              `json:"username"`
+	Username  string            `json:"username"`
-	Data      model.AuditLogData  `json:"data"`
+	Data      map[string]string `json:"data"`
 }
 type AuditLogFilterDto struct {
 	UserID     string `form:"filters[userId]"`
 	Event      string `form:"filters[event]"`
 	ClientName string `form:"filters[clientName]"`
 	Location   string `form:"filters[location]"`
 }
--- a/backend/internal/dto/custom_claim_dto.go
+++ b/backend/internal/dto/custom_claim_dto.go
@@ -6,6 +6,6 @@ type CustomClaimDto struct {
 }
 type CustomClaimCreateDto struct {
-	Key   string `json:"key" binding:"required"`
+	Key   string `json:"key" binding:"required" unorm:"nfc"`
-	Value string `json:"value" binding:"required"`
+	Value string `json:"value" binding:"required" unorm:"nfc"`
 }
--- a/backend/internal/dto/dto_mapper.go
+++ b/backend/internal/dto/dto_mapper.go
@@ -1,162 +1,27 @@
 package dto
 import (
-	"errors"
+	"fmt"
 	"reflect"
 	"time"
-	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
+	"github.com/jinzhu/copier"
 )
 // MapStructList maps a list of source structs to a list of destination structs
-func MapStructList[S any, D any](source []S, destination *[]D) error {
+func MapStructList[S any, D any](source []S, destination *[]D) (err error) {
-	*destination = make([]D, 0, len(source))
+	*destination = make([]D, len(source))
-	for _, item := range source {
+	for i, item := range source {
-		var destItem D
+		err = MapStruct(item, &((*destination)[i]))
-		if err := MapStruct(item, &destItem); err != nil {
+		if err != nil {
-			return err
+			return fmt.Errorf("failed to map field %d: %w", i, err)
 		}
 		*destination = append(*destination, destItem)
 	}
 	return nil
 }
 // MapStruct maps a source struct to a destination struct
-func MapStruct[S any, D any](source S, destination *D) error {
+func MapStruct(source any, destination any) error {
-	// Ensure destination is a non-nil pointer
+	return copier.CopyWithOption(destination, source, copier.Option{
-	destValue := reflect.ValueOf(destination)
+		DeepCopy: true,
-	if destValue.Kind() != reflect.Ptr || destValue.IsNil() {
+	})
 		return errors.New("destination must be a non-nil pointer to a struct")
 	}
 	// Ensure source is a struct
 	sourceValue := reflect.ValueOf(source)
 	if sourceValue.Kind() != reflect.Struct {
 		return errors.New("source must be a struct")
 	}
 	return mapStructInternal(sourceValue, destValue.Elem())
 }
 func mapStructInternal(sourceVal reflect.Value, destVal reflect.Value) error {
 	for i := 0; i < destVal.NumField(); i++ {
 		destField := destVal.Field(i)
 		destFieldType := destVal.Type().Field(i)
 		if destFieldType.Anonymous {
 			if err := mapStructInternal(sourceVal, destField); err != nil {
 				return err
 			}
 			continue
 		}
 		sourceField := sourceVal.FieldByName(destFieldType.Name)
 		if sourceField.IsValid() && destField.CanSet() {
 			if err := mapField(sourceField, destField); err != nil {
 				return err
 			}
 		}
 	}
 	return nil
 }
 //nolint:gocognit
 func mapField(sourceField reflect.Value, destField reflect.Value) error {
 	// Handle pointer to struct in source
 	if sourceField.Kind() == reflect.Ptr && !sourceField.IsNil() {
 		switch {
 		case sourceField.Elem().Kind() == reflect.Struct:
 			switch {
 			case destField.Kind() == reflect.Struct:
 				// Map from pointer to struct -> struct
 				return mapStructInternal(sourceField.Elem(), destField)
 			case destField.Kind() == reflect.Ptr && destField.CanSet():
 				// Map from pointer to struct -> pointer to struct
 				if destField.IsNil() {
 					destField.Set(reflect.New(destField.Type().Elem()))
 				}
 				return mapStructInternal(sourceField.Elem(), destField.Elem())
 			}
 		case destField.Kind() == reflect.Ptr &&
 			destField.CanSet() &&
 			sourceField.Elem().Type().AssignableTo(destField.Type().Elem()):
 			// Handle primitive pointer types (e.g., *string to *string)
 			if destField.IsNil() {
 				destField.Set(reflect.New(destField.Type().Elem()))
 			}
 			destField.Elem().Set(sourceField.Elem())
 			return nil
 		case destField.Kind() != reflect.Ptr &&
 			destField.CanSet() &&
 			sourceField.Elem().Type().AssignableTo(destField.Type()):
 			// Handle *T to T conversion for primitive types
 			destField.Set(sourceField.Elem())
 			return nil
 		}
 	}
 	// Handle pointer to struct in destination
 	if destField.Kind() == reflect.Ptr && destField.CanSet() {
 		switch {
 		case sourceField.Kind() == reflect.Struct:
 			// Map from struct -> pointer to struct
 			if destField.IsNil() {
 				destField.Set(reflect.New(destField.Type().Elem()))
 			}
 			return mapStructInternal(sourceField, destField.Elem())
 		case !sourceField.IsZero() && sourceField.Type().AssignableTo(destField.Type().Elem()):
 			// Handle T to *T conversion for primitive types
 			if destField.IsNil() {
 				destField.Set(reflect.New(destField.Type().Elem()))
 			}
 			destField.Elem().Set(sourceField)
 			return nil
 		}
 	}
 	switch {
 	case sourceField.Type() == destField.Type():
 		destField.Set(sourceField)
 	case sourceField.Kind() == reflect.Slice && destField.Kind() == reflect.Slice:
 		return mapSlice(sourceField, destField)
 	case sourceField.Kind() == reflect.Struct && destField.Kind() == reflect.Struct:
 		return mapStructInternal(sourceField, destField)
 	default:
 		return mapSpecialTypes(sourceField, destField)
 	}
 	return nil
 }
 func mapSlice(sourceField reflect.Value, destField reflect.Value) error {
 	if sourceField.Type().Elem() == destField.Type().Elem() {
 		newSlice := reflect.MakeSlice(destField.Type(), sourceField.Len(), sourceField.Cap())
 		for j := 0; j < sourceField.Len(); j++ {
 			newSlice.Index(j).Set(sourceField.Index(j))
 		}
 		destField.Set(newSlice)
 	} else if sourceField.Type().Elem().Kind() == reflect.Struct && destField.Type().Elem().Kind() == reflect.Struct {
 		newSlice := reflect.MakeSlice(destField.Type(), sourceField.Len(), sourceField.Cap())
 		for j := 0; j < sourceField.Len(); j++ {
 			sourceElem := sourceField.Index(j)
 			destElem := reflect.New(destField.Type().Elem()).Elem()
 			if err := mapStructInternal(sourceElem, destElem); err != nil {
 				return err
 			}
 			newSlice.Index(j).Set(destElem)
 		}
 		destField.Set(newSlice)
 	}
 	return nil
 }
 func mapSpecialTypes(sourceField reflect.Value, destField reflect.Value) error {
 	if _, ok := sourceField.Interface().(datatype.DateTime); ok {
 		if sourceField.Type() == reflect.TypeOf(datatype.DateTime{}) && destField.Type() == reflect.TypeOf(time.Time{}) {
 			dateValue := sourceField.Interface().(datatype.DateTime)
 			destField.Set(reflect.ValueOf(dateValue.ToTime()))
 		}
 	}
 	return nil
 }
--- a/backend/internal/dto/dto_mapper_test.go
+++ b/backend/internal/dto/dto_mapper_test.go
@@ -0,0 +1,197 @@
 package dto
 import (
 	"testing"
 	"time"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )
 type sourceStruct struct {
 	AString            string
 	AStringPtr         *string
 	ABool              bool
 	ABoolPtr           *bool
 	ACustomDateTime    datatype.DateTime
 	ACustomDateTimePtr *datatype.DateTime
 	ANilStringPtr      *string
 	ASlice             []string
 	AMap               map[string]int
 	AStruct            embeddedStruct
 	AStructPtr         *embeddedStruct
 	StringPtrToString      *string
 	EmptyStringPtrToString *string
 	NilStringPtrToString   *string
 	IntToInt64             int
 	AuditLogEventToString  model.AuditLogEvent
 }
 type destStruct struct {
 	AString            string
 	AStringPtr         *string
 	ABool              bool
 	ABoolPtr           *bool
 	ACustomDateTime    datatype.DateTime
 	ACustomDateTimePtr *datatype.DateTime
 	ANilStringPtr      *string
 	ASlice             []string
 	AMap               map[string]int
 	AStruct            embeddedStruct
 	AStructPtr         *embeddedStruct
 	StringPtrToString      string
 	EmptyStringPtrToString string
 	NilStringPtrToString   string
 	IntToInt64             int64
 	AuditLogEventToString  string
 }
 type embeddedStruct struct {
 	Foo string
 	Bar int64
 }
 func TestMapStruct(t *testing.T) {
 	src := sourceStruct{
 		AString:            "abcd",
 		AStringPtr:         utils.Ptr("xyz"),
 		ABool:              true,
 		ABoolPtr:           utils.Ptr(false),
 		ACustomDateTime:    datatype.DateTime(time.Date(2025, 1, 2, 3, 4, 5, 0, time.UTC)),
 		ACustomDateTimePtr: utils.Ptr(datatype.DateTime(time.Date(2024, 1, 2, 3, 4, 5, 0, time.UTC))),
 		ANilStringPtr:      nil,
 		ASlice:             []string{"a", "b", "c"},
 		AMap: map[string]int{
 			"a": 1,
 			"b": 2,
 		},
 		AStruct: embeddedStruct{
 			Foo: "bar",
 			Bar: 42,
 		},
 		AStructPtr: &embeddedStruct{
 			Foo: "quo",
 			Bar: 111,
 		},
 		StringPtrToString:      utils.Ptr("foobar"),
 		EmptyStringPtrToString: utils.Ptr(""),
 		NilStringPtrToString:   nil,
 		IntToInt64:             99,
 		AuditLogEventToString:  model.AuditLogEventAccountCreated,
 	}
 	var dst destStruct
 	err := MapStruct(src, &dst)
 	require.NoError(t, err)
 	assert.Equal(t, src.AString, dst.AString)
 	_ = assert.NotNil(t, src.AStringPtr) &&
 		assert.Equal(t, *src.AStringPtr, *dst.AStringPtr)
 	assert.Equal(t, src.ABool, dst.ABool)
 	_ = assert.NotNil(t, src.ABoolPtr) &&
 		assert.Equal(t, *src.ABoolPtr, *dst.ABoolPtr)
 	assert.Equal(t, src.ACustomDateTime, dst.ACustomDateTime)
 	_ = assert.NotNil(t, src.ACustomDateTimePtr) &&
 		assert.Equal(t, *src.ACustomDateTimePtr, *dst.ACustomDateTimePtr)
 	assert.Nil(t, dst.ANilStringPtr)
 	assert.Equal(t, src.ASlice, dst.ASlice)
 	assert.Equal(t, src.AMap, dst.AMap)
 	assert.Equal(t, "bar", dst.AStruct.Foo)
 	assert.Equal(t, int64(42), dst.AStruct.Bar)
 	_ = assert.NotNil(t, src.AStructPtr) &&
 		assert.Equal(t, "quo", dst.AStructPtr.Foo) &&
 		assert.Equal(t, int64(111), dst.AStructPtr.Bar)
 	assert.Equal(t, "foobar", dst.StringPtrToString)
 	assert.Empty(t, dst.EmptyStringPtrToString)
 	assert.Empty(t, dst.NilStringPtrToString)
 	assert.Equal(t, int64(99), dst.IntToInt64)
 	assert.Equal(t, "ACCOUNT_CREATED", dst.AuditLogEventToString)
 }
 func TestMapStructList(t *testing.T) {
 	sources := []sourceStruct{
 		{
 			AString:            "first",
 			AStringPtr:         utils.Ptr("one"),
 			ABool:              true,
 			ABoolPtr:           utils.Ptr(false),
 			ACustomDateTime:    datatype.DateTime(time.Date(2025, 1, 2, 3, 4, 5, 0, time.UTC)),
 			ACustomDateTimePtr: utils.Ptr(datatype.DateTime(time.Date(2024, 1, 2, 3, 4, 5, 0, time.UTC))),
 			ASlice:             []string{"a", "b"},
 			AMap: map[string]int{
 				"a": 1,
 				"b": 2,
 			},
 			AStruct: embeddedStruct{
 				Foo: "first_struct",
 				Bar: 10,
 			},
 			IntToInt64: 10,
 		},
 		{
 			AString:            "second",
 			AStringPtr:         utils.Ptr("two"),
 			ABool:              false,
 			ABoolPtr:           utils.Ptr(true),
 			ACustomDateTime:    datatype.DateTime(time.Date(2026, 6, 7, 8, 9, 10, 0, time.UTC)),
 			ACustomDateTimePtr: utils.Ptr(datatype.DateTime(time.Date(2023, 6, 7, 8, 9, 10, 0, time.UTC))),
 			ASlice:             []string{"c", "d", "e"},
 			AMap: map[string]int{
 				"c": 3,
 				"d": 4,
 			},
 			AStruct: embeddedStruct{
 				Foo: "second_struct",
 				Bar: 20,
 			},
 			IntToInt64: 20,
 		},
 	}
 	var destinations []destStruct
 	err := MapStructList(sources, &destinations)
 	require.NoError(t, err)
 	require.Len(t, destinations, 2)
 	// Verify first element
 	assert.Equal(t, "first", destinations[0].AString)
 	assert.Equal(t, "one", *destinations[0].AStringPtr)
 	assert.True(t, destinations[0].ABool)
 	assert.False(t, *destinations[0].ABoolPtr)
 	assert.Equal(t, datatype.DateTime(time.Date(2025, 1, 2, 3, 4, 5, 0, time.UTC)), destinations[0].ACustomDateTime)
 	assert.Equal(t, datatype.DateTime(time.Date(2024, 1, 2, 3, 4, 5, 0, time.UTC)), *destinations[0].ACustomDateTimePtr)
 	assert.Equal(t, []string{"a", "b"}, destinations[0].ASlice)
 	assert.Equal(t, map[string]int{"a": 1, "b": 2}, destinations[0].AMap)
 	assert.Equal(t, "first_struct", destinations[0].AStruct.Foo)
 	assert.Equal(t, int64(10), destinations[0].AStruct.Bar)
 	assert.Equal(t, int64(10), destinations[0].IntToInt64)
 	// Verify second element
 	assert.Equal(t, "second", destinations[1].AString)
 	assert.Equal(t, "two", *destinations[1].AStringPtr)
 	assert.False(t, destinations[1].ABool)
 	assert.True(t, *destinations[1].ABoolPtr)
 	assert.Equal(t, datatype.DateTime(time.Date(2026, 6, 7, 8, 9, 10, 0, time.UTC)), destinations[1].ACustomDateTime)
 	assert.Equal(t, datatype.DateTime(time.Date(2023, 6, 7, 8, 9, 10, 0, time.UTC)), *destinations[1].ACustomDateTimePtr)
 	assert.Equal(t, []string{"c", "d", "e"}, destinations[1].ASlice)
 	assert.Equal(t, map[string]int{"c": 3, "d": 4}, destinations[1].AMap)
 	assert.Equal(t, "second_struct", destinations[1].AStruct.Foo)
 	assert.Equal(t, int64(20), destinations[1].AStruct.Bar)
 	assert.Equal(t, int64(20), destinations[1].IntToInt64)
 }
 func TestMapStructList_EmptySource(t *testing.T) {
 	var sources []sourceStruct
 	var destinations []destStruct
 	err := MapStructList(sources, &destinations)
 	require.NoError(t, err)
 	assert.Empty(t, destinations)
 }
--- a/backend/internal/dto/dto_normalize.go
+++ b/backend/internal/dto/dto_normalize.go
@@ -0,0 +1,94 @@
 package dto
 import (
 	"net/http"
 	"reflect"
 	"github.com/gin-gonic/gin"
 	"github.com/gin-gonic/gin/binding"
 	"golang.org/x/text/unicode/norm"
 )
 // Normalize iterates through an object and performs Unicode normalization on all string fields with the `unorm` tag.
 func Normalize(obj any) {
 	v := reflect.ValueOf(obj)
 	if v.Kind() != reflect.Ptr || v.IsNil() {
 		return
 	}
 	v = v.Elem()
 	// Handle case where obj is a slice of models
 	if v.Kind() == reflect.Slice {
 		for i := 0; i < v.Len(); i++ {
 			elem := v.Index(i)
 			if elem.Kind() == reflect.Ptr && !elem.IsNil() && elem.Elem().Kind() == reflect.Struct {
 				Normalize(elem.Interface())
 			} else if elem.Kind() == reflect.Struct && elem.CanAddr() {
 				Normalize(elem.Addr().Interface())
 			}
 		}
 		return
 	}
 	if v.Kind() != reflect.Struct {
 		return
 	}
 	// Iterate through all fields looking for those with the "unorm" tag
 	t := v.Type()
 loop:
 	for i := range t.NumField() {
 		field := t.Field(i)
 		unormTag := field.Tag.Get("unorm")
 		if unormTag == "" {
 			continue
 		}
 		fv := v.Field(i)
 		if !fv.CanSet() || fv.Kind() != reflect.String {
 			continue
 		}
 		var form norm.Form
 		switch unormTag {
 		case "nfc":
 			form = norm.NFC
 		case "nfkc":
 			form = norm.NFKC
 		case "nfd":
 			form = norm.NFD
 		case "nfkd":
 			form = norm.NFKD
 		default:
 			continue loop
 		}
 		val := fv.String()
 		val = form.String(val)
 		fv.SetString(val)
 	}
 }
 func ShouldBindWithNormalizedJSON(ctx *gin.Context, obj any) error {
 	return ctx.ShouldBindWith(obj, binding.JSON)
 }
 type NormalizerJSONBinding struct{}
 func (NormalizerJSONBinding) Name() string {
 	return "json"
 }
 func (NormalizerJSONBinding) Bind(req *http.Request, obj any) error {
 	// Use the default JSON binder
 	err := binding.JSON.Bind(req, obj)
 	if err != nil {
 		return err
 	}
 	// Perform normalization
 	Normalize(obj)
 	return nil
 }
--- a/backend/internal/dto/dto_normalize_test.go
+++ b/backend/internal/dto/dto_normalize_test.go
@@ -0,0 +1,84 @@
 package dto
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"golang.org/x/text/unicode/norm"
 )
 type testDto struct {
 	Name        string `unorm:"nfc"`
 	Description string `unorm:"nfd"`
 	Other       string
 	BadForm     string `unorm:"bad"`
 }
 func TestNormalize(t *testing.T) {
 	input := testDto{
 		// Is in NFC form already
 		Name: norm.NFC.String("Café"),
 		// NFC form will be normalized to NFD
 		Description: norm.NFC.String("vërø"),
 		// Should be unchanged
 		Other: "NöTag",
 		// Should be unchanged
 		BadForm: "BåD",
 	}
 	Normalize(&input)
 	assert.Equal(t, norm.NFC.String("Café"), input.Name)
 	assert.Equal(t, norm.NFD.String("vërø"), input.Description)
 	assert.Equal(t, "NöTag", input.Other)
 	assert.Equal(t, "BåD", input.BadForm)
 }
 func TestNormalizeSlice(t *testing.T) {
 	obj1 := testDto{
 		Name:        norm.NFC.String("Café1"),
 		Description: norm.NFC.String("vërø1"),
 		Other:       "NöTag1",
 		BadForm:     "BåD1",
 	}
 	obj2 := testDto{
 		Name:        norm.NFD.String("Résumé2"),
 		Description: norm.NFD.String("accéléré2"),
 		Other:       "NöTag2",
 		BadForm:     "BåD2",
 	}
 	t.Run("slice of structs", func(t *testing.T) {
 		slice := []testDto{obj1, obj2}
 		Normalize(&slice)
 		// Verify first element
 		assert.Equal(t, norm.NFC.String("Café1"), slice[0].Name)
 		assert.Equal(t, norm.NFD.String("vërø1"), slice[0].Description)
 		assert.Equal(t, "NöTag1", slice[0].Other)
 		assert.Equal(t, "BåD1", slice[0].BadForm)
 		// Verify second element
 		assert.Equal(t, norm.NFC.String("Résumé2"), slice[1].Name)
 		assert.Equal(t, norm.NFD.String("accéléré2"), slice[1].Description)
 		assert.Equal(t, "NöTag2", slice[1].Other)
 		assert.Equal(t, "BåD2", slice[1].BadForm)
 	})
 	t.Run("slice of pointers to structs", func(t *testing.T) {
 		slice := []*testDto{&obj1, &obj2}
 		Normalize(&slice)
 		// Verify first element
 		assert.Equal(t, norm.NFC.String("Café1"), slice[0].Name)
 		assert.Equal(t, norm.NFD.String("vërø1"), slice[0].Description)
 		assert.Equal(t, "NöTag1", slice[0].Other)
 		assert.Equal(t, "BåD1", slice[0].BadForm)
 		// Verify second element
 		assert.Equal(t, norm.NFC.String("Résumé2"), slice[1].Name)
 		assert.Equal(t, norm.NFD.String("accéléré2"), slice[1].Description)
 		assert.Equal(t, "NöTag2", slice[1].Other)
 		assert.Equal(t, "BåD2", slice[1].BadForm)
 	})
 }
--- a/backend/internal/dto/oidc_dto.go
+++ b/backend/internal/dto/oidc_dto.go
@@ -1,9 +1,13 @@
 package dto
 import datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 type OidcClientMetaDataDto struct {
-	ID      string `json:"id"`
+	ID                       string  `json:"id"`
-	Name    string `json:"name"`
+	Name                     string  `json:"name"`
-	HasLogo bool   `json:"hasLogo"`
+	HasLogo                  bool    `json:"hasLogo"`
 	LaunchURL                *string `json:"launchURL"`
 	RequiresReauthentication bool    `json:"requiresReauthentication"`
 }
 type OidcClientDto struct {
@@ -25,13 +29,20 @@ type OidcClientWithAllowedGroupsCountDto struct {
 	AllowedUserGroupsCount int64 `json:"allowedUserGroupsCount"`
 }
 type OidcClientUpdateDto struct {
 	Name                     string                   `json:"name" binding:"required,max=50" unorm:"nfc"`
 	CallbackURLs             []string                 `json:"callbackURLs"`
 	LogoutCallbackURLs       []string                 `json:"logoutCallbackURLs"`
 	IsPublic                 bool                     `json:"isPublic"`
 	PkceEnabled              bool                     `json:"pkceEnabled"`
 	RequiresReauthentication bool                     `json:"requiresReauthentication"`
 	Credentials              OidcClientCredentialsDto `json:"credentials"`
 	LaunchURL                *string                  `json:"launchURL" binding:"omitempty,url"`
 }
 type OidcClientCreateDto struct {
-	Name               string                   `json:"name" binding:"required,max=50"`
+	OidcClientUpdateDto
-	CallbackURLs       []string                 `json:"callbackURLs"`
+	ID string `json:"id" binding:"omitempty,client_id,min=2,max=128"`
 	LogoutCallbackURLs []string                 `json:"logoutCallbackURLs"`
 	IsPublic           bool                     `json:"isPublic"`
 	PkceEnabled        bool                     `json:"pkceEnabled"`
 	Credentials        OidcClientCredentialsDto `json:"credentials"`
 }
 type OidcClientCredentialsDto struct {
@@ -46,17 +57,19 @@ type OidcClientFederatedIdentityDto struct {
 }
 type AuthorizeOidcClientRequestDto struct {
-	ClientID            string `json:"clientID" binding:"required"`
+	ClientID              string `json:"clientID" binding:"required"`
-	Scope               string `json:"scope" binding:"required"`
+	Scope                 string `json:"scope" binding:"required"`
-	CallbackURL         string `json:"callbackURL"`
+	CallbackURL           string `json:"callbackURL"`
-	Nonce               string `json:"nonce"`
+	Nonce                 string `json:"nonce"`
-	CodeChallenge       string `json:"codeChallenge"`
+	CodeChallenge         string `json:"codeChallenge"`
-	CodeChallengeMethod string `json:"codeChallengeMethod"`
+	CodeChallengeMethod   string `json:"codeChallengeMethod"`
 	ReauthenticationToken string `json:"reauthenticationToken"`
 }
 type AuthorizeOidcClientResponseDto struct {
 	Code        string `json:"code"`
 	CallbackURL string `json:"callbackURL"`
 	Issuer      string `json:"issuer"`
 }
 type AuthorizationRequiredDto struct {
@@ -144,12 +157,18 @@ type DeviceCodeInfoDto struct {
 }
 type AuthorizedOidcClientDto struct {
-	Scope  string                `json:"scope"`
+	Scope      string                `json:"scope"`
-	Client OidcClientMetaDataDto `json:"client"`
+	Client     OidcClientMetaDataDto `json:"client"`
 	LastUsedAt datatype.DateTime     `json:"lastUsedAt"`
 }
 type OidcClientPreviewDto struct {
-	IdToken     map[string]interface{} `json:"idToken"`
+	IdToken     map[string]any `json:"idToken"`
-	AccessToken map[string]interface{} `json:"accessToken"`
+	AccessToken map[string]any `json:"accessToken"`
-	UserInfo    map[string]interface{} `json:"userInfo"`
+	UserInfo    map[string]any `json:"userInfo"`
 }
 type AccessibleOidcClientDto struct {
 	OidcClientMetaDataDto
 	LastUsedAt *datatype.DateTime `json:"lastUsedAt"`
 }
--- a/backend/internal/dto/signup_token_dto.go
+++ b/backend/internal/dto/signup_token_dto.go
@@ -0,0 +1,20 @@
 package dto
 import (
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )
 type SignupTokenCreateDto struct {
 	TTL        utils.JSONDuration `json:"ttl" binding:"required,ttl"`
 	UsageLimit int                `json:"usageLimit" binding:"required,min=1,max=100"`
 }
 type SignupTokenDto struct {
 	ID         string            `json:"id"`
 	Token      string            `json:"token"`
 	ExpiresAt  datatype.DateTime `json:"expiresAt"`
 	UsageLimit int               `json:"usageLimit"`
 	UsageCount int               `json:"usageCount"`
 	CreatedAt  datatype.DateTime `json:"createdAt"`
 }
--- a/backend/internal/dto/user_dto.go
+++ b/backend/internal/dto/user_dto.go
@@ -1,6 +1,8 @@
 package dto
-import "time"
+import (
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 )
 type UserDto struct {
 	ID           string           `json:"id"`
@@ -17,10 +19,10 @@ type UserDto struct {
 }
 type UserCreateDto struct {
-	Username  string  `json:"username" binding:"required,username,min=2,max=50"`
+	Username  string  `json:"username" binding:"required,username,min=2,max=50" unorm:"nfc"`
-	Email     string  `json:"email" binding:"required,email"`
+	Email     string  `json:"email" binding:"required,email" unorm:"nfc"`
-	FirstName string  `json:"firstName" binding:"required,min=1,max=50"`
+	FirstName string  `json:"firstName" binding:"required,min=1,max=50" unorm:"nfc"`
-	LastName  string  `json:"lastName" binding:"max=50"`
+	LastName  string  `json:"lastName" binding:"max=50" unorm:"nfc"`
 	IsAdmin   bool    `json:"isAdmin"`
 	Locale    *string `json:"locale"`
 	Disabled  bool    `json:"disabled"`
@@ -28,19 +30,27 @@ type UserCreateDto struct {
 }
 type OneTimeAccessTokenCreateDto struct {
-	UserID    string    `json:"userId"`
+	UserID string             `json:"userId"`
-	ExpiresAt time.Time `json:"expiresAt" binding:"required"`
+	TTL    utils.JSONDuration `json:"ttl" binding:"ttl"`
 }
 type OneTimeAccessEmailAsUnauthenticatedUserDto struct {
-	Email        string `json:"email" binding:"required,email"`
+	Email        string `json:"email" binding:"required,email" unorm:"nfc"`
 	RedirectPath string `json:"redirectPath"`
 }
 type OneTimeAccessEmailAsAdminDto struct {
-	ExpiresAt time.Time `json:"expiresAt" binding:"required"`
+	TTL utils.JSONDuration `json:"ttl" binding:"ttl"`
 }
 type UserUpdateUserGroupDto struct {
 	UserGroupIds []string `json:"userGroupIds" binding:"required"`
 }
 type SignUpDto struct {
 	Username  string `json:"username" binding:"required,username,min=2,max=50" unorm:"nfc"`
 	Email     string `json:"email" binding:"required,email" unorm:"nfc"`
 	FirstName string `json:"firstName" binding:"required,min=1,max=50" unorm:"nfc"`
 	LastName  string `json:"lastName" binding:"max=50" unorm:"nfc"`
 	Token     string `json:"token"`
 }
--- a/backend/internal/dto/user_group_dto.go
+++ b/backend/internal/dto/user_group_dto.go
@@ -34,8 +34,8 @@ type UserGroupDtoWithUserCount struct {
 }
 type UserGroupCreateDto struct {
-	FriendlyName string `json:"friendlyName" binding:"required,min=2,max=50"`
+	FriendlyName string `json:"friendlyName" binding:"required,min=2,max=50" unorm:"nfc"`
-	Name         string `json:"name" binding:"required,min=2,max=255"`
+	Name         string `json:"name" binding:"required,min=2,max=255" unorm:"nfc"`
 	LdapID       string `json:"-"`
 }
--- a/backend/internal/dto/validations.go
+++ b/backend/internal/dto/validations.go
@@ -1,26 +1,52 @@
 package dto
 import (
 	"log"
 	"regexp"
 	"time"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"github.com/gin-gonic/gin/binding"
 	"github.com/go-playground/validator/v10"
 )
-var validateUsername validator.Func = func(fl validator.FieldLevel) bool {
+func init() {
 	v := binding.Validator.Engine().(*validator.Validate)
 	// [a-zA-Z0-9]      : The username must start with an alphanumeric character
 	// [a-zA-Z0-9_.@-]* : The rest of the username can contain alphanumeric characters, dots, underscores, hyphens, and "@" symbols
 	// [a-zA-Z0-9]$     : The username must end with an alphanumeric character
-	regex := "^[a-zA-Z0-9][a-zA-Z0-9_.@-]*[a-zA-Z0-9]$"
+	var validateUsernameRegex = regexp.MustCompile("^[a-zA-Z0-9][a-zA-Z0-9_.@-]*[a-zA-Z0-9]$")
 	matched, _ := regexp.MatchString(regex, fl.Field().String())
 	return matched
 }
-func init() {
+	var validateClientIDRegex = regexp.MustCompile("^[a-zA-Z0-9._-]+$")
-	if v, ok := binding.Validator.Engine().(*validator.Validate); ok {
+
-		if err := v.RegisterValidation("username", validateUsername); err != nil {
+	// Maximum allowed value for TTLs
-			log.Fatalf("Failed to register custom validation: %v", err)
+	const maxTTL = 31 * 24 * time.Hour
 	// Errors here are development-time ones
 	err := v.RegisterValidation("username", func(fl validator.FieldLevel) bool {
 		return validateUsernameRegex.MatchString(fl.Field().String())
 	})
 	if err != nil {
 		panic("Failed to register custom validation for username: " + err.Error())
 	}
 	err = v.RegisterValidation("client_id", func(fl validator.FieldLevel) bool {
 		return validateClientIDRegex.MatchString(fl.Field().String())
 	})
 	if err != nil {
 		panic("Failed to register custom validation for client_id: " + err.Error())
 	}
 	err = v.RegisterValidation("ttl", func(fl validator.FieldLevel) bool {
 		ttl, ok := fl.Field().Interface().(utils.JSONDuration)
 		if !ok {
 			return false
 		}
 		// Allow zero, which means the field wasn't set
 		return ttl.Duration == 0 || ttl.Duration > time.Second && ttl.Duration <= maxTTL
 	})
 	if err != nil {
 		panic("Failed to register custom validation for ttl: " + err.Error())
 	}
 }
--- a/backend/internal/dto/webauthn_dto.go
+++ b/backend/internal/dto/webauthn_dto.go
@@ -19,5 +19,5 @@ type WebauthnCredentialDto struct {
 }
 type WebauthnCredentialUpdateDto struct {
-	Name string `json:"name" binding:"required,min=1,max=30"`
+	Name string `json:"name" binding:"required,min=1,max=50"`
 }
--- a/backend/internal/job/db_cleanup_job.go
+++ b/backend/internal/job/db_cleanup_job.go
@@ -22,8 +22,10 @@ func (s *Scheduler) RegisterDbCleanupJobs(ctx context.Context, db *gorm.DB) erro
 	return errors.Join(
 		s.registerJob(ctx, "ClearWebauthnSessions", def, jobs.clearWebauthnSessions, true),
 		s.registerJob(ctx, "ClearOneTimeAccessTokens", def, jobs.clearOneTimeAccessTokens, true),
 		s.registerJob(ctx, "ClearSignupTokens", def, jobs.clearSignupTokens, true),
 		s.registerJob(ctx, "ClearOidcAuthorizationCodes", def, jobs.clearOidcAuthorizationCodes, true),
 		s.registerJob(ctx, "ClearOidcRefreshTokens", def, jobs.clearOidcRefreshTokens, true),
 		s.registerJob(ctx, "ClearReauthenticationTokens", def, jobs.clearReauthenticationTokens, true),
 		s.registerJob(ctx, "ClearAuditLogs", def, jobs.clearAuditLogs, true),
 	)
 }
@@ -60,6 +62,21 @@ func (j *DbCleanupJobs) clearOneTimeAccessTokens(ctx context.Context) error {
 	return nil
 }
 // ClearSignupTokens deletes signup tokens that have expired
 func (j *DbCleanupJobs) clearSignupTokens(ctx context.Context) error {
 	// Delete tokens that are expired OR have reached their usage limit
 	st := j.db.
