chore: avoid sorting on every traversal

To support otel format of diffrent types of attributes

.github/workflows/integrationci.yaml

@@ -51,7 +51,6 @@ jobs:
           - alerts
           - ingestionkeys
           - rootuser
-          - serviceaccount
         sqlstore-provider:
           - postgres
           - sqlite

conf/example.yaml

@@ -354,13 +354,3 @@ identn:
   impersonation:
     # toggle impersonation identN, when enabled, all requests will impersonate the root user
     enabled: false
-
-##################### Service Account #####################
-serviceaccount:
-  email:
-    # email domain for the service account principal
-    domain: signozserviceaccount.com
-
-  analytics:
-    # toggle service account analytics
-    enabled: true

docs/api/openapi.yml

@@ -2447,7 +2447,7 @@ components:
       - start
       - end
       type: object
-    ServiceaccounttypesGettableFactorAPIKey:
+    ServiceaccounttypesFactorAPIKey:
       properties:
         createdAt:
           format: date-time
@@ -2457,6 +2457,8 @@ components:
           type: integer
         id:
           type: string
+        key:
+          type: string
         lastObservedAt:
           format: date-time
           type: string
@@ -2469,6 +2471,7 @@ components:
           type: string
       required:
       - id
+      - key
       - expiresAt
       - lastObservedAt
       - serviceAccountId
@@ -2496,68 +2499,25 @@ components:
       type: object
     ServiceaccounttypesPostableServiceAccount:
       properties:
+        email:
+          type: string
         name:
           type: string
+        roles:
+          items:
+            type: string
+          type: array
       required:
       - name
-      type: object
-    ServiceaccounttypesPostableServiceAccountRole:
-      properties:
-        id:
-          type: string
-      required:
-      - id
+      - email
+      - roles
       type: object
     ServiceaccounttypesServiceAccount:
       properties:
         createdAt:
           format: date-time
           type: string
-        email:
-          type: string
-        id:
-          type: string
-        name:
-          type: string
-        orgId:
-          type: string
-        status:
-          type: string
-        updatedAt:
-          format: date-time
-          type: string
-      required:
-      - id
-      - name
-      - email
-      - status
-      - orgId
-      type: object
-    ServiceaccounttypesServiceAccountRole:
-      properties:
-        createdAt:
-          format: date-time
-          type: string
-        id:
-          type: string
-        role:
-          $ref: '#/components/schemas/AuthtypesRole'
-        roleId:
-          type: string
-        serviceAccountId:
-          type: string
-        updatedAt:
-          format: date-time
-          type: string
-      required:
-      - id
-      - serviceAccountId
-      - roleId
-      - role
-      type: object
-    ServiceaccounttypesServiceAccountWithRoles:
-      properties:
-        createdAt:
+        deletedAt:
           format: date-time
           type: string
         email:
@@ -2568,10 +2528,9 @@ components:
           type: string
         orgId:
           type: string
-        serviceAccountRoles:
+        roles:
           items:
-            $ref: '#/components/schemas/ServiceaccounttypesServiceAccountRole'
-          nullable: true
+            type: string
           type: array
         status:
           type: string
@@ -2582,9 +2541,10 @@ components:
       - id
       - name
       - email
+      - roles
       - status
       - orgId
-      - serviceAccountRoles
+      - deletedAt
       type: object
     ServiceaccounttypesUpdatableFactorAPIKey:
       properties:
@@ -2597,6 +2557,28 @@ components:
       - name
       - expiresAt
       type: object
+    ServiceaccounttypesUpdatableServiceAccount:
+      properties:
+        email:
+          type: string
+        name:
+          type: string
+        roles:
+          items:
+            type: string
+          type: array
+      required:
+      - name
+      - email
+      - roles
+      type: object
+    ServiceaccounttypesUpdatableServiceAccountStatus:
+      properties:
+        status:
+          type: string
+      required:
+      - status
+      type: object
     TelemetrytypesFieldContext:
       enum:
       - metric
@@ -2720,6 +2702,43 @@ components:
       required:
       - id
       type: object
+    TypesGettableAPIKey:
+      properties:
+        createdAt:
+          format: date-time
+          type: string
+        createdBy:
+          type: string
+        createdByUser:
+          $ref: '#/components/schemas/TypesUser'
+        expiresAt:
+          format: int64
+          type: integer
+        id:
+          type: string
+        lastUsed:
+          format: int64
+          type: integer
+        name:
+          type: string
+        revoked:
+          type: boolean
+        role:
+          type: string
+        token:
+          type: string
+        updatedAt:
+          format: date-time
+          type: string
+        updatedBy:
+          type: string
+        updatedByUser:
+          $ref: '#/components/schemas/TypesUser'
+        userId:
+          type: string
+      required:
+      - id
+      type: object
     TypesIdentifiable:
       properties:
         id:
@@ -2774,6 +2793,16 @@ components:
       required:
       - id
       type: object
+    TypesPostableAPIKey:
+      properties:
+        expiresInDays:
+          format: int64
+          type: integer
+        name:
+          type: string
+        role:
+          type: string
+      type: object
     TypesPostableBulkInviteRequest:
       properties:
         invites:
@@ -2834,6 +2863,33 @@ components:
       required:
       - id
       type: object
+    TypesStorableAPIKey:
+      properties:
+        createdAt:
+          format: date-time
+          type: string
+        createdBy:
+          type: string
+        id:
+          type: string
+        name:
+          type: string
+        revoked:
+          type: boolean
+        role:
+          type: string
+        token:
+          type: string
+        updatedAt:
+          format: date-time
+          type: string
+        updatedBy:
+          type: string
+        userId:
+          type: string
+      required:
+      - id
+      type: object
     TypesUpdatableUser:
       properties:
         displayName:
@@ -4910,6 +4966,222 @@ paths:
       summary: Update org preference
       tags:
       - preferences
+  /api/v1/pats:
+    get:
+      deprecated: false
+      description: This endpoint lists all api keys
+      operationId: ListAPIKeys
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    items:
+                      $ref: '#/components/schemas/TypesGettableAPIKey'
+                    type: array
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: OK
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: List api keys
+      tags:
+      - users
+    post:
+      deprecated: false
+      description: This endpoint creates an api key
+      operationId: CreateAPIKey
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/TypesPostableAPIKey'
+      responses:
+        "201":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    $ref: '#/components/schemas/TypesGettableAPIKey'
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: Created
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "409":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Conflict
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Create api key
+      tags:
+      - users
+  /api/v1/pats/{id}:
+    delete:
+      deprecated: false
+      description: This endpoint revokes an api key
+      operationId: RevokeAPIKey
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      responses:
+        "204":
+          description: No Content
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Revoke api key
+      tags:
+      - users
+    put:
+      deprecated: false
+      description: This endpoint updates an api key
+      operationId: UpdateAPIKey
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/TypesStorableAPIKey'
+      responses:
+        "204":
+          content:
+            application/json:
+              schema:
+                type: string
+          description: No Content
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Update api key
+      tags:
+      - users
   /api/v1/public/dashboards/{id}:
     get:
       deprecated: false
@@ -5684,7 +5956,7 @@ paths:
               schema:
                 properties:
                   data:
-                    $ref: '#/components/schemas/ServiceaccounttypesServiceAccountWithRoles'
+                    $ref: '#/components/schemas/ServiceaccounttypesServiceAccount'
                   status:
                     type: string
                 required:
@@ -5738,7 +6010,7 @@ paths:
         content:
           application/json:
             schema:
-              $ref: '#/components/schemas/ServiceaccounttypesPostableServiceAccount'
+              $ref: '#/components/schemas/ServiceaccounttypesUpdatableServiceAccount'
       responses:
         "204":
           content:
@@ -5803,7 +6075,7 @@ paths:
                 properties:
                   data:
                     items:
-                      $ref: '#/components/schemas/ServiceaccounttypesGettableFactorAPIKey'
+                      $ref: '#/components/schemas/ServiceaccounttypesFactorAPIKey'
                     type: array
                   status:
                     type: string
@@ -6026,71 +6298,11 @@ paths:
       summary: Updates a service account key
       tags:
       - serviceaccount
-  /api/v1/service_accounts/{id}/roles:
-    get:
+  /api/v1/service_accounts/{id}/status:
+    put:
       deprecated: false
-      description: This endpoint gets all the roles for the existing service account
-      operationId: GetServiceAccountRoles
-      parameters:
-      - in: path
-        name: id
-        required: true
-        schema:
-          type: string
-      responses:
-        "200":
-          content:
-            application/json:
-              schema:
-                properties:
-                  data:
-                    items:
-                      $ref: '#/components/schemas/AuthtypesRole'
-                    nullable: true
-                    type: array
-                  status:
-                    type: string
-                required:
-                - status
-                - data
-                type: object
-          description: OK
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "404":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Not Found
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: Gets service account roles
-      tags:
-      - serviceaccount
-    post:
-      deprecated: false
-      description: This endpoint assigns a role to a service account
-      operationId: CreateServiceAccountRole
+      description: This endpoint updates an existing service account status
+      operationId: UpdateServiceAccountStatus
       parameters:
       - in: path
         name: id
@@ -6101,22 +6313,14 @@ paths:
         content:
           application/json:
             schema:
-              $ref: '#/components/schemas/ServiceaccounttypesPostableServiceAccountRole'
+              $ref: '#/components/schemas/ServiceaccounttypesUpdatableServiceAccountStatus'
       responses:
-        "201":
+        "204":
           content:
             application/json:
               schema:
-                properties:
-                  data:
-                    $ref: '#/components/schemas/TypesIdentifiable'
-                  status:
-                    type: string
-                required:
-                - status
-                - data
-                type: object
-          description: Created
+                type: string
+          description: No Content
         "400":
           content:
             application/json:
@@ -6135,89 +6339,6 @@ paths:
               schema:
                 $ref: '#/components/schemas/RenderErrorResponse'
           description: Forbidden
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: Create service account role
-      tags:
-      - serviceaccount
-  /api/v1/service_accounts/{id}/roles/{rid}:
-    delete:
-      deprecated: false
-      description: This endpoint revokes a role from service account
-      operationId: DeleteServiceAccountRole
-      parameters:
-      - in: path
-        name: id
-        required: true
-        schema:
-          type: string
-      - in: path
-        name: rid
-        required: true
-        schema:
-          type: string
-      responses:
-        "204":
-          content:
-            application/json:
-              schema:
-                type: string
-          description: No Content
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: Delete service account role
-      tags:
-      - serviceaccount
-  /api/v1/service_accounts/me:
-    get:
-      deprecated: false
-      description: This endpoint gets my service account
-      operationId: GetMyServiceAccount
-      responses:
-        "200":
-          content:
-            application/json:
-              schema:
-                properties:
-                  data:
-                    $ref: '#/components/schemas/ServiceaccounttypesServiceAccountWithRoles'
-                  status:
-                    type: string
-                required:
-                - status
-                - data
-                type: object
-          description: OK
         "404":
           content:
             application/json:
@@ -6230,38 +6351,12 @@ paths:
               schema:
                 $ref: '#/components/schemas/RenderErrorResponse'
           description: Internal Server Error
-      summary: Gets my service account
-      tags:
-      - serviceaccount
-    put:
-      deprecated: false
-      description: This endpoint gets my service account
-      operationId: UpdateMyServiceAccount
-      requestBody:
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/ServiceaccounttypesPostableServiceAccount'
-      responses:
-        "204":
-          content:
-            application/json:
-              schema:
-                type: string
-          description: No Content
-        "404":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Not Found
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      summary: Updates my service account
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Updates a service account status
       tags:
       - serviceaccount
   /api/v1/user:

ee/authz/openfgaserver/server.go

@@ -34,22 +34,9 @@ func (server *Server) Stop(ctx context.Context) error {
 }
 
 func (server *Server) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, relation authtypes.Relation, typeable authtypes.Typeable, selectors []authtypes.Selector, _ []authtypes.Selector) error {
-	subject := ""
-	switch claims.Principal {
-	case authtypes.PrincipalUser:
-		user, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
-		if err != nil {
-			return err
-		}
-
-		subject = user
-	case authtypes.PrincipalServiceAccount:
-		serviceAccount, err := authtypes.NewSubject(authtypes.TypeableServiceAccount, claims.ServiceAccountID, orgID, nil)
-		if err != nil {
-			return err
-		}
-
-		subject = serviceAccount
+	subject, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
+	if err != nil {
+		return err
 	}
 
 	tupleSlice, err := typeable.Tuples(subject, relation, selectors, orgID)

ee/modules/dashboard/impldashboard/module.go

@@ -213,8 +213,8 @@ func (module *module) Update(ctx context.Context, orgID valuer.UUID, id valuer.U
 	return module.pkgDashboardModule.Update(ctx, orgID, id, updatedBy, data, diff)
 }
 
-func (module *module) LockUnlock(ctx context.Context, orgID valuer.UUID, id valuer.UUID, updatedBy string, isAdmin bool, lock bool) error {
-	return module.pkgDashboardModule.LockUnlock(ctx, orgID, id, updatedBy, isAdmin, lock)
+func (module *module) LockUnlock(ctx context.Context, orgID valuer.UUID, id valuer.UUID, updatedBy string, role types.Role, lock bool) error {
+	return module.pkgDashboardModule.LockUnlock(ctx, orgID, id, updatedBy, role, lock)
 }
 
 func (module *module) MustGetTypeables() []authtypes.Typeable {

ee/query-service/app/api/cloudIntegrations.go

@@ -14,9 +14,10 @@ import (
 
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/http/render"
+	"github.com/SigNoz/signoz/pkg/modules/user"
 	basemodel "github.com/SigNoz/signoz/pkg/query-service/model"
+	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/gorilla/mux"
 )
@@ -49,7 +50,7 @@ func (ah *APIHandler) CloudIntegrationsGenerateConnectionParams(w http.ResponseW
 		return
 	}
 
-	apiKey, apiErr := ah.getOrCreateCloudIntegrationFactorAPIKey(r.Context(), valuer.MustNewUUID(claims.OrgID), cloudProvider)
+	apiKey, apiErr := ah.getOrCreateCloudIntegrationPAT(r.Context(), claims.OrgID, cloudProvider)
 	if apiErr != nil {
 		RespondError(w, basemodel.WrapApiError(
 			apiErr, "couldn't provision PAT for cloud integration:",
@@ -109,44 +110,84 @@ func (ah *APIHandler) CloudIntegrationsGenerateConnectionParams(w http.ResponseW
 	ah.Respond(w, result)
 }
 
-func (ah *APIHandler) getOrCreateCloudIntegrationFactorAPIKey(ctx context.Context, orgID valuer.UUID, cloudProvider string) (
+func (ah *APIHandler) getOrCreateCloudIntegrationPAT(ctx context.Context, orgId string, cloudProvider string) (
 	string, *basemodel.ApiError,
 ) {
-	integrationPATName := fmt.Sprintf("%s", cloudProvider)
-	serviceAccount, apiErr := ah.getOrCreateCloudIntegrationServiceAccount(ctx, orgID)
+	integrationPATName := fmt.Sprintf("%s integration", cloudProvider)
+
+	integrationUser, apiErr := ah.getOrCreateCloudIntegrationUser(ctx, orgId, cloudProvider)
 	if apiErr != nil {
 		return "", apiErr
 	}
 
-	factorAPIKey, err := serviceAccount.NewFactorAPIKey(integrationPATName, 0)
+	orgIdUUID, err := valuer.NewUUID(orgId)
+	if err != nil {
+		return "", basemodel.InternalError(fmt.Errorf(
+			"couldn't parse orgId: %w", err,
+		))
+	}
+
+	allPats, err := ah.Signoz.Modules.UserSetter.ListAPIKeys(ctx, orgIdUUID)
+	if err != nil {
+		return "", basemodel.InternalError(fmt.Errorf(
+			"couldn't list PATs: %w", err,
+		))
+	}
+	for _, p := range allPats {
+		if p.UserID == integrationUser.ID && p.Name == integrationPATName {
+			return p.Token, nil
+		}
+	}
+
+	slog.InfoContext(ctx, "no PAT found for cloud integration, creating a new one",
+		"cloud_provider", cloudProvider,
+	)
+
+	newPAT, err := types.NewStorableAPIKey(
+		integrationPATName,
+		integrationUser.ID,
+		types.RoleViewer,
+		0,
+	)
 	if err != nil {
 		return "", basemodel.InternalError(fmt.Errorf(
 			"couldn't create cloud integration PAT: %w", err,
 		))
 	}
 
-	factorAPIKey, err = ah.Signoz.Modules.ServiceAccount.GetOrCreateFactorAPIKey(ctx, factorAPIKey)
+	err = ah.Signoz.Modules.UserSetter.CreateAPIKey(ctx, newPAT)
 	if err != nil {
 		return "", basemodel.InternalError(fmt.Errorf(
 			"couldn't create cloud integration PAT: %w", err,
 		))
 	}
-	return factorAPIKey.Key, nil
+	return newPAT.Token, nil
 }
 
-func (ah *APIHandler) getOrCreateCloudIntegrationServiceAccount(ctx context.Context, orgId valuer.UUID) (*serviceaccounttypes.ServiceAccount, *basemodel.ApiError) {
-	domain := ah.Signoz.Modules.ServiceAccount.Config().Email.Domain
-	cloudIntegrationServiceAccount := serviceaccounttypes.NewServiceAccount("integration", domain, serviceaccounttypes.ServiceAccountStatusActive, orgId)
-	cloudIntegrationServiceAccount, err := ah.Signoz.Modules.ServiceAccount.GetOrCreate(ctx, orgId, cloudIntegrationServiceAccount)
+func (ah *APIHandler) getOrCreateCloudIntegrationUser(
+	ctx context.Context, orgId string, cloudProvider string,
+) (*types.User, *basemodel.ApiError) {
+	cloudIntegrationUserName := fmt.Sprintf("%s-integration", cloudProvider)
+	email := valuer.MustNewEmail(fmt.Sprintf("%s@signoz.io", cloudIntegrationUserName))
+
+	cloudIntegrationUser, err := types.NewUser(cloudIntegrationUserName, email, valuer.MustNewUUID(orgId), types.UserStatusActive)
 	if err != nil {
-		return nil, basemodel.InternalError(fmt.Errorf("couldn't create cloud integration service account: %w", err))
-	}
-	err = ah.Signoz.Modules.ServiceAccount.SetRoleByName(ctx, orgId, cloudIntegrationServiceAccount.ID, authtypes.SigNozViewerRoleName)
-	if err != nil {
-		return nil, basemodel.InternalError(fmt.Errorf("couldn't create cloud integration service account: %w", err))
+		return nil, basemodel.InternalError(fmt.Errorf("couldn't create cloud integration user: %w", err))
 	}
 