 		WithContext(ctx).
 		Delete(&model.SignupToken{}, "expires_at < ?", datatype.DateTime(time.Now()))
 	if st.Error != nil {
 		return fmt.Errorf("failed to clean expired tokens: %w", st.Error)
 	}
 	slog.InfoContext(ctx, "Cleaned expired tokens", slog.Int64("count", st.RowsAffected))
 	return nil
 }
 // ClearOidcAuthorizationCodes deletes OIDC authorization codes that have expired
 func (j *DbCleanupJobs) clearOidcAuthorizationCodes(ctx context.Context) error {
 	st := j.db.
@@ -88,6 +105,20 @@ func (j *DbCleanupJobs) clearOidcRefreshTokens(ctx context.Context) error {
 	return nil
 }
 // ClearReauthenticationTokens deletes reauthentication tokens that have expired
 func (j *DbCleanupJobs) clearReauthenticationTokens(ctx context.Context) error {
 	st := j.db.
 		WithContext(ctx).
 		Delete(&model.ReauthenticationToken{}, "expires_at < ?", datatype.DateTime(time.Now()))
 	if st.Error != nil {
 		return fmt.Errorf("failed to clean expired reauthentication tokens: %w", st.Error)
 	}
 	slog.InfoContext(ctx, "Cleaned expired reauthentication tokens", slog.Int64("count", st.RowsAffected))
 	return nil
 }
 // ClearAuditLogs deletes audit logs older than 90 days
 func (j *DbCleanupJobs) clearAuditLogs(ctx context.Context) error {
 	st := j.db.
--- a/backend/internal/middleware/rate_limit.go
+++ b/backend/internal/middleware/rate_limit.go
@@ -29,7 +29,7 @@ func (m *RateLimitMiddleware) Add(limit rate.Limit, burst int) gin.HandlerFunc {
 		// Skip rate limiting for localhost and test environment
 		// If the client ip is localhost the request comes from the frontend
-		if ip == "127.0.0.1" || ip == "::1" || common.EnvConfig.AppEnv == "test" {
+		if ip == "" || ip == "127.0.0.1" || ip == "::1" || common.EnvConfig.AppEnv == "test" {
 			c.Next()
 			return
 		}
--- a/backend/internal/model/app_config.go
+++ b/backend/internal/model/app_config.go
@@ -8,6 +8,8 @@ import (
 	"strconv"
 	"strings"
 	"time"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 )
 type AppConfigVariable struct {
@@ -32,11 +34,15 @@ func (a *AppConfigVariable) AsDurationMinutes() time.Duration {
 type AppConfig struct {
 	// General
-	AppName             AppConfigVariable `key:"appName,public"` // Public
+	AppName                   AppConfigVariable `key:"appName,public"` // Public
-	SessionDuration     AppConfigVariable `key:"sessionDuration"`
+	SessionDuration           AppConfigVariable `key:"sessionDuration"`
-	EmailsVerified      AppConfigVariable `key:"emailsVerified"`
+	EmailsVerified            AppConfigVariable `key:"emailsVerified"`
-	DisableAnimations   AppConfigVariable `key:"disableAnimations,public"`   // Public
+	AccentColor               AppConfigVariable `key:"accentColor,public"`         // Public
-	AllowOwnAccountEdit AppConfigVariable `key:"allowOwnAccountEdit,public"` // Public
+	DisableAnimations         AppConfigVariable `key:"disableAnimations,public"`   // Public
 	AllowOwnAccountEdit       AppConfigVariable `key:"allowOwnAccountEdit,public"` // Public
 	AllowUserSignups          AppConfigVariable `key:"allowUserSignups,public"`    // Public
 	SignupDefaultUserGroupIDs AppConfigVariable `key:"signupDefaultUserGroupIDs"`
 	SignupDefaultCustomClaims AppConfigVariable `key:"signupDefaultCustomClaims"`
 	// Internal
 	BackgroundImageType AppConfigVariable `key:"backgroundImageType,internal"` // Internal
 	LogoLightImageType  AppConfigVariable `key:"logoLightImageType,internal"`  // Internal
@@ -47,7 +53,7 @@ type AppConfig struct {
 	SmtpPort                                   AppConfigVariable `key:"smtpPort"`
 	SmtpFrom                                   AppConfigVariable `key:"smtpFrom"`
 	SmtpUser                                   AppConfigVariable `key:"smtpUser"`
-	SmtpPassword                               AppConfigVariable `key:"smtpPassword"`
+	SmtpPassword                               AppConfigVariable `key:"smtpPassword,sensitive"`
 	SmtpTls                                    AppConfigVariable `key:"smtpTls"`
 	SmtpSkipCertVerify                         AppConfigVariable `key:"smtpSkipCertVerify"`
 	EmailLoginNotificationEnabled              AppConfigVariable `key:"emailLoginNotificationEnabled"`
@@ -58,7 +64,7 @@ type AppConfig struct {
 	LdapEnabled                        AppConfigVariable `key:"ldapEnabled,public"` // Public
 	LdapUrl                            AppConfigVariable `key:"ldapUrl"`
 	LdapBindDn                         AppConfigVariable `key:"ldapBindDn"`
-	LdapBindPassword                   AppConfigVariable `key:"ldapBindPassword"`
+	LdapBindPassword                   AppConfigVariable `key:"ldapBindPassword,sensitive"`
 	LdapBase                           AppConfigVariable `key:"ldapBase"`
 	LdapUserSearchFilter               AppConfigVariable `key:"ldapUserSearchFilter"`
 	LdapUserGroupSearchFilter          AppConfigVariable `key:"ldapUserGroupSearchFilter"`
@@ -76,7 +82,7 @@ type AppConfig struct {
 	LdapSoftDeleteUsers                AppConfigVariable `key:"ldapSoftDeleteUsers"`
 }
-func (c *AppConfig) ToAppConfigVariableSlice(showAll bool) []AppConfigVariable {
+func (c *AppConfig) ToAppConfigVariableSlice(showAll bool, redactSensitiveValues bool) []AppConfigVariable {
 	// Use reflection to iterate through all fields
 	cfgValue := reflect.ValueOf(c).Elem()
 	cfgType := cfgValue.Type()
@@ -96,11 +102,16 @@ func (c *AppConfig) ToAppConfigVariableSlice(showAll bool) []AppConfigVariable {
 			continue
 		}
-		fieldValue := cfgValue.Field(i)
+		value := cfgValue.Field(i).FieldByName("Value").String()
 		// Redact sensitive values if the value isn't empty, the UI config is disabled, and redactSensitiveValues is true
 		if value != "" && common.EnvConfig.UiConfigDisabled && redactSensitiveValues && attrs == "sensitive" {
 			value = "XXXXXXXXXX"
 		}
 		appConfigVariable := AppConfigVariable{
 			Key:   key,
-			Value: fieldValue.FieldByName("Value").String(),
+			Value: value,
 		}
 		res = append(res, appConfigVariable)
@@ -169,7 +180,7 @@ type AppConfigKeyNotFoundError struct {
 }
 func (e AppConfigKeyNotFoundError) Error() string {
-	return fmt.Sprintf("cannot find config key '%s'", e.field)
+	return "cannot find config key '" + e.field + "'"
 }
 func (e AppConfigKeyNotFoundError) Is(target error) bool {
@@ -183,7 +194,7 @@ type AppConfigInternalForbiddenError struct {
 }
 func (e AppConfigInternalForbiddenError) Error() string {
-	return fmt.Sprintf("field '%s' is internal and can't be updated", e.field)
+	return "field '" + e.field + "' is internal and can't be updated"
 }
 func (e AppConfigInternalForbiddenError) Is(target error) bool {
--- a/backend/internal/model/audit_log.go
+++ b/backend/internal/model/audit_log.go
@@ -10,7 +10,7 @@ type AuditLog struct {
 	Base
 	Event     AuditLogEvent `sortable:"true"`
-	IpAddress string        `sortable:"true"`
+	IpAddress *string       `sortable:"true"`
 	Country   string        `sortable:"true"`
 	City      string        `sortable:"true"`
 	UserAgent string        `sortable:"true"`
@@ -28,6 +28,7 @@ type AuditLogEvent string //nolint:recvcheck
 const (
 	AuditLogEventSignIn                     AuditLogEvent = "SIGN_IN"
 	AuditLogEventOneTimeAccessTokenSignIn   AuditLogEvent = "TOKEN_SIGN_IN"
 	AuditLogEventAccountCreated             AuditLogEvent = "ACCOUNT_CREATED"
 	AuditLogEventClientAuthorization        AuditLogEvent = "CLIENT_AUTHORIZATION"
 	AuditLogEventNewClientAuthorization     AuditLogEvent = "NEW_CLIENT_AUTHORIZATION"
 	AuditLogEventDeviceCodeAuthorization    AuditLogEvent = "DEVICE_CODE_AUTHORIZATION"
--- a/backend/internal/model/kv.go
+++ b/backend/internal/model/kv.go
@@ -0,0 +1,11 @@
 package model
 type KV struct {
 	Key   string `gorm:"primaryKey;not null"`
 	Value *string
 }
 // TableName overrides the table name used by KV to `kv`
 func (KV) TableName() string {
 	return "kv"
 }
--- a/backend/internal/model/oidc.go
+++ b/backend/internal/model/oidc.go
@@ -11,7 +11,9 @@ import (
 )
 type UserAuthorizedOidcClient struct {
-	Scope  string
+	Scope      string
 	LastUsedAt datatype.DateTime `sortable:"true"`
 	UserID string `gorm:"primary_key;"`
 	User   User
@@ -38,19 +40,22 @@ type OidcAuthorizationCode struct {
 type OidcClient struct {
 	Base
-	Name               string `sortable:"true"`
+	Name                     string `sortable:"true"`
-	Secret             string
+	Secret                   string
-	CallbackURLs       UrlList
+	CallbackURLs             UrlList
-	LogoutCallbackURLs UrlList
+	LogoutCallbackURLs       UrlList
-	ImageType          *string
+	ImageType                *string
-	HasLogo            bool `gorm:"-"`
+	HasLogo                  bool `gorm:"-"`
-	IsPublic           bool
+	IsPublic                 bool
-	PkceEnabled        bool
+	PkceEnabled              bool
-	Credentials        OidcClientCredentials
+	RequiresReauthentication bool
 	Credentials              OidcClientCredentials
 	LaunchURL                *string
-	AllowedUserGroups []UserGroup `gorm:"many2many:oidc_clients_allowed_user_groups;"`
+	AllowedUserGroups         []UserGroup `gorm:"many2many:oidc_clients_allowed_user_groups;"`
-	CreatedByID       string
+	CreatedByID               *string
-	CreatedBy         User
+	CreatedBy                 *User
 	UserAuthorizedOidcClients []UserAuthorizedOidcClient `gorm:"foreignKey:ClientID;references:ID"`
 }
 type OidcRefreshToken struct {
--- a/backend/internal/model/signup_token.go
+++ b/backend/internal/model/signup_token.go
@@ -0,0 +1,28 @@
 package model
 import (
 	"time"
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )
 type SignupToken struct {
 	Base
 	Token      string            `json:"token"`
 	ExpiresAt  datatype.DateTime `json:"expiresAt" sortable:"true"`
 	UsageLimit int               `json:"usageLimit" sortable:"true"`
 	UsageCount int               `json:"usageCount" sortable:"true"`
 }
 func (st *SignupToken) IsExpired() bool {
 	return time.Time(st.ExpiresAt).Before(time.Now())
 }
 func (st *SignupToken) IsUsageLimitReached() bool {
 	return st.UsageCount >= st.UsageLimit
 }
 func (st *SignupToken) IsValid() bool {
 	return !st.IsExpired() && !st.IsUsageLimitReached()
 }
--- a/backend/internal/model/webauthn.go
+++ b/backend/internal/model/webauthn.go
@@ -45,6 +45,15 @@ type PublicKeyCredentialRequestOptions struct {
 	Timeout   time.Duration
 }
 type ReauthenticationToken struct {
 	Base
 	Token     string
 	ExpiresAt datatype.DateTime
 	UserID string
 	User   User
 }
 type AuthenticatorTransportList []protocol.AuthenticatorTransport //nolint:recvcheck
 // Scan and Value methods for GORM to handle the custom type
--- a/backend/internal/service/api_key_service.go
+++ b/backend/internal/service/api_key_service.go
@@ -55,8 +55,8 @@ func (s *ApiKeyService) CreateApiKey(ctx context.Context, userID string, input d
 	apiKey := model.ApiKey{
 		Name:        input.Name,
 		Key:         utils.CreateSha256Hash(token), // Hash the token for storage
-		Description: &input.Description,
+		Description: input.Description,
-		ExpiresAt:   datatype.DateTime(input.ExpiresAt),
+		ExpiresAt:   input.ExpiresAt,
 		UserID:      userID,
 	}
--- a/backend/internal/service/app_config_service.go
+++ b/backend/internal/service/app_config_service.go
@@ -4,17 +4,14 @@ import (
 	"context"
 	"errors"
 	"fmt"
 	"log"
 	"mime/multipart"
 	"os"
 	"reflect"
 	"slices"
 	"strings"
 	"sync/atomic"
 	"time"
 	"github.com/hashicorp/go-uuid"
 	"gorm.io/gorm"
 	"gorm.io/gorm/clause"
@@ -29,22 +26,22 @@ type AppConfigService struct {
 	db       *gorm.DB
 }
-func NewAppConfigService(ctx context.Context, db *gorm.DB) *AppConfigService {
+func NewAppConfigService(ctx context.Context, db *gorm.DB) (*AppConfigService, error) {
 	service := &AppConfigService{
 		db: db,
 	}
 	err := service.LoadDbConfig(ctx)
 	if err != nil {
-		log.Fatalf("Failed to initialize app config service: %v", err)
+		return nil, fmt.Errorf("failed to initialize app config service: %w", err)
 	}
 	err = service.initInstanceID(ctx)
 	if err != nil {
-		log.Fatalf("Failed to initialize instance ID: %v", err)
+		return nil, fmt.Errorf("failed to initialize instance ID: %w", err)
 	}
-	return service
+	return service, nil
 }
 // GetDbConfig returns the application configuration.
@@ -63,11 +60,15 @@ func (s *AppConfigService) getDefaultDbConfig() *model.AppConfig {
 	// Values are the default ones
 	return &model.AppConfig{
 		// General
-		AppName:             model.AppConfigVariable{Value: "Pocket ID"},
+		AppName:                   model.AppConfigVariable{Value: "Pocket ID"},
-		SessionDuration:     model.AppConfigVariable{Value: "60"},
+		SessionDuration:           model.AppConfigVariable{Value: "60"},
-		EmailsVerified:      model.AppConfigVariable{Value: "false"},
+		EmailsVerified:            model.AppConfigVariable{Value: "false"},
-		DisableAnimations:   model.AppConfigVariable{Value: "false"},
+		DisableAnimations:         model.AppConfigVariable{Value: "false"},
-		AllowOwnAccountEdit: model.AppConfigVariable{Value: "true"},
+		AllowOwnAccountEdit:       model.AppConfigVariable{Value: "true"},
 		AllowUserSignups:          model.AppConfigVariable{Value: "disabled"},
 		SignupDefaultUserGroupIDs: model.AppConfigVariable{Value: "[]"},
 		SignupDefaultCustomClaims: model.AppConfigVariable{Value: "[]"},
 		AccentColor:               model.AppConfigVariable{Value: "default"},
 		// Internal
 		BackgroundImageType: model.AppConfigVariable{Value: "jpg"},
 		LogoLightImageType:  model.AppConfigVariable{Value: "svg"},
@@ -232,7 +233,7 @@ func (s *AppConfigService) UpdateAppConfig(ctx context.Context, input dto.AppCon
 	s.dbConfig.Store(cfg)
 	// Return the updated config
-	res := cfg.ToAppConfigVariableSlice(true)
+	res := cfg.ToAppConfigVariableSlice(true, false)
 	return res, nil
 }
@@ -317,11 +318,11 @@ func (s *AppConfigService) UpdateAppConfigValues(ctx context.Context, keysAndVal
 }
 func (s *AppConfigService) ListAppConfig(showAll bool) []model.AppConfigVariable {
-	return s.GetDbConfig().ToAppConfigVariableSlice(showAll)
+	return s.GetDbConfig().ToAppConfigVariableSlice(showAll, true)
 }
 func (s *AppConfigService) UpdateImage(ctx context.Context, uploadedFile *multipart.FileHeader, imageName string, oldImageType string) (err error) {
-	fileType := utils.GetFileExtension(uploadedFile.Filename)
+	fileType := strings.ToLower(utils.GetFileExtension(uploadedFile.Filename))
 	mimeType := utils.GetImageMimeType(fileType)
 	if mimeType == "" {
 		return &common.FileTypeNotSupportedError{}
@@ -368,7 +369,7 @@ func (s *AppConfigService) LoadDbConfig(ctx context.Context) (err error) {
 func (s *AppConfigService) loadDbConfigInternal(ctx context.Context, tx *gorm.DB) (*model.AppConfig, error) {
 	// If the UI config is disabled, only load from the env
 	if common.EnvConfig.UiConfigDisabled {
-		dest, err := s.loadDbConfigFromEnv(ctx, s.db)
+		dest, err := s.loadDbConfigFromEnv(ctx, tx)
 		return dest, err
 	}
@@ -412,12 +413,10 @@ func (s *AppConfigService) loadDbConfigFromEnv(ctx context.Context, tx *gorm.DB)
 		field := rt.Field(i)
 		// Get the key and internal tag values
-		tagValue := strings.Split(field.Tag.Get("key"), ",")
+		key, attrs, _ := strings.Cut(field.Tag.Get("key"), ",")
 		key := tagValue[0]
 		isInternal := slices.Contains(tagValue, "internal")
 		// Internal fields are loaded from the database as they can't be set from the environment
-		if isInternal {
+		if attrs == "internal" {
 			var value string
 			err := tx.WithContext(ctx).
 				Model(&model.AppConfigVariable{}).
@@ -436,6 +435,20 @@ func (s *AppConfigService) loadDbConfigFromEnv(ctx context.Context, tx *gorm.DB)
 		value, ok := os.LookupEnv(envVarName)
 		if ok {
 			rv.Field(i).FieldByName("Value").SetString(value)
 			continue
 		}
 		// If it's sensitive, we also allow reading from file
 		if attrs == "sensitive" {
 			fileName := os.Getenv(envVarName + "_FILE")
 			if fileName != "" {
 				b, err := os.ReadFile(fileName)
 				if err != nil {
 					return nil, fmt.Errorf("failed to read secret '%s' from file '%s': %w", envVarName, fileName, err)
 				}
 				rv.Field(i).FieldByName("Value").SetString(string(b))
 				continue
 			}
 		}
 	}
--- a/backend/internal/service/app_config_service_test.go
+++ b/backend/internal/service/app_config_service_test.go
@@ -4,10 +4,12 @@ import (
 	"sync/atomic"
 	"testing"
 	"github.com/stretchr/testify/require"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/dto"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
-	"github.com/stretchr/testify/require"
+	testutils "github.com/pocket-id/pocket-id/backend/internal/utils/testing"
 )
 // NewTestAppConfigService is a function used by tests to create AppConfigService objects with pre-defined configuration values
@@ -22,7 +24,7 @@ func NewTestAppConfigService(config *model.AppConfig) *AppConfigService {
 func TestLoadDbConfig(t *testing.T) {
 	t.Run("empty config table", func(t *testing.T) {
-		db := newDatabaseForTest(t)
+		db := testutils.NewDatabaseForTest(t)
 		service := &AppConfigService{
 			db: db,
 		}
@@ -36,7 +38,7 @@ func TestLoadDbConfig(t *testing.T) {
 	})
 	t.Run("loads value from config table", func(t *testing.T) {
-		db := newDatabaseForTest(t)
+		db := testutils.NewDatabaseForTest(t)
 		// Populate the config table with some initial values
 		err := db.
@@ -66,7 +68,7 @@ func TestLoadDbConfig(t *testing.T) {
 	})
 	t.Run("ignores unknown config keys", func(t *testing.T) {
-		db := newDatabaseForTest(t)
+		db := testutils.NewDatabaseForTest(t)
 		// Add an entry with a key that doesn't exist in the config struct
 		err := db.Create([]model.AppConfigVariable{
@@ -87,7 +89,7 @@ func TestLoadDbConfig(t *testing.T) {
 	})
 	t.Run("loading config multiple times", func(t *testing.T) {
-		db := newDatabaseForTest(t)
+		db := testutils.NewDatabaseForTest(t)
 		// Initial state
 		err := db.Create([]model.AppConfigVariable{
@@ -129,7 +131,7 @@ func TestLoadDbConfig(t *testing.T) {
 		common.EnvConfig.UiConfigDisabled = true
 		// Create database with config that should be ignored
-		db := newDatabaseForTest(t)
+		db := testutils.NewDatabaseForTest(t)
 		err := db.Create([]model.AppConfigVariable{
 			{Key: "appName", Value: "DB App"},
 			{Key: "sessionDuration", Value: "120"},
@@ -165,7 +167,7 @@ func TestLoadDbConfig(t *testing.T) {
 		common.EnvConfig.UiConfigDisabled = false
 		// Create database with config values that should take precedence
-		db := newDatabaseForTest(t)
+		db := testutils.NewDatabaseForTest(t)
 		err := db.Create([]model.AppConfigVariable{
 			{Key: "appName", Value: "DB App"},
 			{Key: "sessionDuration", Value: "120"},
@@ -189,7 +191,7 @@ func TestLoadDbConfig(t *testing.T) {
 func TestUpdateAppConfigValues(t *testing.T) {
 	t.Run("update single value", func(t *testing.T) {
-		db := newDatabaseForTest(t)
+		db := testutils.NewDatabaseForTest(t)
 		// Create a service with default config
 		service := &AppConfigService{
@@ -214,7 +216,7 @@ func TestUpdateAppConfigValues(t *testing.T) {
 	})
 	t.Run("update multiple values", func(t *testing.T) {
-		db := newDatabaseForTest(t)
+		db := testutils.NewDatabaseForTest(t)
 		// Create a service with default config
 		service := &AppConfigService{
@@ -258,7 +260,7 @@ func TestUpdateAppConfigValues(t *testing.T) {
 	})
 	t.Run("empty value resets to default", func(t *testing.T) {
-		db := newDatabaseForTest(t)
+		db := testutils.NewDatabaseForTest(t)
 		// Create a service with default config
 		service := &AppConfigService{
@@ -279,7 +281,7 @@ func TestUpdateAppConfigValues(t *testing.T) {
 	})
 	t.Run("error with odd number of arguments", func(t *testing.T) {
-		db := newDatabaseForTest(t)
+		db := testutils.NewDatabaseForTest(t)
 		// Create a service with default config
 		service := &AppConfigService{
@@ -295,7 +297,7 @@ func TestUpdateAppConfigValues(t *testing.T) {
 	})
 	t.Run("error with invalid key", func(t *testing.T) {
-		db := newDatabaseForTest(t)
+		db := testutils.NewDatabaseForTest(t)
 		// Create a service with default config
 		service := &AppConfigService{
@@ -313,7 +315,7 @@ func TestUpdateAppConfigValues(t *testing.T) {
 func TestUpdateAppConfig(t *testing.T) {
 	t.Run("updates configuration values from DTO", func(t *testing.T) {
-		db := newDatabaseForTest(t)
+		db := testutils.NewDatabaseForTest(t)
 		// Create a service with default config
 		service := &AppConfigService{
@@ -386,7 +388,7 @@ func TestUpdateAppConfig(t *testing.T) {
 	})
 	t.Run("empty values reset to defaults", func(t *testing.T) {
-		db := newDatabaseForTest(t)
+		db := testutils.NewDatabaseForTest(t)
 		// Create a service with default config and modify some values
 		service := &AppConfigService{
@@ -451,7 +453,7 @@ func TestUpdateAppConfig(t *testing.T) {
 		// Disable UI config
 		common.EnvConfig.UiConfigDisabled = true
-		db := newDatabaseForTest(t)
+		db := testutils.NewDatabaseForTest(t)
 		service := &AppConfigService{
 			db: db,
 		}
--- a/backend/internal/service/audit_log_service.go
+++ b/backend/internal/service/audit_log_service.go
@@ -3,13 +3,14 @@ package service
 import (
 	"context"
 	"fmt"
-	"log"
+	"log/slog"
 	userAgentParser "github.com/mileusna/useragent"
 	"github.com/pocket-id/pocket-id/backend/internal/dto"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"github.com/pocket-id/pocket-id/backend/internal/utils/email"
 	"go.opentelemetry.io/otel/trace"
 	"gorm.io/gorm"
 )
@@ -21,19 +22,24 @@ type AuditLogService struct {
 }
 func NewAuditLogService(db *gorm.DB, appConfigService *AppConfigService, emailService *EmailService, geoliteService *GeoLiteService) *AuditLogService {
-	return &AuditLogService{db: db, appConfigService: appConfigService, emailService: emailService, geoliteService: geoliteService}
+	return &AuditLogService{
 		db:               db,
 		appConfigService: appConfigService,
 		emailService:     emailService,
 		geoliteService:   geoliteService,
 	}
 }
 // Create creates a new audit log entry in the database
-func (s *AuditLogService) Create(ctx context.Context, event model.AuditLogEvent, ipAddress, userAgent, userID string, data model.AuditLogData, tx *gorm.DB) model.AuditLog {
+func (s *AuditLogService) Create(ctx context.Context, event model.AuditLogEvent, ipAddress, userAgent, userID string, data model.AuditLogData, tx *gorm.DB) (model.AuditLog, bool) {
 	country, city, err := s.geoliteService.GetLocationByIP(ipAddress)
 	if err != nil {
-		log.Printf("Failed to get IP location: %v", err)
+		// Log the error but don't interrupt the operation
 		slog.Warn("Failed to get IP location", "error", err)
 	}
 	auditLog := model.AuditLog{
 		Event:     event,
 		IpAddress: ipAddress,
 		Country:   country,
 		City:      city,
 		UserAgent: userAgent,
@@ -41,33 +47,47 @@ func (s *AuditLogService) Create(ctx context.Context, event model.AuditLogEvent,
 		Data:      data,
 	}
 	if ipAddress != "" {
 		// Only set ipAddress if not empty, because on Postgres we use INET columns that don't allow non-null empty values
 		auditLog.IpAddress = &ipAddress
 	}
 	// Save the audit log in the database
 	err = tx.
 		WithContext(ctx).
 		Create(&auditLog).
 		Error
 	if err != nil {
-		log.Printf("Failed to create audit log: %v", err)
+		slog.Error("Failed to create audit log", "error", err)
-		return model.AuditLog{}
+		return model.AuditLog{}, false
 	}
-	return auditLog
+	return auditLog, true
 }
 // CreateNewSignInWithEmail creates a new audit log entry in the database and sends an email if the device hasn't been used before
 func (s *AuditLogService) CreateNewSignInWithEmail(ctx context.Context, ipAddress, userAgent, userID string, tx *gorm.DB) model.AuditLog {
-	createdAuditLog := s.Create(ctx, model.AuditLogEventSignIn, ipAddress, userAgent, userID, model.AuditLogData{}, tx)
+	createdAuditLog, ok := s.Create(ctx, model.AuditLogEventSignIn, ipAddress, userAgent, userID, model.AuditLogData{}, tx)
 	if !ok {
 		// At this point the transaction has been canceled already, and error has been logged
 		return createdAuditLog
 	}
 	// Count the number of times the user has logged in from the same device
 	var count int64
-	err := tx.
+	stmt := tx.
 		WithContext(ctx).
 		Model(&model.AuditLog{}).
-		Where("user_id = ? AND ip_address = ? AND user_agent = ?", userID, ipAddress, userAgent).
+		Where("user_id = ? AND user_agent = ?", userID, userAgent)
-		Count(&count).
+	if ipAddress == "" {
-		Error
+		// An empty IP address is stored as NULL in the database
 		stmt = stmt.Where("ip_address IS NULL")
 	} else {
 		stmt = stmt.Where("ip_address = ?", ipAddress)
 	}
 	err := stmt.Count(&count).Error
 	if err != nil {
-		log.Printf("Failed to count audit logs: %v\n", err)
+		slog.ErrorContext(ctx, "Failed to count audit logs", slog.Any("error", err))
 		return createdAuditLog
 	}
@@ -76,7 +96,8 @@ func (s *AuditLogService) CreateNewSignInWithEmail(ctx context.Context, ipAddres
 		// We use a background context here as this is running in a goroutine
 		//nolint:contextcheck
 		go func() {
-			innerCtx := context.Background()
+			span := trace.SpanFromContext(ctx)
 			innerCtx := trace.ContextWithSpan(context.Background(), span)
 			// Note we don't use the transaction here because this is running in background
 			var user model.User
@@ -86,7 +107,8 @@ func (s *AuditLogService) CreateNewSignInWithEmail(ctx context.Context, ipAddres
 				First(&user).