-	return cloudIntegrationServiceAccount, nil
+	password := types.MustGenerateFactorPassword(cloudIntegrationUser.ID.StringValue())
+
+	cloudIntegrationUser, err = ah.Signoz.Modules.UserSetter.GetOrCreateUser(
+		ctx,
+		cloudIntegrationUser,
+		user.WithFactorPassword(password),
+		user.WithRoleNames([]string{authtypes.SigNozViewerRoleName}),
+	)
+	if err != nil {
+		return nil, basemodel.InternalError(fmt.Errorf("couldn't look for integration user: %w", err))
+	}
+
+	return cloudIntegrationUser, nil
 }
 
 func (ah *APIHandler) getIngestionUrlAndSigNozAPIUrl(ctx context.Context, licenseKey string) (

frontend/src/AppRoutes/__tests__/Private.test.tsx

@@ -306,19 +306,11 @@ describe('PrivateRoute', () => {
 			);
 		});
 
-		it('should redirect /settings/access-tokens to /settings/service-accounts', () => {
+		it('should redirect /settings/access-tokens to /settings/api-keys', () => {
 			renderPrivateRoute({ initialRoute: '/settings/access-tokens' });
 
 			expect(screen.getByTestId('location-display')).toHaveTextContent(
-				'/settings/service-accounts',
-			);
-		});
-
-		it('should redirect /settings/api-keys to /settings/service-accounts', () => {
-			renderPrivateRoute({ initialRoute: '/settings/api-keys' });
-
-			expect(screen.getByTestId('location-display')).toHaveTextContent(
-				'/settings/service-accounts',
+				'/settings/api-keys',
 			);
 		});
 

frontend/src/AppRoutes/pageComponents.ts

@@ -157,6 +157,10 @@ export const IngestionSettings = Loadable(
 	() => import(/* webpackChunkName: "Ingestion Settings" */ 'pages/Settings'),
 );
 
+export const APIKeys = Loadable(
+	() => import(/* webpackChunkName: "All Settings" */ 'pages/Settings'),
+);
+
 export const MySettings = Loadable(
 	() => import(/* webpackChunkName: "All MySettings" */ 'pages/Settings'),
 );

frontend/src/AppRoutes/routes.ts

@@ -513,7 +513,6 @@ export const oldRoutes = [
 	'/logs-save-views',
 	'/traces-save-views',
 	'/settings/access-tokens',
-	'/settings/api-keys',
 	'/messaging-queues',
 	'/alerts/edit',
 ];
@@ -524,8 +523,7 @@ export const oldNewRoutesMapping: Record<string, string> = {
 	'/logs-explorer/live': '/logs/logs-explorer/live',
 	'/logs-save-views': '/logs/saved-views',
 	'/traces-save-views': '/traces/saved-views',
-	'/settings/access-tokens': '/settings/service-accounts',
-	'/settings/api-keys': '/settings/service-accounts',
+	'/settings/access-tokens': '/settings/api-keys',
 	'/messaging-queues': '/messaging-queues/overview',
 	'/alerts/edit': '/alerts/overview',
 };

frontend/src/api/generated/services/serviceaccount/index.ts

@@ -23,15 +23,9 @@ import type {
 	CreateServiceAccount201,
 	CreateServiceAccountKey201,
 	CreateServiceAccountKeyPathParameters,
-	CreateServiceAccountRole201,
-	CreateServiceAccountRolePathParameters,
 	DeleteServiceAccountPathParameters,
-	DeleteServiceAccountRolePathParameters,
-	GetMyServiceAccount200,
 	GetServiceAccount200,
 	GetServiceAccountPathParameters,
-	GetServiceAccountRoles200,
-	GetServiceAccountRolesPathParameters,
 	ListServiceAccountKeys200,
 	ListServiceAccountKeysPathParameters,
 	ListServiceAccounts200,
@@ -39,10 +33,12 @@ import type {
 	RevokeServiceAccountKeyPathParameters,
 	ServiceaccounttypesPostableFactorAPIKeyDTO,
 	ServiceaccounttypesPostableServiceAccountDTO,
-	ServiceaccounttypesPostableServiceAccountRoleDTO,
 	ServiceaccounttypesUpdatableFactorAPIKeyDTO,
+	ServiceaccounttypesUpdatableServiceAccountDTO,
+	ServiceaccounttypesUpdatableServiceAccountStatusDTO,
 	UpdateServiceAccountKeyPathParameters,
 	UpdateServiceAccountPathParameters,
+	UpdateServiceAccountStatusPathParameters,
 } from '../sigNoz.schemas';
 
 /**
@@ -403,13 +399,13 @@ export const invalidateGetServiceAccount = async (
  */
 export const updateServiceAccount = (
 	{ id }: UpdateServiceAccountPathParameters,
-	serviceaccounttypesPostableServiceAccountDTO: BodyType<ServiceaccounttypesPostableServiceAccountDTO>,
+	serviceaccounttypesUpdatableServiceAccountDTO: BodyType<ServiceaccounttypesUpdatableServiceAccountDTO>,
 ) => {
 	return GeneratedAPIInstance<string>({
 		url: `/api/v1/service_accounts/${id}`,
 		method: 'PUT',
 		headers: { 'Content-Type': 'application/json' },
-		data: serviceaccounttypesPostableServiceAccountDTO,
+		data: serviceaccounttypesUpdatableServiceAccountDTO,
 	});
 };
 
@@ -422,7 +418,7 @@ export const getUpdateServiceAccountMutationOptions = <
 		TError,
 		{
 			pathParams: UpdateServiceAccountPathParameters;
-			data: BodyType<ServiceaccounttypesPostableServiceAccountDTO>;
+			data: BodyType<ServiceaccounttypesUpdatableServiceAccountDTO>;
 		},
 		TContext
 	>;
@@ -431,7 +427,7 @@ export const getUpdateServiceAccountMutationOptions = <
 	TError,
 	{
 		pathParams: UpdateServiceAccountPathParameters;
-		data: BodyType<ServiceaccounttypesPostableServiceAccountDTO>;
+		data: BodyType<ServiceaccounttypesUpdatableServiceAccountDTO>;
 	},
 	TContext
 > => {
@@ -448,7 +444,7 @@ export const getUpdateServiceAccountMutationOptions = <
 		Awaited<ReturnType<typeof updateServiceAccount>>,
 		{
 			pathParams: UpdateServiceAccountPathParameters;
-			data: BodyType<ServiceaccounttypesPostableServiceAccountDTO>;
+			data: BodyType<ServiceaccounttypesUpdatableServiceAccountDTO>;
 		}
 	> = (props) => {
 		const { pathParams, data } = props ?? {};
@@ -462,7 +458,7 @@ export const getUpdateServiceAccountMutationOptions = <
 export type UpdateServiceAccountMutationResult = NonNullable<
 	Awaited<ReturnType<typeof updateServiceAccount>>
 >;
-export type UpdateServiceAccountMutationBody = BodyType<ServiceaccounttypesPostableServiceAccountDTO>;
+export type UpdateServiceAccountMutationBody = BodyType<ServiceaccounttypesUpdatableServiceAccountDTO>;
 export type UpdateServiceAccountMutationError = ErrorType<RenderErrorResponseDTO>;
 
 /**
@@ -477,7 +473,7 @@ export const useUpdateServiceAccount = <
 		TError,
 		{
 			pathParams: UpdateServiceAccountPathParameters;
-			data: BodyType<ServiceaccounttypesPostableServiceAccountDTO>;
+			data: BodyType<ServiceaccounttypesUpdatableServiceAccountDTO>;
 		},
 		TContext
 	>;
@@ -486,7 +482,7 @@ export const useUpdateServiceAccount = <
 	TError,
 	{
 		pathParams: UpdateServiceAccountPathParameters;
-		data: BodyType<ServiceaccounttypesPostableServiceAccountDTO>;
+		data: BodyType<ServiceaccounttypesUpdatableServiceAccountDTO>;
 	},
 	TContext
 > => {
@@ -875,150 +871,44 @@ export const useUpdateServiceAccountKey = <
 	return useMutation(mutationOptions);
 };
 /**
- * This endpoint gets all the roles for the existing service account
- * @summary Gets service account roles
+ * This endpoint updates an existing service account status
+ * @summary Updates a service account status
  */
-export const getServiceAccountRoles = (
-	{ id }: GetServiceAccountRolesPathParameters,
-	signal?: AbortSignal,
+export const updateServiceAccountStatus = (
+	{ id }: UpdateServiceAccountStatusPathParameters,
+	serviceaccounttypesUpdatableServiceAccountStatusDTO: BodyType<ServiceaccounttypesUpdatableServiceAccountStatusDTO>,
 ) => {
-	return GeneratedAPIInstance<GetServiceAccountRoles200>({
-		url: `/api/v1/service_accounts/${id}/roles`,
-		method: 'GET',
-		signal,
-	});
-};
-
-export const getGetServiceAccountRolesQueryKey = ({
-	id,
-}: GetServiceAccountRolesPathParameters) => {
-	return [`/api/v1/service_accounts/${id}/roles`] as const;
-};
-
-export const getGetServiceAccountRolesQueryOptions = <
-	TData = Awaited<ReturnType<typeof getServiceAccountRoles>>,
-	TError = ErrorType<RenderErrorResponseDTO>
->(
-	{ id }: GetServiceAccountRolesPathParameters,
-	options?: {
-		query?: UseQueryOptions<
-			Awaited<ReturnType<typeof getServiceAccountRoles>>,
-			TError,
-			TData
-		>;
-	},
-) => {
-	const { query: queryOptions } = options ?? {};
-
-	const queryKey =
-		queryOptions?.queryKey ?? getGetServiceAccountRolesQueryKey({ id });
-
-	const queryFn: QueryFunction<
-		Awaited<ReturnType<typeof getServiceAccountRoles>>
-	> = ({ signal }) => getServiceAccountRoles({ id }, signal);
-
-	return {
-		queryKey,
-		queryFn,
-		enabled: !!id,
-		...queryOptions,
-	} as UseQueryOptions<
-		Awaited<ReturnType<typeof getServiceAccountRoles>>,
-		TError,
-		TData
-	> & { queryKey: QueryKey };
-};
-
-export type GetServiceAccountRolesQueryResult = NonNullable<
-	Awaited<ReturnType<typeof getServiceAccountRoles>>
->;
-export type GetServiceAccountRolesQueryError = ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary Gets service account roles
- */
-
-export function useGetServiceAccountRoles<
-	TData = Awaited<ReturnType<typeof getServiceAccountRoles>>,
-	TError = ErrorType<RenderErrorResponseDTO>
->(
-	{ id }: GetServiceAccountRolesPathParameters,
-	options?: {
-		query?: UseQueryOptions<
-			Awaited<ReturnType<typeof getServiceAccountRoles>>,
-			TError,
-			TData
-		>;
-	},
-): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
-	const queryOptions = getGetServiceAccountRolesQueryOptions({ id }, options);
-
-	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
-		queryKey: QueryKey;
-	};
-
-	query.queryKey = queryOptions.queryKey;
-
-	return query;
-}
-
-/**
- * @summary Gets service account roles
- */
-export const invalidateGetServiceAccountRoles = async (
-	queryClient: QueryClient,
-	{ id }: GetServiceAccountRolesPathParameters,
-	options?: InvalidateOptions,
-): Promise<QueryClient> => {
-	await queryClient.invalidateQueries(
-		{ queryKey: getGetServiceAccountRolesQueryKey({ id }) },
-		options,
-	);
-
-	return queryClient;
-};
-
-/**
- * This endpoint assigns a role to a service account
- * @summary Create service account role
- */
-export const createServiceAccountRole = (
-	{ id }: CreateServiceAccountRolePathParameters,
-	serviceaccounttypesPostableServiceAccountRoleDTO: BodyType<ServiceaccounttypesPostableServiceAccountRoleDTO>,
-	signal?: AbortSignal,
-) => {
-	return GeneratedAPIInstance<CreateServiceAccountRole201>({
-		url: `/api/v1/service_accounts/${id}/roles`,
-		method: 'POST',
+	return GeneratedAPIInstance<string>({
+		url: `/api/v1/service_accounts/${id}/status`,
+		method: 'PUT',
 		headers: { 'Content-Type': 'application/json' },
-		data: serviceaccounttypesPostableServiceAccountRoleDTO,
-		signal,
+		data: serviceaccounttypesUpdatableServiceAccountStatusDTO,
 	});
 };
 
-export const getCreateServiceAccountRoleMutationOptions = <
+export const getUpdateServiceAccountStatusMutationOptions = <
 	TError = ErrorType<RenderErrorResponseDTO>,
 	TContext = unknown
 >(options?: {
 	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof createServiceAccountRole>>,
+		Awaited<ReturnType<typeof updateServiceAccountStatus>>,
 		TError,
 		{
-			pathParams: CreateServiceAccountRolePathParameters;
-			data: BodyType<ServiceaccounttypesPostableServiceAccountRoleDTO>;
+			pathParams: UpdateServiceAccountStatusPathParameters;
+			data: BodyType<ServiceaccounttypesUpdatableServiceAccountStatusDTO>;
 		},
 		TContext
 	>;
 }): UseMutationOptions<
-	Awaited<ReturnType<typeof createServiceAccountRole>>,
+	Awaited<ReturnType<typeof updateServiceAccountStatus>>,
 	TError,
 	{
-		pathParams: CreateServiceAccountRolePathParameters;
-		data: BodyType<ServiceaccounttypesPostableServiceAccountRoleDTO>;
+		pathParams: UpdateServiceAccountStatusPathParameters;
+		data: BodyType<ServiceaccounttypesUpdatableServiceAccountStatusDTO>;
 	},
 	TContext
 > => {
-	const mutationKey = ['createServiceAccountRole'];
+	const mutationKey = ['updateServiceAccountStatus'];
 	const { mutation: mutationOptions } = options
 		? options.mutation &&
 		  'mutationKey' in options.mutation &&
@@ -1028,299 +918,52 @@ export const getCreateServiceAccountRoleMutationOptions = <
 		: { mutation: { mutationKey } };
 
 	const mutationFn: MutationFunction<
-		Awaited<ReturnType<typeof createServiceAccountRole>>,
+		Awaited<ReturnType<typeof updateServiceAccountStatus>>,
 		{
-			pathParams: CreateServiceAccountRolePathParameters;
-			data: BodyType<ServiceaccounttypesPostableServiceAccountRoleDTO>;
+			pathParams: UpdateServiceAccountStatusPathParameters;
+			data: BodyType<ServiceaccounttypesUpdatableServiceAccountStatusDTO>;
 		}
 	> = (props) => {
 		const { pathParams, data } = props ?? {};
 
-		return createServiceAccountRole(pathParams, data);
+		return updateServiceAccountStatus(pathParams, data);
 	};
 
 	return { mutationFn, ...mutationOptions };
 };
 
-export type CreateServiceAccountRoleMutationResult = NonNullable<
-	Awaited<ReturnType<typeof createServiceAccountRole>>
+export type UpdateServiceAccountStatusMutationResult = NonNullable<
+	Awaited<ReturnType<typeof updateServiceAccountStatus>>
 >;
-export type CreateServiceAccountRoleMutationBody = BodyType<ServiceaccounttypesPostableServiceAccountRoleDTO>;
-export type CreateServiceAccountRoleMutationError = ErrorType<RenderErrorResponseDTO>;
+export type UpdateServiceAccountStatusMutationBody = BodyType<ServiceaccounttypesUpdatableServiceAccountStatusDTO>;
+export type UpdateServiceAccountStatusMutationError = ErrorType<RenderErrorResponseDTO>;
 
 /**
- * @summary Create service account role
+ * @summary Updates a service account status
  */
-export const useCreateServiceAccountRole = <
+export const useUpdateServiceAccountStatus = <
 	TError = ErrorType<RenderErrorResponseDTO>,
 	TContext = unknown
 >(options?: {
 	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof createServiceAccountRole>>,
+		Awaited<ReturnType<typeof updateServiceAccountStatus>>,
 		TError,
 		{
-			pathParams: CreateServiceAccountRolePathParameters;
-			data: BodyType<ServiceaccounttypesPostableServiceAccountRoleDTO>;
+			pathParams: UpdateServiceAccountStatusPathParameters;
+			data: BodyType<ServiceaccounttypesUpdatableServiceAccountStatusDTO>;
 		},
 		TContext
 	>;
 }): UseMutationResult<
-	Awaited<ReturnType<typeof createServiceAccountRole>>,
+	Awaited<ReturnType<typeof updateServiceAccountStatus>>,
 	TError,
 	{
-		pathParams: CreateServiceAccountRolePathParameters;
-		data: BodyType<ServiceaccounttypesPostableServiceAccountRoleDTO>;
+		pathParams: UpdateServiceAccountStatusPathParameters;
+		data: BodyType<ServiceaccounttypesUpdatableServiceAccountStatusDTO>;
 	},
 	TContext
 > => {
-	const mutationOptions = getCreateServiceAccountRoleMutationOptions(options);
-
-	return useMutation(mutationOptions);
-};
-/**
- * This endpoint revokes a role from service account
- * @summary Delete service account role
- */
-export const deleteServiceAccountRole = ({
-	id,
-	rid,
-}: DeleteServiceAccountRolePathParameters) => {
-	return GeneratedAPIInstance<string>({
-		url: `/api/v1/service_accounts/${id}/roles/${rid}`,
-		method: 'DELETE',
-	});
-};
-
-export const getDeleteServiceAccountRoleMutationOptions = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof deleteServiceAccountRole>>,
-		TError,
-		{ pathParams: DeleteServiceAccountRolePathParameters },
-		TContext
-	>;
-}): UseMutationOptions<
-	Awaited<ReturnType<typeof deleteServiceAccountRole>>,
-	TError,
-	{ pathParams: DeleteServiceAccountRolePathParameters },
-	TContext
-> => {
-	const mutationKey = ['deleteServiceAccountRole'];
-	const { mutation: mutationOptions } = options
-		? options.mutation &&
-		  'mutationKey' in options.mutation &&
-		  options.mutation.mutationKey
-			? options
-			: { ...options, mutation: { ...options.mutation, mutationKey } }
-		: { mutation: { mutationKey } };
-
-	const mutationFn: MutationFunction<
-		Awaited<ReturnType<typeof deleteServiceAccountRole>>,
-		{ pathParams: DeleteServiceAccountRolePathParameters }
-	> = (props) => {
-		const { pathParams } = props ?? {};
-
-		return deleteServiceAccountRole(pathParams);
-	};
-
-	return { mutationFn, ...mutationOptions };
-};
-
-export type DeleteServiceAccountRoleMutationResult = NonNullable<
-	Awaited<ReturnType<typeof deleteServiceAccountRole>>
->;
-
-export type DeleteServiceAccountRoleMutationError = ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary Delete service account role
- */
-export const useDeleteServiceAccountRole = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof deleteServiceAccountRole>>,
-		TError,
-		{ pathParams: DeleteServiceAccountRolePathParameters },
-		TContext
-	>;
-}): UseMutationResult<
-	Awaited<ReturnType<typeof deleteServiceAccountRole>>,
-	TError,
-	{ pathParams: DeleteServiceAccountRolePathParameters },
-	TContext
-> => {
-	const mutationOptions = getDeleteServiceAccountRoleMutationOptions(options);
-
-	return useMutation(mutationOptions);
-};
-/**
- * This endpoint gets my service account
- * @summary Gets my service account
- */
-export const getMyServiceAccount = (signal?: AbortSignal) => {
-	return GeneratedAPIInstance<GetMyServiceAccount200>({
-		url: `/api/v1/service_accounts/me`,
-		method: 'GET',
-		signal,
-	});
-};
-
-export const getGetMyServiceAccountQueryKey = () => {
-	return [`/api/v1/service_accounts/me`] as const;
-};
-
-export const getGetMyServiceAccountQueryOptions = <
-	TData = Awaited<ReturnType<typeof getMyServiceAccount>>,
-	TError = ErrorType<RenderErrorResponseDTO>
->(options?: {
-	query?: UseQueryOptions<
-		Awaited<ReturnType<typeof getMyServiceAccount>>,
-		TError,
-		TData
-	>;
-}) => {
-	const { query: queryOptions } = options ?? {};
-
-	const queryKey = queryOptions?.queryKey ?? getGetMyServiceAccountQueryKey();
-
-	const queryFn: QueryFunction<
-		Awaited<ReturnType<typeof getMyServiceAccount>>
-	> = ({ signal }) => getMyServiceAccount(signal);
-
-	return { queryKey, queryFn, ...queryOptions } as UseQueryOptions<
-		Awaited<ReturnType<typeof getMyServiceAccount>>,
-		TError,
-		TData
-	> & { queryKey: QueryKey };
-};
-
-export type GetMyServiceAccountQueryResult = NonNullable<
-	Awaited<ReturnType<typeof getMyServiceAccount>>
->;
-export type GetMyServiceAccountQueryError = ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary Gets my service account
- */
-
-export function useGetMyServiceAccount<
-	TData = Awaited<ReturnType<typeof getMyServiceAccount>>,
-	TError = ErrorType<RenderErrorResponseDTO>
->(options?: {
-	query?: UseQueryOptions<
-		Awaited<ReturnType<typeof getMyServiceAccount>>,
-		TError,
-		TData
-	>;
-}): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
-	const queryOptions = getGetMyServiceAccountQueryOptions(options);
-
-	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
-		queryKey: QueryKey;
-	};
-
-	query.queryKey = queryOptions.queryKey;
-
-	return query;
-}
-
-/**
- * @summary Gets my service account
- */
-export const invalidateGetMyServiceAccount = async (
-	queryClient: QueryClient,
-	options?: InvalidateOptions,
-): Promise<QueryClient> => {
-	await queryClient.invalidateQueries(
-		{ queryKey: getGetMyServiceAccountQueryKey() },
-		options,
-	);
-
-	return queryClient;
-};
-
-/**
- * This endpoint gets my service account
- * @summary Updates my service account
- */
-export const updateMyServiceAccount = (
-	serviceaccounttypesPostableServiceAccountDTO: BodyType<ServiceaccounttypesPostableServiceAccountDTO>,
-) => {
-	return GeneratedAPIInstance<string>({
-		url: `/api/v1/service_accounts/me`,
-		method: 'PUT',
-		headers: { 'Content-Type': 'application/json' },
-		data: serviceaccounttypesPostableServiceAccountDTO,
-	});
-};
-
-export const getUpdateMyServiceAccountMutationOptions = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof updateMyServiceAccount>>,
-		TError,
-		{ data: BodyType<ServiceaccounttypesPostableServiceAccountDTO> },
-		TContext
-	>;
-}): UseMutationOptions<
-	Awaited<ReturnType<typeof updateMyServiceAccount>>,
-	TError,
-	{ data: BodyType<ServiceaccounttypesPostableServiceAccountDTO> },
-	TContext
-> => {
-	const mutationKey = ['updateMyServiceAccount'];
-	const { mutation: mutationOptions } = options
-		? options.mutation &&
-		  'mutationKey' in options.mutation &&
-		  options.mutation.mutationKey
-			? options
-			: { ...options, mutation: { ...options.mutation, mutationKey } }
-		: { mutation: { mutationKey } };
-
-	const mutationFn: MutationFunction<
-		Awaited<ReturnType<typeof updateMyServiceAccount>>,
-		{ data: BodyType<ServiceaccounttypesPostableServiceAccountDTO> }
-	> = (props) => {
-		const { data } = props ?? {};
-
-		return updateMyServiceAccount(data);
-	};
-
-	return { mutationFn, ...mutationOptions };
-};
-
-export type UpdateMyServiceAccountMutationResult = NonNullable<
-	Awaited<ReturnType<typeof updateMyServiceAccount>>
->;
-export type UpdateMyServiceAccountMutationBody = BodyType<ServiceaccounttypesPostableServiceAccountDTO>;
-export type UpdateMyServiceAccountMutationError = ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary Updates my service account
- */
-export const useUpdateMyServiceAccount = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof updateMyServiceAccount>>,
-		TError,
-		{ data: BodyType<ServiceaccounttypesPostableServiceAccountDTO> },
-		TContext
-	>;
-}): UseMutationResult<
-	Awaited<ReturnType<typeof updateMyServiceAccount>>,
-	TError,
-	{ data: BodyType<ServiceaccounttypesPostableServiceAccountDTO> },
-	TContext
-> => {
-	const mutationOptions = getUpdateMyServiceAccountMutationOptions(options);
+	const mutationOptions = getUpdateServiceAccountStatusMutationOptions(options);
 
 	return useMutation(mutationOptions);
 };

frontend/src/api/generated/services/sigNoz.schemas.ts

@@ -2843,7 +2843,7 @@ export interface RulestatehistorytypesGettableRuleStateWindowDTO {
 	state: RulestatehistorytypesAlertStateDTO;
 }
 
-export interface ServiceaccounttypesGettableFactorAPIKeyDTO {
+export interface ServiceaccounttypesFactorAPIKeyDTO {
 	/**
 	 * @type string
 	 * @format date-time
@@ -2858,6 +2858,10 @@ export interface ServiceaccounttypesGettableFactorAPIKeyDTO {
 	 * @type string
 	 */
 	id: string;
+	/**
+	 * @type string
+	 */
+	key: string;
 	/**
 	 * @type string
 	 * @format date-time
@@ -2905,14 +2909,15 @@ export interface ServiceaccounttypesPostableServiceAccountDTO {
 	/**
 	 * @type string
 	 */
-	name: string;
-}
-
-export interface ServiceaccounttypesPostableServiceAccountRoleDTO {
+	email: string;
 	/**
 	 * @type string
 	 */
-	id: string;
+	name: string;
+	/**
+	 * @type array
+	 */
+	roles: string[];
 }
 
 export interface ServiceaccounttypesServiceAccountDTO {
@@ -2921,65 +2926,11 @@ export interface ServiceaccounttypesServiceAccountDTO {
 	 * @format date-time
 	 */
 	createdAt?: Date;
-	/**
-	 * @type string
-	 */
-	email: string;
-	/**
-	 * @type string
-	 */
-	id: string;
-	/**
-	 * @type string
-	 */
-	name: string;
-	/**
-	 * @type string
-	 */
-	orgId: string;
-	/**
-	 * @type string
-	 */
-	status: string;
 	/**
 	 * @type string
 	 * @format date-time
 	 */
-	updatedAt?: Date;
-}
-
-export interface ServiceaccounttypesServiceAccountRoleDTO {
-	/**
-	 * @type string
-	 * @format date-time
-	 */
-	createdAt?: Date;
-	/**
-	 * @type string
-	 */
-	id: string;
-	role: AuthtypesRoleDTO;
-	/**
-	 * @type string
-	 */
-	roleId: string;
-	/**
-	 * @type string
-	 */
-	serviceAccountId: string;
-	/**
-	 * @type string
-	 * @format date-time
-	 */
-	updatedAt?: Date;
-}
-
-export interface ServiceaccounttypesServiceAccountWithRolesDTO {
-	/**
-	 * @type string
-	 * @format date-time
-	 */
-	createdAt?: Date;
+	deletedAt: Date;
 	/**
 	 * @type string
 	 */
@@ -2998,9 +2949,8 @@ export interface ServiceaccounttypesServiceAccountWithRolesDTO {
 	orgId: string;
 	/**
 	 * @type array
-	 * @nullable true
 	 */
-	serviceAccountRoles: ServiceaccounttypesServiceAccountRoleDTO[] | null;
+	roles: string[];
 	/**
 	 * @type string
 	 */
@@ -3024,6 +2974,28 @@ export interface ServiceaccounttypesUpdatableFactorAPIKeyDTO {
 	name: string;
 }
 
+export interface ServiceaccounttypesUpdatableServiceAccountDTO {
+	/**
+	 * @type string
+	 */
+	email: string;
+	/**
+	 * @type string
+	 */
+	name: string;
+	/**
+	 * @type array
+	 */
+	roles: string[];
+}
+
+export interface ServiceaccounttypesUpdatableServiceAccountStatusDTO {
+	/**
+	 * @type string
+	 */
+	status: string;
+}
+
 export enum TelemetrytypesFieldContextDTO {
 	metric = 'metric',
 	log = 'log',
@@ -3167,6 +3139,63 @@ export interface TypesDeprecatedUserDTO {
 	updatedAt?: Date;
 }
 
+export interface TypesGettableAPIKeyDTO {
+	/**
+	 * @type string
+	 * @format date-time
+	 */
+	createdAt?: Date;
+	/**
+	 * @type string
+	 */
+	createdBy?: string;
+	createdByUser?: TypesUserDTO;
+	/**
+	 * @type integer
+	 * @format int64
+	 */
+	expiresAt?: number;
+	/**
+	 * @type string
+	 */
+	id: string;
+	/**
+	 * @type integer
+	 * @format int64
+	 */
+	lastUsed?: number;
+	/**
+	 * @type string
+	 */
+	name?: string;
+	/**
+	 * @type boolean
+	 */
+	revoked?: boolean;
+	/**
+	 * @type string
+	 */
+	role?: string;
+	/**
+	 * @type string
+	 */
+	token?: string;
+	/**
+	 * @type string
+	 * @format date-time
+	 */
+	updatedAt?: Date;
+	/**
+	 * @type string
+	 */
+	updatedBy?: string;
+	updatedByUser?: TypesUserDTO;
+	/**
+	 * @type string
+	 */
+	userId?: string;
+}
+
 export interface TypesIdentifiableDTO {
 	/**
 	 * @type string
@@ -3249,6 +3278,22 @@ export interface TypesOrganizationDTO {
 	updatedAt?: Date;
 }
 
+export interface TypesPostableAPIKeyDTO {
+	/**
+	 * @type integer
+	 * @format int64
+	 */
+	expiresInDays?: number;
+	/**
+	 * @type string
+	 */
+	name?: string;
+	/**
+	 * @type string
+	 */
+	role?: string;
+}
+
 export interface TypesPostableBulkInviteRequestDTO {
 	/**
 	 * @type array
@@ -3328,6 +3373,51 @@ export interface TypesResetPasswordTokenDTO {
 	token?: string;
 }
 
+export interface TypesStorableAPIKeyDTO {
+	/**
+	 * @type string
+	 * @format date-time
+	 */
+	createdAt?: Date;
+	/**
+	 * @type string
+	 */
+	createdBy?: string;
+	/**
+	 * @type string
+	 */
+	id: string;
+	/**
+	 * @type string
+	 */
+	name?: string;
+	/**
+	 * @type boolean
+	 */
+	revoked?: boolean;
+	/**
+	 * @type string
+	 */
+	role?: string;
+	/**
+	 * @type string
+	 */
+	token?: string;
+	/**
+	 * @type string
+	 * @format date-time
+	 */
+	updatedAt?: Date;
+	/**
+	 * @type string
+	 */
+	updatedBy?: string;
+	/**
+	 * @type string
+	 */
+	userId?: string;
+}
+
 export interface TypesUpdatableUserDTO {
 	/**
 	 * @type string
@@ -3866,6 +3956,31 @@ export type GetOrgPreference200 = {
 export type UpdateOrgPreferencePathParameters = {
 	name: string;
 };
+export type ListAPIKeys200 = {
+	/**
+	 * @type array
+	 */
+	data: TypesGettableAPIKeyDTO[];
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
+export type CreateAPIKey201 = {
+	data: TypesGettableAPIKeyDTO;
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
+export type RevokeAPIKeyPathParameters = {
+	id: string;
+};
+export type UpdateAPIKeyPathParameters = {
+	id: string;
+};
 export type GetPublicDashboardDataPathParameters = {
 	id: string;
 };
@@ -3970,7 +4085,7 @@ export type GetServiceAccountPathParameters = {
 	id: string;
 };
 export type GetServiceAccount200 = {
-	data: ServiceaccounttypesServiceAccountWithRolesDTO;
+	data: ServiceaccounttypesServiceAccountDTO;
 	/**
 	 * @type string
 	 */
@@ -3987,7 +4102,7 @@ export type ListServiceAccountKeys200 = {
 	/**
 	 * @type array
 	 */
-	data: ServiceaccounttypesGettableFactorAPIKeyDTO[];
+	data: ServiceaccounttypesFactorAPIKeyDTO[];
 	/**
 	 * @type string
 	 */
@@ -4013,44 +4128,9 @@ export type UpdateServiceAccountKeyPathParameters = {
 	id: string;
 	fid: string;
 };
-export type GetServiceAccountRolesPathParameters = {
+export type UpdateServiceAccountStatusPathParameters = {
 	id: string;
 };
-export type GetServiceAccountRoles200 = {
-	/**
-	 * @type array
-	 * @nullable true
-	 */
-	data: AuthtypesRoleDTO[] | null;
-	/**
-	 * @type string
-	 */
-	status: string;
-};
-
-export type CreateServiceAccountRolePathParameters = {
-	id: string;
-};
-export type CreateServiceAccountRole201 = {
-	data: TypesIdentifiableDTO;
-	/**
-	 * @type string
-	 */
-	status: string;
-};
-
-export type DeleteServiceAccountRolePathParameters = {
-	id: string;
-	rid: string;
-};
-export type GetMyServiceAccount200 = {
-	data: ServiceaccounttypesServiceAccountWithRolesDTO;
-	/**
-	 * @type string
-	 */
-	status: string;
-};
-
 export type ListUsersDeprecated200 = {
 	/**
 	 * @type array

frontend/src/api/generated/services/users/index.ts

@@ -21,6 +21,7 @@ import type { BodyType, ErrorType } from '../../../generatedAPIInstance';
 import { GeneratedAPIInstance } from '../../../generatedAPIInstance';
 import type {
 	ChangePasswordPathParameters,
+	CreateAPIKey201,
 	CreateInvite201,
 	DeleteUserPathParameters,
 	GetMyUser200,
@@ -35,19 +36,24 @@ import type {
 	GetUserPathParameters,
 	GetUsersByRoleID200,
 	GetUsersByRoleIDPathParameters,
+	ListAPIKeys200,
 	ListUsers200,
 	ListUsersDeprecated200,
 	RemoveUserRoleByUserIDAndRoleIDPathParameters,
 	RenderErrorResponseDTO,
+	RevokeAPIKeyPathParameters,
 	SetRoleByUserIDPathParameters,
 	TypesChangePasswordRequestDTO,
 	TypesDeprecatedUserDTO,
+	TypesPostableAPIKeyDTO,
 	TypesPostableBulkInviteRequestDTO,
 	TypesPostableForgotPasswordDTO,
 	TypesPostableInviteDTO,
 	TypesPostableResetPasswordDTO,
 	TypesPostableRoleDTO,
+	TypesStorableAPIKeyDTO,
 	TypesUpdatableUserDTO,
+	UpdateAPIKeyPathParameters,
 	UpdateUserDeprecated200,
 	UpdateUserDeprecatedPathParameters,
 	UpdateUserPathParameters,
@@ -422,6 +428,349 @@ export const useCreateBulkInvite = <
 