 				Error
 			if innerErr != nil {
-				log.Printf("Failed to load user: %v", innerErr)
+				slog.ErrorContext(innerCtx, "Failed to load user from database to send notification email", slog.Any("error", innerErr))
 				return
 			}
 			innerErr = SendEmail(innerCtx, s.emailService, email.Address{
@@ -100,7 +122,8 @@ func (s *AuditLogService) CreateNewSignInWithEmail(ctx context.Context, ipAddres
 				DateTime:  createdAuditLog.CreatedAt.UTC(),
 			})
 			if innerErr != nil {
-				log.Printf("Failed to send email to '%s': %v", user.Email, innerErr)
+				slog.ErrorContext(innerCtx, "Failed to send notification email", slog.Any("error", innerErr), slog.String("address", user.Email))
 				return
 			}
 		}()
 	}
@@ -150,6 +173,14 @@ func (s *AuditLogService) ListAllAuditLogs(ctx context.Context, sortedPagination
 			return nil, utils.PaginationResponse{}, fmt.Errorf("unsupported database dialect: %s", dialect)
 		}
 	}
 	if filters.Location != "" {
 		switch filters.Location {
 		case "external":
 			query = query.Where("country != 'Internal Network'")
 		case "internal":
 			query = query.Where("country = 'Internal Network'")
 		}
 	}
 	pagination, err := utils.PaginateAndSort(sortedPaginationRequest, query, &logs)
 	if err != nil {
--- a/backend/internal/service/custom_claim_service.go
+++ b/backend/internal/service/custom_claim_service.go
@@ -55,16 +55,46 @@ const (
 // UpdateCustomClaimsForUser updates the custom claims for a user
 func (s *CustomClaimService) UpdateCustomClaimsForUser(ctx context.Context, userID string, claims []dto.CustomClaimCreateDto) ([]model.CustomClaim, error) {
-	return s.updateCustomClaims(ctx, UserID, userID, claims)
+	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	updatedClaims, err := s.updateCustomClaimsInternal(ctx, UserID, userID, claims, tx)
 	if err != nil {
 		return nil, err
 	}
 	err = tx.Commit().Error
 	if err != nil {
 		return nil, err
 	}
 	return updatedClaims, nil
 }
 // UpdateCustomClaimsForUserGroup updates the custom claims for a user group
 func (s *CustomClaimService) UpdateCustomClaimsForUserGroup(ctx context.Context, userGroupID string, claims []dto.CustomClaimCreateDto) ([]model.CustomClaim, error) {
-	return s.updateCustomClaims(ctx, UserGroupID, userGroupID, claims)
+	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	updatedClaims, err := s.updateCustomClaimsInternal(ctx, UserGroupID, userGroupID, claims, tx)
 	if err != nil {
 		return nil, err
 	}
 	err = tx.Commit().Error
 	if err != nil {
 		return nil, err
 	}
 	return updatedClaims, nil
 }
-// updateCustomClaims updates the custom claims for a user or user group
+// updateCustomClaimsInternal updates the custom claims for a user or user group within a transaction
-func (s *CustomClaimService) updateCustomClaims(ctx context.Context, idType idType, value string, claims []dto.CustomClaimCreateDto) ([]model.CustomClaim, error) {
+func (s *CustomClaimService) updateCustomClaimsInternal(ctx context.Context, idType idType, value string, claims []dto.CustomClaimCreateDto, tx *gorm.DB) ([]model.CustomClaim, error) {
 	// Check for duplicate keys in the claims slice
 	seenKeys := make(map[string]struct{})
 	for _, claim := range claims {
@@ -74,11 +104,6 @@ func (s *CustomClaimService) updateCustomClaims(ctx context.Context, idType idTy
 		seenKeys[claim.Key] = struct{}{}
 	}
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	var existingClaims []model.CustomClaim
 	err := tx.
 		WithContext(ctx).
@@ -150,11 +175,6 @@ func (s *CustomClaimService) updateCustomClaims(ctx context.Context, idType idTy
 		return nil, err
 	}
 	err = tx.Commit().Error
 	if err != nil {
 		return nil, err
 	}
 	return updatedClaims, nil
 }
--- a/backend/internal/service/e2etest_service.go
+++ b/backend/internal/service/e2etest_service.go
@@ -10,13 +10,14 @@ import (
 	"crypto/x509"
 	"encoding/base64"
 	"fmt"
-	"log"
+	"log/slog"
 	"os"
 	"path/filepath"
 	"time"
 	"github.com/fxamacker/cbor/v2"
 	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/lestrrat-go/jwx/v3/jwa"
 	"github.com/lestrrat-go/jwx/v3/jwk"
 	"github.com/lestrrat-go/jwx/v3/jwt"
 	"gorm.io/gorm"
@@ -25,6 +26,7 @@ import (
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	jwkutils "github.com/pocket-id/pocket-id/backend/internal/utils/jwk"
 	"github.com/pocket-id/pocket-id/backend/resources"
 )
@@ -60,7 +62,7 @@ func (s *TestService) initExternalIdP() error {
 		return fmt.Errorf("failed to generate private key: %w", err)
 	}
-	s.externalIdPKey, err = utils.ImportRawKey(rawKey)
+	s.externalIdPKey, err = jwkutils.ImportRawKey(rawKey, jwa.ES256().String(), "")
 	if err != nil {
 		return fmt.Errorf("failed to import private key: %w", err)
 	}
@@ -152,11 +154,12 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 					ID: "3654a746-35d4-4321-ac61-0bdcff2b4055",
 				},
 				Name:               "Nextcloud",
 				LaunchURL:          utils.Ptr("https://nextcloud.local"),
 				Secret:             "$2a$10$9dypwot8nGuCjT6wQWWpJOckZfRprhe2EkwpKizxS/fpVHrOLEJHC", // w2mUeZISmEvIDMEDvpY0PnxQIpj1m3zY
 				CallbackURLs:       model.UrlList{"http://nextcloud/auth/callback"},
 				LogoutCallbackURLs: model.UrlList{"http://nextcloud/auth/logout/callback"},
 				ImageType:          utils.StringPointer("png"),
-				CreatedByID:        users[0].ID,
+				CreatedByID:        utils.Ptr(users[0].ID),
 			},
 			{
 				Base: model.Base{
@@ -165,11 +168,21 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 				Name:         "Immich",
 				Secret:       "$2a$10$Ak.FP8riD1ssy2AGGbG.gOpnp/rBpymd74j0nxNMtW0GG1Lb4gzxe", // PYjrE9u4v9GVqXKi52eur0eb2Ci4kc0x
 				CallbackURLs: model.UrlList{"http://immich/auth/callback"},
-				CreatedByID:  users[1].ID,
+				CreatedByID:  utils.Ptr(users[1].ID),
 				AllowedUserGroups: []model.UserGroup{
 					userGroups[1],
 				},
 			},
 			{
 				Base: model.Base{
 					ID: "7c21a609-96b5-4011-9900-272b8d31a9d1",
 				},
 				Name:               "Tailscale",
 				Secret:             "$2a$10$xcRReBsvkI1XI6FG8xu/pOgzeF00bH5Wy4d/NThwcdi3ZBpVq/B9a", // n4VfQeXlTzA6yKpWbR9uJcMdSx2qH0Lo
 				CallbackURLs:       model.UrlList{"http://tailscale/auth/callback"},
 				LogoutCallbackURLs: model.UrlList{"http://tailscale/auth/logout/callback"},
 				CreatedByID:        utils.Ptr(users[0].ID),
 			},
 			{
 				Base: model.Base{
 					ID: "c48232ff-ff65-45ed-ae96-7afa8a9b443b",
@@ -177,7 +190,7 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 				Name:              "Federated",
 				Secret:            "$2a$10$Ak.FP8riD1ssy2AGGbG.gOpnp/rBpymd74j0nxNMtW0GG1Lb4gzxe", // PYjrE9u4v9GVqXKi52eur0eb2Ci4kc0x
 				CallbackURLs:      model.UrlList{"http://federated/auth/callback"},
-				CreatedByID:       users[1].ID,
+				CreatedByID:       utils.Ptr(users[1].ID),
 				AllowedUserGroups: []model.UserGroup{},
 				Credentials: model.OidcClientCredentials{
 					FederatedIdentities: []model.OidcClientFederatedIdentity{
@@ -243,14 +256,22 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 		userAuthorizedClients := []model.UserAuthorizedOidcClient{
 			{
-				Scope:    "openid profile email",
+				Scope:      "openid profile email",
-				UserID:   users[0].ID,
+				UserID:     users[0].ID,
-				ClientID: oidcClients[0].ID,
+				ClientID:   oidcClients[0].ID,
 				LastUsedAt: datatype.DateTime(time.Date(2025, 8, 1, 13, 0, 0, 0, time.UTC)),
 			},
 			{
-				Scope:    "openid profile email",
+				Scope:      "openid profile email",
-				UserID:   users[1].ID,
+				UserID:     users[0].ID,
-				ClientID: oidcClients[2].ID,
+				ClientID:   oidcClients[2].ID,
 				LastUsedAt: datatype.DateTime(time.Date(2025, 8, 10, 14, 0, 0, 0, time.UTC)),
 			},
 			{
 				Scope:      "openid profile email",
 				UserID:     users[1].ID,
 				ClientID:   oidcClients[3].ID,
 				LastUsedAt: datatype.DateTime(time.Date(2025, 8, 12, 12, 0, 0, 0, time.UTC)),
 			},
 		}
 		for _, userAuthorizedClient := range userAuthorizedClients {
@@ -310,6 +331,50 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 			return err
 		}
 		signupTokens := []model.SignupToken{
 			{
 				Base: model.Base{
 					ID: "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
 				},
 				Token:      "VALID1234567890A",
 				ExpiresAt:  datatype.DateTime(time.Now().Add(24 * time.Hour)),
 				UsageLimit: 1,
 				UsageCount: 0,
 			},
 			{
 				Base: model.Base{
 					ID: "b2c3d4e5-f6g7-8901-bcde-f12345678901",
 				},
 				Token:      "PARTIAL567890ABC",
 				ExpiresAt:  datatype.DateTime(time.Now().Add(7 * 24 * time.Hour)),
 				UsageLimit: 5,
 				UsageCount: 2,
 			},
 			{
 				Base: model.Base{
 					ID: "c3d4e5f6-g7h8-9012-cdef-123456789012",
 				},
 				Token:      "EXPIRED34567890B",
 				ExpiresAt:  datatype.DateTime(time.Now().Add(-24 * time.Hour)), // Expired
 				UsageLimit: 3,
 				UsageCount: 1,
 			},
 			{
 				Base: model.Base{
 					ID: "d4e5f6g7-h8i9-0123-def0-234567890123",
 				},
 				Token:      "FULLYUSED567890C",
 				ExpiresAt:  datatype.DateTime(time.Now().Add(24 * time.Hour)),
 				UsageLimit: 1,
 				UsageCount: 1, // Usage limit reached
 			},
 		}
 		for _, token := range signupTokens {
 			if err := tx.Create(&token).Error; err != nil {
 				return err
 			}
 		}
 		return nil
 	})
@@ -356,9 +421,9 @@ func (s *TestService) ResetDatabase() error {
 	return err
 }
-func (s *TestService) ResetApplicationImages() error {
+func (s *TestService) ResetApplicationImages(ctx context.Context) error {
 	if err := os.RemoveAll(common.EnvConfig.UploadPath); err != nil {
-		log.Printf("Error removing directory: %v", err)
+		slog.ErrorContext(ctx, "Error removing directory", slog.Any("error", err))
 		return err
 	}
--- a/backend/internal/service/geolite_service.go
+++ b/backend/internal/service/geolite_service.go
@@ -7,12 +7,13 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"log"
+	"log/slog"
 	"net"
 	"net/http"
 	"net/netip"
 	"os"
 	"path/filepath"
 	"strings"
 	"sync"
 	"time"
@@ -22,9 +23,10 @@ import (
 )
 type GeoLiteService struct {
-	httpClient     *http.Client
+	httpClient      *http.Client
-	disableUpdater bool
+	disableUpdater  bool
-	mutex          sync.RWMutex
+	mutex           sync.RWMutex
 	localIPv6Ranges []*net.IPNet
 }
 var localhostIPNets = []*net.IPNet{
@@ -50,21 +52,89 @@ func NewGeoLiteService(httpClient *http.Client) *GeoLiteService {
 	if common.EnvConfig.MaxMindLicenseKey == "" && common.EnvConfig.GeoLiteDBUrl == common.MaxMindGeoLiteCityUrl {
 		// Warn the user, and disable the periodic updater
-		log.Println("MAXMIND_LICENSE_KEY environment variable is empty. The GeoLite2 City database won't be updated.")
+		slog.Warn("MAXMIND_LICENSE_KEY environment variable is empty: the GeoLite2 City database won't be updated")
 		service.disableUpdater = true
 	}
 	// Initialize IPv6 local ranges
 	err := service.initializeIPv6LocalRanges()
 	if err != nil {
 		slog.Warn("Failed to initialize IPv6 local ranges", slog.Any("error", err))
 	}
 	return service
 }
 // initializeIPv6LocalRanges parses the LOCAL_IPV6_RANGES environment variable
 func (s *GeoLiteService) initializeIPv6LocalRanges() error {
 	rangesEnv := common.EnvConfig.LocalIPv6Ranges
 	if rangesEnv == "" {
 		return nil // No local IPv6 ranges configured
 	}
 	ranges := strings.Split(rangesEnv, ",")
 	localRanges := make([]*net.IPNet, 0, len(ranges))
 	for _, rangeStr := range ranges {
 		rangeStr = strings.TrimSpace(rangeStr)
 		if rangeStr == "" {
 			continue
 		}
 		_, ipNet, err := net.ParseCIDR(rangeStr)
 		if err != nil {
 			return fmt.Errorf("invalid IPv6 range '%s': %w", rangeStr, err)
 		}
 		// Ensure it's an IPv6 range
 		if ipNet.IP.To4() != nil {
 			return fmt.Errorf("range '%s' is not a valid IPv6 range", rangeStr)
 		}
 		localRanges = append(localRanges, ipNet)
 	}
 	s.localIPv6Ranges = localRanges
 	if len(localRanges) > 0 {
 		slog.Info("Initialized IPv6 local ranges", slog.Int("count", len(localRanges)))
 	}
 	return nil
 }
 // isLocalIPv6 checks if the given IPv6 address is within any of the configured local ranges
 func (s *GeoLiteService) isLocalIPv6(ip net.IP) bool {
 	if ip.To4() != nil {
 		return false // Not an IPv6 address
 	}
 	for _, localRange := range s.localIPv6Ranges {
 		if localRange.Contains(ip) {
 			return true
 		}
 	}
 	return false
 }
 func (s *GeoLiteService) DisableUpdater() bool {
 	return s.disableUpdater
 }
 // GetLocationByIP returns the country and city of the given IP address.
 func (s *GeoLiteService) GetLocationByIP(ipAddress string) (country, city string, err error) {
 	if ipAddress == "" {
 		return "", "", nil
 	}
 	// Check the IP address against known private IP ranges
 	if ip := net.ParseIP(ipAddress); ip != nil {
 		// Check IPv6 local ranges first
 		if s.isLocalIPv6(ip) {
 			return "Internal Network", "LAN", nil
 		}
 		// Check existing IPv4 ranges
 		for _, ipNet := range tailscaleIPNets {
 			if ipNet.Contains(ip) {
 				return "Internal Network", "Tailscale", nil
@@ -82,6 +152,11 @@ func (s *GeoLiteService) GetLocationByIP(ipAddress string) (country, city string
 		}
 	}
 	addr, err := netip.ParseAddr(ipAddress)
 	if err != nil {
 		return "", "", fmt.Errorf("failed to parse IP address: %w", err)
 	}
 	// Race condition between reading and writing the database.
 	s.mutex.RLock()
 	defer s.mutex.RUnlock()
@@ -92,11 +167,6 @@ func (s *GeoLiteService) GetLocationByIP(ipAddress string) (country, city string
 	}
 	defer db.Close()
 	addr, err := netip.ParseAddr(ipAddress)
 	if err != nil {
 		return "", "", fmt.Errorf("failed to parse IP address: %w", err)
 	}
 	var record struct {
 		City struct {
 			Names map[string]string `maxminddb:"names"`
@@ -117,11 +187,11 @@ func (s *GeoLiteService) GetLocationByIP(ipAddress string) (country, city string
 // UpdateDatabase checks the age of the database and updates it if it's older than 14 days.
 func (s *GeoLiteService) UpdateDatabase(parentCtx context.Context) error {
 	if s.isDatabaseUpToDate() {
-		log.Println("GeoLite2 City database is up-to-date")
+		slog.Info("GeoLite2 City database is up-to-date")
 		return nil
 	}
-	log.Println("Updating GeoLite2 City database")
+	slog.Info("Updating GeoLite2 City database")
 	downloadUrl := fmt.Sprintf(common.EnvConfig.GeoLiteDBUrl, common.EnvConfig.MaxMindLicenseKey)
 	ctx, cancel := context.WithTimeout(parentCtx, 10*time.Minute)
@@ -148,7 +218,7 @@ func (s *GeoLiteService) UpdateDatabase(parentCtx context.Context) error {
 		return fmt.Errorf("failed to extract database: %w", err)
 	}
-	log.Println("GeoLite2 City database successfully updated.")
+	slog.Info("GeoLite2 City database successfully updated.")
 	return nil
 }
--- a/backend/internal/service/geolite_service_test.go
+++ b/backend/internal/service/geolite_service_test.go
@@ -0,0 +1,220 @@
 package service
 import (
 	"net"
 	"net/http"
 	"testing"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 func TestGeoLiteService_IPv6LocalRanges(t *testing.T) {
 	tests := []struct {
 		name            string
 		localRanges     string
 		testIP          string
 		expectedCountry string
 		expectedCity    string
 		expectError     bool
 	}{
 		{
 			name:            "IPv6 in local range",
 			localRanges:     "2001:0db8:abcd:000::/56,2001:0db8:abcd:001::/56",
 			testIP:          "2001:0db8:abcd:000::1",
 			expectedCountry: "Internal Network",
 			expectedCity:    "LAN",
 			expectError:     false,
 		},
 		{
 			name:        "IPv6 not in local range",
 			localRanges: "2001:0db8:abcd:000::/56",
 			testIP:      "2001:0db8:ffff:000::1",
 			expectError: true,
 		},
 		{
 			name:            "Multiple ranges - second range match",
 			localRanges:     "2001:0db8:abcd:000::/56,2001:0db8:abcd:001::/56",
 			testIP:          "2001:0db8:abcd:001::1",
 			expectedCountry: "Internal Network",
 			expectedCity:    "LAN",
 			expectError:     false,
 		},
 		{
 			name:        "Empty local ranges",
 			localRanges: "",
 			testIP:      "2001:0db8:abcd:000::1",
 			expectError: true,
 		},
 		{
 			name:            "IPv4 private address still works",
 			localRanges:     "2001:0db8:abcd:000::/56",
 			testIP:          "192.168.1.1",
 			expectedCountry: "Internal Network",
 			expectedCity:    "LAN",
 			expectError:     false,
 		},
 		{
 			name:            "IPv6 loopback",
 			localRanges:     "2001:0db8:abcd:000::/56",
 			testIP:          "::1",
 			expectedCountry: "Internal Network",
 			expectedCity:    "localhost",
 			expectError:     false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			originalConfig := common.EnvConfig.LocalIPv6Ranges
 			common.EnvConfig.LocalIPv6Ranges = tt.localRanges
 			defer func() {
 				common.EnvConfig.LocalIPv6Ranges = originalConfig
 			}()
 			service := NewGeoLiteService(&http.Client{})
 			country, city, err := service.GetLocationByIP(tt.testIP)
 			if tt.expectError {
 				if err == nil && country != "Internal Network" {
 					t.Errorf("Expected error or internal network classification for external IP")
 				}
 			} else {
 				require.NoError(t, err)
 				assert.Equal(t, tt.expectedCountry, country)
 				assert.Equal(t, tt.expectedCity, city)
 			}
 		})
 	}
 }
 func TestGeoLiteService_isLocalIPv6(t *testing.T) {
 	tests := []struct {
 		name        string
 		localRanges string
 		testIP      string
 		expected    bool
 	}{
 		{
 			name:        "Valid IPv6 in range",
 			localRanges: "2001:0db8:abcd:000::/56",
 			testIP:      "2001:0db8:abcd:000::1",
 			expected:    true,
 		},
 		{
 			name:        "Valid IPv6 not in range",
 			localRanges: "2001:0db8:abcd:000::/56",
 			testIP:      "2001:0db8:ffff:000::1",
 			expected:    false,
 		},
 		{
 			name:        "IPv4 address should return false",
 			localRanges: "2001:0db8:abcd:000::/56",
 			testIP:      "192.168.1.1",
 			expected:    false,
 		},
 		{
 			name:        "No ranges configured",
 			localRanges: "",
 			testIP:      "2001:0db8:abcd:000::1",
 			expected:    false,
 		},
 		{
 			name:        "Edge of range",
 			localRanges: "2001:0db8:abcd:000::/56",
 			testIP:      "2001:0db8:abcd:00ff:ffff:ffff:ffff:ffff",
 			expected:    true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			originalConfig := common.EnvConfig.LocalIPv6Ranges
 			common.EnvConfig.LocalIPv6Ranges = tt.localRanges
 			defer func() {
 				common.EnvConfig.LocalIPv6Ranges = originalConfig
 			}()
 			service := NewGeoLiteService(&http.Client{})
 			ip := net.ParseIP(tt.testIP)
 			if ip == nil {
 				t.Fatalf("Invalid test IP: %s", tt.testIP)
 			}
 			result := service.isLocalIPv6(ip)
 			assert.Equal(t, tt.expected, result)
 		})
 	}
 }
 func TestGeoLiteService_initializeIPv6LocalRanges(t *testing.T) {
 	tests := []struct {
 		name        string
 		envValue    string
 		expectError bool
 		expectCount int
 	}{
 		{
 			name:        "Valid IPv6 ranges",
 			envValue:    "2001:0db8:abcd:000::/56,2001:0db8:abcd:001::/56",
 			expectError: false,
 			expectCount: 2,
 		},
 		{
 			name:        "Empty environment variable",
 			envValue:    "",
 			expectError: false,
 			expectCount: 0,
 		},
 		{
 			name:        "Invalid CIDR notation",
 			envValue:    "2001:0db8:abcd:000::/999",
 			expectError: true,
 			expectCount: 0,
 		},
 		{
 			name:        "IPv4 range in IPv6 env var",
 			envValue:    "192.168.1.0/24",
 			expectError: true,
 			expectCount: 0,
 		},
 		{
 			name:        "Mixed valid and invalid ranges",
 			envValue:    "2001:0db8:abcd:000::/56,invalid-range",
 			expectError: true,
 			expectCount: 0,
 		},
 		{
 			name:        "Whitespace handling",
 			envValue:    " 2001:0db8:abcd:000::/56 , 2001:0db8:abcd:001::/56 ",
 			expectError: false,
 			expectCount: 2,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			originalConfig := common.EnvConfig.LocalIPv6Ranges
 			common.EnvConfig.LocalIPv6Ranges = tt.envValue
 			defer func() {
 				common.EnvConfig.LocalIPv6Ranges = originalConfig
 			}()
 			service := &GeoLiteService{
 				httpClient: &http.Client{},
 			}
 			err := service.initializeIPv6LocalRanges()
 			if tt.expectError {
 				require.Error(t, err)
 			} else {
 				require.NoError(t, err)
 			}
 			assert.Len(t, service.localIPv6Ranges, tt.expectCount)
 		})
 	}
 }
--- a/backend/internal/service/jwt_service.go
+++ b/backend/internal/service/jwt_service.go
@@ -2,23 +2,19 @@ package service
 import (
 	"context"
 	"crypto/rand"
 	"crypto/rsa"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"log"
 	"os"
 	"path/filepath"
 	"time"
 	"github.com/lestrrat-go/jwx/v3/jwa"
 	"github.com/lestrrat-go/jwx/v3/jwk"
 	"github.com/lestrrat-go/jwx/v3/jwt"
 	"gorm.io/gorm"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
-	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	jwkutils "github.com/pocket-id/pocket-id/backend/internal/utils/jwk"
 )
 const (
@@ -26,8 +22,9 @@ const (
 	// This is a JSON file containing a key encoded as JWK
 	PrivateKeyFile = "jwt_private_key.json"
-	// RsaKeySize is the size, in bits, of the RSA key to generate if none is found
+	// PrivateKeyFileEncrypted is the path in the data/keys folder where the encrypted key is stored
-	RsaKeySize = 2048
+	// This is a encrypted JSON file containing a key encoded as JWK
 	PrivateKeyFileEncrypted = "jwt_private_key.json.enc"
 	// KeyUsageSigning is the usage for the private keys, for the "use" property
 	KeyUsageSigning = "sig"
@@ -59,58 +56,74 @@ const (
 )
 type JwtService struct {
 	envConfig        *common.EnvConfigSchema
 	privateKey       jwk.Key
 	keyId            string
 	appConfigService *AppConfigService
 	jwksEncoded      []byte
 }
-func NewJwtService(appConfigService *AppConfigService) *JwtService {
+func NewJwtService(db *gorm.DB, appConfigService *AppConfigService) (*JwtService, error) {
 	service := &JwtService{}
 	// Ensure keys are generated or loaded
-	if err := service.init(appConfigService, common.EnvConfig.KeysPath); err != nil {
+	err := service.init(db, appConfigService, &common.EnvConfig)
-		log.Fatalf("Failed to initialize jwt service: %v", err)
+	if err != nil {
 		return nil, err
 	}
-	return service
+	return service, nil
 }
-func (s *JwtService) init(appConfigService *AppConfigService, keysPath string) error {
+func (s *JwtService) init(db *gorm.DB, appConfigService *AppConfigService, envConfig *common.EnvConfigSchema) (err error) {
 	s.appConfigService = appConfigService
 	s.envConfig = envConfig
 	// Ensure keys are generated or loaded
-	return s.loadOrGenerateKey(keysPath)
+	return s.loadOrGenerateKey(db)
 }
-// loadOrGenerateKey loads the private key from the given path or generates it if not existing.
+func (s *JwtService) loadOrGenerateKey(db *gorm.DB) error {
-func (s *JwtService) loadOrGenerateKey(keysPath string) error {
+	// Get the key provider
-	var key jwk.Key
+	keyProvider, err := jwkutils.GetKeyProvider(db, s.envConfig, s.appConfigService.GetDbConfig().InstanceID.Value)
 	// First, check if we have a JWK file
 	// If we do, then we just load that
 	jwkPath := filepath.Join(keysPath, PrivateKeyFile)
 	ok, err := utils.FileExists(jwkPath)
 	if err != nil {
-		return fmt.Errorf("failed to check if private key file (JWK) exists at path '%s': %w", jwkPath, err)
+		return fmt.Errorf("failed to get key provider: %w", err)
 	}
 	if ok {
 		key, err = s.loadKeyJWK(jwkPath)
 		if err != nil {
 			return fmt.Errorf("failed to load private key file (JWK) at path '%s': %w", jwkPath, err)
 		}
-		// Set the key, and we are done
+	// Try loading a key
 	key, err := keyProvider.LoadKey()
 	if err != nil {
 		return fmt.Errorf("failed to load key (provider type '%s'): %w", s.envConfig.KeysStorage, err)
 	}
 	// If we have a key, store it in the object and we're done
 	if key != nil {
 		err = s.SetKey(key)
 		if err != nil {
 			return fmt.Errorf("failed to set private key: %w", err)
 		}
 		return nil
 	}
 	// If we are here, we need to generate a new key
-	key, err = s.generateNewRSAKey()
+	err = s.generateKey()
 	if err != nil {
 		return fmt.Errorf("failed to generate key: %w", err)
 	}
 	// Save the newly-generated key
 	err = keyProvider.SaveKey(s.privateKey)
 	if err != nil {
 		return fmt.Errorf("failed to save private key (provider type '%s'): %w", s.envConfig.KeysStorage, err)
 	}
 	return nil
 }
 // generateKey generates a new key and stores it in the object
 func (s *JwtService) generateKey() error {
 	// Default is to generate RS256 (RSA-2048) keys
 	key, err := jwkutils.GenerateKey(jwa.RS256().String(), "")
 	if err != nil {
 		return fmt.Errorf("failed to generate new private key: %w", err)
 	}
@@ -121,12 +134,6 @@ func (s *JwtService) loadOrGenerateKey(keysPath string) error {
 		return fmt.Errorf("failed to set private key: %w", err)
 	}
 	// Save the key as JWK
 	err = SaveKeyJWK(s.privateKey, jwkPath)
 	if err != nil {
 		return fmt.Errorf("failed to save private key file at path '%s': %w", jwkPath, err)
 	}
 	return nil
 }
@@ -192,13 +199,13 @@ func (s *JwtService) GenerateAccessToken(user model.User) (string, error) {
 		Subject(user.ID).
 		Expiration(now.Add(s.appConfigService.GetDbConfig().SessionDuration.AsDurationMinutes())).
 		IssuedAt(now).
-		Issuer(common.EnvConfig.AppURL).
+		Issuer(s.envConfig.AppURL).
 		Build()
 	if err != nil {
 		return "", fmt.Errorf("failed to build token: %w", err)
 	}
-	err = SetAudienceString(token, common.EnvConfig.AppURL)
+	err = SetAudienceString(token, s.envConfig.AppURL)
 	if err != nil {
 		return "", fmt.Errorf("failed to set 'aud' claim in token: %w", err)
 	}
@@ -229,8 +236,8 @@ func (s *JwtService) VerifyAccessToken(tokenString string) (jwt.Token, error) {
 		jwt.WithValidate(true),
 		jwt.WithKey(alg, s.privateKey),
 		jwt.WithAcceptableSkew(clockSkew),
-		jwt.WithAudience(common.EnvConfig.AppURL),
+		jwt.WithAudience(s.envConfig.AppURL),
-		jwt.WithIssuer(common.EnvConfig.AppURL),
+		jwt.WithIssuer(s.envConfig.AppURL),
 		jwt.WithValidator(TokenTypeValidator(AccessTokenJWTType)),
 	)
 	if err != nil {
@@ -246,7 +253,7 @@ func (s *JwtService) BuildIDToken(userClaims map[string]any, clientID string, no
 	token, err := jwt.NewBuilder().
 		Expiration(now.Add(1 * time.Hour)).
 		IssuedAt(now).
-		Issuer(common.EnvConfig.AppURL).
+		Issuer(s.envConfig.AppURL).
 		Build()
 	if err != nil {
 		return nil, fmt.Errorf("failed to build token: %w", err)
@@ -305,7 +312,7 @@ func (s *JwtService) VerifyIdToken(tokenString string, acceptExpiredTokens bool)
 		jwt.WithValidate(true),
 		jwt.WithKey(alg, s.privateKey),
 		jwt.WithAcceptableSkew(clockSkew),
-		jwt.WithIssuer(common.EnvConfig.AppURL),
+		jwt.WithIssuer(s.envConfig.AppURL),
 		jwt.WithValidator(TokenTypeValidator(IDTokenJWTType)),
 	)
@@ -335,7 +342,7 @@ func (s *JwtService) BuildOAuthAccessToken(user model.User, clientID string) (jw
 		Subject(user.ID).
 		Expiration(now.Add(1 * time.Hour)).
 		IssuedAt(now).
-		Issuer(common.EnvConfig.AppURL).
+		Issuer(s.envConfig.AppURL).
 		Build()
 	if err != nil {
 		return nil, fmt.Errorf("failed to build token: %w", err)
@@ -377,7 +384,7 @@ func (s *JwtService) VerifyOAuthAccessToken(tokenString string) (jwt.Token, erro
 		jwt.WithValidate(true),
 		jwt.WithKey(alg, s.privateKey),
 		jwt.WithAcceptableSkew(clockSkew),
-		jwt.WithIssuer(common.EnvConfig.AppURL),
+		jwt.WithIssuer(s.envConfig.AppURL),
 		jwt.WithValidator(TokenTypeValidator(OAuthAccessTokenJWTType)),
 	)
 	if err != nil {
@@ -393,7 +400,7 @@ func (s *JwtService) GenerateOAuthRefreshToken(userID string, clientID string, r
 		Subject(userID).
 		Expiration(now.Add(RefreshTokenDuration)).
 		IssuedAt(now).
-		Issuer(common.EnvConfig.AppURL).
+		Issuer(s.envConfig.AppURL).