 	return useMutation(mutationOptions);
 };
+/**
+ * This endpoint lists all api keys
+ * @summary List api keys
+ */
+export const listAPIKeys = (signal?: AbortSignal) => {
+	return GeneratedAPIInstance<ListAPIKeys200>({
+		url: `/api/v1/pats`,
+		method: 'GET',
+		signal,
+	});
+};
+
+export const getListAPIKeysQueryKey = () => {
+	return [`/api/v1/pats`] as const;
+};
+
+export const getListAPIKeysQueryOptions = <
+	TData = Awaited<ReturnType<typeof listAPIKeys>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(options?: {
+	query?: UseQueryOptions<
+		Awaited<ReturnType<typeof listAPIKeys>>,
+		TError,
+		TData
+	>;
+}) => {
+	const { query: queryOptions } = options ?? {};
+
+	const queryKey = queryOptions?.queryKey ?? getListAPIKeysQueryKey();
+
+	const queryFn: QueryFunction<Awaited<ReturnType<typeof listAPIKeys>>> = ({
+		signal,
+	}) => listAPIKeys(signal);
+
+	return { queryKey, queryFn, ...queryOptions } as UseQueryOptions<
+		Awaited<ReturnType<typeof listAPIKeys>>,
+		TError,
+		TData
+	> & { queryKey: QueryKey };
+};
+
+export type ListAPIKeysQueryResult = NonNullable<
+	Awaited<ReturnType<typeof listAPIKeys>>
+>;
+export type ListAPIKeysQueryError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary List api keys
+ */
+
+export function useListAPIKeys<
+	TData = Awaited<ReturnType<typeof listAPIKeys>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(options?: {
+	query?: UseQueryOptions<
+		Awaited<ReturnType<typeof listAPIKeys>>,
+		TError,
+		TData
+	>;
+}): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
+	const queryOptions = getListAPIKeysQueryOptions(options);
+
+	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
+		queryKey: QueryKey;
+	};
+
+	query.queryKey = queryOptions.queryKey;
+
+	return query;
+}
+
+/**
+ * @summary List api keys
+ */
+export const invalidateListAPIKeys = async (
+	queryClient: QueryClient,
+	options?: InvalidateOptions,
+): Promise<QueryClient> => {
+	await queryClient.invalidateQueries(
+		{ queryKey: getListAPIKeysQueryKey() },
+		options,
+	);
+
+	return queryClient;
+};
+
+/**
+ * This endpoint creates an api key
+ * @summary Create api key
+ */
+export const createAPIKey = (
+	typesPostableAPIKeyDTO: BodyType<TypesPostableAPIKeyDTO>,
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<CreateAPIKey201>({
+		url: `/api/v1/pats`,
+		method: 'POST',
+		headers: { 'Content-Type': 'application/json' },
+		data: typesPostableAPIKeyDTO,
+		signal,
+	});
+};
+
+export const getCreateAPIKeyMutationOptions = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof createAPIKey>>,
+		TError,
+		{ data: BodyType<TypesPostableAPIKeyDTO> },
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof createAPIKey>>,
+	TError,
+	{ data: BodyType<TypesPostableAPIKeyDTO> },
+	TContext
+> => {
+	const mutationKey = ['createAPIKey'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+		  'mutationKey' in options.mutation &&
+		  options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof createAPIKey>>,
+		{ data: BodyType<TypesPostableAPIKeyDTO> }
+	> = (props) => {
+		const { data } = props ?? {};
+
+		return createAPIKey(data);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type CreateAPIKeyMutationResult = NonNullable<
+	Awaited<ReturnType<typeof createAPIKey>>
+>;
+export type CreateAPIKeyMutationBody = BodyType<TypesPostableAPIKeyDTO>;
+export type CreateAPIKeyMutationError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Create api key
+ */
+export const useCreateAPIKey = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof createAPIKey>>,
+		TError,
+		{ data: BodyType<TypesPostableAPIKeyDTO> },
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof createAPIKey>>,
+	TError,
+	{ data: BodyType<TypesPostableAPIKeyDTO> },
+	TContext
+> => {
+	const mutationOptions = getCreateAPIKeyMutationOptions(options);
+
+	return useMutation(mutationOptions);
+};
+/**
+ * This endpoint revokes an api key
+ * @summary Revoke api key
+ */
+export const revokeAPIKey = ({ id }: RevokeAPIKeyPathParameters) => {
+	return GeneratedAPIInstance<void>({
+		url: `/api/v1/pats/${id}`,
+		method: 'DELETE',
+	});
+};
+
+export const getRevokeAPIKeyMutationOptions = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof revokeAPIKey>>,
+		TError,
+		{ pathParams: RevokeAPIKeyPathParameters },
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof revokeAPIKey>>,
+	TError,
+	{ pathParams: RevokeAPIKeyPathParameters },
+	TContext
+> => {
+	const mutationKey = ['revokeAPIKey'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+		  'mutationKey' in options.mutation &&
+		  options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof revokeAPIKey>>,
+		{ pathParams: RevokeAPIKeyPathParameters }
+	> = (props) => {
+		const { pathParams } = props ?? {};
+
+		return revokeAPIKey(pathParams);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type RevokeAPIKeyMutationResult = NonNullable<
+	Awaited<ReturnType<typeof revokeAPIKey>>
+>;
+
+export type RevokeAPIKeyMutationError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Revoke api key
+ */
+export const useRevokeAPIKey = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof revokeAPIKey>>,
+		TError,
+		{ pathParams: RevokeAPIKeyPathParameters },
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof revokeAPIKey>>,
+	TError,
+	{ pathParams: RevokeAPIKeyPathParameters },
+	TContext
+> => {
+	const mutationOptions = getRevokeAPIKeyMutationOptions(options);
+
+	return useMutation(mutationOptions);
+};
+/**
+ * This endpoint updates an api key
+ * @summary Update api key
+ */
+export const updateAPIKey = (
+	{ id }: UpdateAPIKeyPathParameters,
+	typesStorableAPIKeyDTO: BodyType<TypesStorableAPIKeyDTO>,
+) => {
+	return GeneratedAPIInstance<string>({
+		url: `/api/v1/pats/${id}`,
+		method: 'PUT',
+		headers: { 'Content-Type': 'application/json' },
+		data: typesStorableAPIKeyDTO,
+	});
+};
+
+export const getUpdateAPIKeyMutationOptions = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof updateAPIKey>>,
+		TError,
+		{
+			pathParams: UpdateAPIKeyPathParameters;
+			data: BodyType<TypesStorableAPIKeyDTO>;
+		},
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof updateAPIKey>>,
+	TError,
+	{
+		pathParams: UpdateAPIKeyPathParameters;
+		data: BodyType<TypesStorableAPIKeyDTO>;
+	},
+	TContext
+> => {
+	const mutationKey = ['updateAPIKey'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+		  'mutationKey' in options.mutation &&
+		  options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof updateAPIKey>>,
+		{
+			pathParams: UpdateAPIKeyPathParameters;
+			data: BodyType<TypesStorableAPIKeyDTO>;
+		}
+	> = (props) => {
+		const { pathParams, data } = props ?? {};
+
+		return updateAPIKey(pathParams, data);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type UpdateAPIKeyMutationResult = NonNullable<
+	Awaited<ReturnType<typeof updateAPIKey>>
+>;
+export type UpdateAPIKeyMutationBody = BodyType<TypesStorableAPIKeyDTO>;
+export type UpdateAPIKeyMutationError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Update api key
+ */
+export const useUpdateAPIKey = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof updateAPIKey>>,
+		TError,
+		{
+			pathParams: UpdateAPIKeyPathParameters;
+			data: BodyType<TypesStorableAPIKeyDTO>;
+		},
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof updateAPIKey>>,
+	TError,
+	{
+		pathParams: UpdateAPIKeyPathParameters;
+		data: BodyType<TypesStorableAPIKeyDTO>;
+	},
+	TContext
+> => {
+	const mutationOptions = getUpdateAPIKeyMutationOptions(options);
+
+	return useMutation(mutationOptions);
+};
 /**
  * This endpoint resets the password by token
  * @summary Reset password

frontend/src/api/v1/pats/create.ts

@@ -0,0 +1,28 @@
+import axios from 'api';
+import { ErrorResponseHandlerV2 } from 'api/ErrorResponseHandlerV2';
+import { AxiosError } from 'axios';
+import { ErrorV2Resp, SuccessResponseV2 } from 'types/api';
+import {
+	APIKeyProps,
+	CreateAPIKeyProps,
+	CreatePayloadProps,
+} from 'types/api/pat/types';
+
+const create = async (
+	props: CreateAPIKeyProps,
+): Promise<SuccessResponseV2<APIKeyProps>> => {
+	try {
+		const response = await axios.post<CreatePayloadProps>('/pats', {
+			...props,
+		});
+
+		return {
+			httpStatusCode: response.status,
+			data: response.data.data,
+		};
+	} catch (error) {
+		ErrorResponseHandlerV2(error as AxiosError<ErrorV2Resp>);
+	}
+};
+
+export default create;

frontend/src/api/v1/pats/delete.ts

@@ -0,0 +1,19 @@
+import axios from 'api';
+import { ErrorResponseHandlerV2 } from 'api/ErrorResponseHandlerV2';
+import { AxiosError } from 'axios';
+import { ErrorV2Resp, SuccessResponseV2 } from 'types/api';
+
+const deleteAPIKey = async (id: string): Promise<SuccessResponseV2<null>> => {
+	try {
+		const response = await axios.delete(`/pats/${id}`);
+
+		return {
+			httpStatusCode: response.status,
+			data: null,
+		};
+	} catch (error) {
+		ErrorResponseHandlerV2(error as AxiosError<ErrorV2Resp>);
+	}
+};
+
+export default deleteAPIKey;

frontend/src/api/v1/pats/list.ts

@@ -0,0 +1,20 @@
+import axios from 'api';
+import { ErrorResponseHandlerV2 } from 'api/ErrorResponseHandlerV2';
+import { AxiosError } from 'axios';
+import { ErrorV2Resp, SuccessResponseV2 } from 'types/api';
+import { AllAPIKeyProps, APIKeyProps } from 'types/api/pat/types';
+
+const list = async (): Promise<SuccessResponseV2<APIKeyProps[]>> => {
+	try {
+		const response = await axios.get<AllAPIKeyProps>('/pats');
+
+		return {
+			httpStatusCode: response.status,
+			data: response.data.data,
+		};
+	} catch (error) {
+		ErrorResponseHandlerV2(error as AxiosError<ErrorV2Resp>);
+	}
+};
+
+export default list;

frontend/src/api/v1/pats/update.ts

@@ -0,0 +1,24 @@
+import axios from 'api';
+import { ErrorResponseHandlerV2 } from 'api/ErrorResponseHandlerV2';
+import { AxiosError } from 'axios';
+import { ErrorV2Resp, SuccessResponseV2 } from 'types/api';
+import { UpdateAPIKeyProps } from 'types/api/pat/types';
+
+const updateAPIKey = async (
+	props: UpdateAPIKeyProps,
+): Promise<SuccessResponseV2<null>> => {
+	try {
+		const response = await axios.put(`/pats/${props.id}`, {
+			...props.data,
+		});
+
+		return {
+			httpStatusCode: response.status,
+			data: null,
+		};
+	} catch (error) {
+		ErrorResponseHandlerV2(error as AxiosError<ErrorV2Resp>);
+	}
+};
+
+export default updateAPIKey;

frontend/src/components/CreateServiceAccountModal/CreateServiceAccountModal.tsx

@@ -12,13 +12,17 @@ import {
 } from 'api/generated/services/serviceaccount';
 import type { RenderErrorResponseDTO } from 'api/generated/services/sigNoz.schemas';
 import { AxiosError } from 'axios';
+import RolesSelect, { useRoles } from 'components/RolesSelect';
 import { SA_QUERY_PARAMS } from 'container/ServiceAccountsSettings/constants';
 import { parseAsBoolean, useQueryState } from 'nuqs';
+import { EMAIL_REGEX } from 'utils/app';
 
 import './CreateServiceAccountModal.styles.scss';
 
 interface FormValues {
 	name: string;
+	email: string;
+	roles: string[];
 }
 
 function CreateServiceAccountModal(): JSX.Element {
@@ -37,6 +41,8 @@ function CreateServiceAccountModal(): JSX.Element {
 		mode: 'onChange',
 		defaultValues: {
 			name: '',
+			email: '',
+			roles: [],
 		},
 	});
 
@@ -64,6 +70,13 @@ function CreateServiceAccountModal(): JSX.Element {
 			},
 		},
 	});
+	const {
+		roles,
+		isLoading: rolesLoading,
+		isError: rolesError,
+		error: rolesErrorObj,
+		refetch: refetchRoles,
+	} = useRoles();
 
 	function handleClose(): void {
 		reset();
@@ -74,6 +87,8 @@ function CreateServiceAccountModal(): JSX.Element {
 		createServiceAccount({
 			data: {
 				name: values.name.trim(),
+				email: values.email.trim(),
+				roles: values.roles,
 			},
 		});
 	}
@@ -119,6 +134,68 @@ function CreateServiceAccountModal(): JSX.Element {
 							<p className="create-sa-form__error">{errors.name.message}</p>
 						)}
 					</div>
+
+					<div className="create-sa-form__item">
+						<label htmlFor="sa-email">Email Address</label>
+						<Controller
+							name="email"
+							control={control}
+							rules={{
+								required: 'Email Address is required',
+								pattern: {
+									value: EMAIL_REGEX,
+									message: 'Please enter a valid email address',
+								},
+							}}
+							render={({ field }): JSX.Element => (
+								<Input
+									id="sa-email"
+									type="email"
+									placeholder="email@example.com"
+									className="create-sa-form__input"
+									value={field.value}
+									onChange={field.onChange}
+									onBlur={field.onBlur}
+								/>
+							)}
+						/>
+						{errors.email && (
+							<p className="create-sa-form__error">{errors.email.message}</p>
+						)}
+					</div>
+					<p className="create-sa-form__helper">
+						Used only for notifications about this service account. It is not used for
+						authentication.
+					</p>
+
+					<div className="create-sa-form__item">
+						<label htmlFor="sa-roles">Roles</label>
+						<Controller
+							name="roles"
+							control={control}
+							rules={{
+								validate: (value): string | true =>
+									value.length > 0 || 'At least one role is required',
+							}}
+							render={({ field }): JSX.Element => (
+								<RolesSelect
+									id="sa-roles"
+									mode="multiple"
+									roles={roles}
+									loading={rolesLoading}
+									isError={rolesError}
+									error={rolesErrorObj}
+									onRefetch={refetchRoles}
+									placeholder="Select roles"
+									value={field.value}
+									onChange={field.onChange}
+								/>
+							)}
+						/>
+						{errors.roles && (
+							<p className="create-sa-form__error">{errors.roles.message}</p>
+						)}
+					</div>
 				</form>
 			</div>
 

frontend/src/components/CreateServiceAccountModal/__tests__/CreateServiceAccountModal.test.tsx

@@ -1,4 +1,5 @@
 import { toast } from '@signozhq/sonner';
+import { listRolesSuccessResponse } from 'mocks-server/__mockdata__/roles';
 import { rest, server } from 'mocks-server/server';
 import { NuqsTestingAdapter } from 'nuqs/adapters/testing';
 import { render, screen, userEvent, waitFor } from 'tests/test-utils';
@@ -11,6 +12,7 @@ jest.mock('@signozhq/sonner', () => ({
 
 const mockToast = jest.mocked(toast);
 
+const ROLES_ENDPOINT = '*/api/v1/roles';
 const SERVICE_ACCOUNTS_ENDPOINT = '*/api/v1/service_accounts';
 
 function renderModal(): ReturnType<typeof render> {
@@ -25,6 +27,9 @@ describe('CreateServiceAccountModal', () => {
 	beforeEach(() => {
 		jest.clearAllMocks();
 		server.use(
+			rest.get(ROLES_ENDPOINT, (_, res, ctx) =>
+				res(ctx.status(200), ctx.json(listRolesSuccessResponse)),
+			),
 			rest.post(SERVICE_ACCOUNTS_ENDPOINT, (_, res, ctx) =>
 				res(ctx.status(201), ctx.json({ status: 'success', data: {} })),
 			),
@@ -43,11 +48,38 @@ describe('CreateServiceAccountModal', () => {
 		).toBeDisabled();
 	});
 
+	it('submit button remains disabled when email is invalid', async () => {
+		const user = userEvent.setup({ pointerEventsCheck: 0 });
+		renderModal();
+
+		await user.type(screen.getByPlaceholderText('Enter a name'), 'My Bot');
+		await user.type(
+			screen.getByPlaceholderText('email@example.com'),
+			'not-an-email',
+		);
+
+		await user.click(screen.getByText('Select roles'));
+		await user.click(await screen.findByTitle('signoz-admin'));
+
+		await waitFor(() =>
+			expect(
+				screen.getByRole('button', { name: /Create Service Account/i }),
+			).toBeDisabled(),
+		);
+	});
+
 	it('successful submit shows toast.success and closes modal', async () => {
 		const user = userEvent.setup({ pointerEventsCheck: 0 });
 		renderModal();
 
 		await user.type(screen.getByPlaceholderText('Enter a name'), 'Deploy Bot');
+		await user.type(
+			screen.getByPlaceholderText('email@example.com'),
+			'deploy@acme.io',
+		);
+
+		await user.click(screen.getByText('Select roles'));
+		await user.click(await screen.findByTitle('signoz-admin'));
 
 		const submitBtn = screen.getByRole('button', {
 			name: /Create Service Account/i,
@@ -84,6 +116,13 @@ describe('CreateServiceAccountModal', () => {
 		renderModal();
 
 		await user.type(screen.getByPlaceholderText('Enter a name'), 'Dupe Bot');
+		await user.type(
+			screen.getByPlaceholderText('email@example.com'),
+			'dupe@acme.io',
+		);
+
+		await user.click(screen.getByText('Select roles'));
+		await user.click(await screen.findByTitle('signoz-admin'));
 
 		const submitBtn = screen.getByRole('button', {
 			name: /Create Service Account/i,
@@ -125,4 +164,16 @@ describe('CreateServiceAccountModal', () => {
 
 		await screen.findByText('Name is required');
 	});
+
+	it('shows "Please enter a valid email address" for a malformed email', async () => {
+		const user = userEvent.setup({ pointerEventsCheck: 0 });
+		renderModal();
+
+		await user.type(
+			screen.getByPlaceholderText('email@example.com'),
+			'not-an-email',
+		);
+
+		await screen.findByText('Please enter a valid email address');
+	});
 });

frontend/src/components/RolesSelect/RolesSelect.tsx

@@ -34,7 +34,7 @@ export function useRoles(): {
 export function getRoleOptions(roles: AuthtypesRoleDTO[]): RoleOption[] {
 	return roles.map((role) => ({
 		label: role.name ?? '',
-		value: role.id ?? '',
+		value: role.name ?? '',
 	}));
 }
 

frontend/src/components/ServiceAccountDrawer/DisableAccountModal.tsx

@@ -1,13 +1,13 @@
 import { useQueryClient } from 'react-query';
 import { Button } from '@signozhq/button';
 import { DialogFooter, DialogWrapper } from '@signozhq/dialog';
-import { Trash2, X } from '@signozhq/icons';
+import { PowerOff, X } from '@signozhq/icons';
 import { toast } from '@signozhq/sonner';
 import { convertToApiError } from 'api/ErrorResponseHandlerForGeneratedAPIs';
 import {
 	getGetServiceAccountQueryKey,
 	invalidateListServiceAccounts,
-	useDeleteServiceAccount,
+	useUpdateServiceAccountStatus,
 } from 'api/generated/services/serviceaccount';
 import type {
 	RenderErrorResponseDTO,
@@ -17,14 +17,14 @@ import { AxiosError } from 'axios';
 import { SA_QUERY_PARAMS } from 'container/ServiceAccountsSettings/constants';
 import { parseAsBoolean, useQueryState } from 'nuqs';
 