 		Build()
 	if err != nil {
 		return "", fmt.Errorf("failed to build token: %w", err)
@@ -430,7 +437,7 @@ func (s *JwtService) VerifyOAuthRefreshToken(tokenString string) (userID, client
 		jwt.WithValidate(true),
 		jwt.WithKey(alg, s.privateKey),
 		jwt.WithAcceptableSkew(clockSkew),
-		jwt.WithIssuer(common.EnvConfig.AppURL),
+		jwt.WithIssuer(s.envConfig.AppURL),
 		jwt.WithValidator(TokenTypeValidator(OAuthRefreshTokenJWTType)),
 	)
 	if err != nil {
@@ -488,7 +495,7 @@ func (s *JwtService) GetPublicJWK() (jwk.Key, error) {
 		return nil, fmt.Errorf("failed to get public key: %w", err)
 	}
-	utils.EnsureAlgInKey(pubKey)
+	jwkutils.EnsureAlgInKey(pubKey, "", "")
 	return pubKey, nil
 }
@@ -517,56 +524,6 @@ func (s *JwtService) GetKeyAlg() (jwa.KeyAlgorithm, error) {
 	return alg, nil
 }
 func (s *JwtService) loadKeyJWK(path string) (jwk.Key, error) {
 	data, err := os.ReadFile(path)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read key data: %w", err)
 	}
 	key, err := jwk.ParseKey(data)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse key: %w", err)
 	}
 	return key, nil
 }
 func (s *JwtService) generateNewRSAKey() (jwk.Key, error) {
 	// We generate RSA keys only
 	rawKey, err := rsa.GenerateKey(rand.Reader, RsaKeySize)
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate RSA private key: %w", err)
 	}
 	// Import the raw key
 	return utils.ImportRawKey(rawKey)
 }
 // SaveKeyJWK saves a JWK to a file
 func SaveKeyJWK(key jwk.Key, path string) error {
 	dir := filepath.Dir(path)
 	err := os.MkdirAll(dir, 0700)
 	if err != nil {
 		return fmt.Errorf("failed to create directory '%s' for key file: %w", dir, err)
 	}
 	keyFile, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
 	if err != nil {
 		return fmt.Errorf("failed to create key file: %w", err)
 	}
 	defer keyFile.Close()
 	// Write the JSON file to disk
 	enc := json.NewEncoder(keyFile)
 	enc.SetEscapeHTML(false)
 	err = enc.Encode(key)
 	if err != nil {
 		return fmt.Errorf("failed to write key file: %w", err)
 	}
 	return nil
 }
 // GetIsAdmin returns the value of the "isAdmin" claim in the token
 func GetIsAdmin(token jwt.Token) (bool, error) {
 	if !token.Has(IsAdminClaim) {
--- a/backend/internal/service/jwt_service_test.go
+++ b/backend/internal/service/jwt_service_test.go
@@ -21,7 +21,7 @@ import (
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
-	"github.com/pocket-id/pocket-id/backend/internal/utils"
+	jwkutils "github.com/pocket-id/pocket-id/backend/internal/utils/jwk"
 )
 func TestJwtService_Init(t *testing.T) {
@@ -33,9 +33,16 @@ func TestJwtService_Init(t *testing.T) {
 		// Create a temporary directory for the test
 		tempDir := t.TempDir()
 		// Setup the environment variable required by the token verification
 		mockEnvConfig := &common.EnvConfigSchema{
 			AppURL:      "https://test.example.com",
 			KeysStorage: "file",
 			KeysPath:    tempDir,
 		}
 		// Initialize the JWT service
 		service := &JwtService{}
-		err := service.init(mockConfig, tempDir)
+		err := service.init(nil, mockConfig, mockEnvConfig)
 		require.NoError(t, err, "Failed to initialize JWT service")
 		// Verify the private key was set
@@ -66,9 +73,16 @@ func TestJwtService_Init(t *testing.T) {
 		// Create a temporary directory for the test
 		tempDir := t.TempDir()
 		// Setup the environment variable required by the token verification
 		mockEnvConfig := &common.EnvConfigSchema{
 			AppURL:      "https://test.example.com",
 			KeysStorage: "file",
 			KeysPath:    tempDir,
 		}
 		// First create a service to generate a key
 		firstService := &JwtService{}
-		err := firstService.init(mockConfig, tempDir)
+		err := firstService.init(nil, mockConfig, mockEnvConfig)
 		require.NoError(t, err)
 		// Get the key ID of the first service
@@ -77,7 +91,7 @@ func TestJwtService_Init(t *testing.T) {
 		// Now create a new service that should load the existing key
 		secondService := &JwtService{}
-		err = secondService.init(mockConfig, tempDir)
+		err = secondService.init(nil, mockConfig, mockEnvConfig)
 		require.NoError(t, err)
 		// Verify the loaded key has the same ID as the original
@@ -90,12 +104,19 @@ func TestJwtService_Init(t *testing.T) {
 		// Create a temporary directory for the test
 		tempDir := t.TempDir()
 		// Setup the environment variable required by the token verification
 		mockEnvConfig := &common.EnvConfigSchema{
 			AppURL:      "https://test.example.com",
 			KeysStorage: "file",
 			KeysPath:    tempDir,
 		}
 		// Create a new JWK and save it to disk
 		origKeyID := createECDSAKeyJWK(t, tempDir)
 		// Now create a new service that should load the existing key
 		svc := &JwtService{}
-		err := svc.init(mockConfig, tempDir)
+		err := svc.init(nil, mockConfig, mockEnvConfig)
 		require.NoError(t, err)
 		// Ensure loaded key has the right algorithm
@@ -113,12 +134,19 @@ func TestJwtService_Init(t *testing.T) {
 		// Create a temporary directory for the test
 		tempDir := t.TempDir()
 		// Setup the environment variable required by the token verification
 		mockEnvConfig := &common.EnvConfigSchema{
 			AppURL:      "https://test.example.com",
 			KeysStorage: "file",
 			KeysPath:    tempDir,
 		}
 		// Create a new JWK and save it to disk
 		origKeyID := createEdDSAKeyJWK(t, tempDir)
 		// Now create a new service that should load the existing key
 		svc := &JwtService{}
-		err := svc.init(mockConfig, tempDir)
+		err := svc.init(nil, mockConfig, mockEnvConfig)
 		require.NoError(t, err)
 		// Ensure loaded key has the right algorithm and curve
@@ -147,9 +175,16 @@ func TestJwtService_GetPublicJWK(t *testing.T) {
 		// Create a temporary directory for the test
 		tempDir := t.TempDir()
 		// Setup the environment variable required by the token verification
 		mockEnvConfig := &common.EnvConfigSchema{
 			AppURL:      "https://test.example.com",
 			KeysStorage: "file",
 			KeysPath:    tempDir,
 		}
 		// Create a JWT service with initialized key
 		service := &JwtService{}
-		err := service.init(mockConfig, tempDir)
+		err := service.init(nil, mockConfig, mockEnvConfig)
 		require.NoError(t, err, "Failed to initialize JWT service")
 		// Get the JWK (public key)
@@ -178,12 +213,19 @@ func TestJwtService_GetPublicJWK(t *testing.T) {
 		// Create a temporary directory for the test
 		tempDir := t.TempDir()
 		// Setup the environment variable required by the token verification
 		mockEnvConfig := &common.EnvConfigSchema{
 			AppURL:      "https://test.example.com",
 			KeysStorage: "file",
 			KeysPath:    tempDir,
 		}
 		// Create an ECDSA key and save it as JWK
 		originalKeyID := createECDSAKeyJWK(t, tempDir)
 		// Create a JWT service that loads the ECDSA key
 		service := &JwtService{}
-		err := service.init(mockConfig, tempDir)
+		err := service.init(nil, mockConfig, mockEnvConfig)
 		require.NoError(t, err, "Failed to initialize JWT service")
 		// Get the JWK (public key)
@@ -216,12 +258,19 @@ func TestJwtService_GetPublicJWK(t *testing.T) {
 		// Create a temporary directory for the test
 		tempDir := t.TempDir()
 		// Setup the environment variable required by the token verification
 		mockEnvConfig := &common.EnvConfigSchema{
 			AppURL:      "https://test.example.com",
 			KeysStorage: "file",
 			KeysPath:    tempDir,
 		}
 		// Create an EdDSA key and save it as JWK
 		originalKeyID := createEdDSAKeyJWK(t, tempDir)
 		// Create a JWT service that loads the EdDSA key
 		service := &JwtService{}
-		err := service.init(mockConfig, tempDir)
+		err := service.init(nil, mockConfig, mockEnvConfig)
 		require.NoError(t, err, "Failed to initialize JWT service")
 		// Get the JWK (public key)
@@ -276,16 +325,16 @@ func TestGenerateVerifyAccessToken(t *testing.T) {
 	})
 	// Setup the environment variable required by the token verification
-	originalAppURL := common.EnvConfig.AppURL
+	mockEnvConfig := &common.EnvConfigSchema{
-	common.EnvConfig.AppURL = "https://test.example.com"
+		AppURL:      "https://test.example.com",
-	defer func() {
+		KeysStorage: "file",
-		common.EnvConfig.AppURL = originalAppURL
+		KeysPath:    tempDir,
-	}()
+	}
 	t.Run("generates token for regular user", func(t *testing.T) {
 		// Create a JWT service
 		service := &JwtService{}
-		err := service.init(mockConfig, tempDir)
+		err := service.init(nil, mockConfig, mockEnvConfig)
 		require.NoError(t, err, "Failed to initialize JWT service")
 		// Create a test user
@@ -328,7 +377,7 @@ func TestGenerateVerifyAccessToken(t *testing.T) {
 	t.Run("generates token for admin user", func(t *testing.T) {
 		// Create a JWT service
 		service := &JwtService{}
-		err := service.init(mockConfig, tempDir)
+		err := service.init(nil, mockConfig, mockEnvConfig)
 		require.NoError(t, err, "Failed to initialize JWT service")
 		// Create a test admin user
@@ -364,7 +413,7 @@ func TestGenerateVerifyAccessToken(t *testing.T) {
 		})
 		service := &JwtService{}
-		err := service.init(customMockConfig, tempDir)
+		err := service.init(nil, customMockConfig, mockEnvConfig)
 		require.NoError(t, err, "Failed to initialize JWT service")
 		// Create a test user
@@ -399,7 +448,10 @@ func TestGenerateVerifyAccessToken(t *testing.T) {
 		// Create a JWT service that loads the key
 		service := &JwtService{}
-		err := service.init(mockConfig, tempDir)
+		err := service.init(nil, mockConfig, &common.EnvConfigSchema{
 			KeysStorage: "file",
 			KeysPath:    tempDir,
 		})
 		require.NoError(t, err, "Failed to initialize JWT service")
 		// Verify it loaded the right key
@@ -453,7 +505,10 @@ func TestGenerateVerifyAccessToken(t *testing.T) {
 		// Create a JWT service that loads the key
 		service := &JwtService{}
-		err := service.init(mockConfig, tempDir)
+		err := service.init(nil, mockConfig, &common.EnvConfigSchema{
 			KeysStorage: "file",
 			KeysPath:    tempDir,
 		})
 		require.NoError(t, err, "Failed to initialize JWT service")
 		// Verify it loaded the right key
@@ -507,7 +562,10 @@ func TestGenerateVerifyAccessToken(t *testing.T) {
 		// Create a JWT service that loads the key
 		service := &JwtService{}
-		err := service.init(mockConfig, tempDir)
+		err := service.init(nil, mockConfig, &common.EnvConfigSchema{
 			KeysStorage: "file",
 			KeysPath:    tempDir,
 		})
 		require.NoError(t, err, "Failed to initialize JWT service")
 		// Verify it loaded the right key
@@ -563,16 +621,16 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 	})
 	// Setup the environment variable required by the token verification
-	originalAppURL := common.EnvConfig.AppURL
+	mockEnvConfig := &common.EnvConfigSchema{
-	common.EnvConfig.AppURL = "https://test.example.com"
+		AppURL:      "https://test.example.com",
-	defer func() {
+		KeysStorage: "file",
-		common.EnvConfig.AppURL = originalAppURL
+		KeysPath:    tempDir,
-	}()
+	}
 	t.Run("generates and verifies ID token with standard claims", func(t *testing.T) {
 		// Create a JWT service
 		service := &JwtService{}
-		err := service.init(mockConfig, tempDir)
+		err := service.init(nil, mockConfig, mockEnvConfig)
 		require.NoError(t, err, "Failed to initialize JWT service")
 		// Create test claims
@@ -601,7 +659,7 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 			assert.Equal(t, []string{clientID}, audience, "Audience should contain the client ID")
 		issuer, ok := claims.Issuer()
 		_ = assert.True(t, ok, "Issuer not found in token") &&
-			assert.Equal(t, common.EnvConfig.AppURL, issuer, "Issuer should match app URL")
+			assert.Equal(t, service.envConfig.AppURL, issuer, "Issuer should match app URL")
 		// Check token expiration time is approximately 1 hour from now
 		expectedExp := time.Now().Add(1 * time.Hour)
@@ -614,7 +672,7 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 	t.Run("can accept expired tokens if told so", func(t *testing.T) {
 		// Create a JWT service
 		service := &JwtService{}
-		err := service.init(mockConfig, tempDir)
+		err := service.init(nil, mockConfig, mockEnvConfig)
 		require.NoError(t, err, "Failed to initialize JWT service")
 		// Create test claims
@@ -628,7 +686,7 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 		// Create a token that's already expired
 		token, err := jwt.NewBuilder().
 			Subject(userClaims["sub"].(string)).
-			Issuer(common.EnvConfig.AppURL).
+			Issuer(service.envConfig.AppURL).
 			Audience([]string{clientID}).
 			IssuedAt(time.Now().Add(-2 * time.Hour)).
 			Expiration(time.Now().Add(-1 * time.Hour)). // Expired 1 hour ago
@@ -666,13 +724,13 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 			assert.Equal(t, userClaims["sub"], subject, "Token subject should match user ID")
 		issuer, ok := claims.Issuer()
 		_ = assert.True(t, ok, "Issuer not found in token") &&
-			assert.Equal(t, common.EnvConfig.AppURL, issuer, "Issuer should match app URL")
+			assert.Equal(t, service.envConfig.AppURL, issuer, "Issuer should match app URL")
 	})
 	t.Run("generates and verifies ID token with nonce", func(t *testing.T) {
 		// Create a JWT service
 		service := &JwtService{}
-		err := service.init(mockConfig, tempDir)
+		err := service.init(nil, mockConfig, mockEnvConfig)
 		require.NoError(t, err, "Failed to initialize JWT service")
 		// Create test claims with nonce
@@ -703,7 +761,7 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 	t.Run("fails verification with incorrect issuer", func(t *testing.T) {
 		// Create a JWT service
 		service := &JwtService{}
-		err := service.init(mockConfig, tempDir)
+		err := service.init(nil, mockConfig, mockEnvConfig)
 		require.NoError(t, err, "Failed to initialize JWT service")
 		// Generate a token with standard claims
@@ -714,7 +772,7 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 		require.NoError(t, err, "Failed to generate ID token")
 		// Temporarily change the app URL to simulate wrong issuer
-		common.EnvConfig.AppURL = "https://wrong-issuer.com"
+		service.envConfig.AppURL = "https://wrong-issuer.com"
 		// Verify should fail due to issuer mismatch
 		_, err = service.VerifyIdToken(tokenString, false)
@@ -731,7 +789,10 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 		// Create a JWT service that loads the key
 		service := &JwtService{}
-		err := service.init(mockConfig, tempDir)
+		err := service.init(nil, mockConfig, &common.EnvConfigSchema{
 			KeysStorage: "file",
 			KeysPath:    tempDir,
 		})
 		require.NoError(t, err, "Failed to initialize JWT service")
 		// Verify it loaded the right key
@@ -762,7 +823,7 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 			assert.Equal(t, "eddsauser456", subject, "Token subject should match user ID")
 		issuer, ok := claims.Issuer()
 		_ = assert.True(t, ok, "Issuer not found in token") &&
-			assert.Equal(t, common.EnvConfig.AppURL, issuer, "Issuer should match app URL")
+			assert.Equal(t, service.envConfig.AppURL, issuer, "Issuer should match app URL")
 		// Verify the key type is OKP
 		publicKey, err := service.GetPublicJWK()
@@ -784,7 +845,10 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 		// Create a JWT service that loads the key
 		service := &JwtService{}
-		err := service.init(mockConfig, tempDir)
+		err := service.init(nil, mockConfig, &common.EnvConfigSchema{
 			KeysStorage: "file",
 			KeysPath:    tempDir,
 		})
 		require.NoError(t, err, "Failed to initialize JWT service")
 		// Verify it loaded the right key
@@ -795,7 +859,6 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 		// Create test claims
 		userClaims := map[string]interface{}{
 			"sub":   "ecdsauser456",
 			"name":  "ECDSA User",
 			"email": "ecdsauser@example.com",
 		}
 		const clientID = "ecdsa-client-123"
@@ -815,7 +878,7 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 			assert.Equal(t, "ecdsauser456", subject, "Token subject should match user ID")
 		issuer, ok := claims.Issuer()
 		_ = assert.True(t, ok, "Issuer not found in token") &&
-			assert.Equal(t, common.EnvConfig.AppURL, issuer, "Issuer should match app URL")
+			assert.Equal(t, service.envConfig.AppURL, issuer, "Issuer should match app URL")
 		// Verify the key type is EC
 		publicKey, err := service.GetPublicJWK()
@@ -837,7 +900,10 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 		// Create a JWT service that loads the key
 		service := &JwtService{}
-		err := service.init(mockConfig, tempDir)
+		err := service.init(nil, mockConfig, &common.EnvConfigSchema{
 			KeysStorage: "file",
 			KeysPath:    tempDir,
 		})
 		require.NoError(t, err, "Failed to initialize JWT service")
 		// Verify it loaded the right key
@@ -868,17 +934,7 @@ func TestGenerateVerifyIdToken(t *testing.T) {
 			assert.Equal(t, "rsauser456", subject, "Token subject should match user ID")
 		issuer, ok := claims.Issuer()
 		_ = assert.True(t, ok, "Issuer not found in token") &&
-			assert.Equal(t, common.EnvConfig.AppURL, issuer, "Issuer should match app URL")
+			assert.Equal(t, service.envConfig.AppURL, issuer, "Issuer should match app URL")
 		// Verify the key type is RSA
 		publicKey, err := service.GetPublicJWK()
 		require.NoError(t, err)
 		assert.Equal(t, jwa.RSA().String(), publicKey.KeyType().String(), "Key type should be RSA")
 		// Verify the algorithm is RS256
 		alg, ok := publicKey.Algorithm()
 		require.True(t, ok)
 		assert.Equal(t, jwa.RS256().String(), alg.String(), "Algorithm should be RS256")
 	})
 }
@@ -892,16 +948,16 @@ func TestGenerateVerifyOAuthAccessToken(t *testing.T) {
 	})
 	// Setup the environment variable required by the token verification
-	originalAppURL := common.EnvConfig.AppURL
+	mockEnvConfig := &common.EnvConfigSchema{
-	common.EnvConfig.AppURL = "https://test.example.com"
+		AppURL:      "https://test.example.com",
-	defer func() {
+		KeysStorage: "file",
-		common.EnvConfig.AppURL = originalAppURL
+		KeysPath:    tempDir,
-	}()
+	}
 	t.Run("generates and verifies OAuth access token with standard claims", func(t *testing.T) {
 		// Create a JWT service
 		service := &JwtService{}
-		err := service.init(mockConfig, tempDir)
+		err := service.init(nil, mockConfig, mockEnvConfig)
 		require.NoError(t, err, "Failed to initialize JWT service")
 		// Create a test user
@@ -931,7 +987,7 @@ func TestGenerateVerifyOAuthAccessToken(t *testing.T) {
 			assert.Equal(t, []string{clientID}, audience, "Audience should contain the client ID")
 		issuer, ok := claims.Issuer()
 		_ = assert.True(t, ok, "Issuer not found in token") &&
-			assert.Equal(t, common.EnvConfig.AppURL, issuer, "Issuer should match app URL")
+			assert.Equal(t, service.envConfig.AppURL, issuer, "Issuer should match app URL")
 		// Check token expiration time is approximately 1 hour from now
 		expectedExp := time.Now().Add(1 * time.Hour)
@@ -944,7 +1000,7 @@ func TestGenerateVerifyOAuthAccessToken(t *testing.T) {
 	t.Run("fails verification for expired token", func(t *testing.T) {
 		// Create a JWT service with a mock function to generate an expired token
 		service := &JwtService{}
-		err := service.init(mockConfig, tempDir)
+		err := service.init(nil, mockConfig, mockEnvConfig)
 		require.NoError(t, err, "Failed to initialize JWT service")
 		// Create a test user
@@ -961,7 +1017,7 @@ func TestGenerateVerifyOAuthAccessToken(t *testing.T) {
 			Expiration(time.Now().Add(-1 * time.Hour)). // Expired 1 hour ago
 			IssuedAt(time.Now().Add(-2 * time.Hour)).
 			Audience([]string{clientID}).
-			Issuer(common.EnvConfig.AppURL).
+			Issuer(service.envConfig.AppURL).
 			Build()
 		require.NoError(t, err, "Failed to build token")
@@ -980,11 +1036,17 @@ func TestGenerateVerifyOAuthAccessToken(t *testing.T) {
 	t.Run("fails verification with invalid signature", func(t *testing.T) {
 		// Create two JWT services with different keys
 		service1 := &JwtService{}
-		err := service1.init(mockConfig, t.TempDir()) // Use a different temp dir
+		err := service1.init(nil, mockConfig, &common.EnvConfigSchema{
 			KeysStorage: "file",
 			KeysPath:    t.TempDir(), // Use a different temp dir
 		})
 		require.NoError(t, err, "Failed to initialize first JWT service")
 		service2 := &JwtService{}
-		err = service2.init(mockConfig, t.TempDir()) // Use a different temp dir
+		err = service2.init(nil, mockConfig, &common.EnvConfigSchema{
 			KeysStorage: "file",
 			KeysPath:    t.TempDir(), // Use a different temp dir
 		})
 		require.NoError(t, err, "Failed to initialize second JWT service")
 		// Create a test user
@@ -1014,7 +1076,10 @@ func TestGenerateVerifyOAuthAccessToken(t *testing.T) {
 		// Create a JWT service that loads the key
 		service := &JwtService{}
-		err := service.init(mockConfig, tempDir)
+		err := service.init(nil, mockConfig, &common.EnvConfigSchema{
 			KeysStorage: "file",
 			KeysPath:    tempDir,
 		})
 		require.NoError(t, err, "Failed to initialize JWT service")
 		// Verify it loaded the right key
@@ -1068,7 +1133,10 @@ func TestGenerateVerifyOAuthAccessToken(t *testing.T) {
 		// Create a JWT service that loads the key
 		service := &JwtService{}
-		err := service.init(mockConfig, tempDir)
+		err := service.init(nil, mockConfig, &common.EnvConfigSchema{
 			KeysStorage: "file",
 			KeysPath:    tempDir,
 		})
 		require.NoError(t, err, "Failed to initialize JWT service")
 		// Verify it loaded the right key
@@ -1122,7 +1190,10 @@ func TestGenerateVerifyOAuthAccessToken(t *testing.T) {
 		// Create a JWT service that loads the key
 		service := &JwtService{}
-		err := service.init(mockConfig, tempDir)
+		err := service.init(nil, mockConfig, &common.EnvConfigSchema{
 			KeysStorage: "file",
 			KeysPath:    tempDir,
 		})
 		require.NoError(t, err, "Failed to initialize JWT service")
 		// Verify it loaded the right key
@@ -1176,16 +1247,16 @@ func TestGenerateVerifyOAuthRefreshToken(t *testing.T) {
 	mockConfig := NewTestAppConfigService(&model.AppConfig{})
 	// Setup the environment variable required by the token verification
-	originalAppURL := common.EnvConfig.AppURL
+	mockEnvConfig := &common.EnvConfigSchema{
-	common.EnvConfig.AppURL = "https://test.example.com"
+		AppURL:      "https://test.example.com",
-	defer func() {
+		KeysStorage: "file",
-		common.EnvConfig.AppURL = originalAppURL
+		KeysPath:    tempDir,
-	}()
+	}
 	t.Run("generates and verifies refresh token", func(t *testing.T) {
 		// Create a JWT service
 		service := &JwtService{}
-		err := service.init(mockConfig, tempDir)
+		err := service.init(nil, mockConfig, mockEnvConfig)
 		require.NoError(t, err, "Failed to initialize JWT service")
 		// Create a test user
@@ -1211,7 +1282,7 @@ func TestGenerateVerifyOAuthRefreshToken(t *testing.T) {
 	t.Run("fails verification for expired token", func(t *testing.T) {
 		// Create a JWT service
 		service := &JwtService{}
-		err := service.init(mockConfig, tempDir)
+		err := service.init(nil, mockConfig, mockEnvConfig)
 		require.NoError(t, err, "Failed to initialize JWT service")
 		// Generate a token using JWT directly to create an expired token
@@ -1220,7 +1291,7 @@ func TestGenerateVerifyOAuthRefreshToken(t *testing.T) {
 			Expiration(time.Now().Add(-1 * time.Hour)). // Expired 1 hour ago
 			IssuedAt(time.Now().Add(-2 * time.Hour)).
 			Audience([]string{"client123"}).
-			Issuer(common.EnvConfig.AppURL).
+			Issuer(service.envConfig.AppURL).
 			Build()
 		require.NoError(t, err, "Failed to build token")
@@ -1236,11 +1307,17 @@ func TestGenerateVerifyOAuthRefreshToken(t *testing.T) {
 	t.Run("fails verification with invalid signature", func(t *testing.T) {
 		// Create two JWT services with different keys
 		service1 := &JwtService{}
-		err := service1.init(mockConfig, t.TempDir())
+		err := service1.init(nil, mockConfig, &common.EnvConfigSchema{
 			KeysStorage: "file",
 			KeysPath:    t.TempDir(), // Use a different temp dir
 		})
 		require.NoError(t, err, "Failed to initialize first JWT service")
 		service2 := &JwtService{}
-		err = service2.init(mockConfig, t.TempDir())
+		err = service2.init(nil, mockConfig, &common.EnvConfigSchema{
 			KeysStorage: "file",
 			KeysPath:    t.TempDir(), // Use a different temp dir
 		})
 		require.NoError(t, err, "Failed to initialize second JWT service")
 		// Generate a token with the first service
@@ -1308,7 +1385,10 @@ func TestGetTokenType(t *testing.T) {
 	// Initialize the JWT service
 	mockConfig := NewTestAppConfigService(&model.AppConfig{})
 	service := &JwtService{}
-	err := service.init(mockConfig, tempDir)
+	err := service.init(nil, mockConfig, &common.EnvConfigSchema{
 		KeysStorage: "file",
 		KeysPath:    tempDir,
 	})
 	require.NoError(t, err, "Failed to initialize JWT service")
 	buildTokenForType := func(t *testing.T, typ string, setClaimsFn func(b *jwt.Builder)) string {
@@ -1402,10 +1482,19 @@ func TestGetTokenType(t *testing.T) {
 func importKey(t *testing.T, privateKeyRaw any, path string) string {
 	t.Helper()
-	privateKey, err := utils.ImportRawKey(privateKeyRaw)
+	privateKey, err := jwkutils.ImportRawKey(privateKeyRaw, "", "")
 	require.NoError(t, err, "Failed to import private key")
-	err = SaveKeyJWK(privateKey, filepath.Join(path, PrivateKeyFile))
+	keyProvider := &jwkutils.KeyProviderFile{}
 	err = keyProvider.Init(jwkutils.KeyProviderOpts{
 		EnvConfig: &common.EnvConfigSchema{
 			KeysStorage: "file",
 			KeysPath:    path,
 		},
 	})
 	require.NoError(t, err, "Failed to init file key provider")
 	err = keyProvider.SaveKey(privateKey)
 	require.NoError(t, err, "Failed to save key")
 	kid, _ := privateKey.KeyID()
--- a/backend/internal/service/ldap_service.go
+++ b/backend/internal/service/ldap_service.go
@@ -8,17 +8,21 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"log"
+	"log/slog"
 	"net/http"
 	"net/url"
 	"strings"
 	"time"
 	"unicode/utf8"
 	"github.com/go-ldap/ldap/v3"
 	"github.com/google/uuid"
 	"golang.org/x/text/unicode/norm"
 	"gorm.io/gorm"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/dto"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	"gorm.io/gorm"
 )
 type LdapService struct {
@@ -122,11 +126,11 @@ func (s *LdapService) SyncGroups(ctx context.Context, tx *gorm.DB, client *ldap.
 	ldapGroupIDs := make(map[string]struct{}, len(result.Entries))
 	for _, value := range result.Entries {
-		ldapId := value.GetAttributeValue(dbConfig.LdapAttributeGroupUniqueIdentifier.Value)
+		ldapId := convertLdapIdToString(value.GetAttributeValue(dbConfig.LdapAttributeGroupUniqueIdentifier.Value))
 		// Skip groups without a valid LDAP ID
 		if ldapId == "" {
-			log.Printf("Skipping LDAP group without a valid unique identifier (attribute: %s)", dbConfig.LdapAttributeGroupUniqueIdentifier.Value)
+			slog.Warn("Skipping LDAP group without a valid unique identifier", slog.String("attribute", dbConfig.LdapAttributeGroupUniqueIdentifier.Value))
 			continue
 		}
@@ -164,13 +168,13 @@ func (s *LdapService) SyncGroups(ctx context.Context, tx *gorm.DB, client *ldap.
 				userResult, err := client.Search(userSearchReq)
 				if err != nil || len(userResult.Entries) == 0 {
-					log.Printf("Could not resolve group member DN '%s': %v", member, err)
+					slog.WarnContext(ctx, "Could not resolve group member DN", slog.String("member", member), slog.Any("error", err))
 					continue
 				}
 				username = userResult.Entries[0].GetAttributeValue(dbConfig.LdapAttributeUserUsername.Value)
 				if username == "" {
-					log.Printf("Could not extract username from group member DN '%s'", member)
+					slog.WarnContext(ctx, "Could not extract username from group member DN", slog.String("member", member))
 					continue
 				}
 			}
@@ -178,7 +182,7 @@ func (s *LdapService) SyncGroups(ctx context.Context, tx *gorm.DB, client *ldap.
 			var databaseUser model.User
 			err = tx.
 				WithContext(ctx).
-				Where("username = ? AND ldap_id IS NOT NULL", username).
+				Where("username = ? AND ldap_id IS NOT NULL", norm.NFC.String(username)).
 				First(&databaseUser).
 				Error
 			if errors.Is(err, gorm.ErrRecordNotFound) {
@@ -194,8 +198,9 @@ func (s *LdapService) SyncGroups(ctx context.Context, tx *gorm.DB, client *ldap.
 		syncGroup := dto.UserGroupCreateDto{
 			Name:         value.GetAttributeValue(dbConfig.LdapAttributeGroupName.Value),
 			FriendlyName: value.GetAttributeValue(dbConfig.LdapAttributeGroupName.Value),
-			LdapID:       value.GetAttributeValue(dbConfig.LdapAttributeGroupUniqueIdentifier.Value),
+			LdapID:       ldapId,
 		}
 		dto.Normalize(syncGroup)
 		if databaseGroup.ID == "" {
 			newGroup, err := s.groupService.createInternal(ctx, syncGroup, tx)
@@ -245,7 +250,7 @@ func (s *LdapService) SyncGroups(ctx context.Context, tx *gorm.DB, client *ldap.
 			return fmt.Errorf("failed to delete group '%s': %w", group.Name, err)
 		}
-		log.Printf("Deleted group '%s'", group.Name)
+		slog.Info("Deleted group", slog.String("group", group.Name))
 	}
 	return nil
@@ -286,11 +291,11 @@ func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.C
 	ldapUserIDs := make(map[string]struct{}, len(result.Entries))
 	for _, value := range result.Entries {
-		ldapId := value.GetAttributeValue(dbConfig.LdapAttributeUserUniqueIdentifier.Value)
+		ldapId := convertLdapIdToString(value.GetAttributeValue(dbConfig.LdapAttributeUserUniqueIdentifier.Value))
 		// Skip users without a valid LDAP ID
 		if ldapId == "" {
-			log.Printf("Skipping LDAP user without a valid unique identifier (attribute: %s)", dbConfig.LdapAttributeUserUniqueIdentifier.Value)
+			slog.Warn("Skipping LDAP user without a valid unique identifier", slog.String("attribute", dbConfig.LdapAttributeUserUniqueIdentifier.Value))
 			continue
 		}
@@ -306,7 +311,6 @@ func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.C
 		// If a user is found (even if disabled), enable them since they're now back in LDAP
 		if databaseUser.ID != "" && databaseUser.Disabled {
 			// Use the transaction instead of the direct context
 			err = tx.
 				WithContext(ctx).
 				Model(&model.User{}).