-function DeleteAccountModal(): JSX.Element {
+function DisableAccountModal(): JSX.Element {
 	const queryClient = useQueryClient();
 	const [accountId, setAccountId] = useQueryState(SA_QUERY_PARAMS.ACCOUNT);
-	const [isDeleteOpen, setIsDeleteOpen] = useQueryState(
-		SA_QUERY_PARAMS.DELETE_SA,
+	const [isDisableOpen, setIsDisableOpen] = useQueryState(
+		SA_QUERY_PARAMS.DISABLE_SA,
 		parseAsBoolean.withDefault(false),
 	);
-	const open = !!isDeleteOpen && !!accountId;
+	const open = !!isDisableOpen && !!accountId;
 
 	const cachedAccount = accountId
 		? queryClient.getQueryData<{
@@ -34,13 +34,13 @@ function DeleteAccountModal(): JSX.Element {
 	const accountName = cachedAccount?.data?.name;
 
 	const {
-		mutate: deleteAccount,
-		isLoading: isDeleting,
-	} = useDeleteServiceAccount({
+		mutate: updateStatus,
+		isLoading: isDisabling,
+	} = useUpdateServiceAccountStatus({
 		mutation: {
 			onSuccess: async () => {
-				toast.success('Service account deleted', { richColors: true });
-				await setIsDeleteOpen(null);
+				toast.success('Service account disabled', { richColors: true });
+				await setIsDisableOpen(null);
 				await setAccountId(null);
 				await invalidateListServiceAccounts(queryClient);
 			},
@@ -48,7 +48,7 @@ function DeleteAccountModal(): JSX.Element {
 				const errMessage =
 					convertToApiError(
 						error as AxiosError<RenderErrorResponseDTO, unknown> | null,
-					)?.getErrorMessage() || 'Failed to delete service account';
+					)?.getErrorMessage() || 'Failed to disable service account';
 				toast.error(errMessage, { richColors: true });
 			},
 		},
@@ -58,13 +58,14 @@ function DeleteAccountModal(): JSX.Element {
 		if (!accountId) {
 			return;
 		}
-		deleteAccount({
+		updateStatus({
 			pathParams: { id: accountId },
+			data: { status: 'DISABLED' },
 		});
 	}
 
 	function handleCancel(): void {
-		setIsDeleteOpen(null);
+		setIsDisableOpen(null);
 	}
 
 	return (
@@ -75,18 +76,17 @@ function DeleteAccountModal(): JSX.Element {
 					handleCancel();
 				}
 			}}
-			title={`Delete service account ${accountName ?? ''}?`}
+			title={`Disable service account ${accountName ?? ''}?`}
 			width="narrow"
-			className="alert-dialog sa-delete-dialog"
+			className="alert-dialog sa-disable-dialog"
 			showCloseButton={false}
 			disableOutsideClick={false}
 		>
-			<p className="sa-delete-dialog__body">
-				Are you sure you want to delete <strong>{accountName}</strong>? This action
-				cannot be undone. All keys associated with this service account will be
-				permanently removed.
+			<p className="sa-disable-dialog__body">
+				Disabling this service account will revoke access for all its keys. Any
+				systems using this account will lose access immediately.
 			</p>
-			<DialogFooter className="sa-delete-dialog__footer">
+			<DialogFooter className="sa-disable-dialog__footer">
 				<Button variant="solid" color="secondary" size="sm" onClick={handleCancel}>
 					<X size={12} />
 					Cancel
@@ -95,15 +95,15 @@ function DeleteAccountModal(): JSX.Element {
 					variant="solid"
 					color="destructive"
 					size="sm"
-					loading={isDeleting}
+					loading={isDisabling}
 					onClick={handleConfirm}
 				>
-					<Trash2 size={12} />
-					Delete
+					<PowerOff size={12} />
+					Disable
 				</Button>
 			</DialogFooter>
 		</DialogWrapper>
 	);
 }
 
-export default DeleteAccountModal;
+export default DisableAccountModal;

frontend/src/components/ServiceAccountDrawer/EditKeyModal/EditKeyForm.tsx

@@ -6,7 +6,7 @@ import { LockKeyhole, Trash2, X } from '@signozhq/icons';
 import { Input } from '@signozhq/input';
 import { ToggleGroup, ToggleGroupItem } from '@signozhq/toggle-group';
 import { DatePicker } from 'antd';
-import type { ServiceaccounttypesGettableFactorAPIKeyDTO } from 'api/generated/services/sigNoz.schemas';
+import type { ServiceaccounttypesFactorAPIKeyDTO } from 'api/generated/services/sigNoz.schemas';
 import { popupContainer } from 'utils/selectPopupContainer';
 
 import { disabledDate, formatLastObservedAt } from '../utils';
@@ -17,7 +17,7 @@ export interface EditKeyFormProps {
 	register: UseFormRegister<FormValues>;
 	control: Control<FormValues>;
 	expiryMode: ExpiryMode;
-	keyItem: ServiceaccounttypesGettableFactorAPIKeyDTO | null;
+	keyItem: ServiceaccounttypesFactorAPIKeyDTO | null;
 	isSaving: boolean;
 	isDirty: boolean;
 	onSubmit: () => void;

frontend/src/components/ServiceAccountDrawer/EditKeyModal/index.tsx

@@ -11,7 +11,7 @@ import {
 } from 'api/generated/services/serviceaccount';
 import type {
 	RenderErrorResponseDTO,
-	ServiceaccounttypesGettableFactorAPIKeyDTO,
+	ServiceaccounttypesFactorAPIKeyDTO,
 } from 'api/generated/services/sigNoz.schemas';
 import { AxiosError } from 'axios';
 import { SA_QUERY_PARAMS } from 'container/ServiceAccountsSettings/constants';
@@ -27,7 +27,7 @@ import { DEFAULT_FORM_VALUES, ExpiryMode } from './types';
 import './EditKeyModal.styles.scss';
 
 export interface EditKeyModalProps {
-	keyItem: ServiceaccounttypesGettableFactorAPIKeyDTO | null;
+	keyItem: ServiceaccounttypesFactorAPIKeyDTO | null;
 }
 
 function EditKeyModal({ keyItem }: EditKeyModalProps): JSX.Element {

frontend/src/components/ServiceAccountDrawer/KeysTab.tsx

@@ -3,7 +3,7 @@ import { Button } from '@signozhq/button';
 import { KeyRound, X } from '@signozhq/icons';
 import { Skeleton, Table, Tooltip } from 'antd';
 import type { ColumnsType } from 'antd/es/table/interface';
-import type { ServiceaccounttypesGettableFactorAPIKeyDTO } from 'api/generated/services/sigNoz.schemas';
+import type { ServiceaccounttypesFactorAPIKeyDTO } from 'api/generated/services/sigNoz.schemas';
 import { DATE_TIME_FORMATS } from 'constants/dateTimeFormats';
 import dayjs from 'dayjs';
 import { parseAsBoolean, parseAsString, useQueryState } from 'nuqs';
@@ -14,7 +14,7 @@ import RevokeKeyModal from './RevokeKeyModal';
 import { formatLastObservedAt } from './utils';
 
 interface KeysTabProps {
-	keys: ServiceaccounttypesGettableFactorAPIKeyDTO[];
+	keys: ServiceaccounttypesFactorAPIKeyDTO[];
 	isLoading: boolean;
 	isDisabled?: boolean;
 	currentPage: number;
@@ -44,7 +44,7 @@ function buildColumns({
 	isDisabled,
 	onRevokeClick,
 	handleformatLastObservedAt,
-}: BuildColumnsParams): ColumnsType<ServiceaccounttypesGettableFactorAPIKeyDTO> {
+}: BuildColumnsParams): ColumnsType<ServiceaccounttypesFactorAPIKeyDTO> {
 	return [
 		{
 			title: 'Name',
@@ -183,7 +183,7 @@ function KeysTab({
 	return (
 		<>
 			{/* Todo: use new table component from periscope when ready */}
-			<Table<ServiceaccounttypesGettableFactorAPIKeyDTO>
+			<Table<ServiceaccounttypesFactorAPIKeyDTO>
 				columns={columns}
 				dataSource={keys}
 				rowKey="id"

frontend/src/components/ServiceAccountDrawer/OverviewTab.tsx

@@ -9,9 +9,6 @@ import { ServiceAccountRow } from 'container/ServiceAccountsSettings/utils';
 import { useTimezone } from 'providers/Timezone';
 import APIError from 'types/api/error';
 
-import SaveErrorItem from './SaveErrorItem';
-import type { SaveError } from './utils';
-
 interface OverviewTabProps {
 	account: ServiceAccountRow;
 	localName: string;
@@ -24,7 +21,6 @@ interface OverviewTabProps {
 	rolesError?: boolean;
 	rolesErrorObj?: APIError | undefined;
 	onRefetchRoles?: () => void;
-	saveErrors?: SaveError[];
 }
 
 function OverviewTab({
@@ -39,7 +35,6 @@ function OverviewTab({
 	rolesError,
 	rolesErrorObj,
 	onRefetchRoles,
-	saveErrors = [],
 }: OverviewTabProps): JSX.Element {
 	const { formatTimezoneAdjustedTimestamp } = useTimezone();
 
@@ -97,14 +92,11 @@ function OverviewTab({
 					<div className="sa-drawer__input-wrapper sa-drawer__input-wrapper--disabled">
 						<div className="sa-drawer__disabled-roles">
 							{localRoles.length > 0 ? (
-								localRoles.map((roleId) => {
-									const role = availableRoles.find((r) => r.id === roleId);
-									return (
-										<Badge key={roleId} color="vanilla">
-											{role?.name ?? roleId}
-										</Badge>
-									);
-								})
+								localRoles.map((r) => (
+									<Badge key={r} color="vanilla">
+										{r}
+									</Badge>
+								))
 							) : (
 								<span className="sa-drawer__input-text">—</span>
 							)}
@@ -134,13 +126,9 @@ function OverviewTab({
 						<Badge color="forest" variant="outline">
 							ACTIVE
 						</Badge>
-					) : account.status?.toUpperCase() === 'DELETED' ? (
-						<Badge color="cherry" variant="outline">
-							DELETED
-						</Badge>
 					) : (
 						<Badge color="vanilla" variant="outline" className="sa-status-badge">
-							{account.status ? account.status.toUpperCase() : 'UNKNOWN'}
+							DISABLED
 						</Badge>
 					)}
 				</div>
@@ -155,19 +143,6 @@ function OverviewTab({
 					<Badge color="vanilla">{formatTimestamp(account.updatedAt)}</Badge>
 				</div>
 			</div>
-
-			{saveErrors.length > 0 && (
-				<div className="sa-drawer__save-errors">
-					{saveErrors.map(({ context, apiError, onRetry }) => (
-						<SaveErrorItem
-							key={context}
-							context={context}
-							apiError={apiError}
-							onRetry={onRetry}
-						/>
-					))}
-				</div>
-			)}
 		</>
 	);
 }

frontend/src/components/ServiceAccountDrawer/RevokeKeyModal.tsx

@@ -11,7 +11,7 @@ import {
 } from 'api/generated/services/serviceaccount';
 import type {
 	RenderErrorResponseDTO,
-	ServiceaccounttypesGettableFactorAPIKeyDTO,
+	ServiceaccounttypesFactorAPIKeyDTO,
 } from 'api/generated/services/sigNoz.schemas';
 import { AxiosError } from 'axios';
 import { SA_QUERY_PARAMS } from 'container/ServiceAccountsSettings/constants';
@@ -64,9 +64,9 @@ function RevokeKeyModal(): JSX.Element {
 	const open = !!revokeKeyId && !!accountId;
 
 	const cachedKeys = accountId
-		? queryClient.getQueryData<{
-				data: ServiceaccounttypesGettableFactorAPIKeyDTO[];
-		  }>(getListServiceAccountKeysQueryKey({ id: accountId }))
+		? queryClient.getQueryData<{ data: ServiceaccounttypesFactorAPIKeyDTO[] }>(
+				getListServiceAccountKeysQueryKey({ id: accountId }),
+		  )
 		: null;
 	const keyName = cachedKeys?.data?.find((k) => k.id === revokeKeyId)?.name;
 

frontend/src/components/ServiceAccountDrawer/SaveErrorItem.tsx

@@ -1,74 +0,0 @@
-import { useState } from 'react';
-import { Button } from '@signozhq/button';
-import { Color } from '@signozhq/design-tokens';
-import { ChevronDown, ChevronUp, CircleAlert, RotateCw } from '@signozhq/icons';
-import ErrorContent from 'components/ErrorModal/components/ErrorContent';
-import APIError from 'types/api/error';
-
-interface SaveErrorItemProps {
-	context: string;
-	apiError: APIError;
-	onRetry?: () => void | Promise<void>;
-}
-
-function SaveErrorItem({
-	context,
-	apiError,
-	onRetry,
-}: SaveErrorItemProps): JSX.Element {
-	const [expanded, setExpanded] = useState(false);
-	const [isRetrying, setIsRetrying] = useState(false);
-
-	const ChevronIcon = expanded ? ChevronUp : ChevronDown;
-
-	return (
-		<div className="sa-error-item">
-			<div
-				role="button"
-				tabIndex={0}
-				className="sa-error-item__header"
-				aria-disabled={isRetrying}
-				onClick={(): void => {
-					if (!isRetrying) {
-						setExpanded((prev) => !prev);
-					}
-				}}
-			>
-				<CircleAlert size={12} className="sa-error-item__icon" />
-				<span className="sa-error-item__title">
-					{isRetrying ? 'Retrying...' : `${context}: ${apiError.getErrorMessage()}`}
-				</span>
-				{onRetry && !isRetrying && (
-					<Button
-						type="button"
-						aria-label="Retry"
-						size="xs"
-						onClick={async (e): Promise<void> => {
-							e.stopPropagation();
-							setIsRetrying(true);
-							setExpanded(false);
-							try {
-								await onRetry();
-							} finally {
-								setIsRetrying(false);
-							}
-						}}
-					>
-						<RotateCw size={12} color={Color.BG_CHERRY_400} />
-					</Button>
-				)}
-				{!isRetrying && (
-					<ChevronIcon size={14} className="sa-error-item__chevron" />
-				)}
-			</div>
-
-			{expanded && !isRetrying && (
-				<div className="sa-error-item__body">
-					<ErrorContent error={apiError} />
-				</div>
-			)}
-		</div>
-	);
-}
-
-export default SaveErrorItem;

frontend/src/components/ServiceAccountDrawer/ServiceAccountDrawer.styles.scss

@@ -92,23 +92,6 @@
 		display: flex;
 		flex-direction: column;
 		gap: var(--spacing-8);
-
-		&::-webkit-scrollbar {
-			width: 0.25rem;
-		}
-
-		&::-webkit-scrollbar-thumb {
-			background: rgba(136, 136, 136, 0.4);
-			border-radius: 0.125rem;
-
-			&:hover {
-				background: rgba(136, 136, 136, 0.7);
-			}
-		}
-
-		&::-webkit-scrollbar-track {
-			background: transparent;
-		}
 	}
 
 	&__footer {
@@ -256,113 +239,6 @@
 		letter-spacing: 0.48px;
 		text-transform: uppercase;
 	}
-
-	&__save-errors {
-		display: flex;
-		flex-direction: column;
-		gap: var(--spacing-2);
-	}
-}
-
-.sa-error-item {
-	border: 1px solid var(--l1-border);
-	border-radius: 4px;
-	overflow: hidden;
-
-	&__header {
-		display: flex;
-		align-items: center;
-		gap: var(--spacing-3);
-		width: 100%;
-		padding: var(--padding-2) var(--padding-4);
-		background: transparent;
-		border: none;
-		cursor: pointer;
-		text-align: left;
-		outline: none;
-
-		&:hover {
-			background: rgba(229, 72, 77, 0.08);
-		}
-
-		&:focus-visible {
-			outline: 2px solid var(--primary);
-			outline-offset: -2px;
-		}
-
-		&[aria-disabled='true'] {
-			cursor: default;
-			pointer-events: none;
-		}
-	}
-
-	&:hover {
-		border-color: var(--callout-error-border);
-	}
-
-	&__icon {
-		flex-shrink: 0;
-		color: var(--bg-cherry-500);
-	}
-
-	&__title {
-		flex: 1;
-		min-width: 0;
-		font-size: var(--font-size-xs);
-		font-weight: var(--font-weight-medium);
-		color: var(--bg-cherry-500);
-		line-height: var(--line-height-18);
-		letter-spacing: -0.06px;
-		text-align: left;
-		white-space: nowrap;
-		overflow: hidden;
-		text-overflow: ellipsis;
-	}
-
-	&__chevron {
-		flex-shrink: 0;
-		color: var(--l2-foreground);
-	}
-
-	&__body {
-		border-top: 1px solid var(--l1-border);
-
-		.error-content {
-			&__summary {
-				padding: 10px 12px;
-			}
-
-			&__summary-left {
-				gap: 6px;
-			}
-
-			&__error-code {
-				font-size: 12px;
-				line-height: 18px;
-			}
-
-			&__error-message {
-				font-size: 11px;
-				line-height: 16px;
-			}
-
-			&__docs-button {
-				font-size: 11px;
-				padding: 5px 8px;
-			}
-
-			&__message-badge {
-				padding: 0 12px 10px;
-				gap: 8px;
-			}
-
-			&__message-item {
-				font-size: 11px;
-				padding: 2px 12px 2px 22px;
-				margin-bottom: 2px;
-			}
-		}
-	}
 }
 
 .keys-tab {
@@ -553,7 +429,7 @@
 	}
 }
 
-.sa-delete-dialog {
+.sa-disable-dialog {
 	background: var(--l2-background);
 	border: 1px solid var(--l2-border);
 

frontend/src/components/ServiceAccountDrawer/ServiceAccountDrawer.tsx

@@ -1,29 +1,25 @@
 import { useCallback, useEffect, useMemo, useState } from 'react';
-import { useQueryClient } from 'react-query';
 import { Button } from '@signozhq/button';
 import { DrawerWrapper } from '@signozhq/drawer';
-import { Key, LayoutGrid, Plus, Trash2, X } from '@signozhq/icons';
+import { Key, LayoutGrid, Plus, PowerOff, X } from '@signozhq/icons';
 import { toast } from '@signozhq/sonner';
 import { ToggleGroup, ToggleGroupItem } from '@signozhq/toggle-group';
 import { Pagination, Skeleton } from 'antd';
 import { convertToApiError } from 'api/ErrorResponseHandlerForGeneratedAPIs';
 import {
-	getListServiceAccountsQueryKey,
 	useGetServiceAccount,
 	useListServiceAccountKeys,
 	useUpdateServiceAccount,
 } from 'api/generated/services/serviceaccount';
-import type { RenderErrorResponseDTO } from 'api/generated/services/sigNoz.schemas';
+import { RenderErrorResponseDTO } from 'api/generated/services/sigNoz.schemas';
 import { AxiosError } from 'axios';
 import ErrorInPlace from 'components/ErrorInPlace/ErrorInPlace';
 import { useRoles } from 'components/RolesSelect';
 import { SA_QUERY_PARAMS } from 'container/ServiceAccountsSettings/constants';
 import {
 	ServiceAccountRow,
-	ServiceAccountStatus,
 	toServiceAccountRow,
 } from 'container/ServiceAccountsSettings/utils';
-import { useServiceAccountRoleManager } from 'hooks/serviceAccount/useServiceAccountRoleManager';
 import {
 	parseAsBoolean,
 	parseAsInteger,
@@ -31,14 +27,12 @@ import {
 	parseAsStringEnum,
 	useQueryState,
 } from 'nuqs';
-import APIError from 'types/api/error';
 import { toAPIError } from 'utils/errorUtils';
 
 import AddKeyModal from './AddKeyModal';
-import DeleteAccountModal from './DeleteAccountModal';
+import DisableAccountModal from './DisableAccountModal';
 import KeysTab from './KeysTab';
 import OverviewTab from './OverviewTab';
-import type { SaveError } from './utils';
 import { ServiceAccountDrawerTab } from './utils';
 
 import './ServiceAccountDrawer.styles.scss';
@@ -75,16 +69,12 @@ function ServiceAccountDrawer({
 		SA_QUERY_PARAMS.ADD_KEY,
 		parseAsBoolean.withDefault(false),
 	);
-	const [, setIsDeleteOpen] = useQueryState(
-		SA_QUERY_PARAMS.DELETE_SA,
+	const [, setIsDisableOpen] = useQueryState(
+		SA_QUERY_PARAMS.DISABLE_SA,
 		parseAsBoolean.withDefault(false),
 	);
 	const [localName, setLocalName] = useState('');
 	const [localRoles, setLocalRoles] = useState<string[]>([]);
-	const [isSaving, setIsSaving] = useState(false);
-	const [saveErrors, setSaveErrors] = useState<SaveError[]>([]);
-
-	const queryClient = useQueryClient();
 
 	const {
 		data: accountData,
@@ -103,30 +93,21 @@ function ServiceAccountDrawer({
 		[accountData],
 	);
 