@@ -315,7 +319,7 @@ func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.C
 				Error
 			if err != nil {
-				log.Printf("Failed to enable user %s: %v", databaseUser.Username, err)
+				return fmt.Errorf("failed to enable user %s: %w", databaseUser.Username, err)
 			}
 		}
@@ -341,11 +345,12 @@ func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.C
 			IsAdmin:   isAdmin,
 			LdapID:    ldapId,
 		}
 		dto.Normalize(newUser)
 		if databaseUser.ID == "" {
 			_, err = s.userService.createUserInternal(ctx, newUser, true, tx)
 			if errors.Is(err, &common.AlreadyInUseError{}) {
-				log.Printf("Skipping creating LDAP user '%s': %v", newUser.Username, err)
+				slog.Warn("Skipping creating LDAP user", slog.String("username", newUser.Username), slog.Any("error", err))
 				continue
 			} else if err != nil {
 				return fmt.Errorf("error creating user '%s': %w", newUser.Username, err)
@@ -353,7 +358,7 @@ func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.C
 		} else {
 			_, err = s.userService.updateUserInternal(ctx, databaseUser.ID, newUser, false, true, tx)
 			if errors.Is(err, &common.AlreadyInUseError{}) {
-				log.Printf("Skipping updating LDAP user '%s': %v", newUser.Username, err)
+				slog.Warn("Skipping updating LDAP user", slog.String("username", newUser.Username), slog.Any("error", err))
 				continue
 			} else if err != nil {
 				return fmt.Errorf("error updating user '%s': %w", newUser.Username, err)
@@ -366,7 +371,7 @@ func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.C
 			err = s.saveProfilePicture(ctx, databaseUser.ID, pictureString)
 			if err != nil {
 				// This is not a fatal error
-				log.Printf("Error saving profile picture for user %s: %v", newUser.Username, err)
+				slog.Warn("Error saving profile picture for user", slog.String("username", newUser.Username), slog.Any("error", err))
 			}
 		}
 	}
@@ -395,7 +400,7 @@ func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.C
 				return fmt.Errorf("failed to disable user %s: %w", user.Username, err)
 			}
-			log.Printf("Disabled user '%s'", user.Username)
+			slog.Info("Disabled user", slog.String("username", user.Username))
 		} else {
 			err = s.userService.deleteUserInternal(ctx, user.ID, true, tx)
 			target := &common.LdapUserUpdateError{}
@@ -405,7 +410,7 @@ func (s *LdapService) SyncUsers(ctx context.Context, tx *gorm.DB, client *ldap.C
 				return fmt.Errorf("failed to delete user %s: %w", user.Username, err)
 			}
-			log.Printf("Deleted user '%s'", user.Username)
+			slog.Info("Deleted user", slog.String("username", user.Username))
 		}
 	}
@@ -468,3 +473,21 @@ func getDNProperty(property string, str string) string {
 	// CN not found, return an empty string
 	return ""
 }
 // convertLdapIdToString converts LDAP IDs to valid UTF-8 strings.
 // LDAP servers may return binary UUIDs (16 bytes) or other non-UTF-8 data.
 func convertLdapIdToString(ldapId string) string {
 	if utf8.ValidString(ldapId) {
 		return norm.NFC.String(ldapId)
 	}
 	// Try to parse as binary UUID (16 bytes)
 	if len(ldapId) == 16 {
 		if parsedUUID, err := uuid.FromBytes([]byte(ldapId)); err == nil {
 			return parsedUUID.String()
 		}
 	}
 	// As a last resort, encode as base64 to make it UTF-8 safe
 	return base64.StdEncoding.EncodeToString([]byte(ldapId))
 }
--- a/backend/internal/service/ldap_service_test.go
+++ b/backend/internal/service/ldap_service_test.go
@@ -71,3 +71,36 @@ func TestGetDNProperty(t *testing.T) {
 		})
 	}
 }
 func TestConvertLdapIdToString(t *testing.T) {
 	tests := []struct {
 		name     string
 		input    string
 		expected string
 	}{
 		{
 			name:     "valid UTF-8 string",
 			input:    "simple-utf8-id",
 			expected: "simple-utf8-id",
 		},
 		{
 			name:     "binary UUID (16 bytes)",
 			input:    string([]byte{0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf1}),
 			expected: "12345678-9abc-def0-1234-56789abcdef1",
 		},
 		{
 			name:     "non-UTF8, non-UUID returns base64",
 			input:    string([]byte{0xff, 0xfe, 0xfd, 0xfc}),
 			expected: "//79/A==",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			got := convertLdapIdToString(tt.input)
 			if got != tt.expected {
 				t.Errorf("Expected %q, got %q", tt.expected, got)
 			}
 		})
 	}
 }
--- a/backend/internal/service/oidc_service.go
+++ b/backend/internal/service/oidc_service.go
@@ -8,7 +8,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"log"
 	"log/slog"
 	"mime/multipart"
 	"net/http"
@@ -51,6 +50,7 @@ type OidcService struct {
 	appConfigService   *AppConfigService
 	auditLogService    *AuditLogService
 	customClaimService *CustomClaimService
 	webAuthnService    *WebAuthnService
 	httpClient *http.Client
 	jwkCache   *jwk.Cache
@@ -63,6 +63,7 @@ func NewOidcService(
 	appConfigService *AppConfigService,
 	auditLogService *AuditLogService,
 	customClaimService *CustomClaimService,
 	webAuthnService *WebAuthnService,
 ) (s *OidcService, err error) {
 	s = &OidcService{
 		db:                 db,
@@ -70,6 +71,7 @@ func NewOidcService(
 		appConfigService:   appConfigService,
 		auditLogService:    auditLogService,
 		customClaimService: customClaimService,
 		webAuthnService:    webAuthnService,
 	}
 	// Note: we don't pass the HTTP Client with OTel instrumented to this because requests are always made in background and not tied to a specific trace
@@ -124,6 +126,16 @@ func (s *OidcService) Authorize(ctx context.Context, input dto.AuthorizeOidcClie
 		return "", "", err
 	}
 	if client.RequiresReauthentication {
 		if input.ReauthenticationToken == "" {
 			return "", "", &common.ReauthenticationRequiredError{}
 		}
 		err = s.webAuthnService.ConsumeReauthenticationToken(ctx, tx, input.ReauthenticationToken, userID)
 		if err != nil {
 			return "", "", err
 		}
 	}
 	// If the client is not public, the code challenge must be provided
 	if client.IsPublic && input.CodeChallenge == "" {
 		return "", "", &common.OidcMissingCodeChallengeError{}
@@ -150,20 +162,11 @@ func (s *OidcService) Authorize(ctx context.Context, input dto.AuthorizeOidcClie
 		return "", "", &common.OidcAccessDeniedError{}
 	}
-	// Check if the user has already authorized the client with the given scope
+	hasAlreadyAuthorizedClient, err := s.createAuthorizedClientInternal(ctx, userID, input.ClientID, input.Scope, tx)
 	hasAuthorizedClient, err := s.hasAuthorizedClientInternal(ctx, input.ClientID, userID, input.Scope, tx)
 	if err != nil {
 		return "", "", err
 	}
 	// If the user has not authorized the client, create a new authorization in the database
 	if !hasAuthorizedClient {
 		err := s.createAuthorizedClientInternal(ctx, userID, input.ClientID, input.Scope, tx)
 		if err != nil {
 			return "", "", err
 		}
 	}
 	// Create the authorization code
 	code, err := s.createAuthorizationCode(ctx, input.ClientID, userID, input.Scope, input.Nonce, input.CodeChallenge, input.CodeChallengeMethod, tx)
 	if err != nil {
@@ -171,7 +174,7 @@ func (s *OidcService) Authorize(ctx context.Context, input dto.AuthorizeOidcClie
 	}
 	// Log the authorization event
-	if hasAuthorizedClient {
+	if hasAlreadyAuthorizedClient {
 		s.auditLogService.Create(ctx, model.AuditLogEventClientAuthorization, ipAddress, userAgent, userID, model.AuditLogData{"clientName": client.Name}, tx)
 	} else {
 		s.auditLogService.Create(ctx, model.AuditLogEventNewClientAuthorization, ipAddress, userAgent, userID, model.AuditLogData{"clientName": client.Name}, tx)
@@ -255,7 +258,7 @@ func (s *OidcService) createTokenFromDeviceCode(ctx context.Context, input dto.O
 		tx.Rollback()
 	}()
-	_, err := s.verifyClientCredentialsInternal(ctx, tx, clientAuthCredentialsFromCreateTokensDto(&input))
+	_, err := s.verifyClientCredentialsInternal(ctx, tx, clientAuthCredentialsFromCreateTokensDto(&input), true)
 	if err != nil {
 		return CreatedTokens{}, err
 	}
@@ -336,7 +339,7 @@ func (s *OidcService) createTokenFromAuthorizationCode(ctx context.Context, inpu
 		tx.Rollback()
 	}()
-	client, err := s.verifyClientCredentialsInternal(ctx, tx, clientAuthCredentialsFromCreateTokensDto(&input))
+	client, err := s.verifyClientCredentialsInternal(ctx, tx, clientAuthCredentialsFromCreateTokensDto(&input), true)
 	if err != nil {
 		return CreatedTokens{}, err
 	}
@@ -420,7 +423,7 @@ func (s *OidcService) createTokenFromRefreshToken(ctx context.Context, input dto
 		tx.Rollback()
 	}()
-	client, err := s.verifyClientCredentialsInternal(ctx, tx, clientAuthCredentialsFromCreateTokensDto(&input))
+	client, err := s.verifyClientCredentialsInternal(ctx, tx, clientAuthCredentialsFromCreateTokensDto(&input), true)
 	if err != nil {
 		return CreatedTokens{}, err
 	}
@@ -490,6 +493,11 @@ func (s *OidcService) createTokenFromRefreshToken(ctx context.Context, input dto
 }
 func (s *OidcService) IntrospectToken(ctx context.Context, creds ClientAuthCredentials, tokenString string) (introspectDto dto.OidcIntrospectionResponseDto, err error) {
 	client, err := s.verifyClientCredentialsInternal(ctx, s.db, creds, false)
 	if err != nil {
 		return introspectDto, err
 	}
 	// Get the type of the token and the client ID
 	tokenType, token, err := s.jwtService.GetTokenType(tokenString)
 	if err != nil {
@@ -498,24 +506,16 @@ func (s *OidcService) IntrospectToken(ctx context.Context, creds ClientAuthCrede
 		return introspectDto, nil //nolint:nilerr
 	}
-	// If we don't have a client ID, get it from the token
+	// Get the audience from the token
 	// Otherwise, we need to make sure that the client ID passed as credential matches
 	tokenAudiences, _ := token.Audience()
 	if len(tokenAudiences) != 1 || tokenAudiences[0] == "" {
 		// We just treat the token as invalid
 		introspectDto.Active = false
 		return introspectDto, nil
 	}
 	if creds.ClientID == "" {
 		creds.ClientID = tokenAudiences[0]
 	} else if creds.ClientID != tokenAudiences[0] {
 		return introspectDto, &common.OidcMissingClientCredentialsError{}
 	}
-	// Verify the credentials for the call
+	// Audience must match the client ID
-	client, err := s.verifyClientCredentialsInternal(ctx, s.db, creds)
+	if client.ID != tokenAudiences[0] {
-	if err != nil {
+		return introspectDto, &common.OidcMissingClientCredentialsError{}
 		return introspectDto, err
 	}
 	// Introspect the token
@@ -654,8 +654,7 @@ func (s *OidcService) ListClients(ctx context.Context, name string, sortedPagina
 	}
 	// As allowedUserGroupsCount is not a column, we need to manually sort it
-	isValidSortDirection := sortedPaginationRequest.Sort.Direction == "asc" || sortedPaginationRequest.Sort.Direction == "desc"
+	if sortedPaginationRequest.Sort.Column == "allowedUserGroupsCount" && utils.IsValidSortDirection(sortedPaginationRequest.Sort.Direction) {
 	if sortedPaginationRequest.Sort.Column == "allowedUserGroupsCount" && isValidSortDirection {
 		query = query.Select("oidc_clients.*, COUNT(oidc_clients_allowed_user_groups.oidc_client_id)").
 			Joins("LEFT JOIN oidc_clients_allowed_user_groups ON oidc_clients.id = oidc_clients_allowed_user_groups.oidc_client_id").
 			Group("oidc_clients.id").
@@ -671,22 +670,28 @@ func (s *OidcService) ListClients(ctx context.Context, name string, sortedPagina
 func (s *OidcService) CreateClient(ctx context.Context, input dto.OidcClientCreateDto, userID string) (model.OidcClient, error) {
 	client := model.OidcClient{
-		CreatedByID: userID,
+		Base: model.Base{
 			ID: input.ID,
 		},
 		CreatedByID: utils.Ptr(userID),
 	}
-	updateOIDCClientModelFromDto(&client, &input)
+	updateOIDCClientModelFromDto(&client, &input.OidcClientUpdateDto)
 	err := s.db.
 		WithContext(ctx).
 		Create(&client).
 		Error
 	if err != nil {
 		if errors.Is(err, gorm.ErrDuplicatedKey) {
 			return model.OidcClient{}, &common.ClientIdAlreadyExistsError{}
 		}
 		return model.OidcClient{}, err
 	}
 	return client, nil
 }
-func (s *OidcService) UpdateClient(ctx context.Context, clientID string, input dto.OidcClientCreateDto) (model.OidcClient, error) {
+func (s *OidcService) UpdateClient(ctx context.Context, clientID string, input dto.OidcClientUpdateDto) (model.OidcClient, error) {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
@@ -720,7 +725,7 @@ func (s *OidcService) UpdateClient(ctx context.Context, clientID string, input d
 	return client, nil
 }
-func updateOIDCClientModelFromDto(client *model.OidcClient, input *dto.OidcClientCreateDto) {
+func updateOIDCClientModelFromDto(client *model.OidcClient, input *dto.OidcClientUpdateDto) {
 	// Base fields
 	client.Name = input.Name
 	client.CallbackURLs = input.CallbackURLs
@@ -728,19 +733,20 @@ func updateOIDCClientModelFromDto(client *model.OidcClient, input *dto.OidcClien
 	client.IsPublic = input.IsPublic
 	// PKCE is required for public clients
 	client.PkceEnabled = input.IsPublic || input.PkceEnabled
 	client.RequiresReauthentication = input.RequiresReauthentication
 	client.LaunchURL = input.LaunchURL
 	// Credentials
-	if len(input.Credentials.FederatedIdentities) > 0 {
+	client.Credentials.FederatedIdentities = make([]model.OidcClientFederatedIdentity, len(input.Credentials.FederatedIdentities))
-		client.Credentials.FederatedIdentities = make([]model.OidcClientFederatedIdentity, len(input.Credentials.FederatedIdentities))
+	for i, fi := range input.Credentials.FederatedIdentities {
-		for i, fi := range input.Credentials.FederatedIdentities {
+		client.Credentials.FederatedIdentities[i] = model.OidcClientFederatedIdentity{
-			client.Credentials.FederatedIdentities[i] = model.OidcClientFederatedIdentity{
+			Issuer:   fi.Issuer,
-				Issuer:   fi.Issuer,
+			Audience: fi.Audience,
-				Audience: fi.Audience,
+			Subject:  fi.Subject,
-				Subject:  fi.Subject,
+			JWKS:     fi.JWKS,
 				JWKS:     fi.JWKS,
 			}
 		}
 	}
 }
 func (s *OidcService) DeleteClient(ctx context.Context, clientID string) error {
@@ -820,7 +826,7 @@ func (s *OidcService) GetClientLogo(ctx context.Context, clientID string) (strin
 }
 func (s *OidcService) UpdateClientLogo(ctx context.Context, clientID string, file *multipart.FileHeader) error {
-	fileType := utils.GetFileExtension(file.Filename)
+	fileType := strings.ToLower(utils.GetFileExtension(file.Filename))
 	if mimeType := utils.GetImageMimeType(fileType); mimeType == "" {
 		return &common.FileTypeNotSupportedError{}
 	}
@@ -1137,7 +1143,7 @@ func (s *OidcService) CreateDeviceAuthorization(ctx context.Context, input dto.O
 		ClientSecret:        input.ClientSecret,
 		ClientAssertionType: input.ClientAssertionType,
 		ClientAssertion:     input.ClientAssertion,
-	})
+	}, true)
 	if err != nil {
 		return nil, err
 	}
@@ -1183,9 +1189,13 @@ func (s *OidcService) VerifyDeviceCode(ctx context.Context, userCode string, use
 	}()
 	var deviceAuth model.OidcDeviceCode
-	if err := tx.WithContext(ctx).Preload("Client.AllowedUserGroups").First(&deviceAuth, "user_code = ?", userCode).Error; err != nil {
+	err := tx.
-		log.Printf("Error finding device code with user_code %s: %v", userCode, err)
+		WithContext(ctx).
-		return err
+		Preload("Client.AllowedUserGroups").
 		First(&deviceAuth, "user_code = ?", userCode).
 		Error
 	if err != nil {
 		return fmt.Errorf("error finding device code: %w", err)
 	}
 	if time.Now().After(deviceAuth.ExpiresAt.ToTime()) {
@@ -1194,17 +1204,26 @@ func (s *OidcService) VerifyDeviceCode(ctx context.Context, userCode string, use
 	// Check if the user group is allowed to authorize the client
 	var user model.User
-	if err := tx.WithContext(ctx).Preload("UserGroups").First(&user, "id = ?", userID).Error; err != nil {
+	err = tx.
-		return err
+		WithContext(ctx).
 		Preload("UserGroups").
 		First(&user, "id = ?", userID).
 		Error
 	if err != nil {
 		return fmt.Errorf("error finding user groups: %w", err)
 	}
 	if !s.IsUserGroupAllowedToAuthorize(user, deviceAuth.Client) {
 		return &common.OidcAccessDeniedError{}
 	}
-	if err := tx.WithContext(ctx).Preload("Client").First(&deviceAuth, "user_code = ?", userCode).Error; err != nil {
+	err = tx.
-		log.Printf("Error finding device code with user_code %s: %v", userCode, err)
+		WithContext(ctx).
-		return err
+		Preload("Client").
 		First(&deviceAuth, "user_code = ?", userCode).
 		Error
 	if err != nil {
 		return fmt.Errorf("error finding device code: %w", err)
 	}
 	if time.Now().After(deviceAuth.ExpiresAt.ToTime()) {
@@ -1214,33 +1233,24 @@ func (s *OidcService) VerifyDeviceCode(ctx context.Context, userCode string, use
 	deviceAuth.UserID = &userID
 	deviceAuth.IsAuthorized = true
-	if err := tx.WithContext(ctx).Save(&deviceAuth).Error; err != nil {
+	err = tx.
-		log.Printf("Error saving device auth: %v", err)
+		WithContext(ctx).
-		return err
+		Save(&deviceAuth).
 		Error
 	if err != nil {
 		return fmt.Errorf("error saving device auth: %w", err)
 	}
-	// Verify the update was successful
+	hasAlreadyAuthorizedClient, err := s.createAuthorizedClientInternal(ctx, userID, deviceAuth.ClientID, deviceAuth.Scope, tx)
 	var verifiedAuth model.OidcDeviceCode
 	if err := tx.WithContext(ctx).First(&verifiedAuth, "device_code = ?", deviceAuth.DeviceCode).Error; err != nil {
 		log.Printf("Error verifying update: %v", err)
 		return err
 	}
 	// Create user authorization if needed
 	hasAuthorizedClient, err := s.hasAuthorizedClientInternal(ctx, deviceAuth.ClientID, userID, deviceAuth.Scope, tx)
 	if err != nil {
 		return err
 	}
-	if !hasAuthorizedClient {
+	auditLogData := model.AuditLogData{"clientName": deviceAuth.Client.Name}
-		err := s.createAuthorizedClientInternal(ctx, userID, deviceAuth.ClientID, deviceAuth.Scope, tx)
+	if hasAlreadyAuthorizedClient {
-		if err != nil {
+		s.auditLogService.Create(ctx, model.AuditLogEventDeviceCodeAuthorization, ipAddress, userAgent, userID, auditLogData, tx)
 			return err
 		}
 		s.auditLogService.Create(ctx, model.AuditLogEventNewDeviceCodeAuthorization, ipAddress, userAgent, userID, model.AuditLogData{"clientName": deviceAuth.Client.Name}, tx)
 	} else {
-		s.auditLogService.Create(ctx, model.AuditLogEventDeviceCodeAuthorization, ipAddress, userAgent, userID, model.AuditLogData{"clientName": deviceAuth.Client.Name}, tx)
+		s.auditLogService.Create(ctx, model.AuditLogEventNewDeviceCodeAuthorization, ipAddress, userAgent, userID, auditLogData, tx)
 	}
 	return tx.Commit().Error
@@ -1316,6 +1326,109 @@ func (s *OidcService) ListAuthorizedClients(ctx context.Context, userID string,
 	return authorizedClients, response, err
 }
 func (s *OidcService) RevokeAuthorizedClient(ctx context.Context, userID string, clientID string) error {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	var authorizedClient model.UserAuthorizedOidcClient
 	err := tx.
 		WithContext(ctx).
 		Where("user_id = ? AND client_id = ?", userID, clientID).
 		First(&authorizedClient).Error
 	if err != nil {
 		return err
 	}
 	err = tx.WithContext(ctx).Delete(&authorizedClient).Error
 	if err != nil {
 		return err
 	}
 	err = tx.Commit().Error
 	if err != nil {
 		return err
 	}
 	return nil
 }
 func (s *OidcService) ListAccessibleOidcClients(ctx context.Context, userID string, sortedPaginationRequest utils.SortedPaginationRequest) ([]dto.AccessibleOidcClientDto, utils.PaginationResponse, error) {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	var user model.User
 	err := tx.
 		WithContext(ctx).
 		Preload("UserGroups").
 		First(&user, "id = ?", userID).
 		Error
 	if err != nil {
 		return nil, utils.PaginationResponse{}, err
 	}
 	userGroupIDs := make([]string, len(user.UserGroups))
 	for i, group := range user.UserGroups {
 		userGroupIDs[i] = group.ID
 	}
 	// Build the query for accessible clients
 	query := tx.
 		WithContext(ctx).
 		Model(&model.OidcClient{}).
 		Preload("UserAuthorizedOidcClients", "user_id = ?", userID).
 		Distinct()
 	// If user has no groups, only return clients with no allowed user groups
 	if len(userGroupIDs) == 0 {
 		query = query.
 			Joins("LEFT JOIN oidc_clients_allowed_user_groups ON oidc_clients.id = oidc_clients_allowed_user_groups.oidc_client_id").
 			Where("oidc_clients_allowed_user_groups.oidc_client_id IS NULL")
 	} else {
 		// Return clients with no allowed user groups OR clients where user is in allowed groups
 		query = query.
 			Joins("LEFT JOIN oidc_clients_allowed_user_groups ON oidc_clients.id = oidc_clients_allowed_user_groups.oidc_client_id").
 			Where("oidc_clients_allowed_user_groups.oidc_client_id IS NULL OR oidc_clients_allowed_user_groups.user_group_id IN (?)", userGroupIDs)
 	}
 	var clients []model.OidcClient
 	// Handle custom sorting for lastUsedAt column
 	var response utils.PaginationResponse
 	if sortedPaginationRequest.Sort.Column == "lastUsedAt" && utils.IsValidSortDirection(sortedPaginationRequest.Sort.Direction) {
 		query = query.
 			Joins("LEFT JOIN user_authorized_oidc_clients ON oidc_clients.id = user_authorized_oidc_clients.client_id AND user_authorized_oidc_clients.user_id = ?", userID).
 			Order("user_authorized_oidc_clients.last_used_at " + sortedPaginationRequest.Sort.Direction)
 	}
 	response, err = utils.PaginateAndSort(sortedPaginationRequest, query, &clients)
 	if err != nil {
 		return nil, utils.PaginationResponse{}, err
 	}
 	dtos := make([]dto.AccessibleOidcClientDto, len(clients))
 	for i, client := range clients {
 		var lastUsedAt *datatype.DateTime
 		if len(client.UserAuthorizedOidcClients) > 0 {
 			lastUsedAt = &client.UserAuthorizedOidcClients[0].LastUsedAt
 		}
 		dtos[i] = dto.AccessibleOidcClientDto{
 			OidcClientMetaDataDto: dto.OidcClientMetaDataDto{
 				ID:        client.ID,
 				Name:      client.Name,
 				LaunchURL: client.LaunchURL,
 				HasLogo:   client.HasLogo,
 			},
 			LastUsedAt: lastUsedAt,
 		}
 	}
 	return dtos, response, err
 }
 func (s *OidcService) createRefreshToken(ctx context.Context, clientID string, userID string, scope string, tx *gorm.DB) (string, error) {
 	refreshToken, err := utils.GenerateRandomAlphanumericString(40)
 	if err != nil {
@@ -1351,14 +1464,37 @@ func (s *OidcService) createRefreshToken(ctx context.Context, clientID string, u
 	return signed, nil
 }
-func (s *OidcService) createAuthorizedClientInternal(ctx context.Context, userID string, clientID string, scope string, tx *gorm.DB) error {
+func (s *OidcService) createAuthorizedClientInternal(ctx context.Context, userID string, clientID string, scope string, tx *gorm.DB) (hasAlreadyAuthorizedClient bool, err error) {
-	userAuthorizedClient := model.UserAuthorizedOidcClient{
+
-		UserID:   userID,
+	// Check if the user has already authorized the client with the given scope
-		ClientID: clientID,
+	hasAlreadyAuthorizedClient, err = s.hasAuthorizedClientInternal(ctx, clientID, userID, scope, tx)
-		Scope:    scope,
+	if err != nil {
 		return false, err
 	}
-	err := tx.WithContext(ctx).
+	if hasAlreadyAuthorizedClient {
 		err = tx.
 			WithContext(ctx).
 			Model(&model.UserAuthorizedOidcClient{}).
 			Where("user_id = ? AND client_id = ?", userID, clientID).
 			Update("last_used_at", datatype.DateTime(time.Now())).
 			Error
 		if err != nil {
 			return hasAlreadyAuthorizedClient, err
 		}
 		return hasAlreadyAuthorizedClient, nil
 	}
 	userAuthorizedClient := model.UserAuthorizedOidcClient{
 		UserID:     userID,
 		ClientID:   clientID,
 		Scope:      scope,
 		LastUsedAt: datatype.DateTime(time.Now()),
 	}
 	err = tx.WithContext(ctx).
 		Clauses(clause.OnConflict{
 			Columns:   []clause.Column{{Name: "user_id"}, {Name: "client_id"}},
 			DoUpdates: clause.AssignmentColumns([]string{"scope"}),
@@ -1366,7 +1502,7 @@ func (s *OidcService) createAuthorizedClientInternal(ctx context.Context, userID
 		Create(&userAuthorizedClient).
 		Error
-	return err
+	return hasAlreadyAuthorizedClient, err
 }
 type ClientAuthCredentials struct {
@@ -1385,46 +1521,61 @@ func clientAuthCredentialsFromCreateTokensDto(d *dto.OidcCreateTokensDto) Client
 	}
 }
-func (s *OidcService) verifyClientCredentialsInternal(ctx context.Context, tx *gorm.DB, input ClientAuthCredentials) (*model.OidcClient, error) {
+func (s *OidcService) verifyClientCredentialsInternal(ctx context.Context, tx *gorm.DB, input ClientAuthCredentials, allowPublicClientsWithoutAuth bool) (client *model.OidcClient, err error) {
-	// First, ensure we have a valid client ID
+	isClientAssertion := input.ClientAssertionType == ClientAssertionTypeJWTBearer && input.ClientAssertion != ""
-	if input.ClientID == "" {
+
 	// Determine the client ID based on the authentication method
 	var clientID string
 	switch {
 	case isClientAssertion:
 		// Extract client ID from the JWT assertion's 'sub' claim
 		clientID, err = s.extractClientIDFromAssertion(input.ClientAssertion)
 		if err != nil {
 			slog.Error("Failed to extract client ID from assertion", "error", err)
 			return nil, &common.OidcClientAssertionInvalidError{}
 		}
 	case input.ClientID != "":
 		// Use the provided client ID for other authentication methods
 		clientID = input.ClientID
 	default:
 		return nil, &common.OidcMissingClientCredentialsError{}
 	}
 	// Load the OIDC client's configuration
-	var client model.OidcClient
+	err = tx.
 	err := tx.
 		WithContext(ctx).
-		First(&client, "id = ?", input.ClientID).
+		First(&client, "id = ?", clientID).