-	const { currentRoles, applyDiff } = useServiceAccountRoleManager(
-		selectedAccountId ?? '',
-	);
-
 	useEffect(() => {
-		if (account?.id) {
-			setLocalName(account?.name ?? '');
+		if (account) {
+			setLocalName(account.name ?? '');
+			setLocalRoles(account.roles ?? []);
 			setKeysPage(1);
 		}
-		setSaveErrors([]);
-	}, [account?.id, account?.name, setKeysPage]);
+		// eslint-disable-next-line react-hooks/exhaustive-deps
+	}, [account?.id]);
 
-	useEffect(() => {
-		setLocalRoles(currentRoles.map((r) => r.id).filter(Boolean) as string[]);
-	}, [currentRoles]);
-
-	const isDeleted =
-		account?.status?.toUpperCase() === ServiceAccountStatus.Deleted;
+	const isDisabled = account?.status?.toUpperCase() !== 'ACTIVE';
 
 	const isDirty =
 		account !== null &&
 		(localName !== (account.name ?? '') ||
-			JSON.stringify([...localRoles].sort()) !==
-				JSON.stringify([...currentRoles.map((r) => r.id).filter(Boolean)].sort()));
+			JSON.stringify(localRoles) !== JSON.stringify(account.roles ?? []));
 
 	const {
 		roles: availableRoles,
@@ -152,189 +133,51 @@ function ServiceAccountDrawer({
 		}
 	}, [keysLoading, keys.length, keysPage, setKeysPage]);
 
-	// the retry for this mutation is safe due to the api being idempotent on backend
-	const { mutateAsync: updateMutateAsync } = useUpdateServiceAccount();
-
-	const toSaveApiError = useCallback(
-		(err: unknown): APIError =>
-			convertToApiError(err as AxiosError<RenderErrorResponseDTO>) ??
-			toAPIError(err as AxiosError<RenderErrorResponseDTO>),
-		[],
-	);
-
-	const retryNameUpdate = useCallback(async (): Promise<void> => {
-		if (!account) {
-			return;
-		}
-		try {
-			await updateMutateAsync({
-				pathParams: { id: account.id },
-				data: { name: localName },
-			});
-			setSaveErrors((prev) => prev.filter((e) => e.context !== 'Name update'));
-			refetchAccount();
-			queryClient.invalidateQueries(getListServiceAccountsQueryKey());
-		} catch (err) {
-			setSaveErrors((prev) =>
-				prev.map((e) =>
-					e.context === 'Name update' ? { ...e, apiError: toSaveApiError(err) } : e,
-				),
-			);
-		}
-	}, [
-		account,
-		localName,
-		updateMutateAsync,
-		refetchAccount,
-		queryClient,
-		toSaveApiError,
-	]);
-
-	const handleNameChange = useCallback((name: string): void => {
-		setLocalName(name);
-		setSaveErrors((prev) => prev.filter((e) => e.context !== 'Name update'));
-	}, []);
-
-	const makeRoleRetry = useCallback(
-		(
-			context: string,
-			rawRetry: () => Promise<void>,
-		) => async (): Promise<void> => {
-			try {
-				await rawRetry();
-				setSaveErrors((prev) => prev.filter((e) => e.context !== context));
-			} catch (err) {
-				setSaveErrors((prev) =>
-					prev.map((e) =>
-						e.context === context ? { ...e, apiError: toSaveApiError(err) } : e,
-					),
-				);
-			}
-		},
-		[toSaveApiError],
-	);
-
-	const retryRolesUpdate = useCallback(async (): Promise<void> => {
-		try {
-			const failures = await applyDiff(localRoles, availableRoles);
-			if (failures.length === 0) {
-				setSaveErrors((prev) => prev.filter((e) => e.context !== 'Roles update'));
-			} else {
-				setSaveErrors((prev) => {
-					const rest = prev.filter((e) => e.context !== 'Roles update');
-					const roleErrors = failures.map((f) => {
-						const ctx = `Role '${f.roleName}'`;
-						return {
-							context: ctx,
-							apiError: toSaveApiError(f.error),
-							onRetry: makeRoleRetry(ctx, f.onRetry),
-						};
+	const { mutate: updateAccount, isLoading: isSaving } = useUpdateServiceAccount(
+		{
+			mutation: {
+				onSuccess: () => {
+					toast.success('Service account updated successfully', {
+						richColors: true,
 					});
-					return [...rest, ...roleErrors];
-				});
-			}
-		} catch (err) {
-			setSaveErrors((prev) =>
-				prev.map((e) =>
-					e.context === 'Roles update' ? { ...e, apiError: toSaveApiError(err) } : e,
-				),
-			);
-		}
-	}, [localRoles, availableRoles, applyDiff, toSaveApiError, makeRoleRetry]);
+					refetchAccount();
+					onSuccess({ closeDrawer: false });
+				},
+				onError: (error) => {
+					const errMessage =
+						convertToApiError(
+							error as AxiosError<RenderErrorResponseDTO, unknown> | null,
+						)?.getErrorMessage() || 'Failed to update service account';
+					toast.error(errMessage, { richColors: true });
+				},
+			},
+		},
+	);
 
-	const handleSave = useCallback(async (): Promise<void> => {
+	function handleSave(): void {
 		if (!account || !isDirty) {
 			return;
 		}
-		setSaveErrors([]);
-		setIsSaving(true);
-		try {
-			const namePromise =
-				localName !== (account.name ?? '')
-					? updateMutateAsync({
-							pathParams: { id: account.id },
-							data: { name: localName },
-					  })
-					: Promise.resolve();
-
-			const [nameResult, rolesResult] = await Promise.allSettled([
-				namePromise,
-				applyDiff(localRoles, availableRoles),
-			]);
-
-			const errors: SaveError[] = [];
-
-			if (nameResult.status === 'rejected') {
-				errors.push({
-					context: 'Name update',
-					apiError: toSaveApiError(nameResult.reason),
-					onRetry: retryNameUpdate,
-				});
-			}
-
-			if (rolesResult.status === 'rejected') {
-				errors.push({
-					context: 'Roles update',
-					apiError: toSaveApiError(rolesResult.reason),
-					onRetry: retryRolesUpdate,
-				});
-			} else {
-				for (const failure of rolesResult.value) {
-					const context = `Role '${failure.roleName}'`;
-					errors.push({
-						context,
-						apiError: toSaveApiError(failure.error),
-						onRetry: makeRoleRetry(context, failure.onRetry),
-					});
-				}
-			}
-
-			if (errors.length > 0) {
-				setSaveErrors(errors);
-			} else {
-				toast.success('Service account updated successfully', {
-					richColors: true,
-				});
-				onSuccess({ closeDrawer: false });
-			}
-
-			refetchAccount();
-			queryClient.invalidateQueries(getListServiceAccountsQueryKey());
-		} finally {
-			setIsSaving(false);
-		}
-	}, [
-		account,
-		isDirty,
-		localName,
-		localRoles,
-		availableRoles,
-		updateMutateAsync,
-		applyDiff,
-		refetchAccount,
-		onSuccess,
-		queryClient,
-		toSaveApiError,
-		retryNameUpdate,
-		makeRoleRetry,
-		retryRolesUpdate,
-	]);
+		updateAccount({
+			pathParams: { id: account.id },
+			data: { name: localName, email: account.email, roles: localRoles },
+		});
+	}
 
 	const handleClose = useCallback((): void => {
-		setIsDeleteOpen(null);
+		setIsDisableOpen(null);
 		setIsAddKeyOpen(null);
 		setSelectedAccountId(null);
 		setActiveTab(null);
 		setKeysPage(null);
 		setEditKeyId(null);
-		setSaveErrors([]);
 	}, [
 		setSelectedAccountId,
 		setActiveTab,
 		setKeysPage,
 		setEditKeyId,
 		setIsAddKeyOpen,
-		setIsDeleteOpen,
+		setIsDisableOpen,
 	]);
 
 	const drawerContent = (
@@ -377,7 +220,7 @@ function ServiceAccountDrawer({
 						variant="outlined"
 						size="sm"
 						color="secondary"
-						disabled={isDeleted}
+						disabled={isDisabled}
 						onClick={(): void => {
 							setIsAddKeyOpen(true);
 						}}
@@ -408,23 +251,22 @@ function ServiceAccountDrawer({
 							<OverviewTab
 								account={account}
 								localName={localName}
-								onNameChange={handleNameChange}
+								onNameChange={setLocalName}
 								localRoles={localRoles}
 								onRolesChange={setLocalRoles}
-								isDisabled={isDeleted}
+								isDisabled={isDisabled}
 								availableRoles={availableRoles}
 								rolesLoading={rolesLoading}
 								rolesError={rolesError}
 								rolesErrorObj={rolesErrorObj}
 								onRefetchRoles={refetchRoles}
-								saveErrors={saveErrors}
 							/>
 						)}
 						{activeTab === ServiceAccountDrawerTab.Keys && (
 							<KeysTab
 								keys={keys}
 								isLoading={keysLoading}
-								isDisabled={isDeleted}
+								isDisabled={isDisabled}
 								currentPage={keysPage}
 								pageSize={PAGE_SIZE}
 							/>
@@ -456,20 +298,20 @@ function ServiceAccountDrawer({
 					/>
 				) : (
 					<>
-						{!isDeleted && (
+						{!isDisabled && (
 							<Button
 								variant="ghost"
 								color="destructive"
 								className="sa-drawer__footer-btn"
 								onClick={(): void => {
-									setIsDeleteOpen(true);
+									setIsDisableOpen(true);
 								}}
 							>
-								<Trash2 size={12} />
-								Delete Service Account
+								<PowerOff size={12} />
+								Disable Service Account
 							</Button>
 						)}
-						{!isDeleted && (
+						{!isDisabled && (
 							<div className="sa-drawer__footer-right">
 								<Button
 									variant="solid"
@@ -517,7 +359,7 @@ function ServiceAccountDrawer({
 				className="sa-drawer"
 			/>
 
-			<DeleteAccountModal />
+			<DisableAccountModal />
 
 			<AddKeyModal />
 		</>

frontend/src/components/ServiceAccountDrawer/__tests__/EditKeyModal.test.tsx

@@ -1,5 +1,5 @@
 import { toast } from '@signozhq/sonner';
-import type { ServiceaccounttypesGettableFactorAPIKeyDTO } from 'api/generated/services/sigNoz.schemas';
+import type { ServiceaccounttypesFactorAPIKeyDTO } from 'api/generated/services/sigNoz.schemas';
 import { rest, server } from 'mocks-server/server';
 import { NuqsTestingAdapter } from 'nuqs/adapters/testing';
 import { render, screen, userEvent, waitFor } from 'tests/test-utils';
@@ -14,16 +14,17 @@ const mockToast = jest.mocked(toast);
 
 const SA_KEY_ENDPOINT = '*/api/v1/service_accounts/sa-1/keys/key-1';
 
-const mockKey: ServiceaccounttypesGettableFactorAPIKeyDTO = {
+const mockKey: ServiceaccounttypesFactorAPIKeyDTO = {
 	id: 'key-1',
 	name: 'Original Key Name',
 	expiresAt: 0,
 	lastObservedAt: null as any,
+	key: 'snz_abc123',
 	serviceAccountId: 'sa-1',
 };
 
 function renderModal(
-	keyItem: ServiceaccounttypesGettableFactorAPIKeyDTO | null = mockKey,
+	keyItem: ServiceaccounttypesFactorAPIKeyDTO | null = mockKey,
 	searchParams: Record<string, string> = {
 		account: 'sa-1',
 		'edit-key': 'key-1',

frontend/src/components/ServiceAccountDrawer/__tests__/KeysTab.test.tsx

@@ -1,5 +1,5 @@
 import { toast } from '@signozhq/sonner';
-import { ServiceaccounttypesGettableFactorAPIKeyDTO } from 'api/generated/services/sigNoz.schemas';
+import { ServiceaccounttypesFactorAPIKeyDTO } from 'api/generated/services/sigNoz.schemas';
 import { rest, server } from 'mocks-server/server';
 import { NuqsTestingAdapter } from 'nuqs/adapters/testing';
 import { render, screen, userEvent, waitFor } from 'tests/test-utils';
@@ -14,12 +14,13 @@ const mockToast = jest.mocked(toast);
 
 const SA_KEY_ENDPOINT = '*/api/v1/service_accounts/sa-1/keys/:fid';
 
-const keys: ServiceaccounttypesGettableFactorAPIKeyDTO[] = [
+const keys: ServiceaccounttypesFactorAPIKeyDTO[] = [
 	{
 		id: 'key-1',
 		name: 'Production Key',
 		expiresAt: 0,
 		lastObservedAt: null as any,
+		key: 'snz_prod_123',
 		serviceAccountId: 'sa-1',
 	},
 	{
@@ -27,6 +28,7 @@ const keys: ServiceaccounttypesGettableFactorAPIKeyDTO[] = [
 		name: 'Staging Key',
 		expiresAt: 1924905600, // 2030-12-31
 		lastObservedAt: new Date('2026-03-10T10:00:00Z'),
+		key: 'snz_stag_456',
 		serviceAccountId: 'sa-1',
 	},
 ];

frontend/src/components/ServiceAccountDrawer/__tests__/ServiceAccountDrawer.test.tsx

@@ -23,9 +23,7 @@ jest.mock('@signozhq/sonner', () => ({
 const ROLES_ENDPOINT = '*/api/v1/roles';
 const SA_KEYS_ENDPOINT = '*/api/v1/service_accounts/:id/keys';
 const SA_ENDPOINT = '*/api/v1/service_accounts/sa-1';
-const SA_DELETE_ENDPOINT = '*/api/v1/service_accounts/sa-1';
-const SA_ROLES_ENDPOINT = '*/api/v1/service_accounts/:id/roles';
-const SA_ROLE_DELETE_ENDPOINT = '*/api/v1/service_accounts/:id/roles/:rid';
+const SA_STATUS_ENDPOINT = '*/api/v1/service_accounts/sa-1/status';
 
 const activeAccountResponse = {
 	id: 'sa-1',
@@ -37,10 +35,10 @@ const activeAccountResponse = {
 	updatedAt: '2026-01-02T00:00:00Z',
 };
 
-const deletedAccountResponse = {
+const disabledAccountResponse = {
 	...activeAccountResponse,
 	id: 'sa-2',
-	status: 'DELETED',
+	status: 'DISABLED',
 };
 
 function renderDrawer(
@@ -69,23 +67,7 @@ describe('ServiceAccountDrawer', () => {
 			rest.put(SA_ENDPOINT, (_, res, ctx) =>
 				res(ctx.status(200), ctx.json({ status: 'success', data: {} })),
 			),
-			rest.delete(SA_DELETE_ENDPOINT, (_, res, ctx) =>
-				res(ctx.status(200), ctx.json({ status: 'success', data: {} })),
-			),
-			rest.get(SA_ROLES_ENDPOINT, (_, res, ctx) =>
-				res(
-					ctx.status(200),
-					ctx.json({
-						data: listRolesSuccessResponse.data.filter(
-							(r) => r.name === 'signoz-admin',
-						),
-					}),
-				),
-			),
-			rest.post(SA_ROLES_ENDPOINT, (_, res, ctx) =>
-				res(ctx.status(200), ctx.json({ status: 'success', data: {} })),
-			),
-			rest.delete(SA_ROLE_DELETE_ENDPOINT, (_, res, ctx) =>
+			rest.put(SA_STATUS_ENDPOINT, (_, res, ctx) =>
 				res(ctx.status(200), ctx.json({ status: 'success', data: {} })),
 			),
 		);
@@ -133,6 +115,8 @@ describe('ServiceAccountDrawer', () => {
 			expect(updateSpy).toHaveBeenCalledWith(
 				expect.objectContaining({
 					name: 'CI Bot Updated',
+					email: 'ci-bot@signoz.io',
+					roles: ['signoz-admin'],
 				}),
 			);
 			expect(onSuccess).toHaveBeenCalledWith({ closeDrawer: false });
@@ -141,7 +125,6 @@ describe('ServiceAccountDrawer', () => {
 
 	it('changing roles enables Save; clicking Save sends updated roles in payload', async () => {
 		const updateSpy = jest.fn();
-		const roleSpy = jest.fn();
 		const user = userEvent.setup({ pointerEventsCheck: 0 });
 
 		server.use(
@@ -149,10 +132,6 @@ describe('ServiceAccountDrawer', () => {
 				updateSpy(await req.json());
 				return res(ctx.status(200), ctx.json({ status: 'success', data: {} }));
 			}),
-			rest.post(SA_ROLES_ENDPOINT, async (req, res, ctx) => {
-				roleSpy(await req.json());
-				return res(ctx.status(200), ctx.json({ status: 'success', data: {} }));
-			}),
 		);
 
 		renderDrawer();
@@ -167,22 +146,21 @@ describe('ServiceAccountDrawer', () => {
 		await user.click(saveBtn);
 
 		await waitFor(() => {
-			expect(updateSpy).not.toHaveBeenCalled();
-			expect(roleSpy).toHaveBeenCalledWith(
+			expect(updateSpy).toHaveBeenCalledWith(
 				expect.objectContaining({
-					id: '019c24aa-2248-7585-a129-4188b3473c27',
+					roles: expect.arrayContaining(['signoz-admin', 'signoz-viewer']),
 				}),
 			);
 		});
 	});
 
-	it('"Delete Service Account" opens confirm dialog; confirming sends delete request', async () => {
-		const deleteSpy = jest.fn();
+	it('"Disable Service Account" opens confirm dialog; confirming sends correct status payload', async () => {
+		const statusSpy = jest.fn();
 		const user = userEvent.setup({ pointerEventsCheck: 0 });
 
 		server.use(
-			rest.delete(SA_DELETE_ENDPOINT, (_, res, ctx) => {
-				deleteSpy();
+			rest.put(SA_STATUS_ENDPOINT, async (req, res, ctx) => {
+				statusSpy(await req.json());
 				return res(ctx.status(200), ctx.json({ status: 'success', data: {} }));
 			}),
 		);
@@ -192,19 +170,19 @@ describe('ServiceAccountDrawer', () => {
 		await screen.findByDisplayValue('CI Bot');
 
 		await user.click(
-			screen.getByRole('button', { name: /Delete Service Account/i }),
+			screen.getByRole('button', { name: /Disable Service Account/i }),
 		);
 
 		const dialog = await screen.findByRole('dialog', {
-			name: /Delete service account CI Bot/i,
+			name: /Disable service account CI Bot/i,
 		});
 		expect(dialog).toBeInTheDocument();
 
-		const confirmBtns = screen.getAllByRole('button', { name: /^Delete$/i });
+		const confirmBtns = screen.getAllByRole('button', { name: /^Disable$/i });
 		await user.click(confirmBtns[confirmBtns.length - 1]);
 
 		await waitFor(() => {
-			expect(deleteSpy).toHaveBeenCalled();
+			expect(statusSpy).toHaveBeenCalledWith({ status: 'DISABLED' });
 		});
 
 		await waitFor(() => {
@@ -212,17 +190,14 @@ describe('ServiceAccountDrawer', () => {
 		});
 	});
 
-	it('deleted account shows read-only name, no Save button, no Delete button', async () => {
+	it('disabled account shows read-only name, no Save button, no Disable button', async () => {
 		server.use(
 			rest.get('*/api/v1/service_accounts/sa-2', (_, res, ctx) =>
-				res(ctx.status(200), ctx.json({ data: deletedAccountResponse })),
+				res(ctx.status(200), ctx.json({ data: disabledAccountResponse })),
 			),
 			rest.get('*/api/v1/service_accounts/sa-2/keys', (_, res, ctx) =>
 				res(ctx.status(200), ctx.json({ data: [] })),
 			),
-			rest.get('*/api/v1/service_accounts/sa-2/roles', (_, res, ctx) =>
-				res(ctx.status(200), ctx.json({ data: [] })),
-			),
 		);
 
 		renderDrawer({ account: 'sa-2' });
@@ -233,7 +208,7 @@ describe('ServiceAccountDrawer', () => {
 			screen.queryByRole('button', { name: /Save Changes/i }),
 		).not.toBeInTheDocument();
 		expect(
-			screen.queryByRole('button', { name: /Delete Service Account/i }),
+			screen.queryByRole('button', { name: /Disable Service Account/i }),
 		).not.toBeInTheDocument();
 		expect(screen.queryByDisplayValue('CI Bot')).not.toBeInTheDocument();
 	});
@@ -273,169 +248,3 @@ describe('ServiceAccountDrawer', () => {
 		).toBeInTheDocument();
 	});
 });
-
-describe('ServiceAccountDrawer – save-error UX', () => {
-	beforeEach(() => {
-		jest.clearAllMocks();
-		server.use(
-			rest.get(ROLES_ENDPOINT, (_, res, ctx) =>
-				res(ctx.status(200), ctx.json(listRolesSuccessResponse)),
-			),
-			rest.get(SA_KEYS_ENDPOINT, (_, res, ctx) =>
-				res(ctx.status(200), ctx.json({ data: [] })),
-			),
-			rest.get(SA_ENDPOINT, (_, res, ctx) =>
-				res(ctx.status(200), ctx.json({ data: activeAccountResponse })),
-			),
-			rest.put(SA_ENDPOINT, (_, res, ctx) =>
-				res(ctx.status(200), ctx.json({ status: 'success', data: {} })),
-			),
-			rest.delete(SA_DELETE_ENDPOINT, (_, res, ctx) =>
-				res(ctx.status(200), ctx.json({ status: 'success', data: {} })),
-			),
-			rest.get(SA_ROLES_ENDPOINT, (_, res, ctx) =>
-				res(
-					ctx.status(200),
-					ctx.json({
-						data: listRolesSuccessResponse.data.filter(
-							(r) => r.name === 'signoz-admin',
-						),
-					}),
-				),
-			),
-			rest.post(SA_ROLES_ENDPOINT, (_, res, ctx) =>
-				res(ctx.status(200), ctx.json({ status: 'success', data: {} })),
-			),
-			rest.delete(SA_ROLE_DELETE_ENDPOINT, (_, res, ctx) =>
-				res(ctx.status(200), ctx.json({ status: 'success', data: {} })),
-			),
-		);
-	});
-
-	afterEach(() => {
-		server.resetHandlers();
-	});
-
-	it('name update failure shows SaveErrorItem with "Name update" context', async () => {
-		const user = userEvent.setup({ pointerEventsCheck: 0 });
-
-		server.use(
-			rest.put(SA_ENDPOINT, (_, res, ctx) =>
-				res(
-					ctx.status(500),
-					ctx.json({
-						error: {
-							code: 'INTERNAL_ERROR',
-							message: 'name update failed',
-						},
-					}),
-				),
-			),
-		);
-
-		renderDrawer();
-
-		const nameInput = await screen.findByDisplayValue('CI Bot');
-		await user.clear(nameInput);
-		await user.type(nameInput, 'New Name');
-
-		const saveBtn = screen.getByRole('button', { name: /Save Changes/i });
-		await waitFor(() => expect(saveBtn).not.toBeDisabled());
-		await user.click(saveBtn);
-
-		expect(
-			await screen.findByText(/Name update.*name update failed/i, undefined, {
-				timeout: 5000,
-			}),
-		).toBeInTheDocument();
-	});
-
-	it('role update failure shows SaveErrorItem with the role name context', async () => {
-		const user = userEvent.setup({ pointerEventsCheck: 0 });
-
-		server.use(
-			rest.post(SA_ROLES_ENDPOINT, (_, res, ctx) =>
-				res(
-					ctx.status(500),
-					ctx.json({
-						error: {
-							code: 'INTERNAL_ERROR',
-							message: 'role assign failed',
-						},
-					}),
-				),
-			),
-		);
-
-		renderDrawer();
-
-		await screen.findByDisplayValue('CI Bot');
-
-		// Add the signoz-viewer role (which is not currently assigned)
-		await user.click(screen.getByLabelText('Roles'));
-		await user.click(await screen.findByTitle('signoz-viewer'));
-
-		const saveBtn = screen.getByRole('button', { name: /Save Changes/i });
-		await waitFor(() => expect(saveBtn).not.toBeDisabled());
-		await user.click(saveBtn);
-
-		expect(
-			await screen.findByText(
-				/Role 'signoz-viewer'.*role assign failed/i,
-				undefined,
-				{
-					timeout: 5000,
-				},
-			),
-		).toBeInTheDocument();
-	});
-
-	it('clicking Retry on a name-update error re-triggers the request; on success the error item is removed', async () => {
-		const user = userEvent.setup({ pointerEventsCheck: 0 });
-
-		// First: PUT always fails so the error appears
-		server.use(
-			rest.put(SA_ENDPOINT, (_, res, ctx) =>
-				res(
-					ctx.status(500),
-					ctx.json({
-						error: {
-							code: 'INTERNAL_ERROR',
-							message: 'name update failed',
-						},
-					}),
-				),
-			),
-		);
-
-		renderDrawer();
-
-		const nameInput = await screen.findByDisplayValue('CI Bot');
-		await user.clear(nameInput);
-		await user.type(nameInput, 'Retry Test');
-
-		const saveBtn = screen.getByRole('button', { name: /Save Changes/i });
-		await waitFor(() => expect(saveBtn).not.toBeDisabled());
-		await user.click(saveBtn);
-
-		await screen.findByText(/Name update.*name update failed/i, undefined, {
-			timeout: 5000,
-		});
-
-		server.use(
-			rest.put(SA_ENDPOINT, (_, res, ctx) =>
-				res(ctx.status(200), ctx.json({ status: 'success', data: {} })),
-			),
-		);
-
-		const retryBtn = screen.getByRole('button', { name: /Retry/i });
-		await user.click(retryBtn);
-
-		// Error item should be removed after successful retry
-		await waitFor(() => {
-			expect(
-				screen.queryByText(/Name update.*name update failed/i),
-			).not.toBeInTheDocument();
-		});
-	});
-});

frontend/src/components/ServiceAccountDrawer/utils.ts

@@ -1,13 +1,6 @@
 import { DATE_TIME_FORMATS } from 'constants/dateTimeFormats';
 import type { Dayjs } from 'dayjs';
 import dayjs from 'dayjs';
-import APIError from 'types/api/error';
-
-export interface SaveError {
-	context: string;
-	apiError: APIError;
-	onRetry: () => Promise<void>;
-}
 
 export enum ServiceAccountDrawerTab {
 	Overview = 'overview',

frontend/src/components/ServiceAccountsTable/__tests__/ServiceAccountsTable.test.tsx

@@ -8,6 +8,7 @@ const mockActiveAccount: ServiceAccountRow = {
 	id: 'sa-1',
 	name: 'CI Bot',
 	email: 'ci-bot@signoz.io',
+	roles: ['signoz-admin'],
 	status: 'ACTIVE',
 	createdAt: '2026-01-01T00:00:00Z',
 	updatedAt: '2026-01-02T00:00:00Z',
@@ -17,6 +18,7 @@ const mockDisabledAccount: ServiceAccountRow = {
 	id: 'sa-2',
 	name: 'Legacy Bot',
 	email: 'legacy@signoz.io',
+	roles: ['signoz-viewer', 'signoz-editor', 'billing-manager'],
 	status: 'DISABLED',
 	createdAt: '2025-06-01T00:00:00Z',
 	updatedAt: '2025-12-01T00:00:00Z',
@@ -37,6 +39,7 @@ describe('ServiceAccountsTable', () => {
 
 		expect(screen.getByText('CI Bot')).toBeInTheDocument();
 		expect(screen.getByText('ci-bot@signoz.io')).toBeInTheDocument();
+		expect(screen.getByText('signoz-admin')).toBeInTheDocument();
 		expect(screen.getByText('ACTIVE')).toBeInTheDocument();
 	});
 
@@ -46,6 +49,8 @@ describe('ServiceAccountsTable', () => {
 		);
 
 		expect(screen.getByText('DISABLED')).toBeInTheDocument();
+		expect(screen.getByText('signoz-viewer')).toBeInTheDocument();
+		expect(screen.getByText('+2')).toBeInTheDocument();
 	});
 
 	it('calls onRowClick with the correct account when a row is clicked', async () => {

frontend/src/components/ServiceAccountsTable/utils.tsx

@@ -25,6 +25,32 @@ export function NameEmailCell({
 	);
 }
 
+export function RolesCell({ roles }: { roles: string[] }): JSX.Element {
+	if (!roles || roles.length === 0) {
+		return <span className="sa-dash">—</span>;
+	}
+	const first = roles[0];
+	const overflow = roles.length - 1;
+	const tooltipContent = roles.slice(1).join(', ');
+
+	return (
+		<div className="sa-roles-cell">
+			<Badge color="vanilla">{first}</Badge>
+			{overflow > 0 && (
+				<Tooltip
+					title={tooltipContent}
+					overlayClassName="sa-tooltip"
+					overlayStyle={{ maxWidth: '600px' }}
+				>
+					<Badge color="vanilla" variant="outline" className="sa-status-badge">
+						+{overflow}
+					</Badge>
+				</Tooltip>
+			)}
+		</div>
+	);
+}
+
 export function StatusBadge({ status }: { status: string }): JSX.Element {
 	if (status?.toUpperCase() === 'ACTIVE') {
 		return (
@@ -33,16 +59,9 @@ export function StatusBadge({ status }: { status: string }): JSX.Element {
 			</Badge>
 		);
 	}
-	if (status?.toUpperCase() === 'DELETED') {
-		return (
-			<Badge color="cherry" variant="outline">
-				DELETED
-			</Badge>
-		);
-	}
 	return (
 		<Badge color="vanilla" variant="outline" className="sa-status-badge">
-			{status ? status.toUpperCase() : 'UNKNOWN'}
+			DISABLED
 		</Badge>
 	);
 }
@@ -79,6 +98,13 @@ export const columns: ColumnsType<ServiceAccountRow> = [
 			<NameEmailCell name={record.name} email={record.email} />
 		),
 	},
+	{
+		title: 'Roles',
+		dataIndex: 'roles',
+		key: 'roles',
+		width: 420,
+		render: (roles: string[]): JSX.Element => <RolesCell roles={roles} />,
+	},
 	{
 		title: 'Status',
 		dataIndex: 'status',

frontend/src/constants/routes.ts

@@ -38,6 +38,7 @@ const ROUTES = {
 	SETTINGS: '/settings',
 	MY_SETTINGS: '/settings/my-settings',
 	ORG_SETTINGS: '/settings/org-settings',
+	API_KEYS: '/settings/api-keys',
 	INGESTION_SETTINGS: '/settings/ingestion-settings',
 	SOMETHING_WENT_WRONG: '/something-went-wrong',
 	UN_AUTHORIZED: '/un-authorized',

frontend/src/constants/shortcutActions.tsx

@@ -248,5 +248,15 @@ export function createShortcutActions(deps: ActionDeps): CmdAction[] {
 			roles: ['ADMIN', 'EDITOR'],
 			perform: (): void => navigate(ROUTES.BILLING),
 		},
+		{
+			id: 'my-settings-api-keys',
+			name: 'Go to Account Settings API Keys',
+			shortcut: [GlobalShortcutsName.NavigateToSettingsAPIKeys],
+			keywords: 'account settings api keys',
+			section: 'Settings',
+			icon: <Settings size={14} />,
+			roles: ['ADMIN', 'EDITOR'],
+			perform: (): void => navigate(ROUTES.API_KEYS),
+		},
 	];
 }

frontend/src/constants/shortcuts/globalShortcuts.ts

@@ -26,6 +26,7 @@ export const GlobalShortcuts = {
 	NavigateToSettings: 'shift+g',
 	NavigateToSettingsIngestion: 'shift+g+i',
 	NavigateToSettingsBilling: 'shift+g+b',
+	NavigateToSettingsAPIKeys: 'shift+g+k',
 	NavigateToSettingsNotificationChannels: 'shift+g+n',
 };
 
@@ -46,6 +47,7 @@ export const GlobalShortcutsName = {
 	NavigateToSettings: 'shift+g',
 	NavigateToSettingsIngestion: 'shift+g+i',
 	NavigateToSettingsBilling: 'shift+g+b',
+	NavigateToSettingsAPIKeys: 'shift+g+k',
 	NavigateToSettingsNotificationChannels: 'shift+g+n',
 	NavigateToLogs: 'shift+l',
 	NavigateToLogsPipelines: 'shift+l+p',
@@ -70,6 +72,7 @@ export const GlobalShortcutsDescription = {
 	NavigateToSettings: 'Navigate to Settings',
 	NavigateToSettingsIngestion: 'Navigate to Ingestion Settings',
 	NavigateToSettingsBilling: 'Navigate to Billing Settings',
+	NavigateToSettingsAPIKeys: 'Navigate to API Keys Settings',
 	NavigateToSettingsNotificationChannels:
 		'Navigate to Notification Channels Settings',
 	NavigateToLogsPipelines: 'Navigate to Logs Pipelines',