 		Error
 	if err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) && isClientAssertion {
 			return nil, &common.OidcClientAssertionInvalidError{}
 		}
 		return nil, err
 	}
-	// We have 3 options
+	// Validate credentials based on the authentication method
 	// If credentials are provided, we validate them; otherwise, we can continue without credentials for public clients only
 	switch {
-	// First, if we have a client secret, we validate it
+	// First, if we have a client secret, we validate it unless client is marked as public
-	case input.ClientSecret != "":
+	case input.ClientSecret != "" && !client.IsPublic:
 		err = bcrypt.CompareHashAndPassword([]byte(client.Secret), []byte(input.ClientSecret))
 		if err != nil {
 			return nil, &common.OidcClientSecretInvalidError{}
 		}
-		return &client, nil
+		return client, nil
 	// Next, check if we want to use client assertions from federated identities
-	case input.ClientAssertionType == ClientAssertionTypeJWTBearer && input.ClientAssertion != "":
+	case isClientAssertion:
-		err = s.verifyClientAssertionFromFederatedIdentities(ctx, &client, input)
+		err = s.verifyClientAssertionFromFederatedIdentities(ctx, client, input)
 		if err != nil {
-			log.Printf("Invalid assertion for client '%s': %v", client.ID, err)
+			slog.WarnContext(ctx, "Invalid assertion for client", slog.String("client", client.ID), slog.Any("error", err))
 			return nil, &common.OidcClientAssertionInvalidError{}
 		}
-		return &client, nil
+		return client, nil
 	// There's no credentials
 	// This is allowed only if the client is public
-	case client.IsPublic:
+	case client.IsPublic && allowPublicClientsWithoutAuth:
-		return &client, nil
+		return client, nil
 	// If we're here, we have no credentials AND the client is not public, so credentials are required
 	default:
@@ -1523,6 +1674,23 @@ func (s *OidcService) verifyClientAssertionFromFederatedIdentities(ctx context.C
 	return nil
 }
 // extractClientIDFromAssertion extracts the client_id from the JWT assertion's 'sub' claim
 func (s *OidcService) extractClientIDFromAssertion(assertion string) (string, error) {
 	// Parse the JWT without verification first to get the claims
 	insecureToken, err := jwt.ParseInsecure([]byte(assertion))
 	if err != nil {
 		return "", fmt.Errorf("failed to parse JWT assertion: %w", err)
 	}
 	// Extract the subject claim which must be the client_id according to RFC 7523
 	sub, ok := insecureToken.Subject()
 	if !ok || sub == "" {
 		return "", fmt.Errorf("missing or invalid 'sub' claim in JWT assertion")
 	}
 	return sub, nil
 }
 func (s *OidcService) GetClientPreview(ctx context.Context, clientID string, userID string, scopes string) (*dto.OidcClientPreviewDto, error) {
 	tx := s.db.Begin()
 	defer func() {
@@ -1666,3 +1834,19 @@ func (s *OidcService) getUserClaimsFromAuthorizedClient(ctx context.Context, aut
 	return claims, nil
 }
 func (s *OidcService) IsClientAccessibleToUser(ctx context.Context, clientID string, userID string) (bool, error) {
 	var user model.User
 	err := s.db.WithContext(ctx).Preload("UserGroups").First(&user, "id = ?", userID).Error
 	if err != nil {
 		return false, err
 	}
 	var client model.OidcClient
 	err = s.db.WithContext(ctx).Preload("AllowedUserGroups").First(&client, "id = ?", clientID).Error
 	if err != nil {
 		return false, err
 	}
 	return s.IsUserGroupAllowedToAuthorize(user, client), nil
 }
--- a/backend/internal/service/oidc_service_test.go
+++ b/backend/internal/service/oidc_service_test.go
@@ -18,6 +18,7 @@ import (
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/dto"
 	testutils "github.com/pocket-id/pocket-id/backend/internal/utils/testing"
 )
 // generateTestECDSAKey creates an ECDSA key for testing
@@ -62,12 +63,12 @@ func TestOidcService_jwkSetForURL(t *testing.T) {
 	)
 	mockResponses := map[string]*http.Response{
 		//nolint:bodyclose
-		url1: NewMockResponse(http.StatusOK, string(jwkSetJSON1)),
+		url1: testutils.NewMockResponse(http.StatusOK, string(jwkSetJSON1)),
 		//nolint:bodyclose
-		url2: NewMockResponse(http.StatusOK, string(jwkSetJSON2)),
+		url2: testutils.NewMockResponse(http.StatusOK, string(jwkSetJSON2)),
 	}
 	httpClient := &http.Client{
-		Transport: &MockRoundTripper{
+		Transport: &testutils.MockRoundTripper{
 			Responses: mockResponses,
 		},
 	}
@@ -134,13 +135,12 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {
 	const (
 		federatedClientIssuer         = "https://external-idp.com"
 		federatedClientAudience       = "https://pocket-id.com"
 		federatedClientSubject        = "123456abcdef"
 		federatedClientIssuerDefaults = "https://external-idp-defaults.com/"
 	)
 	var err error
 	// Create a test database
-	db := newDatabaseForTest(t)
+	db := testutils.NewDatabaseForTest(t)
 	// Create two JWKs for testing
 	privateJWK, jwkSetJSON := generateTestECDSAKey(t)
@@ -150,12 +150,12 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {
 	// Create a mock HTTP client with custom transport to return the JWKS
 	httpClient := &http.Client{
-		Transport: &MockRoundTripper{
+		Transport: &testutils.MockRoundTripper{
 			Responses: map[string]*http.Response{
 				//nolint:bodyclose
-				federatedClientIssuer + "/jwks.json": NewMockResponse(http.StatusOK, string(jwkSetJSON)),
+				federatedClientIssuer + "/jwks.json": testutils.NewMockResponse(http.StatusOK, string(jwkSetJSON)),
 				//nolint:bodyclose
-				federatedClientIssuerDefaults + ".well-known/jwks.json": NewMockResponse(http.StatusOK, string(jwkSetJSONDefaults)),
+				federatedClientIssuerDefaults + ".well-known/jwks.json": testutils.NewMockResponse(http.StatusOK, string(jwkSetJSONDefaults)),
 			},
 		},
 	}
@@ -171,8 +171,10 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {
 	// Create the test clients
 	// 1. Confidential client
 	confidentialClient, err := s.CreateClient(t.Context(), dto.OidcClientCreateDto{
-		Name:         "Confidential Client",
+		OidcClientUpdateDto: dto.OidcClientUpdateDto{
-		CallbackURLs: []string{"https://example.com/callback"},
+			Name:         "Confidential Client",
 			CallbackURLs: []string{"https://example.com/callback"},
 		},
 	}, "test-user-id")
 	require.NoError(t, err)
@@ -182,28 +184,38 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {
 	// 2. Public client
 	publicClient, err := s.CreateClient(t.Context(), dto.OidcClientCreateDto{
-		Name:         "Public Client",
+		OidcClientUpdateDto: dto.OidcClientUpdateDto{
-		CallbackURLs: []string{"https://example.com/callback"},
+			Name:         "Public Client",
-		IsPublic:     true,
+			CallbackURLs: []string{"https://example.com/callback"},
 			IsPublic:     true,
 		},
 	}, "test-user-id")
 	require.NoError(t, err)
 	// 3. Confidential client with federated identity
 	federatedClient, err := s.CreateClient(t.Context(), dto.OidcClientCreateDto{
-		Name:         "Federated Client",
+		OidcClientUpdateDto: dto.OidcClientUpdateDto{
-		CallbackURLs: []string{"https://example.com/callback"},
+			Name:         "Federated Client",
 			CallbackURLs: []string{"https://example.com/callback"},
 		},
 	}, "test-user-id")
 	require.NoError(t, err)
 	federatedClient, err = s.UpdateClient(t.Context(), federatedClient.ID, dto.OidcClientUpdateDto{
 		Name:         federatedClient.Name,
 		CallbackURLs: federatedClient.CallbackURLs,
 		Credentials: dto.OidcClientCredentialsDto{
 			FederatedIdentities: []dto.OidcClientFederatedIdentityDto{
 				{
 					Issuer:   federatedClientIssuer,
 					Audience: federatedClientAudience,
-					Subject:  federatedClientSubject,
+					Subject:  federatedClient.ID,
 					JWKS:     federatedClientIssuer + "/jwks.json",
 				},
 				{Issuer: federatedClientIssuerDefaults},
 			},
 		},
-	}, "test-user-id")
+	})
 	require.NoError(t, err)
 	// Test cases for confidential client (using client secret)
@@ -213,7 +225,7 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {
 			client, err := s.verifyClientCredentialsInternal(t.Context(), s.db, ClientAuthCredentials{
 				ClientID:     confidentialClient.ID,
 				ClientSecret: confidentialSecret,
-			})
+			}, true)
 			require.NoError(t, err)
 			require.NotNil(t, client)
 			assert.Equal(t, confidentialClient.ID, client.ID)
@@ -224,7 +236,7 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {
 			client, err := s.verifyClientCredentialsInternal(t.Context(), s.db, ClientAuthCredentials{
 				ClientID:     confidentialClient.ID,
 				ClientSecret: "invalid-secret",
-			})
+			}, true)
 			require.Error(t, err)
 			require.ErrorIs(t, err, &common.OidcClientSecretInvalidError{})
 			assert.Nil(t, client)
@@ -234,7 +246,7 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {
 			// Test with missing client secret
 			client, err := s.verifyClientCredentialsInternal(t.Context(), s.db, ClientAuthCredentials{
 				ClientID: confidentialClient.ID,
-			})
+			}, true)
 			require.Error(t, err)
 			require.ErrorIs(t, err, &common.OidcMissingClientCredentialsError{})
 			assert.Nil(t, client)
@@ -247,11 +259,21 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {
 			// Public clients don't require client secret
 			client, err := s.verifyClientCredentialsInternal(t.Context(), s.db, ClientAuthCredentials{
 				ClientID: publicClient.ID,
-			})
+			}, true)
 			require.NoError(t, err)
 			require.NotNil(t, client)
 			assert.Equal(t, publicClient.ID, client.ID)
 		})
 		t.Run("Fails with no credentials if allowPublicClientsWithoutAuth is false", func(t *testing.T) {
 			// Public clients don't require client secret
 			client, err := s.verifyClientCredentialsInternal(t.Context(), s.db, ClientAuthCredentials{
 				ClientID: publicClient.ID,
 			}, false)
 			require.Error(t, err)
 			require.ErrorIs(t, err, &common.OidcMissingClientCredentialsError{})
 			assert.Nil(t, client)
 		})
 	})
 	// Test cases for federated client using JWT assertion
@@ -261,7 +283,7 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {
 			token, err := jwt.NewBuilder().
 				Issuer(federatedClientIssuer).
 				Audience([]string{federatedClientAudience}).
-				Subject(federatedClientSubject).
+				Subject(federatedClient.ID).
 				IssuedAt(time.Now()).
 				Expiration(time.Now().Add(10 * time.Minute)).
 				Build()
@@ -274,7 +296,7 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {
 				ClientID:            federatedClient.ID,
 				ClientAssertionType: ClientAssertionTypeJWTBearer,
 				ClientAssertion:     string(signedToken),
-			})
+			}, true)
 			require.NoError(t, err)
 			require.NotNil(t, client)
 			assert.Equal(t, federatedClient.ID, client.ID)
@@ -286,7 +308,7 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {
 				ClientID:            federatedClient.ID,
 				ClientAssertionType: ClientAssertionTypeJWTBearer,
 				ClientAssertion:     "invalid.jwt.token",
-			})
+			}, true)
 			require.Error(t, err)
 			require.ErrorIs(t, err, &common.OidcClientAssertionInvalidError{})
 			assert.Nil(t, client)
@@ -298,7 +320,7 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {
 				builder := jwt.NewBuilder().
 					Issuer(federatedClientIssuer).
 					Audience([]string{federatedClientAudience}).
-					Subject(federatedClientSubject).
+					Subject(federatedClient.ID).
 					IssuedAt(time.Now()).
 					Expiration(time.Now().Add(10 * time.Minute))
@@ -315,7 +337,7 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {
 					ClientID:            federatedClient.ID,
 					ClientAssertionType: ClientAssertionTypeJWTBearer,
 					ClientAssertion:     string(signedToken),
-				})
+				}, true)
 				require.Error(t, err)
 				require.ErrorIs(t, err, &common.OidcClientAssertionInvalidError{})
 				require.Nil(t, client)
@@ -356,7 +378,7 @@ func TestOidcService_verifyClientCredentialsInternal(t *testing.T) {
 				ClientID:            federatedClient.ID,
 				ClientAssertionType: ClientAssertionTypeJWTBearer,
 				ClientAssertion:     string(signedToken),
-			})
+			}, true)
 			require.NoError(t, err)
 			require.NotNil(t, client)
 			assert.Equal(t, federatedClient.ID, client.ID)
--- a/backend/internal/service/user_group_service.go
+++ b/backend/internal/service/user_group_service.go
@@ -32,8 +32,7 @@ func (s *UserGroupService) List(ctx context.Context, name string, sortedPaginati
 	}
 	// As userCount is not a column we need to manually sort it
-	isValidSortDirection := sortedPaginationRequest.Sort.Direction == "asc" || sortedPaginationRequest.Sort.Direction == "desc"
+	if sortedPaginationRequest.Sort.Column == "userCount" && utils.IsValidSortDirection(sortedPaginationRequest.Sort.Direction) {
 	if sortedPaginationRequest.Sort.Column == "userCount" && isValidSortDirection {
 		query = query.Select("user_groups.*, COUNT(user_groups_users.user_id)").
 			Joins("LEFT JOIN user_groups_users ON user_groups.id = user_groups_users.user_group_id").
 			Group("user_groups.id").
--- a/backend/internal/service/user_service.go
+++ b/backend/internal/service/user_service.go
@@ -3,16 +3,18 @@ package service
 import (
 	"bytes"
 	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
-	"log"
+	"log/slog"
 	"net/url"
 	"os"
 	"strings"
 	"time"
 	"github.com/google/uuid"
 	"go.opentelemetry.io/otel/trace"
 	"gorm.io/gorm"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
@@ -25,15 +27,23 @@ import (
 )
 type UserService struct {
-	db               *gorm.DB
+	db                 *gorm.DB
-	jwtService       *JwtService
+	jwtService         *JwtService
-	auditLogService  *AuditLogService
+	auditLogService    *AuditLogService
-	emailService     *EmailService
+	emailService       *EmailService
-	appConfigService *AppConfigService
+	appConfigService   *AppConfigService
 	customClaimService *CustomClaimService
 }
-func NewUserService(db *gorm.DB, jwtService *JwtService, auditLogService *AuditLogService, emailService *EmailService, appConfigService *AppConfigService) *UserService {
+func NewUserService(db *gorm.DB, jwtService *JwtService, auditLogService *AuditLogService, emailService *EmailService, appConfigService *AppConfigService, customClaimService *CustomClaimService) *UserService {
-	return &UserService{db: db, jwtService: jwtService, auditLogService: auditLogService, emailService: emailService, appConfigService: appConfigService}
+	return &UserService{
 		db:                 db,
 		jwtService:         jwtService,
 		auditLogService:    auditLogService,
 		emailService:       emailService,
 		appConfigService:   appConfigService,
 		customClaimService: customClaimService,
 	}
 }
 func (s *UserService) ListUsers(ctx context.Context, searchTerm string, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.User, utils.PaginationResponse, error) {
@@ -45,7 +55,8 @@ func (s *UserService) ListUsers(ctx context.Context, searchTerm string, sortedPa
 	if searchTerm != "" {
 		searchPattern := "%" + searchTerm + "%"
-		query = query.Where("email LIKE ? OR first_name LIKE ? OR last_name LIKE ? OR username LIKE ?",
+		query = query.Where(
 			"email LIKE ? OR first_name LIKE ? OR last_name LIKE ? OR username LIKE ?",
 			searchPattern, searchPattern, searchPattern, searchPattern)
 	}
@@ -118,13 +129,14 @@ func (s *UserService) GetProfilePicture(ctx context.Context, userID string) (io.
 	defaultPictureBytes := defaultPicture.Bytes()
 	go func() {
 		// Ensure the directory exists
-		err = os.MkdirAll(defaultProfilePicturesDir, os.ModePerm)
+		errInternal := os.MkdirAll(defaultProfilePicturesDir, os.ModePerm)
-		if err != nil {
+		if errInternal != nil {
-			log.Printf("Failed to create directory for default profile picture: %v", err)
+			slog.Error("Failed to create directory for default profile picture", slog.Any("error", errInternal))
 			return
 		}
-		if err := utils.SaveFileStream(bytes.NewReader(defaultPictureBytes), defaultPicturePath); err != nil {
+		errInternal = utils.SaveFileStream(bytes.NewReader(defaultPictureBytes), defaultPicturePath)
-			log.Printf("Failed to cache default profile picture for initials %s: %v", user.Initials(), err)
+		if errInternal != nil {
 			slog.Error("Failed to cache default profile picture for initials", slog.String("initials", user.Initials()), slog.Any("error", errInternal))
 		}
 	}()
@@ -259,9 +271,53 @@ func (s *UserService) createUserInternal(ctx context.Context, input dto.UserCrea
 	} else if err != nil {
 		return model.User{}, err
 	}
 	// Apply default groups and claims for new non-LDAP users
 	if !isLdapSync {
 		if err := s.applySignupDefaults(ctx, &user, tx); err != nil {
 			return model.User{}, err
 		}
 	}
 	return user, nil
 }
 func (s *UserService) applySignupDefaults(ctx context.Context, user *model.User, tx *gorm.DB) error {
 	config := s.appConfigService.GetDbConfig()
 	// Apply default user groups
 	var groupIDs []string
 	if v := config.SignupDefaultUserGroupIDs.Value; v != "" && v != "[]" {
 		if err := json.Unmarshal([]byte(v), &groupIDs); err != nil {
 			return fmt.Errorf("invalid SignupDefaultUserGroupIDs JSON: %w", err)
 		}
 		if len(groupIDs) > 0 {
 			var groups []model.UserGroup
 			if err := tx.WithContext(ctx).Where("id IN ?", groupIDs).Find(&groups).Error; err != nil {
 				return fmt.Errorf("failed to find default user groups: %w", err)
 			}
 			if err := tx.WithContext(ctx).Model(user).Association("UserGroups").Replace(groups); err != nil {
 				return fmt.Errorf("failed to associate default user groups: %w", err)
 			}
 		}
 	}
 	// Apply default custom claims
 	var claims []dto.CustomClaimCreateDto
 	if v := config.SignupDefaultCustomClaims.Value; v != "" && v != "[]" {
 		if err := json.Unmarshal([]byte(v), &claims); err != nil {
 			return fmt.Errorf("invalid SignupDefaultCustomClaims JSON: %w", err)
 		}
 		if len(claims) > 0 {
 			if _, err := s.customClaimService.updateCustomClaimsInternal(ctx, UserID, user.ID, claims, tx); err != nil {
 				return fmt.Errorf("failed to apply default custom claims: %w", err)
 			}
 		}
 	}
 	return nil
 }
 func (s *UserService) UpdateUser(ctx context.Context, userID string, updatedUser dto.UserCreateDto, updateOwnUser bool, isLdapSync bool) (model.User, error) {
 	tx := s.db.Begin()
 	defer func() {
@@ -296,15 +352,21 @@ func (s *UserService) updateUserInternal(ctx context.Context, userID string, upd
 	isLdapUser := user.LdapID != nil && s.appConfigService.GetDbConfig().LdapEnabled.IsTrue()
 	allowOwnAccountEdit := s.appConfigService.GetDbConfig().AllowOwnAccountEdit.IsTrue()
-	// For LDAP users or if own account editing is not allowed, only allow updating the locale unless it's an LDAP sync
+	if !isLdapSync && (isLdapUser || (!allowOwnAccountEdit && updateOwnUser)) {
-	if !isLdapSync && (isLdapUser || (!allowOwnAccountEdit && !updateOwnUser)) {
+		// Restricted update: Only locale can be changed when:
 		// - User is from LDAP, OR
 		// - User is editing their own account but global setting disallows self-editing
 		// (Exception: LDAP sync operations can update everything)
 		user.Locale = updatedUser.Locale
 	} else {
 		// Full update: Allow updating all personal fields
 		user.FirstName = updatedUser.FirstName
 		user.LastName = updatedUser.LastName
 		user.Email = updatedUser.Email
 		user.Username = updatedUser.Username
 		user.Locale = updatedUser.Locale
 		// Admin-only fields: Only allow updates when not updating own account
 		if !updateOwnUser {
 			user.IsAdmin = updatedUser.IsAdmin
 			user.Disabled = updatedUser.Disabled
@@ -333,13 +395,13 @@ func (s *UserService) updateUserInternal(ctx context.Context, userID string, upd
 	return user, nil
 }
-func (s *UserService) RequestOneTimeAccessEmailAsAdmin(ctx context.Context, userID string, expiration time.Time) error {
+func (s *UserService) RequestOneTimeAccessEmailAsAdmin(ctx context.Context, userID string, ttl time.Duration) error {
 	isDisabled := !s.appConfigService.GetDbConfig().EmailOneTimeAccessAsAdminEnabled.IsTrue()
 	if isDisabled {
 		return &common.OneTimeAccessDisabledError{}
 	}
-	return s.requestOneTimeAccessEmailInternal(ctx, userID, "", expiration)
+	return s.requestOneTimeAccessEmailInternal(ctx, userID, "", ttl)
 }
 func (s *UserService) RequestOneTimeAccessEmailAsUnauthenticatedUser(ctx context.Context, userID, redirectPath string) error {
@@ -359,11 +421,10 @@ func (s *UserService) RequestOneTimeAccessEmailAsUnauthenticatedUser(ctx context
 		}
 	}
-	expiration := time.Now().Add(15 * time.Minute)
+	return s.requestOneTimeAccessEmailInternal(ctx, userId, redirectPath, 15*time.Minute)
 	return s.requestOneTimeAccessEmailInternal(ctx, userId, redirectPath, expiration)
 }
-func (s *UserService) requestOneTimeAccessEmailInternal(ctx context.Context, userID, redirectPath string, expiration time.Time) error {
+func (s *UserService) requestOneTimeAccessEmailInternal(ctx context.Context, userID, redirectPath string, ttl time.Duration) error {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
@@ -374,7 +435,7 @@ func (s *UserService) requestOneTimeAccessEmailInternal(ctx context.Context, use
 		return err
 	}
-	oneTimeAccessToken, err := s.createOneTimeAccessTokenInternal(ctx, user.ID, expiration, tx)
+	oneTimeAccessToken, err := s.createOneTimeAccessTokenInternal(ctx, user.ID, ttl, tx)
 	if err != nil {
 		return err
 	}
@@ -387,7 +448,8 @@ func (s *UserService) requestOneTimeAccessEmailInternal(ctx context.Context, use
 	// We use a background context here as this is running in a goroutine
 	//nolint:contextcheck
 	go func() {
-		innerCtx := context.Background()
+		span := trace.SpanFromContext(ctx)
 		innerCtx := trace.ContextWithSpan(context.Background(), span)
 		link := common.EnvConfig.AppURL + "/lc"
 		linkWithCode := link + "/" + oneTimeAccessToken
@@ -405,27 +467,29 @@ func (s *UserService) requestOneTimeAccessEmailInternal(ctx context.Context, use
 			Code:              oneTimeAccessToken,
 			LoginLink:         link,
 			LoginLinkWithCode: linkWithCode,
-			ExpirationString:  utils.DurationToString(time.Until(expiration).Round(time.Second)),
+			ExpirationString:  utils.DurationToString(ttl),
 		})
 		if errInternal != nil {
-			log.Printf("Failed to send email to '%s': %v\n", user.Email, errInternal)
+			slog.ErrorContext(innerCtx, "Failed to send one-time access token email", slog.Any("error", errInternal), slog.String("address", user.Email))
 			return
 		}
 	}()
 	return nil
 }
-func (s *UserService) CreateOneTimeAccessToken(ctx context.Context, userID string, expiresAt time.Time) (string, error) {
+func (s *UserService) CreateOneTimeAccessToken(ctx context.Context, userID string, ttl time.Duration) (string, error) {
-	return s.createOneTimeAccessTokenInternal(ctx, userID, expiresAt, s.db)
+	return s.createOneTimeAccessTokenInternal(ctx, userID, ttl, s.db)
 }
-func (s *UserService) createOneTimeAccessTokenInternal(ctx context.Context, userID string, expiresAt time.Time, tx *gorm.DB) (string, error) {
+func (s *UserService) createOneTimeAccessTokenInternal(ctx context.Context, userID string, ttl time.Duration, tx *gorm.DB) (string, error) {
-	oneTimeAccessToken, err := NewOneTimeAccessToken(userID, expiresAt)
+	oneTimeAccessToken, err := NewOneTimeAccessToken(userID, ttl)
 	if err != nil {
 		return "", err
 	}
-	if err := tx.WithContext(ctx).Create(oneTimeAccessToken).Error; err != nil {
+	err = tx.WithContext(ctx).Create(oneTimeAccessToken).Error
 	if err != nil {
 		return "", err
 	}
@@ -463,9 +527,7 @@ func (s *UserService) ExchangeOneTimeAccessToken(ctx context.Context, token stri
 		return model.User{}, "", err
 	}
-	if ipAddress != "" && userAgent != "" {
+	s.auditLogService.Create(ctx, model.AuditLogEventOneTimeAccessTokenSignIn, ipAddress, userAgent, oneTimeAccessToken.User.ID, model.AuditLogData{}, tx)
 		s.auditLogService.Create(ctx, model.AuditLogEventOneTimeAccessTokenSignIn, ipAddress, userAgent, oneTimeAccessToken.User.ID, model.AuditLogData{}, tx)
 	}
 	err = tx.Commit().Error
 	if err != nil {
@@ -489,7 +551,7 @@ func (s *UserService) UpdateUserGroups(ctx context.Context, id string, userGroup
 	// Fetch the groups based on userGroupIds
 	var groups []model.UserGroup
 	if len(userGroupIds) > 0 {
-		err = tx.
+		err := tx.
 			WithContext(ctx).
 			Where("id IN (?)", userGroupIds).
 			Find(&groups).
@@ -523,7 +585,7 @@ func (s *UserService) UpdateUserGroups(ctx context.Context, id string, userGroup
 	return user, nil
 }
-func (s *UserService) SetupInitialAdmin(ctx context.Context) (model.User, string, error) {
+func (s *UserService) SignUpInitialAdmin(ctx context.Context, signUpData dto.SignUpDto) (model.User, string, error) {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
@@ -533,26 +595,23 @@ func (s *UserService) SetupInitialAdmin(ctx context.Context) (model.User, string
 	if err := tx.WithContext(ctx).Model(&model.User{}).Count(&userCount).Error; err != nil {
 		return model.User{}, "", err
 	}
-	if userCount > 1 {
+	if userCount != 0 {
 		return model.User{}, "", &common.SetupAlreadyCompletedError{}
 	}
-	user := model.User{
+	userToCreate := dto.UserCreateDto{
-		FirstName: "Admin",
+		FirstName: signUpData.FirstName,
-		LastName:  "Admin",
+		LastName:  signUpData.LastName,
-		Username:  "admin",
+		Username:  signUpData.Username,
-		Email:     "admin@admin.com",
+		Email:     signUpData.Email,
 		IsAdmin:   true,
 	}
-	if err := tx.WithContext(ctx).Model(&model.User{}).Preload("Credentials").FirstOrCreate(&user).Error; err != nil {
+	user, err := s.createUserInternal(ctx, userToCreate, false, tx)
 	if err != nil {
 		return model.User{}, "", err
 	}
 	if len(user.Credentials) > 0 {
 		return model.User{}, "", &common.SetupAlreadyCompletedError{}
 	}
 	token, err := s.jwtService.GenerateAccessToken(user)
 	if err != nil {
 		return model.User{}, "", err
@@ -630,10 +689,111 @@ func (s *UserService) disableUserInternal(ctx context.Context, userID string, tx
 		Error
 }
-func NewOneTimeAccessToken(userID string, expiresAt time.Time) (*model.OneTimeAccessToken, error) {
+func (s *UserService) CreateSignupToken(ctx context.Context, ttl time.Duration, usageLimit int) (model.SignupToken, error) {
 	signupToken, err := NewSignupToken(ttl, usageLimit)
 	if err != nil {
 		return model.SignupToken{}, err
 	}
 	err = s.db.WithContext(ctx).Create(signupToken).Error
 	if err != nil {
 		return model.SignupToken{}, err
 	}
 	return *signupToken, nil
 }
 func (s *UserService) SignUp(ctx context.Context, signupData dto.SignUpDto, ipAddress, userAgent string) (model.User, string, error) {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	tokenProvided := signupData.Token != ""
 	config := s.appConfigService.GetDbConfig()
 	if config.AllowUserSignups.Value != "open" && !tokenProvided {
 		return model.User{}, "", &common.OpenSignupDisabledError{}
 	}
 	var signupToken model.SignupToken
 	if tokenProvided {
 		err := tx.
 			WithContext(ctx).
 			Where("token = ?", signupData.Token).
 			First(&signupToken).
 			Error
 		if err != nil {
 			if errors.Is(err, gorm.ErrRecordNotFound) {
 				return model.User{}, "", &common.TokenInvalidOrExpiredError{}
 			}
 			return model.User{}, "", err
 		}
 		if !signupToken.IsValid() {
 			return model.User{}, "", &common.TokenInvalidOrExpiredError{}
 		}
 	}
 	userToCreate := dto.UserCreateDto{
 		Username:  signupData.Username,
 		Email:     signupData.Email,
 		FirstName: signupData.FirstName,
 		LastName:  signupData.LastName,
 	}
 	user, err := s.createUserInternal(ctx, userToCreate, false, tx)
 	if err != nil {
 		return model.User{}, "", err
 	}
 	accessToken, err := s.jwtService.GenerateAccessToken(user)
 	if err != nil {
 		return model.User{}, "", err
 	}
 	if tokenProvided {
 		s.auditLogService.Create(ctx, model.AuditLogEventAccountCreated, ipAddress, userAgent, user.ID, model.AuditLogData{
 			"signupToken": signupToken.Token,
 		}, tx)
 		signupToken.UsageCount++
 		err = tx.WithContext(ctx).Save(&signupToken).Error
 		if err != nil {
 			return model.User{}, "", err
 		}
 	} else {
 		s.auditLogService.Create(ctx, model.AuditLogEventAccountCreated, ipAddress, userAgent, user.ID, model.AuditLogData{
 			"method": "open_signup",
 		}, tx)
 	}
 	err = tx.Commit().Error
 	if err != nil {
 		return model.User{}, "", err
 	}
 	return user, accessToken, nil
 }
 func (s *UserService) ListSignupTokens(ctx context.Context, sortedPaginationRequest utils.SortedPaginationRequest) ([]model.SignupToken, utils.PaginationResponse, error) {
 	var tokens []model.SignupToken
 	query := s.db.WithContext(ctx).Model(&model.SignupToken{})
 	pagination, err := utils.PaginateAndSort(sortedPaginationRequest, query, &tokens)
 	return tokens, pagination, err
 }
 func (s *UserService) DeleteSignupToken(ctx context.Context, tokenID string) error {
 	return s.db.WithContext(ctx).Delete(&model.SignupToken{}, "id = ?", tokenID).Error
 }
 func NewOneTimeAccessToken(userID string, ttl time.Duration) (*model.OneTimeAccessToken, error) {
 	// If expires at is less than 15 minutes, use a 6-character token instead of 16
 	tokenLength := 16
-	if time.Until(expiresAt) <= 15*time.Minute {
+	if ttl <= 15*time.Minute {
 		tokenLength = 6
 	}
@@ -642,11 +802,30 @@ func NewOneTimeAccessToken(userID string, expiresAt time.Time) (*model.OneTimeAc
 		return nil, err
 	}
 	now := time.Now().Round(time.Second)
 	o := &model.OneTimeAccessToken{
 		UserID:    userID,
-		ExpiresAt: datatype.DateTime(expiresAt),
+		ExpiresAt: datatype.DateTime(now.Add(ttl)),
 		Token:     randomString,
 	}
 	return o, nil
 }
 func NewSignupToken(ttl time.Duration, usageLimit int) (*model.SignupToken, error) {
 	// Generate a random token
 	randomString, err := utils.GenerateRandomAlphanumericString(16)
 	if err != nil {
 		return nil, err
 	}
 	now := time.Now().Round(time.Second)
 	token := &model.SignupToken{
 		Token:      randomString,
 		ExpiresAt:  datatype.DateTime(now.Add(ttl)),
 		UsageLimit: usageLimit,
 		UsageCount: 0,
 	}
 	return token, nil
 }
--- a/backend/internal/service/webauthn_service.go
+++ b/backend/internal/service/webauthn_service.go
@@ -9,6 +9,7 @@ import (
 	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/go-webauthn/webauthn/webauthn"
 	"gorm.io/gorm"
 	"gorm.io/gorm/clause"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
@@ -24,8 +25,8 @@ type WebAuthnService struct {
 	appConfigService *AppConfigService
 }
-func NewWebAuthnService(db *gorm.DB, jwtService *JwtService, auditLogService *AuditLogService, appConfigService *AppConfigService) *WebAuthnService {
+func NewWebAuthnService(db *gorm.DB, jwtService *JwtService, auditLogService *AuditLogService, appConfigService *AppConfigService) (*WebAuthnService, error) {
-	webauthnConfig := &webauthn.Config{
+	wa, err := webauthn.New(&webauthn.Config{
 		RPDisplayName: appConfigService.GetDbConfig().AppName.Value,
 		RPID:          utils.GetHostnameFromURL(common.EnvConfig.AppURL),
 		RPOrigins:     []string{common.EnvConfig.AppURL},
@@ -44,15 +45,18 @@ func NewWebAuthnService(db *gorm.DB, jwtService *JwtService, auditLogService *Au
 				TimeoutUVD: time.Second * 60,
 			},
 		},
 	})
 	if err != nil {
 		return nil, fmt.Errorf("failed to init webauthn object: %w", err)
 	}
-	wa, _ := webauthn.New(webauthnConfig)
+
 	return &WebAuthnService{
 		db:               db,
 		webAuthn:         wa,
 		jwtService:       jwtService,
 		auditLogService:  auditLogService,
 		appConfigService: appConfigService,
-	}
+	}, nil
 }
 func (s *WebAuthnService) BeginRegistration(ctx context.Context, userID string) (*model.PublicKeyCredentialCreationOptions, error) {
@@ -70,8 +74,7 @@ func (s *WebAuthnService) BeginRegistration(ctx context.Context, userID string)
 		Find(&user, "id = ?", userID).
 		Error
 	if err != nil {
-		tx.Rollback()
+		return nil, fmt.Errorf("failed to load user: %w", err)
 		return nil, err
 	}
 	options, session, err := s.webAuthn.BeginRegistration(
@@ -80,7 +83,7 @@ func (s *WebAuthnService) BeginRegistration(ctx context.Context, userID string)
 		webauthn.WithExclusions(user.WebAuthnCredentialDescriptors()),
 	)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to begin WebAuthn registration: %w", err)
 	}
 	sessionToStore := &model.WebauthnSession{
@@ -94,12 +97,12 @@ func (s *WebAuthnService) BeginRegistration(ctx context.Context, userID string)
 		Create(&sessionToStore).
 		Error
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to save WebAuthn session: %w", err)
 	}
 	err = tx.Commit().Error
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to commit transaction: %w", err)
 	}
 	return &model.PublicKeyCredentialCreationOptions{
@@ -115,13 +118,15 @@ func (s *WebAuthnService) VerifyRegistration(ctx context.Context, sessionID, use
 		tx.Rollback()
 	}()
 	// Load & delete the session row
 	var storedSession model.WebauthnSession
 	err := tx.
 		WithContext(ctx).
-		First(&storedSession, "id = ?", sessionID).
+		Clauses(clause.Returning{}).
 		Delete(&storedSession, "id = ?", sessionID).
 		Error
 	if err != nil {
-		return model.WebauthnCredential{}, err
+		return model.WebauthnCredential{}, fmt.Errorf("failed to load WebAuthn session: %w", err)
 	}
 	session := webauthn.SessionData{
@@ -136,12 +141,12 @@ func (s *WebAuthnService) VerifyRegistration(ctx context.Context, sessionID, use
 		Find(&user, "id = ?", userID).
 		Error
 	if err != nil {
-		return model.WebauthnCredential{}, err
+		return model.WebauthnCredential{}, fmt.Errorf("failed to load user: %w", err)
 	}
 	credential, err := s.webAuthn.FinishRegistration(&user, session, r)
 	if err != nil {
-		return model.WebauthnCredential{}, err
+		return model.WebauthnCredential{}, fmt.Errorf("failed to finish WebAuthn registration: %w", err)
 	}
 	// Determine passkey name using AAGUID and User-Agent
@@ -162,12 +167,12 @@ func (s *WebAuthnService) VerifyRegistration(ctx context.Context, sessionID, use
 		Create(&credentialToStore).
 		Error
 	if err != nil {
-		return model.WebauthnCredential{}, err
+		return model.WebauthnCredential{}, fmt.Errorf("failed to store WebAuthn credential: %w", err)
 	}
 	err = tx.Commit().Error
 	if err != nil {
-		return model.WebauthnCredential{}, err
+		return model.WebauthnCredential{}, fmt.Errorf("failed to commit transaction: %w", err)
 	}
 	return credentialToStore, nil
@@ -216,13 +221,15 @@ func (s *WebAuthnService) VerifyLogin(ctx context.Context, sessionID string, cre
 		tx.Rollback()
 	}()
 	// Load & delete the session row
 	var storedSession model.WebauthnSession
 	err := tx.
 		WithContext(ctx).
-		First(&storedSession, "id = ?", sessionID).
+		Clauses(clause.Returning{}).
 		Delete(&storedSession, "id = ?", sessionID).
 		Error
 	if err != nil {
-		return model.User{}, "", err
+		return model.User{}, "", fmt.Errorf("failed to load WebAuthn session: %w", err)
 	}
 	session := webauthn.SessionData{
@@ -329,3 +336,136 @@ func (s *WebAuthnService) UpdateCredential(ctx context.Context, userID, credenti
 func (s *WebAuthnService) updateWebAuthnConfig() {
 	s.webAuthn.Config.RPDisplayName = s.appConfigService.GetDbConfig().AppName.Value
 }
 func (s *WebAuthnService) CreateReauthenticationTokenWithAccessToken(ctx context.Context, accessToken string) (string, error) {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	token, err := s.jwtService.VerifyAccessToken(accessToken)
 	if err != nil {
 		return "", fmt.Errorf("invalid access token: %w", err)
 	}
 	userID, ok := token.Subject()
 	if !ok {
 		return "", fmt.Errorf("access token does not contain user ID")
 	}
 	// Check if token is issued less than a minute ago
 	tokenExpiration, ok := token.IssuedAt()
 	if !ok || time.Since(tokenExpiration) > time.Minute {
 		return "", &common.ReauthenticationRequiredError{}
 	}
 	var user model.User
 	err = tx.
 		WithContext(ctx).
 		First(&user, "id = ?", userID).
 		Error
 	if err != nil {
 		return "", fmt.Errorf("failed to load user: %w", err)
 	}
 	reauthToken, err := s.createReauthenticationToken(ctx, tx, user.ID)
 	if err != nil {
 		return "", err
 	}
 	err = tx.Commit().Error
 	if err != nil {
 		return "", err
 	}
 	return reauthToken, nil
 }
 func (s *WebAuthnService) CreateReauthenticationTokenWithWebauthn(ctx context.Context, sessionID string, credentialAssertionData *protocol.ParsedCredentialAssertionData) (string, error) {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
 	// Retrieve and delete the session
 	var storedSession model.WebauthnSession
 	err := tx.
 		WithContext(ctx).
 		Clauses(clause.Returning{}).
 		Delete(&storedSession, "id = ? AND expires_at > ?", sessionID, datatype.DateTime(time.Now())).
 		Error
 	if err != nil {
 		return "", fmt.Errorf("failed to load WebAuthn session: %w", err)
 	}
 	session := webauthn.SessionData{
 		Challenge: storedSession.Challenge,
 		Expires:   storedSession.ExpiresAt.ToTime(),
 	}
 	// Validate the credential assertion
 	var user *model.User
 	_, err = s.webAuthn.ValidateDiscoverableLogin(func(_, userHandle []byte) (webauthn.User, error) {
 		innerErr := tx.
 			WithContext(ctx).
 			Preload("Credentials").
 			First(&user, "id = ?", string(userHandle)).
 			Error
 		if innerErr != nil {
 			return nil, innerErr
 		}
 		return user, nil
 	}, session, credentialAssertionData)
 	if err != nil || user == nil {
 		return "", err
 	}
 	// Create reauthentication token
 	token, err := s.createReauthenticationToken(ctx, tx, user.ID)
 	if err != nil {
 		return "", err
 	}
 	err = tx.Commit().Error
 	if err != nil {
 		return "", err
 	}
 	return token, nil
 }
 func (s *WebAuthnService) ConsumeReauthenticationToken(ctx context.Context, tx *gorm.DB, token string, userID string) error {
 	hashedToken := utils.CreateSha256Hash(token)
 	result := tx.WithContext(ctx).
 		Clauses(clause.Returning{}).
 		Delete(&model.ReauthenticationToken{}, "token = ? AND user_id = ? AND expires_at > ?", hashedToken, userID, datatype.DateTime(time.Now()))
 	if result.Error != nil {
 		return result.Error
 	}
 	if result.RowsAffected == 0 {
 		return &common.ReauthenticationRequiredError{}
 	}
 	return nil
 }
 func (s *WebAuthnService) createReauthenticationToken(ctx context.Context, tx *gorm.DB, userID string) (string, error) {
 	token, err := utils.GenerateRandomAlphanumericString(32)
 	if err != nil {
 		return "", err
 	}
 	reauthToken := model.ReauthenticationToken{
 		Token:     utils.CreateSha256Hash(token),
 		ExpiresAt: datatype.DateTime(time.Now().Add(3 * time.Minute)),
 		UserID:    userID,
 	}
 	err = tx.WithContext(ctx).Create(&reauthToken).Error
 	if err != nil {
 		return "", err
 	}
 	return token, nil
 }
--- a/backend/internal/utils/aaguid_util.go
+++ b/backend/internal/utils/aaguid_util.go
@@ -4,7 +4,7 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
-	"log"
+	"log/slog"
 	"sync"
 	"github.com/pocket-id/pocket-id/backend/resources"
@@ -57,12 +57,13 @@ func loadAAGUIDsFromFile() {
 	// Read from embedded file system
 	data, err := resources.FS.ReadFile("aaguids.json")
 	if err != nil {
-		log.Printf("Error reading embedded AAGUID file: %v", err)
+		slog.Error("Error reading embedded AAGUID file", slog.Any("error", err))
 		return
 	}
-	if err := json.Unmarshal(data, &aaguidMap); err != nil {
+	err = json.Unmarshal(data, &aaguidMap)
-		log.Printf("Error unmarshalling AAGUID data: %v", err)
+	if err != nil {
 		slog.Error("Error unmarshalling AAGUID data", slog.Any("error", err))
 		return
 	}
 }
--- a/backend/internal/utils/cmd_util.go
+++ b/backend/internal/utils/cmd_util.go
@@ -0,0 +1,24 @@
 package utils
 import (
 	"bufio"
 	"fmt"
 	"os"
 	"strings"
 )
 // PromptForConfirmation prompts the user to answer "y" in the terminal
 func PromptForConfirmation(prompt string) (bool, error) {
 	fmt.Print(prompt + " [y/N]: ")
 	reader := bufio.NewReader(os.Stdin)
 	r, err := reader.ReadString('\n')
 	if err != nil {
 		return false, fmt.Errorf("failed to read response: %w", err)
 	}
 	r = strings.TrimSpace(strings.ToLower(r))
 	ok := r == "yes" || r == "y"
 	return ok, nil
 }
--- a/backend/internal/utils/crypto/crypto.go
+++ b/backend/internal/utils/crypto/crypto.go
@@ -0,0 +1,69 @@
 package crypto
 import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/rand"
 	"errors"
 	"fmt"
 	"io"
 )
 // ErrDecrypt is returned by Decrypt when the operation failed for any reason
 var ErrDecrypt = errors.New("failed to decrypt data")
 // Encrypt a byte slice using AES-GCM and a random nonce
 // Important: do not encrypt more than ~4 billion messages with the same key!
 func Encrypt(key []byte, plaintext []byte, associatedData []byte) (ciphertext []byte, err error) {
 	block, err := aes.NewCipher(key)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create block cipher: %w", err)
 	}
 	aead, err := cipher.NewGCM(block)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create AEAD cipher: %w", err)
 	}
 	// Generate a random nonce
 	nonce := make([]byte, aead.NonceSize())
 	_, err = io.ReadFull(rand.Reader, nonce)
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate random nonce: %w", err)
 	}
 	// Allocate the slice for the result, with additional space for the nonce and overhead
 	ciphertext = make([]byte, 0, len(plaintext)+aead.NonceSize()+aead.Overhead())
 	ciphertext = append(ciphertext, nonce...)
 	// Encrypt the plaintext
 	// Tag is automatically added at the end
 	ciphertext = aead.Seal(ciphertext, nonce, plaintext, associatedData)
 	return ciphertext, nil
 }
 // Decrypt a byte slice using AES-GCM
 func Decrypt(key []byte, ciphertext []byte, associatedData []byte) (plaintext []byte, err error) {
 	block, err := aes.NewCipher(key)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create block cipher: %w", err)
 	}
 	aead, err := cipher.NewGCM(block)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create AEAD cipher: %w", err)
 	}
 	// Extract the nonce
 	if len(ciphertext) < (aead.NonceSize() + aead.Overhead()) {
 		return nil, ErrDecrypt
 	}
 	// Decrypt the data
 	plaintext, err = aead.Open(nil, ciphertext[:aead.NonceSize()], ciphertext[aead.NonceSize():], associatedData)
 	if err != nil {
 		// Note: we do not return the exact error here, to avoid disclosing information
 		return nil, ErrDecrypt
 	}
 	return plaintext, nil
 }
--- a/backend/internal/utils/crypto/crypto_test.go
+++ b/backend/internal/utils/crypto/crypto_test.go
@@ -0,0 +1,208 @@
 package crypto
 import (
 	"crypto/rand"
 	"fmt"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 func TestEncryptDecrypt(t *testing.T) {
 	tests := []struct {
 		name           string
 		keySize        int
 		plaintext      string
 		associatedData []byte
 	}{
 		{
 			name:           "AES-128 with short plaintext",
 			keySize:        16,
 			plaintext:      "Hello, World!",
 			associatedData: []byte("test-aad"),
 		},
 		{
 			name:           "AES-192 with medium plaintext",
 			keySize:        24,
 			plaintext:      "This is a longer message to test encryption and decryption",
 			associatedData: []byte("associated-data-192"),
 		},
 		{
 			name:           "AES-256 with unicode",
 			keySize:        32,
 			plaintext:      "Hello 世界! 🌍 Testing unicode characters", //nolint:gosmopolitan
 			associatedData: []byte("unicode-test"),
 		},
 		{
 			name:           "No associated data",
 			keySize:        32,
 			plaintext:      "Testing without associated data",
 			associatedData: nil,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Generate random key
 			key := make([]byte, tt.keySize)
 			_, err := rand.Read(key)
 			require.NoError(t, err, "Failed to generate random key")
 			plaintext := []byte(tt.plaintext)
 			// Test encryption
 			ciphertext, err := Encrypt(key, plaintext, tt.associatedData)
 			require.NoError(t, err, "Encrypt should succeed")
 			// Verify ciphertext is different from plaintext (unless empty)
 			if len(plaintext) > 0 {
 				assert.NotEqual(t, plaintext, ciphertext)
 			}
 			// Test decryption
 			decrypted, err := Decrypt(key, ciphertext, tt.associatedData)
 			require.NoError(t, err, "Decrypt should succeed")
 			// Verify decrypted text matches original
 			assert.Equal(t, plaintext, decrypted, "Decrypted text should match original")
 		})
 	}
 }
 func TestEncryptWithInvalidKeySize(t *testing.T) {
 	invalidKeySizes := []int{8, 12, 33, 47, 55, 128}
 	for _, keySize := range invalidKeySizes {
 		t.Run(fmt.Sprintf("Key size %d", keySize), func(t *testing.T) {
 			key := make([]byte, keySize)
 			plaintext := []byte("test message")
 			_, err := Encrypt(key, plaintext, nil)
 			require.Error(t, err)
 			assert.ErrorContains(t, err, "invalid key size")
 		})
 	}
 }
 func TestDecryptWithInvalidKeySize(t *testing.T) {
 	invalidKeySizes := []int{8, 12, 33, 47, 55, 128}
 	for _, keySize := range invalidKeySizes {
 		t.Run(fmt.Sprintf("Key size %d", keySize), func(t *testing.T) {
 			key := make([]byte, keySize)
 			ciphertext := []byte("fake ciphertext")
 			_, err := Decrypt(key, ciphertext, nil)
 			require.Error(t, err)
 			assert.ErrorContains(t, err, "invalid key size")
 		})
 	}
 }
 func TestDecryptWithInvalidCiphertext(t *testing.T) {
 	key := make([]byte, 32)
 	_, err := rand.Read(key)
 	require.NoError(t, err, "Failed to generate random key")
 	tests := []struct {
 		name       string
 		ciphertext []byte
 	}{
 		{
 			name:       "empty ciphertext",
 			ciphertext: []byte{},
 		},
 		{
 			name:       "too short ciphertext",
 			ciphertext: []byte("short"),
 		},
 		{
 			name:       "random invalid data",
 			ciphertext: []byte("this is not valid encrypted data"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			_, err := Decrypt(key, tt.ciphertext, nil)
 			require.Error(t, err)
 			require.ErrorIs(t, err, ErrDecrypt)
 		})
 	}
 }
 func TestDecryptWithWrongKey(t *testing.T) {
 	// Generate two different keys
 	key1 := make([]byte, 32)
 	key2 := make([]byte, 32)
 	_, err := rand.Read(key1)
 	require.NoError(t, err)
 	_, err = rand.Read(key2)
 	require.NoError(t, err)
 	plaintext := []byte("secret message")
 	// Encrypt with key1
 	ciphertext, err := Encrypt(key1, plaintext, nil)
 	require.NoError(t, err)
 	// Try to decrypt with key2
 	_, err = Decrypt(key2, ciphertext, nil)
 	require.Error(t, err)
 	require.ErrorIs(t, err, ErrDecrypt)
 }
 func TestDecryptWithWrongAssociatedData(t *testing.T) {
 	key := make([]byte, 32)
 	_, err := rand.Read(key)
 	require.NoError(t, err, "Failed to generate random key")
 	plaintext := []byte("secret message")
 	correctAAD := []byte("correct-aad")
 	wrongAAD := []byte("wrong-aad")
 	// Encrypt with correct AAD
 	ciphertext, err := Encrypt(key, plaintext, correctAAD)
 	require.NoError(t, err)
 	// Try to decrypt with wrong AAD
 	_, err = Decrypt(key, ciphertext, wrongAAD)
 	require.Error(t, err)
 	require.ErrorIs(t, err, ErrDecrypt)
 	// Verify correct AAD works
 	decrypted, err := Decrypt(key, ciphertext, correctAAD)
 	require.NoError(t, err)
 	assert.Equal(t, plaintext, decrypted, "Decrypted text should match original when using correct AAD")
 }
 func TestEncryptDecryptConsistency(t *testing.T) {
 	key := make([]byte, 32)
 	_, err := rand.Read(key)
 	require.NoError(t, err)
 	plaintext := []byte("consistency test message")
 	associatedData := []byte("test-aad")
 	// Encrypt multiple times and verify we get different ciphertexts (due to random IV)
 	ciphertext1, err := Encrypt(key, plaintext, associatedData)
 	require.NoError(t, err)
 	ciphertext2, err := Encrypt(key, plaintext, associatedData)
 	require.NoError(t, err)
 	// Ciphertexts should be different (due to random IV)
 	assert.NotEqual(t, ciphertext1, ciphertext2, "Multiple encryptions of same plaintext should produce different ciphertexts")
 	// Both should decrypt to the same plaintext
 	decrypted1, err := Decrypt(key, ciphertext1, associatedData)
 	require.NoError(t, err)
 	decrypted2, err := Decrypt(key, ciphertext2, associatedData)
 	require.NoError(t, err)
 	assert.Equal(t, plaintext, decrypted1, "First decrypted text should match original")
 	assert.Equal(t, plaintext, decrypted2, "Second decrypted text should match original")
 	assert.Equal(t, decrypted1, decrypted2, "Both decrypted texts should be identical")
 }
--- a/backend/internal/utils/http_util.go
+++ b/backend/internal/utils/http_util.go
@@ -2,7 +2,11 @@ package utils
 import (
 	"net/http"
 	"strconv"
 	"strings"
 	"time"
 	"github.com/gin-gonic/gin"
 )
 // BearerAuth returns the value of the bearer token in the Authorization header if present
@@ -16,3 +20,14 @@ func BearerAuth(r *http.Request) (string, bool) {
 	return "", false
 }
 // SetCacheControlHeader sets the Cache-Control header for the response.
 func SetCacheControlHeader(ctx *gin.Context, maxAge, staleWhileRevalidate time.Duration) {
 	_, ok := ctx.GetQuery("skipCache")
 	if !ok {
 		maxAgeSeconds := strconv.Itoa(int(maxAge.Seconds()))
 		staleWhileRevalidateSeconds := strconv.Itoa(int(staleWhileRevalidate.Seconds()))
 		ctx.Header("Cache-Control", "public, max-age="+maxAgeSeconds+", stale-while-revalidate="+staleWhileRevalidateSeconds)
 	}
 }
--- a/backend/internal/utils/image/profile_picture.go
+++ b/backend/internal/utils/image/profile_picture.go
@@ -29,9 +29,9 @@ func CreateProfilePicture(file io.Reader) (io.Reader, error) {
 	pr, pw := io.Pipe()
 	go func() {
-		err = imaging.Encode(pw, img, imaging.PNG)
+		innerErr := imaging.Encode(pw, img, imaging.PNG)
-		if err != nil {
+		if innerErr != nil {
-			_ = pw.CloseWithError(fmt.Errorf("failed to encode image: %w", err))
+			_ = pw.CloseWithError(fmt.Errorf("failed to encode image: %w", innerErr))
 			return
 		}
 		pw.Close()
--- a/backend/internal/utils/json_util.go
+++ b/backend/internal/utils/json_util.go
@@ -0,0 +1,42 @@
 package utils
 import (
 	"encoding/json"
 	"errors"
 	"time"
 )
 // JSONDuration is a type that allows marshalling/unmarshalling a Duration
 type JSONDuration struct {
 	time.Duration
 }
 func (d JSONDuration) MarshalJSON() ([]byte, error) {
 	return json.Marshal(d.String())
 }
 func (d *JSONDuration) UnmarshalJSON(b []byte) error {
 	var v any
 	err := json.Unmarshal(b, &v)
 	if err != nil {
 		return err
 	}
 	switch value := v.(type) {
 	case float64:
 		// If the value is a number, interpret it as a number of seconds
 		d.Duration = time.Duration(value) * time.Second
 		return nil
 	case string:
 		if v == "" {
 			return nil
 		}
 		var err error
 		d.Duration, err = time.ParseDuration(value)
 		if err != nil {
 			return err
 		}
 		return nil
 	default:
 		return errors.New("invalid duration")
 	}
 }
--- a/backend/internal/utils/json_util_test.go
+++ b/backend/internal/utils/json_util_test.go
@@ -0,0 +1,64 @@
 package utils
 import (
 	"encoding/json"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 func TestJSONDuration_MarshalJSON(t *testing.T) {
 	tests := []struct {
 		duration time.Duration
 		want     string
 	}{
 		{time.Minute + 30*time.Second, "1m30s"},
 		{0, "0s"},
 	}
 	for _, tc := range tests {
 		d := JSONDuration{Duration: tc.duration}
 		b, err := json.Marshal(d)
 		require.NoError(t, err)
 		assert.Equal(t, `"`+tc.want+`"`, string(b))
 	}
 }
 func TestJSONDuration_UnmarshalJSON_String(t *testing.T) {
 	var d JSONDuration
 	err := json.Unmarshal([]byte(`"2h15m5s"`), &d)
 	require.NoError(t, err)
 	want := 2*time.Hour + 15*time.Minute + 5*time.Second
 	assert.Equal(t, want, d.Duration)
 }
 func TestJSONDuration_UnmarshalJSON_NumberSeconds(t *testing.T) {
 	tests := []struct {
 		json string
 		want time.Duration
 	}{
 		{"0", 0},
 		{"1", 1 * time.Second},
 		{"2.25", 2 * time.Second}, // Milliseconds are truncated
 	}
 	for _, tc := range tests {
 		var d JSONDuration
 		err := json.Unmarshal([]byte(tc.json), &d)
 		require.NoError(t, err, "input: %s", tc.json)
 		assert.Equal(t, tc.want, d.Duration, "input: %s", tc.json)
 	}
 }
 func TestJSONDuration_UnmarshalJSON_Invalid(t *testing.T) {
 	cases := [][]byte{
 		[]byte(`true`),
 		[]byte(`{}`),
 		[]byte(`"not-a-duration"`),
 	}
 	for _, b := range cases {
 		var d JSONDuration
 		err := json.Unmarshal(b, &d)
 		require.Error(t, err, "input: %s", string(b))
 	}
 }
--- a/backend/internal/utils/jwk/key_provider.go
+++ b/backend/internal/utils/jwk/key_provider.go
@@ -0,0 +1,50 @@
 package jwk
 import (
 	"fmt"
 	"github.com/lestrrat-go/jwx/v3/jwk"
 	"gorm.io/gorm"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 )
 type KeyProviderOpts struct {
 	EnvConfig *common.EnvConfigSchema
 	DB        *gorm.DB
 	Kek       []byte
 }
 type KeyProvider interface {
 	Init(opts KeyProviderOpts) error
 	LoadKey() (jwk.Key, error)
 	SaveKey(key jwk.Key) error
 }
 func GetKeyProvider(db *gorm.DB, envConfig *common.EnvConfigSchema, instanceID string) (keyProvider KeyProvider, err error) {
 	// Load the encryption key (KEK) if present
 	kek, err := LoadKeyEncryptionKey(envConfig, instanceID)
 	if err != nil {
 		return nil, fmt.Errorf("failed to load encryption key: %w", err)
 	}
 	// Get the key provider
 	switch envConfig.KeysStorage {
 	case "file", "":
 		keyProvider = &KeyProviderFile{}
 	case "database":
 		keyProvider = &KeyProviderDatabase{}
 	default:
 		return nil, fmt.Errorf("invalid key storage '%s'", envConfig.KeysStorage)
 	}
 	err = keyProvider.Init(KeyProviderOpts{
 		DB:        db,
 		EnvConfig: envConfig,
 		Kek:       kek,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("failed to init key provider of type '%s': %w", envConfig.KeysStorage, err)
 	}
 	return keyProvider, nil
 }
--- a/backend/internal/utils/jwk/key_provider_database.go
+++ b/backend/internal/utils/jwk/key_provider_database.go
@@ -0,0 +1,109 @@
 package jwk
 import (
 	"context"
 	"encoding/base64"
 	"errors"
 	"fmt"
 	"time"
 	"github.com/lestrrat-go/jwx/v3/jwk"
 	"gorm.io/gorm"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	cryptoutils "github.com/pocket-id/pocket-id/backend/internal/utils/crypto"
 )
 const PrivateKeyDBKey = "jwt_private_key.json"
 type KeyProviderDatabase struct {
 	db  *gorm.DB
 	kek []byte
 }
 func (f *KeyProviderDatabase) Init(opts KeyProviderOpts) error {
 	if len(opts.Kek) == 0 {
 		return errors.New("an encryption key is required when using the 'database' key provider")
 	}
 	f.db = opts.DB
 	f.kek = opts.Kek
 	return nil
 }
 func (f *KeyProviderDatabase) LoadKey() (key jwk.Key, err error) {
 	row := model.KV{
 		Key: PrivateKeyDBKey,
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
 	err = f.db.WithContext(ctx).First(&row).Error
 	if errors.Is(err, gorm.ErrRecordNotFound) {
 		// Key not present in the database - return nil so a new one can be generated
 		return nil, nil
 	} else if err != nil {
 		return nil, fmt.Errorf("failed to retrieve private key from the database: %w", err)
 	}
 	if row.Value == nil || *row.Value == "" {
 		// Key not present in the database - return nil so a new one can be generated
 		return nil, nil
 	}
 	// Decode from base64
 	enc, err := base64.StdEncoding.DecodeString(*row.Value)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read encrypted private key: not a valid base64-encoded value: %w", err)
 	}
 	// Decrypt the data
 	data, err := cryptoutils.Decrypt(f.kek, enc, nil)
 	if err != nil {
 		return nil, fmt.Errorf("failed to decrypt private key: %w", err)
 	}
 	// Parse the key
 	key, err = jwk.ParseKey(data)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse encrypted private key: %w", err)
 	}
 	return key, nil
 }
 func (f *KeyProviderDatabase) SaveKey(key jwk.Key) error {
 	// Encode the key to JSON
 	data, err := EncodeJWKBytes(key)
 	if err != nil {
 		return fmt.Errorf("failed to encode key to JSON: %w", err)
 	}
 	// Encrypt the key then encode to Base64
 	enc, err := cryptoutils.Encrypt(f.kek, data, nil)
 	if err != nil {
 		return fmt.Errorf("failed to encrypt key: %w", err)
 	}
 	encB64 := base64.StdEncoding.EncodeToString(enc)
 	// Save to database
 	row := model.KV{
 		Key:   PrivateKeyDBKey,
 		Value: &encB64,
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
 	err = f.db.WithContext(ctx).Create(&row).Error
 	if err != nil {
 		// There's one scenario where if Pocket ID is started fresh with more than 1 replica, they both could be trying to create the private key in the database at the same time
 		// In this case, only one of the replicas will succeed; the other one(s) will return an error here, which will cascade down and cause the replica(s) to crash and be restarted (at that point they'll load the then-existing key from the database)
 		return fmt.Errorf("failed to store private key in database: %w", err)
 	}
 	return nil
 }
 // Compile-time interface check
 var _ KeyProvider = (*KeyProviderDatabase)(nil)
--- a/backend/internal/utils/jwk/key_provider_database_test.go
+++ b/backend/internal/utils/jwk/key_provider_database_test.go
@@ -0,0 +1,275 @@
 package jwk
 import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"encoding/base64"
 	"testing"
 	"github.com/lestrrat-go/jwx/v3/jwk"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	cryptoutils "github.com/pocket-id/pocket-id/backend/internal/utils/crypto"
 	testutils "github.com/pocket-id/pocket-id/backend/internal/utils/testing"
 )
 func TestKeyProviderDatabase_Init(t *testing.T) {
 	t.Run("Init fails when KEK is not provided", func(t *testing.T) {
 		db := testutils.NewDatabaseForTest(t)
 		provider := &KeyProviderDatabase{}
 		err := provider.Init(KeyProviderOpts{
 			DB:  db,
 			Kek: nil, // No KEK
 		})
 		require.Error(t, err, "Expected error when KEK is not provided")
 		require.ErrorContains(t, err, "encryption key is required")
 	})
 	t.Run("Init succeeds with KEK", func(t *testing.T) {
 		db := testutils.NewDatabaseForTest(t)
 		provider := &KeyProviderDatabase{}
 		err := provider.Init(KeyProviderOpts{
 			DB:  db,
 			Kek: generateTestKEK(t),
 		})
 		require.NoError(t, err, "Expected no error when KEK is provided")
 	})
 }
 func TestKeyProviderDatabase_LoadKey(t *testing.T) {
 	// Generate a test key to use in our tests
 	pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	require.NoError(t, err)
 	key, err := jwk.Import(pk)
 	require.NoError(t, err)
 	t.Run("LoadKey with no existing key", func(t *testing.T) {
 		db := testutils.NewDatabaseForTest(t)
 		kek := generateTestKEK(t)
 		provider := &KeyProviderDatabase{}
 		err := provider.Init(KeyProviderOpts{
 			DB:  db,
 			Kek: kek,
 		})
 		require.NoError(t, err)
 		// Load key when none exists
 		loadedKey, err := provider.LoadKey()
 		require.NoError(t, err)
 		assert.Nil(t, loadedKey, "Expected nil key when no key exists in database")
 	})
 	t.Run("LoadKey with existing key", func(t *testing.T) {
 		db := testutils.NewDatabaseForTest(t)
 		kek := generateTestKEK(t)
 		provider := &KeyProviderDatabase{}
 		err := provider.Init(KeyProviderOpts{
 			DB:  db,
 			Kek: kek,
 		})
 		require.NoError(t, err)
 		// Save a key
 		err = provider.SaveKey(key)
 		require.NoError(t, err)
 		// Load the key
 		loadedKey, err := provider.LoadKey()
 		require.NoError(t, err)
 		assert.NotNil(t, loadedKey, "Expected non-nil key when key exists in database")
 		// Verify the loaded key is the same as the original
 		keyBytes, err := EncodeJWKBytes(key)
 		require.NoError(t, err)
 		loadedKeyBytes, err := EncodeJWKBytes(loadedKey)
 		require.NoError(t, err)
 		assert.Equal(t, keyBytes, loadedKeyBytes, "Expected loaded key to match original key")
 	})
 	t.Run("LoadKey with invalid base64", func(t *testing.T) {
 		db := testutils.NewDatabaseForTest(t)
 		kek := generateTestKEK(t)
 		provider := &KeyProviderDatabase{}
 		err := provider.Init(KeyProviderOpts{
 			DB:  db,
 			Kek: kek,
 		})
 		require.NoError(t, err)
 		// Insert invalid base64 data
 		invalidBase64 := "not-valid-base64"
 		err = db.Create(&model.KV{
 			Key:   PrivateKeyDBKey,
 			Value: &invalidBase64,
 		}).Error
 		require.NoError(t, err)
 		// Attempt to load the key
 		loadedKey, err := provider.LoadKey()
 		require.Error(t, err, "Expected error when loading key with invalid base64")
 		require.ErrorContains(t, err, "not a valid base64-encoded value")
 		assert.Nil(t, loadedKey, "Expected nil key when loading fails")
 	})
 	t.Run("LoadKey with invalid encrypted data", func(t *testing.T) {
 		db := testutils.NewDatabaseForTest(t)
 		kek := generateTestKEK(t)
 		provider := &KeyProviderDatabase{}
 		err := provider.Init(KeyProviderOpts{
 			DB:  db,
 			Kek: kek,
 		})
 		require.NoError(t, err)
 		// Insert valid base64 but invalid encrypted data
 		invalidData := base64.StdEncoding.EncodeToString([]byte("not-valid-encrypted-data"))
 		err = db.Create(&model.KV{
 			Key:   PrivateKeyDBKey,
 			Value: &invalidData,
 		}).Error
 		require.NoError(t, err)
 		// Attempt to load the key
 		loadedKey, err := provider.LoadKey()
 		require.Error(t, err, "Expected error when loading key with invalid encrypted data")
 		require.ErrorContains(t, err, "failed to decrypt")
 		assert.Nil(t, loadedKey, "Expected nil key when loading fails")
 	})
 	t.Run("LoadKey with valid encrypted data but wrong KEK", func(t *testing.T) {
 		db := testutils.NewDatabaseForTest(t)
 		originalKek := generateTestKEK(t)
 		// Save a key with the original KEK
 		originalProvider := &KeyProviderDatabase{}
 		err := originalProvider.Init(KeyProviderOpts{
 			DB:  db,
 			Kek: originalKek,
 		})
 		require.NoError(t, err)
 		err = originalProvider.SaveKey(key)
 		require.NoError(t, err)
 		// Now try to load with a different KEK
 		differentKek := generateTestKEK(t)
 		differentProvider := &KeyProviderDatabase{}
 		err = differentProvider.Init(KeyProviderOpts{
 			DB:  db,
 			Kek: differentKek,
 		})
 		require.NoError(t, err)
 		// Attempt to load the key with the wrong KEK
 		loadedKey, err := differentProvider.LoadKey()
 		require.Error(t, err, "Expected error when loading key with wrong KEK")
 		require.ErrorContains(t, err, "failed to decrypt")
 		assert.Nil(t, loadedKey, "Expected nil key when loading fails")
 	})
 	t.Run("LoadKey with invalid key data", func(t *testing.T) {
 		db := testutils.NewDatabaseForTest(t)
 		kek := generateTestKEK(t)
 		provider := &KeyProviderDatabase{}
 		err := provider.Init(KeyProviderOpts{
 			DB:  db,
 			Kek: kek,
 		})
 		require.NoError(t, err)
 		// Create invalid key data (valid JSON but not a valid JWK)
 		invalidKeyData := []byte(`{"not": "a valid jwk"}`)
 		// Encrypt the invalid key data
 		encryptedData, err := cryptoutils.Encrypt(kek, invalidKeyData, nil)
 		require.NoError(t, err)
 		// Base64 encode the encrypted data
 		encodedData := base64.StdEncoding.EncodeToString(encryptedData)
 		// Save to database
 		err = db.Create(&model.KV{
 			Key:   PrivateKeyDBKey,
 			Value: &encodedData,
 		}).Error
 		require.NoError(t, err)
 		// Attempt to load the key
 		loadedKey, err := provider.LoadKey()
 		require.Error(t, err, "Expected error when loading invalid key data")
 		require.ErrorContains(t, err, "failed to parse")
 		assert.Nil(t, loadedKey, "Expected nil key when loading fails")
 	})
 }
 func TestKeyProviderDatabase_SaveKey(t *testing.T) {
 	// Generate a test key to use in our tests
 	pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	require.NoError(t, err)
 	key, err := jwk.Import(pk)
 	require.NoError(t, err)
 	t.Run("SaveKey and verify database record", func(t *testing.T) {
 		db := testutils.NewDatabaseForTest(t)
 		kek := generateTestKEK(t)
 		provider := &KeyProviderDatabase{}
 		err := provider.Init(KeyProviderOpts{
 			DB:  db,
 			Kek: kek,
 		})
 		require.NoError(t, err)
 		// Save the key
 		err = provider.SaveKey(key)
 		require.NoError(t, err, "Expected no error when saving key")
 		// Verify record exists in database
 		var kv model.KV
 		err = db.Where("key = ?", PrivateKeyDBKey).First(&kv).Error
 		require.NoError(t, err, "Expected to find key in database")
 		require.NotNil(t, kv.Value, "Expected non-nil value in database")
 		assert.NotEmpty(t, *kv.Value, "Expected non-empty value in database")
 		// Decode and decrypt to verify content
 		encBytes, err := base64.StdEncoding.DecodeString(*kv.Value)
 		require.NoError(t, err, "Expected valid base64 encoding")
 		decBytes, err := cryptoutils.Decrypt(kek, encBytes, nil)
 		require.NoError(t, err, "Expected valid encrypted data")
 		parsedKey, err := jwk.ParseKey(decBytes)
 		require.NoError(t, err, "Expected valid JWK data")
 		// Compare keys
 		keyBytes, err := EncodeJWKBytes(key)
 		require.NoError(t, err)
 		parsedKeyBytes, err := EncodeJWKBytes(parsedKey)
 		require.NoError(t, err)
 		assert.Equal(t, keyBytes, parsedKeyBytes, "Expected saved key to match original key")
 	})
 }
 func generateTestKEK(t *testing.T) []byte {
 	t.Helper()
 	// Generate a 32-byte kek
 	kek := make([]byte, 32)
 	_, err := rand.Read(kek)
 	require.NoError(t, err)
 	return kek
 }
--- a/backend/internal/utils/jwk/key_provider_file.go
+++ b/backend/internal/utils/jwk/key_provider_file.go
@@ -0,0 +1,202 @@
 package jwk
 import (
 	"encoding/base64"
 	"fmt"
 	"os"
 	"path/filepath"
 	"github.com/lestrrat-go/jwx/v3/jwk"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	cryptoutils "github.com/pocket-id/pocket-id/backend/internal/utils/crypto"
 )
 const (
 	// PrivateKeyFile is the path in the data/keys folder where the key is stored
 	// This is a JSON file containing a key encoded as JWK
 	PrivateKeyFile = "jwt_private_key.json"
 	// PrivateKeyFileEncrypted is the path in the data/keys folder where the encrypted key is stored
 	// This is a encrypted JSON file containing a key encoded as JWK
 	PrivateKeyFileEncrypted = "jwt_private_key.json.enc"
 )
 type KeyProviderFile struct {
 	envConfig *common.EnvConfigSchema
 	kek       []byte
 }
 func (f *KeyProviderFile) Init(opts KeyProviderOpts) error {
 	f.envConfig = opts.EnvConfig
 	f.kek = opts.Kek
 	return nil
 }
 func (f *KeyProviderFile) LoadKey() (jwk.Key, error) {
 	if len(f.kek) > 0 {
 		return f.loadEncryptedKey()
 	}
 	return f.loadKey()
 }
 func (f *KeyProviderFile) SaveKey(key jwk.Key) error {
 	if len(f.kek) > 0 {
 		return f.saveKeyEncrypted(key)
 	}
 	return f.saveKey(key)
 }
 func (f *KeyProviderFile) loadKey() (jwk.Key, error) {
 	var key jwk.Key
 	// First, check if we have a JWK file
 	// If we do, then we just load that
 	jwkPath := f.jwkPath()
 	ok, err := utils.FileExists(jwkPath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to check if private key file exists at path '%s': %w", jwkPath, err)
 	}
 	if !ok {
 		// File doesn't exist, no key was loaded
 		return nil, nil
 	}
 	data, err := os.ReadFile(jwkPath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read private key file at path '%s': %w", jwkPath, err)
 	}
 	key, err = jwk.ParseKey(data)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse private key file at path '%s': %w", jwkPath, err)
 	}
 	return key, nil
 }
 func (f *KeyProviderFile) loadEncryptedKey() (key jwk.Key, err error) {
 	// First, check if we have an encrypted JWK file
 	// If we do, then we just load that
 	encJwkPath := f.encJwkPath()
 	ok, err := utils.FileExists(encJwkPath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to check if encrypted private key file exists at path '%s': %w", encJwkPath, err)
 	}
 	if ok {
 		encB64, err := os.ReadFile(encJwkPath)
 		if err != nil {
 			return nil, fmt.Errorf("failed to read encrypted private key file at path '%s': %w", encJwkPath, err)
 		}
 		// Decode from base64
 		enc := make([]byte, base64.StdEncoding.DecodedLen(len(encB64)))
 		n, err := base64.StdEncoding.Decode(enc, encB64)
 		if err != nil {
 			return nil, fmt.Errorf("failed to read encrypted private key file at path '%s': not a valid base64-encoded file: %w", encJwkPath, err)
 		}
 		// Decrypt the data
 		data, err := cryptoutils.Decrypt(f.kek, enc[:n], nil)
 		if err != nil {
 			return nil, fmt.Errorf("failed to decrypt private key file at path '%s': %w", encJwkPath, err)
 		}
 		// Parse the key
 		key, err = jwk.ParseKey(data)
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse encrypted private key file at path '%s': %w", encJwkPath, err)
 		}
 		return key, nil
 	}
 	// Check if we have an un-encrypted JWK file
 	key, err = f.loadKey()
 	if err != nil {
 		return nil, fmt.Errorf("failed to load un-encrypted key file: %w", err)
 	}
 	if key == nil {
 		// No key exists, encrypted or un-encrypted
 		return nil, nil
 	}
 	// If we are here, we have loaded a key that was un-encrypted
 	// We need to replace the plaintext key with the encrypted one before we return
 	err = f.saveKeyEncrypted(key)
 	if err != nil {
 		return nil, fmt.Errorf("failed to save encrypted key file: %w", err)
 	}
 	jwkPath := f.jwkPath()
 	err = os.Remove(jwkPath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to remove un-encrypted key file at path '%s': %w", jwkPath, err)
 	}
 	return key, nil
 }
 func (f *KeyProviderFile) saveKey(key jwk.Key) error {
 	err := os.MkdirAll(f.envConfig.KeysPath, 0700)
 	if err != nil {
 		return fmt.Errorf("failed to create directory '%s' for key file: %w", f.envConfig.KeysPath, err)
 	}
 	jwkPath := f.jwkPath()
 	keyFile, err := os.OpenFile(jwkPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
 	if err != nil {
 		return fmt.Errorf("failed to create key file at path '%s': %w", jwkPath, err)
 	}
 	defer keyFile.Close()
 	// Write the JSON file to disk
 	err = EncodeJWK(keyFile, key)
 	if err != nil {
 		return fmt.Errorf("failed to write key file at path '%s': %w", jwkPath, err)
 	}
 	return nil
 }
 func (f *KeyProviderFile) saveKeyEncrypted(key jwk.Key) error {
 	err := os.MkdirAll(f.envConfig.KeysPath, 0700)
 	if err != nil {
 		return fmt.Errorf("failed to create directory '%s' for encrypted key file: %w", f.envConfig.KeysPath, err)
 	}
 	// Encode the key to JSON
 	data, err := EncodeJWKBytes(key)
 	if err != nil {
 		return fmt.Errorf("failed to encode key to JSON: %w", err)
 	}
 	// Encrypt the key then encode to Base64
 	enc, err := cryptoutils.Encrypt(f.kek, data, nil)
 	if err != nil {
 		return fmt.Errorf("failed to encrypt key: %w", err)
 	}
 	encB64 := make([]byte, base64.StdEncoding.EncodedLen(len(enc)))
 	base64.StdEncoding.Encode(encB64, enc)
 	// Write to disk
 	encJwkPath := f.encJwkPath()
 	err = os.WriteFile(encJwkPath, encB64, 0600)
 	if err != nil {
 		return fmt.Errorf("failed to write encrypted key file at path '%s': %w", encJwkPath, err)
 	}
 	return nil
 }
 func (f *KeyProviderFile) jwkPath() string {
 	return filepath.Join(f.envConfig.KeysPath, PrivateKeyFile)
 }
 func (f *KeyProviderFile) encJwkPath() string {
 	return filepath.Join(f.envConfig.KeysPath, PrivateKeyFileEncrypted)
 }
 // Compile-time interface check
 var _ KeyProvider = (*KeyProviderFile)(nil)
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Elias Schneider	d8c73ed472	release: 1.8.1	2025-08-24 15:12:14 +02:00
Elias Schneider	5971bfbfa6	fix: migration clears allowed users groups	2025-08-24 15:05:45 +02:00
Alessandro (Ale) Segala	29eacd6424	chore: update issue template (#870 )	2025-08-24 14:35:39 +02:00
Elias Schneider	21ca87be38	chore(translations): update translations via Crowdin (#860 )	2025-08-24 14:34:44 +02:00
Alessandro (Ale) Segala	1283314f77	fix: wrong column type for reauthentication tokens in Postgres (#869 )	2025-08-24 14:34:29 +02:00
Elias Schneider	9c54e2e6b0	release: 1.8.0	2025-08-23 18:57:19 +02:00
Elias Schneider	a5efb95065	feat: allow custom client IDs (#864 )	2025-08-23 18:41:05 +02:00
Elias Schneider	625f235740	fix: enable foreign key check for sqlite (#863 ) Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>	2025-08-23 17:54:51 +02:00
Elias Schneider	2c122d413d	refactor: run formatter	2025-08-23 17:46:59 +02:00
Elias Schneider	fc0c99a232	fix: oidc client advanced options color	2025-08-23 17:40:58 +02:00
Elias Schneider	24e274200f	fix: ferated identities can't be cleared	2025-08-23 17:40:06 +02:00
Elias Schneider	0aab3f3c7a	fix: authorization can't be revoked	2025-08-23 17:28:27 +02:00
Zeedif	182d809028	feat(signup): add default user groups and claims for new users (#812 ) Co-authored-by: Kyle Mendell <kmendell@ofkm.us> Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-08-22 14:25:02 +02:00
Elias Schneider	c51265dafb	chore(translations): change alternative sign in methods text	2025-08-22 13:06:38 +02:00
Robert Mang	0cb039d35d	feat: add option to OIDC client to require re-authentication (#747 ) Co-authored-by: Kyle Mendell <kmendell@ofkm.us> Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-08-22 08:56:40 +02:00
Alessandro (Ale) Segala	7ab0fd3028	fix: for one-time access tokens and signup tokens, pass TTLs instead of absolute expiration date (#855 )	2025-08-22 08:02:56 +02:00
Maxime R	49f0fa423c	chore: strip debug symbol from backend binary (#856 )	2025-08-21 15:46:45 +00:00
Elias Schneider	61e63e411d	chore(translations): update translations via Crowdin (#850 )	2025-08-20 17:07:08 -05:00
Alessandro (Ale) Segala	9339e88a5a	fix: move audit log call before TX is committed (#854 )	2025-08-20 17:01:53 -05:00
Elias Schneider	fe003b927c	fix: delete webauthn session after login to prevent replay attacks	2025-08-20 15:49:19 +02:00
Kyle Mendell	f5b5b1bd85	tests: use proper async calls for cleanupBackend function (#846 )	2025-08-20 10:38:03 +02:00
James18232	d28bfac81f	feat: login code font change (#851 ) Co-authored-by: James18232 <80368042+James18232@users.noreply.github.com> Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-08-19 14:10:57 +00:00
Elias Schneider	b04e3e8ecf	chore(translations): update translations via Crowdin (#848 )	2025-08-19 12:03:51 +02:00
Kyle Mendell	d77d8eb068	chore(translations): add Korean files	2025-08-18 14:53:19 -05:00
Elias Schneider	7cd88aca25	chore(translations): update translations via Crowdin (#841 )	2025-08-18 11:21:27 -05:00
Gergő Gutyina	b5e6371eaa	fix(deps): bump rollup from 4.45.3 to 4.46.3 (#845 )	2025-08-18 07:44:42 -05:00
github-actions[bot]	544b98c1d0	chore: update AAGUIDs (#844 ) Co-authored-by: stonith404 <58886915+stonith404@users.noreply.github.com>	2025-08-17 22:52:58 -05:00
Elias Schneider	3188e92257	feat: display all accessible oidc clients in the dashboard (#832 ) Co-authored-by: Kyle Mendell <ksm@ofkm.us>	2025-08-17 22:47:34 +02:00
Elias Schneider	3fa2f9a162	chore(translations): update translations via Crowdin (#821 )	2025-08-16 22:50:21 -05:00
James18232	7b1f6b8857	fix: ignore client secret if client is public (#836 ) Co-authored-by: James18232 <80368042+James18232@users.noreply.github.com>	2025-08-16 17:55:32 +02:00
Alessandro (Ale) Segala	17d8893bdb	chore: update deps and Go 1.25 (#833 )	2025-08-14 22:33:27 -05:00
Elias Schneider	0e44f245af	fix: non admin users can't revoke oidc client but see edit link	2025-08-12 09:46:15 +02:00
github-actions[bot]	824e8f1a0f	chore: update AAGUIDs (#826 ) Co-authored-by: stonith404 <58886915+stonith404@users.noreply.github.com>	2025-08-10 21:33:29 -05:00
Elias Schneider	6e4d2a4a33	release: 1.7.0	2025-08-10 20:01:03 +02:00
Elias Schneider	6c65bd34cd	chore(translations): update translations via Crowdin (#820 )	2025-08-10 19:50:36 +02:00
Kyle Mendell	7bfe4834d0	chore: switch from npm to pnpm (#786 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-08-10 12:16:30 -05:00
Kyle Mendell	484c2f6ef2	feat: user application dashboard (#727 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-08-10 15:56:03 +00:00
Elias Schneider	87956ea725	chore(translations): update translations via Crowdin (#819 )	2025-08-10 10:18:30 -05:00
Elias Schneider	32dd403038	chore(translations): update translations via Crowdin (#817 )	2025-08-10 14:49:24 +02:00
Elias Schneider	4d59e72866	fix: custom claims input suggestions instantly close after opening	2025-08-08 15:11:44 +02:00
Elias Schneider	9ac5d51187	fix: authorization animation not working	2025-08-08 12:23:32 +02:00
Elias Schneider	5a031f5d1b	refactor: use reflection to mark file based env variables (#815 )	2025-08-07 20:41:00 +02:00
Alessandro (Ale) Segala	535bc9f46b	chore: additional logs for database connections (#813 )	2025-08-06 18:04:25 +02:00
Kyle Mendell	f0c144c51c	fix: admins can not delete or disable their own account	2025-08-05 16:14:25 -05:00
Elias Schneider	61e4ea45fb	chore(translations): update translations via Crowdin (#811 )	2025-08-05 15:56:45 -05:00
Etienne	06e1656923	feat: add robots.txt to block indexing (#806 )	2025-08-02 18:30:50 +00:00
Alessandro (Ale) Segala	0a3b1c6530	feat: support reading secret env vars from _FILE (#799 ) Co-authored-by: Kyle Mendell <ksm@ofkm.us>	2025-07-30 11:59:25 -05:00
Kyle Mendell	d479817b6a	feat: add support for `code_challenge_methods_supported` (#794 )	2025-07-29 17:34:49 -05:00
Elias Schneider	01bf31d23d	chore(translations): update translations via Crowdin (#791 )	2025-07-27 20:21:37 -05:00
Alessandro (Ale) Segala	42a861d206	refactor: complete conversion of log calls to slog (#787 )	2025-07-27 04:34:23 +00:00
Alessandro (Ale) Segala	78266e3e4c	feat: Support OTel and JSON for logs (via log/slog) (#760 ) Co-authored-by: Kyle Mendell <kmendell@ofkm.us>	2025-07-27 01:03:52 +00:00
Alessandro (Ale) Segala	c8478d75be	fix: delete WebAuthn registration session after use (#783 )	2025-07-26 18:45:54 -05:00
Elias Schneider	28d93b00a3	chore(translations): update translations via Crowdin (#785 )	2025-07-26 16:37:42 -05:00
Kyle Mendell	12a7a6a5c5	chore: update Vietnamese display name	2025-07-26 15:33:36 -05:00
Elias Schneider	a6d5071724	chore(translations): update translations via Crowdin (#782 )	2025-07-25 15:48:52 -05:00
Elias Schneider	cebe2242b9	chore(translations): update translations via Crowdin (#779 )	2025-07-24 20:28:07 -05:00
Kyle Mendell	56ee7d946f	chore: fix federated credentials type error	2025-07-24 20:22:34 -05:00
Kyle Mendell	f3c6521f2b	chore: update dependencies and fix zod/4 import path	2025-07-24 20:16:17 -05:00
Kyle Mendell	ffed465f09	chore: update dependencies and fix zod/4 import path	2025-07-24 20:14:25 -05:00
Kyle Mendell	c359b5be06	chore: rename glass-row-item to passkey-row	2025-07-24 19:50:27 -05:00
Elias Schneider	e9a023bb71	chore(translations): update translations via Crowdin (#778 ) Co-authored-by: Kyle Mendell <kmendell@ofkm.us>	2025-07-24 19:35:16 -05:00
Kyle Mendell	60f0b28076	chore(transaltions): add Vietnamese files	2025-07-24 10:11:01 -05:00
Alessandro (Ale) Segala	d541c9ab4a	fix: set input type 'email' for email-based login (#776 )	2025-07-23 12:39:50 -05:00
dependabot[bot]	024ed53022	chore(deps): bump axios from 1.10.0 to 1.11.0 in /frontend in the npm_and_yarn group across 1 directory (#777 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-07-23 12:38:00 -05:00
Elias Schneider	2c78bd1b46	chore(translations): update translations via Crowdin (#767 )	2025-07-22 15:08:04 -05:00
dependabot[bot]	5602d79611	chore(deps): bump form-data from 4.0.1 to 4.0.4 in /frontend in the npm_and_yarn group across 1 directory (#771 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-07-22 15:07:43 -05:00
Kyle Mendell	51b73c9c31	chore(translations): add Ukrainian files	2025-07-21 15:56:59 -05:00
Elias Schneider	10f0580a43	chore(translations): update translations via Crowdin (#763 )	2025-07-21 07:32:57 -05:00
ItalyPaleAle	a1488565ea	release: 1.6.4	2025-07-21 07:44:25 +02:00
Alessandro (Ale) Segala	35d5f887ce	fix: migration fails on postgres (#762 )	2025-07-20 22:36:22 -07:00
Kyle Mendell	4c76de45ed	chore: remove labels from issue templates	2025-07-20 22:51:02 -05:00
Kyle Mendell	68fc9c0659	release: 1.6.3	2025-07-20 22:35:35 -05:00
Kyle Mendell	2952b15755	fix: show rename and delete buttons for passkeys without hovering over the row	2025-07-20 19:09:06 -05:00
Kyle Mendell	ef1d599662	fix: use user-agent for identifying known device signins	2025-07-20 19:02:17 -05:00
Kyle Mendell	4e49d3932a	chore: upgrade dependencies (#752 )	2025-07-14 23:36:36 -05:00
Elias Schneider	86d3c08494	chore(translations): update translations via Crowdin (#750 )	2025-07-14 13:15:33 -05:00
Alessandro (Ale) Segala	7b4ccd1f30	fix: ensure user inputs are normalized (#724 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-07-13 16:15:57 +00:00
Kyle Mendell	f145903eb0	chore: use correct svelte 5 syntax for signup token modal	2025-07-11 22:53:01 -05:00
Kyle Mendell	d3bc1797b6	fix: use object-contain for images on oidc-client list	2025-07-11 22:46:40 -05:00
Kyle Mendell	db94f81937	chore: use issue types for new issues	2025-07-11 22:25:11 -05:00
Kyle Mendell	b03e91b653	fix: allow passkey names up to 50 characters	2025-07-11 22:10:59 -05:00
Kyle Mendell	505bdcb8ba	release: 1.6.2	2025-07-09 16:56:34 -05:00
Kyle Mendell	f103a54790	fix: ensure confirmation dialog shows on top of other components	2025-07-09 16:50:01 -05:00
Alessandro (Ale) Segala	e1de593dcd	fix: login failures on Postgres when IP is null (#737 )	2025-07-09 08:45:07 -05:00
Elias Schneider	45f42772b1	chore(translations): update translations via Crowdin (#730 )	2025-07-07 20:06:52 -05:00
XLion	98152640b1	chore(translations): Fix inconsistent punctuation marks for the language name of zh-TW (#731 )	2025-07-07 12:54:45 +00:00
github-actions[bot]	04e235e805	chore: update AAGUIDs (#729 ) Co-authored-by: stonith404 <58886915+stonith404@users.noreply.github.com>	2025-07-06 21:04:32 -05:00
Elias Schneider	ae737dddaa	release: 1.6.1	2025-07-06 22:50:33 +02:00
Elias Schneider	f565c702e5	ci/cd: use `latest-distroless` tag for latest distroless images	2025-07-06 22:48:55 +02:00
Elias Schneider	f945b44bc9	release: 1.6.0	2025-07-06 20:19:45 +02:00
Elias Schneider	857b9cc864	refactor: run formatter	2025-07-06 15:32:19 +02:00
Elias Schneider	bf042563e9	feat: add support for OAuth 2.0 Authorization Server Issuer Identification	2025-07-06 15:29:26 +02:00
Elias Schneider	49f1ab2f75	fix: custom claims input suggestions flickering	2025-07-06 00:23:06 +02:00
Elias Schneider	e46f60ac8d	fix: keep sidebar in settings sticky	2025-07-05 21:59:13 +02:00
Elias Schneider	5c9e504291	fix: show friendly name in user group selection	2025-07-05 21:58:56 +02:00
Alessandro (Ale) Segala	7fe83f8087	fix: actually fix linter issues (#720 )	2025-07-04 21:14:44 -05:00
Alessandro (Ale) Segala	43f0114c57	fix: linter issues (#719 )	2025-07-04 18:29:28 -05:00
Alessandro (Ale) Segala	1a41b05f60	feat: distroless container additional variant + healthcheck command (#716 )	2025-07-04 12:26:01 -07:00
Elias Schneider	81315790a8	fix: support non UTF-8 LDAP IDs (#714 )	2025-07-04 08:42:11 +02:00
Alessandro (Ale) Segala	8c8fc2304d	feat: add "key-rotate" command (#709 )	2025-07-03 22:23:24 +02:00
Elias Schneider	15ece0ab30	chore(translations): update translations via Crowdin (#712 )	2025-07-03 13:47:27 -05:00
Alessandro (Ale) Segala	5550729120	feat: encrypt private keys saved on disk and in database (#682 ) Co-authored-by: Kyle Mendell <kmendell@ofkm.us>	2025-07-03 13:34:34 -05:00
Elias Schneider	9872608d61	fix: allow profile picture update even if "allow own account edit" enabled	2025-07-03 10:57:56 +02:00
Elias Schneider	be52660227	feat: enhance language selection message and add translation contribution link	2025-07-03 09:20:39 +02:00
Elias Schneider	237342e876	chore(translations): update translations via Crowdin (#707 )	2025-07-02 13:45:10 +02:00
Elias Schneider	cfbfbc9753	chore(translations): update translations via Crowdin (#705 )	2025-07-01 17:11:42 -05:00
Elias Schneider	aefb308536	fix: token introspection authentication not handled correctly (#704 ) Co-authored-by: Alessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>	2025-07-01 21:14:07 +00:00
Alessandro (Ale) Segala	031181ad2a	fix: auth fails when client IP is empty on Postgres (#695 )	2025-06-30 14:04:30 +02:00
Elias Schneider	dbf3da41f3	chore(translations): update translations via Crowdin (#699 ) Co-authored-by: Kyle Mendell <kmendell@ofkm.us>	2025-06-29 13:04:15 -05:00
Kyle Mendell	3a2902789e	chore: use correct team name for codeowners	2025-06-29 09:31:32 -05:00
Kyle Mendell	459a4fd727	chore: update CODEOWNERS to be global	2025-06-29 09:30:00 -05:00
Kyle Mendell	2ecc1abbad	chore: add CODEOWNERS file	2025-06-29 09:28:08 -05:00
Kyle Mendell	92c57ada1a	fix: app config forms not updating with latest values (#696 )	2025-06-29 15:13:06 +02:00
Elias Schneider	fceb6fa7b4	fix: add missing error check in initial user setup	2025-06-29 15:10:39 +02:00
Alessandro (Ale) Segala	c290c027fb	refactor: use github.com/jinzhu/copier for MapStruct (#698 )	2025-06-29 15:01:10 +02:00
Elias Schneider	ca205a8c73	chore(translations): update translations via Crowdin (#697 )	2025-06-29 01:01:39 -05:00
Elias Schneider	968cf0b307	chore(translations): update translations via Crowdin (#694 )	2025-06-28 21:25:58 -05:00
Elias Schneider	fd8bee94a4	chore(translations): update translations via Crowdin (#692 )	2025-06-28 15:26:17 +02:00
Manuel Rais	41ac1be082	chore(translations) : translate missing french values (#691 )	2025-06-28 15:26:05 +02:00
Elias Schneider	dd9b1d26ea	release: 1.5.0	2025-06-27 23:56:16 +02:00
Elias Schneider	4b829757b2	tests: fix e2e tests	2025-06-27 23:52:43 +02:00
Elias Schneider	b5b01cb6dd	chore(translations): update translations via Crowdin (#688 )	2025-06-27 23:42:32 +02:00
Elias Schneider	287314f016	feat: improve initial admin creation workflow	2025-06-27 23:41:05 +02:00
Elias Schneider	73e7e0b1c5	refactor: add formatter to Playwright tests	2025-06-27 23:33:26 +02:00
Elias Schneider	d070b9a778	fix: double double full stops for certain error messages	2025-06-27 22:43:31 +02:00
Elias Schneider	d976bf5965	fix: improve accent color picker disabled state	2025-06-27 22:38:21 +02:00
Elias Schneider	052ac008c3	fix: margin of user sign up description	2025-06-27 22:31:55 +02:00
Elias Schneider	57a2b2bc83	chore(translations): update translations via Crowdin (#687 )	2025-06-27 22:24:36 +02:00
ElevenNotes	043f82ad79	fix: less noisy logging for certain GET requests (#681 ) Co-authored-by: Kyle Mendell <kmendell@ofkm.us> Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-06-27 22:24:22 +02:00
Elias Schneider	ba61cdba4e	feat: redact sensitive app config variables if set with env variable	2025-06-27 22:22:28 +02:00
Kyle Mendell	dcd1ae96e0	feat: self-service user signup (#672 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-06-27 15:01:10 -05:00
Elias Schneider	1fdb058386	docs: clarify confusing user update logic	2025-06-27 17:20:51 +02:00
Elias Schneider	29cb5513a0	fix: users can't be updated by admin if self account editing is disabled	2025-06-27 17:15:26 +02:00
Elias Schneider	6db57d9f27	chore(translations): update translations via Crowdin (#683 )	2025-06-26 19:01:16 +02:00
Elias Schneider	1a77bd9914	fix: error page flickering after sign out	2025-06-24 21:56:40 +02:00
Elias Schneider	350335711b	chore(translations): update translations via Crowdin (#677 )	2025-06-24 09:00:57 -05:00
Ryan Kaskel	988c425150	fix: remove duplicate request logging (#678 )	2025-06-24 13:48:11 +00:00
Elias Schneider	23827ba1d1	release: 1.4.1	2025-06-22 21:30:07 +02:00
Elias Schneider	7d36bda769	fix: app not starting if UI config is disabled and Postgres is used	2025-06-22 21:21:14 +02:00
Manuel Rais	8c559ea067	chore(translations) : typo in french language (#669 )	2025-06-22 18:58:59 +00:00
Elias Schneider	88832d4bc9	chore(translations): update translations via Crowdin (#663 )	2025-06-20 11:11:42 +02:00
Kyle Mendell	f5cece3b0e	release: 1.4.0	2025-06-19 13:21:49 -05:00
Kyle Mendell	d5485238b8	feat: configurable local ipv6 ranges for audit log (#657 )	2025-06-19 19:56:27 +02:00
Kyle Mendell	ac5a121f66	feat: location filter for global audit log (#662 )	2025-06-19 17:12:53 +00:00
Elias Schneider	481df3bcb9	chore: add configuration for backend hot reloading	2025-06-19 18:45:01 +02:00
Mr Snake	7677a3de2c	feat: allow setting unix socket mode (#661 )	2025-06-18 18:41:57 +02:00
Elias Schneider	1f65c01b04	chore(translations): update translations via Crowdin (#659 )	2025-06-18 09:11:36 -05:00
Elias Schneider	d5928f6fea	chore: remove unused crypto util	2025-06-17 17:55:52 +02:00
Elias Schneider	bef77ac8dc	fix: use inline style for dynamic background image URL instead of Tailwind class	2025-06-17 13:10:02 +02:00
Elias Schneider	c8eb034c49	chore: use `v1` tag in example `docker-compose.yml`	2025-06-16 23:31:16 +02:00
Elias Schneider	c77167df46	ci/cd: cancel `build-next` action if new one starts	2025-06-16 16:12:33 +02:00
Elias Schneider	3717a663d9	ci/cd: only build required binaries for `next` image	2025-06-16 16:09:09 +02:00
Elias Schneider	5814549cbe	refactor: run formatter	2025-06-16 16:06:11 +02:00
Elias Schneider	2e5d268798	fix: explicitly cache images to prevent unexpected behavior	2025-06-16 15:59:14 +02:00
Elias Schneider	4ed312251e	chore(translations): update translations via Crowdin (#652 )	2025-06-15 09:57:08 -05:00
Elias Schneider	946c534b08	fix: center oidc client images if they are smaller than the box	2025-06-14 19:33:40 +02:00
Kyle Mendell	883877adec	feat: ui accent colors (#643 ) Co-authored-by: Elias Schneider <login@eliasschneider.com>	2025-06-13 07:06:54 -05:00
Elias Schneider	215531d65c	feat: use icon instead of text on application image update hover state	2025-06-13 12:07:14 +02:00
Elias Schneider	c0f055c3c0	chore(translations): update translations via Crowdin (#649 )	2025-06-10 22:01:50 -05:00
Alessandro (Ale) Segala	d77044882d	fix: reduce duration of animations on login and signin page (#648 )	2025-06-10 21:14:55 +02:00
Alessandro (Ale) Segala	d6795300b1	feat: auto-focus on the login buttons (#647 )	2025-06-10 21:13:36 +02:00
Elias Schneider	fd3c76ffa3	refactor: run formatter	2025-06-10 14:43:56 +02:00
Amazingca	698bc3a35a	chore(translations): Update spelling and grammar in en.json (#650 )	2025-06-10 07:34:49 -05:00
Elias Schneider	1bcb50edc3	fix: allow images with uppercase file extension	2025-06-10 11:11:03 +02:00
Elias Schneider	9700afb9cb	chore(translations): update translations via Crowdin (#644 )	2025-06-10 10:36:52 +02:00