frontend/src/container/APIKeys/APIKeys.styles.scss

@@ -0,0 +1,685 @@
+.api-key-container {
+	margin-top: 24px;
+	display: flex;
+	justify-content: center;
+	width: 100%;
+
+	.api-key-content {
+		width: calc(100% - 30px);
+		max-width: 736px;
+
+		.title {
+			color: var(--bg-vanilla-100);
+			font-size: var(--font-size-lg);
+			font-style: normal;
+			font-weight: var(--font-weight-normal);
+			line-height: 28px; /* 155.556% */
+			letter-spacing: -0.09px;
+		}
+
+		.subtitle {
+			color: var(--bg-vanilla-400);
+			font-size: var(--font-size-sm);
+			font-style: normal;
+			font-weight: var(--font-weight-normal);
+			line-height: 20px; /* 142.857% */
+			letter-spacing: -0.07px;
+		}
+
+		.api-keys-search-add-new {
+			display: flex;
+			align-items: center;
+			gap: 12px;
+
+			padding: 16px 0;
+
+			.add-new-api-key-btn {
+				display: flex;
+				align-items: center;
+				gap: 8px;
+			}
+		}
+
+		.ant-table-row {
+			.ant-table-cell {
+				padding: 0;
+				border: none;
+				background: var(--bg-ink-500);
+			}
+			.column-render {
+				margin: 8px 0 !important;
+				border-radius: 6px;
+				border: 1px solid var(--bg-slate-500);
+				background: var(--bg-ink-400);
+
+				.title-with-action {
+					display: flex;
+					justify-content: space-between;
+
+					align-items: center;
+					padding: 8px;
+
+					.api-key-data {
+						display: flex;
+						gap: 8px;
+						align-items: center;
+
+						.api-key-title {
+							display: flex;
+							align-items: center;
+							gap: 6px;
+
+							.ant-typography {
+								color: var(--bg-vanilla-400);
+								font-size: var(--font-size-sm);
+								font-style: normal;
+								font-weight: var(--font-weight-medium);
+								line-height: 20px;
+								letter-spacing: -0.07px;
+							}
+						}
+
+						.api-key-value {
+							display: flex;
+							align-items: center;
+							gap: 12px;
+
+							border-radius: 20px;
+							padding: 0px 12px;
+
+							background: var(--bg-ink-200);
+
+							.ant-typography {
+								color: var(--bg-vanilla-400);
+								font-size: var(--font-size-xs);
+								font-family: 'Space Mono', monospace;
+								font-style: normal;
+								font-weight: var(--font-weight-medium);
+								line-height: 20px;
+								letter-spacing: -0.07px;
+							}
+
+							.copy-key-btn {
+								cursor: pointer;
+							}
+						}
+					}
+
+					.action-btn {
+						display: flex;
+						align-items: center;
+						gap: 4px;
+						cursor: pointer;
+					}
+
+					.visibility-btn {
+						border: 1px solid rgba(113, 144, 249, 0.2);
+						background: rgba(113, 144, 249, 0.1);
+					}
+				}
+
+				.ant-collapse {
+					border: none;
+
+					.ant-collapse-header {
+						padding: 0px 8px;
+
+						display: flex;
+						align-items: center;
+						background-color: #121317;
+					}
+
+					.ant-collapse-content {
+						border-top: 1px solid var(--bg-slate-500);
+					}
+
+					.ant-collapse-item {
+						border-bottom: none;
+					}
+
+					.ant-collapse-expand-icon {
+						padding-inline-end: 0px;
+					}
+				}
+
+				.api-key-details {
+					display: flex;
+					align-items: center;
+					justify-content: space-between;
+					gap: 8px;
+					border-top: 1px solid var(--bg-slate-500);
+					padding: 8px;
+
+					.api-key-tag {
+						width: 14px;
+						height: 14px;
+						border-radius: 50px;
+						background: var(--bg-slate-300);
+						display: flex;
+						justify-content: center;
+						align-items: center;
+
+						.tag-text {
+							color: var(--bg-vanilla-400);
+							leading-trim: both;
+							text-edge: cap;
+							font-size: 10px;
+							font-style: normal;
+							font-weight: var(--font-weight-normal);
+							line-height: normal;
+							letter-spacing: -0.05px;
+						}
+					}
+
+					.api-key-created-by {
+						margin-left: 8px;
+					}
+
+					.api-key-last-used-at {
+						display: flex;
+						align-items: center;
+						gap: 8px;
+
+						.ant-typography {
+							color: var(--bg-vanilla-400);
+							font-size: var(--font-size-sm);
+							font-style: normal;
+							font-weight: var(--font-weight-normal);
+							line-height: 18px; /* 128.571% */
+							letter-spacing: -0.07px;
+							font-variant-numeric: lining-nums tabular-nums stacked-fractions
+								slashed-zero;
+							font-feature-settings: 'dlig' on, 'salt' on, 'cpsp' on, 'case' on;
+						}
+					}
+
+					.api-key-expires-in {
+						font-style: normal;
+						font-weight: 400;
+						line-height: 18px;
+
+						display: flex;
+						align-items: center;
+						gap: 8px;
+
+						.dot {
+							height: 6px;
+							width: 6px;
+							border-radius: 50%;
+						}
+
+						&.warning {
+							color: var(--bg-amber-400);
+
+							.dot {
+								background: var(--bg-amber-400);
+								box-shadow: 0px 0px 6px 0px var(--bg-amber-400);
+							}
+						}
+
+						&.danger {
+							color: var(--bg-cherry-400);
+
+							.dot {
+								background: var(--bg-cherry-400);
+								box-shadow: 0px 0px 6px 0px var(--bg-cherry-400);
+							}
+						}
+					}
+				}
+			}
+		}
+
+		.ant-pagination-item {
+			display: flex;
+			justify-content: center;
+			align-items: center;
+
+			> a {
+				color: var(--bg-vanilla-400);
+				font-variant-numeric: lining-nums tabular-nums slashed-zero;
+				font-feature-settings: 'dlig' on, 'salt' on, 'case' on, 'cpsp' on;
+				font-size: var(--font-size-sm);
+				font-style: normal;
+				font-weight: var(--font-weight-normal);
+				line-height: 20px; /* 142.857% */
+			}
+		}
+
+		.ant-pagination-item-active {
+			background-color: var(--bg-robin-500);
+			> a {
+				color: var(--bg-ink-500) !important;
+				font-size: var(--font-size-sm);
+				font-style: normal;
+				font-weight: var(--font-weight-medium);
+				line-height: 20px;
+			}
+		}
+	}
+}
+
+.api-key-info-container {
+	display: flex;
+	gap: 12px;
+	flex-direction: column;
+
+	.user-info {
+		display: flex;
+		gap: 8px;
+		align-items: center;
+		flex-wrap: wrap;
+
+		.user-avatar {
+			background-color: lightslategray;
+			vertical-align: middle;
+		}
+	}
+
+	.user-email {
+		display: inline-flex;
+		align-items: center;
+		gap: 12px;
+		border-radius: 20px;
+		padding: 0px 12px;
+		background: var(--bg-ink-200);
+
+		font-family: 'Space Mono', monospace;
+	}
+
+	.role {
+		display: flex;
+		align-items: center;
+		gap: 12px;
+	}
+}
+
+.api-key-modal {
+	.ant-modal-content {
+		border-radius: 4px;
+		border: 1px solid var(--bg-slate-500);
+		background: var(--bg-ink-400);
+		box-shadow: 0px -4px 16px 2px rgba(0, 0, 0, 0.2);
+		padding: 0;
+
+		.ant-modal-header {
+			background: none;
+			border-bottom: 1px solid var(--bg-slate-500);
+			padding: 16px;
+		}
+
+		.ant-modal-close-x {
+			font-size: 12px;
+		}
+
+		.ant-modal-body {
+			padding: 12px 16px;
+		}
+
+		.ant-modal-footer {
+			padding: 16px;
+			margin-top: 0;
+
+			display: flex;
+			justify-content: flex-end;
+		}
+	}
+}
+
+.api-key-access-role {
+	display: flex;
+
+	.ant-radio-button-wrapper {
+		font-size: 12px;
+		text-transform: capitalize;
+
+		&.ant-radio-button-wrapper-checked {
+			color: #fff;
+			background: var(--bg-slate-400, #1d212d);
+			border-color: var(--bg-slate-400, #1d212d);
+
+			&:hover {
+				color: #fff;
+				background: var(--bg-slate-400, #1d212d);
+				border-color: var(--bg-slate-400, #1d212d);
+
+				&::before {
+					background-color: var(--bg-slate-400, #1d212d);
+				}
+			}
+
+			&:focus {
+				color: #fff;
+				background: var(--bg-slate-400, #1d212d);
+				border-color: var(--bg-slate-400, #1d212d);
+			}
+		}
+	}
+
+	.tab {
+		border: 1px solid var(--bg-slate-400);
+
+		flex: 1;
+
+		display: flex;
+		justify-content: center;
+
+		&::before {
+			background: var(--bg-slate-400);
+		}
+
+		&.selected {
+			background: var(--bg-slate-400, #1d212d);
+		}
+	}
+
+	.role {
+		display: flex;
+		align-items: center;
+		gap: 8px;
+	}
+}
+
+.delete-api-key-modal {
+	width: calc(100% - 30px) !important; /* Adjust the 20px as needed */
+	max-width: 384px;
+	.ant-modal-content {
+		padding: 0;
+		border-radius: 4px;
+		border: 1px solid var(--bg-slate-500);
+		background: var(--bg-ink-400);
+		box-shadow: 0px -4px 16px 2px rgba(0, 0, 0, 0.2);
+
+		.ant-modal-header {
+			padding: 16px;
+			background: var(--bg-ink-400);
+		}
+
+		.ant-modal-body {
+			padding: 0px 16px 28px 16px;
+
+			.ant-typography {
+				color: var(--bg-vanilla-400);
+				font-size: var(--font-size-sm);
+				font-style: normal;
+				font-weight: var(--font-weight-normal);
+				line-height: 20px;
+				letter-spacing: -0.07px;
+			}
+
+			.api-key-input {
+				margin-top: 8px;
+				display: flex;
+				gap: 8px;
+			}
+
+			.ant-color-picker-trigger {
+				padding: 6px;
+				border-radius: 2px;
+				border: 1px solid var(--bg-slate-400);
+				background: var(--bg-ink-300);
+				width: 32px;
+				height: 32px;
+
+				.ant-color-picker-color-block {
+					border-radius: 50px;
+					width: 16px;
+					height: 16px;
+					flex-shrink: 0;
+
+					.ant-color-picker-color-block-inner {
+						display: flex;
+						justify-content: center;
+						align-items: center;
+					}
+				}
+			}
+		}
+
+		.ant-modal-footer {
+			display: flex;
+			justify-content: flex-end;
+			padding: 16px 16px;
+			margin: 0;
+
+			.cancel-btn {
+				display: flex;
+				align-items: center;
+				border: none;
+				border-radius: 2px;
+				background: var(--bg-slate-500);
+			}
+
+			.delete-btn {
+				display: flex;
+				align-items: center;
+				border: none;
+				border-radius: 2px;
+				background: var(--bg-cherry-500);
+				margin-left: 12px;
+			}
+
+			.delete-btn:hover {
+				color: var(--bg-vanilla-100);
+				background: var(--bg-cherry-600);
+			}
+		}
+	}
+
+	.title {
+		color: var(--bg-vanilla-100);
+		font-size: var(--font-size-sm);
+		font-style: normal;
+		font-weight: var(--font-weight-medium);
+		line-height: 20px; /* 142.857% */
+	}
+}
+
+.expiration-selector {
+	.ant-select-selector {
+		border: 1px solid var(--bg-slate-400) !important;
+	}
+}
+
+.newAPIKeyDetails {
+	display: flex;
+	flex-direction: column;
+	gap: 8px;
+}
+
+.copyable-text {
+	display: inline-flex;
+	align-items: center;
+	gap: 12px;
+	border-radius: 20px;
+	padding: 0px 12px;
+	background: var(--bg-ink-200, #23262e);
+
+	.copy-key-btn {
+		cursor: pointer;
+	}
+}
+
+.lightMode {
+	.api-key-container {
+		.api-key-content {
+			.title {
+				color: var(--bg-ink-500);
+			}
+
+			.ant-table-row {
+				.ant-table-cell {
+					background: var(--bg-vanilla-200);
+				}
+
+				&:hover {
+					.ant-table-cell {
+						background: var(--bg-vanilla-200) !important;
+					}
+				}
+
+				.column-render {
+					border: 1px solid var(--bg-vanilla-200);
+					background: var(--bg-vanilla-100);
+
+					.ant-collapse {
+						border: none;
+
+						.ant-collapse-header {
+							background: var(--bg-vanilla-100);
+						}
+
+						.ant-collapse-content {
+							border-top: 1px solid var(--bg-vanilla-300);
+						}
+					}
+
+					.title-with-action {
+						.api-key-title {
+							.ant-typography {
+								color: var(--bg-ink-500);
+							}
+						}
+
+						.api-key-value {
+							background: var(--bg-vanilla-200);
+
+							.ant-typography {
+								color: var(--bg-slate-400);
+							}
+
+							.copy-key-btn {
+								cursor: pointer;
+							}
+						}
+
+						.action-btn {
+							.ant-typography {
+								color: var(--bg-ink-500);
+							}
+						}
+					}
+
+					.api-key-details {
+						border-top: 1px solid var(--bg-vanilla-200);
+						.api-key-tag {
+							background: var(--bg-vanilla-200);
+							.tag-text {
+								color: var(--bg-ink-500);
+							}
+						}
+
+						.api-key-created-by {
+							color: var(--bg-ink-500);
+						}
+
+						.api-key-last-used-at {
+							.ant-typography {
+								color: var(--bg-ink-500);
+							}
+						}
+					}
+				}
+			}
+		}
+	}
+
+	.delete-api-key-modal {
+		.ant-modal-content {
+			border: 1px solid var(--bg-vanilla-200);
+			background: var(--bg-vanilla-100);
+
+			.ant-modal-header {
+				background: var(--bg-vanilla-100);
+
+				.title {
+					color: var(--bg-ink-500);
+				}
+			}
+
+			.ant-modal-body {
+				.ant-typography {
+					color: var(--bg-ink-500);
+				}
+
+				.api-key-input {
+					.ant-input {
+						background: var(--bg-vanilla-200);
+						color: var(--bg-ink-500);
+					}
+				}
+			}
+
+			.ant-modal-footer {
+				.cancel-btn {
+					background: var(--bg-vanilla-300);
+					color: var(--bg-ink-400);
+				}
+			}
+		}
+	}
+
+	.api-key-info-container {
+		.user-email {
+			background: var(--bg-vanilla-200);
+		}
+	}
+
+	.api-key-modal {
+		.ant-modal-content {
+			border-radius: 4px;
+			border: 1px solid var(--bg-vanilla-200);
+			background: var(--bg-vanilla-100);
+			box-shadow: 0px -4px 16px 2px rgba(0, 0, 0, 0.2);
+			padding: 0;
+
+			.ant-modal-header {
+				background: none;
+				border-bottom: 1px solid var(--bg-vanilla-200);
+				padding: 16px;
+			}
+		}
+	}
+
+	.api-key-access-role {
+		.ant-radio-button-wrapper {
+			&.ant-radio-button-wrapper-checked {
+				color: var(--bg-ink-400);
+				background: var(--bg-vanilla-300);
+				border-color: var(--bg-vanilla-300);
+
+				&:hover {
+					color: var(--bg-ink-400);
+					background: var(--bg-vanilla-300);
+					border-color: var(--bg-vanilla-300);
+
+					&::before {
+						background-color: var(--bg-vanilla-300);
+					}
+				}
+
+				&:focus {
+					color: var(--bg-ink-400);
+					background: var(--bg-vanilla-300);
+					border-color: var(--bg-vanilla-300);
+				}
+			}
+		}
+
+		.tab {
+			border: 1px solid var(--bg-vanilla-300);
+
+			&::before {
+				background: var(--bg-vanilla-300);
+			}
+
+			&.selected {
+				background: var(--bg-vanilla-300);
+			}
+		}
+	}
+
+	.copyable-text {
+		background: var(--bg-vanilla-200);
+	}
+}

frontend/src/container/APIKeys/APIKeys.test.tsx

@@ -0,0 +1,99 @@
+import {
+	createAPIKeyResponse,
+	getAPIKeysResponse,
+} from 'mocks-server/__mockdata__/apiKeys';
+import { server } from 'mocks-server/server';
+import { rest } from 'msw';
+import { act, fireEvent, render, screen, waitFor } from 'tests/test-utils';
+
+import APIKeys from './APIKeys';
+
+const apiKeysURL = 'http://localhost/api/v1/pats';
+
+describe('APIKeys component', () => {
+	beforeEach(() => {
+		server.use(
+			rest.get(apiKeysURL, (req, res, ctx) =>
+				res(ctx.status(200), ctx.json(getAPIKeysResponse)),
+			),
+		);
+
+		render(<APIKeys />);
+	});
+
+	afterEach(() => {
+		jest.clearAllMocks();
+	});
+
+	it('renders APIKeys component without crashing', () => {
+		expect(screen.getByText('API Keys')).toBeInTheDocument();
+		expect(
+			screen.getByText('Create and manage API keys for the SigNoz API'),
+		).toBeInTheDocument();
+	});
+
+	it('render list of Access Tokens', async () => {
+		server.use(
+			rest.get(apiKeysURL, (req, res, ctx) =>
+				res(ctx.status(200), ctx.json(getAPIKeysResponse)),
+			),
+		);
+
+		await waitFor(() => {
+			expect(screen.getByText('No Expiry Key')).toBeInTheDocument();
+			expect(screen.getByText('1-5 of 18 keys')).toBeInTheDocument();
+		});
+	});
+
+	it('opens add new key modal on button click', async () => {
+		fireEvent.click(screen.getByText('New Key'));
+		await waitFor(() => {
+			const createNewKeyBtn = screen.getByRole('button', {
+				name: /Create new key/i,
+			});
+
+			expect(createNewKeyBtn).toBeInTheDocument();
+		});
+	});
+
+	it('closes add new key modal on cancel button click', async () => {
+		fireEvent.click(screen.getByText('New Key'));
+
+		const createNewKeyBtn = screen.getByRole('button', {
+			name: /Create new key/i,
+		});
+
+		await waitFor(() => {
+			expect(createNewKeyBtn).toBeInTheDocument();
+		});
+		fireEvent.click(screen.getByText('Cancel'));
+		await waitFor(() => {
+			expect(createNewKeyBtn).not.toBeInTheDocument();
+		});
+	});
+
+	it('creates a new key on form submission', async () => {
+		server.use(
+			rest.post(apiKeysURL, (req, res, ctx) =>
+				res(ctx.status(200), ctx.json(createAPIKeyResponse)),
+			),
+		);
+
+		fireEvent.click(screen.getByText('New Key'));
+
+		const createNewKeyBtn = screen.getByRole('button', {
+			name: /Create new key/i,
+		});
+
+		await waitFor(() => {
+			expect(createNewKeyBtn).toBeInTheDocument();
+		});
+
+		act(() => {
+			const inputElement = screen.getByPlaceholderText('Enter Key Name');
+			fireEvent.change(inputElement, { target: { value: 'Top Secret' } });
+			fireEvent.click(screen.getByTestId('create-form-admin-role-btn'));
+			fireEvent.click(createNewKeyBtn);
+		});
+	});
+});

frontend/src/container/APIKeys/APIKeys.tsx

@@ -0,0 +1,874 @@
+import { ChangeEvent, useEffect, useState } from 'react';
+import { useTranslation } from 'react-i18next';
+import { useMutation } from 'react-query';
+import { useCopyToClipboard } from 'react-use';
+import { Color } from '@signozhq/design-tokens';
+import {
+	Avatar,
+	Button,
+	Col,
+	Collapse,
+	CollapseProps,
+	Flex,
+	Form,
+	Input,
+	Modal,
+	Radio,
+	Row,
+	Select,
+	Table,
+	TableProps,
+	Tooltip,
+	Typography,
+} from 'antd';
+import type { NotificationInstance } from 'antd/es/notification/interface';
+import createAPIKeyApi from 'api/v1/pats/create';
+import deleteAPIKeyApi from 'api/v1/pats/delete';
+import updateAPIKeyApi from 'api/v1/pats/update';
+import cx from 'classnames';
+import dayjs from 'dayjs';
+import relativeTime from 'dayjs/plugin/relativeTime';
+import { useGetAllAPIKeys } from 'hooks/APIKeys/useGetAllAPIKeys';
+import { useNotifications } from 'hooks/useNotifications';
+import {
+	CalendarClock,
+	Check,
+	ClipboardEdit,
+	Contact2,
+	Copy,
+	Eye,
+	Minus,
+	PenLine,
+	Plus,
+	Search,
+	Trash2,
+	View,
+	X,
+} from 'lucide-react';
+import { useAppContext } from 'providers/App/App';
+import APIError from 'types/api/error';
+import { APIKeyProps } from 'types/api/pat/types';
+import { USER_ROLES } from 'types/roles';
+
+import './APIKeys.styles.scss';
+
+dayjs.extend(relativeTime);
+
+export const showErrorNotification = (
+	notifications: NotificationInstance,
+	err: APIError,
+): void => {
+	notifications.error({
+		message: err.getErrorCode(),
+		description: err.getErrorMessage(),
+	});
+};
+
+type ExpiryOption = {
+	value: string;
+	label: string;
+};
+
+export const EXPIRATION_WITHIN_SEVEN_DAYS = 7;
+
+const API_KEY_EXPIRY_OPTIONS: ExpiryOption[] = [
+	{ value: '1', label: '1 day' },
+	{ value: '7', label: '1 week' },
+	{ value: '30', label: '1 month' },
+	{ value: '90', label: '3 months' },
+	{ value: '365', label: '1 year' },
+	{ value: '0', label: 'No Expiry' },
+];
+
+export const isExpiredToken = (expiryTimestamp: number): boolean => {
+	if (expiryTimestamp === 0) {
+		return false;
+	}
+	const currentTime = dayjs();
+	const tokenExpiresAt = dayjs.unix(expiryTimestamp);
+	return tokenExpiresAt.isBefore(currentTime);
+};
+
+export const getDateDifference = (
+	createdTimestamp: number,
+	expiryTimestamp: number,
+): number => {
+	const differenceInSeconds = Math.abs(expiryTimestamp - createdTimestamp);
+
+	// Convert seconds to days
+	return differenceInSeconds / (60 * 60 * 24);
+};
+
+function APIKeys(): JSX.Element {
+	const { user } = useAppContext();
+	const { notifications } = useNotifications();
+	const [isDeleteModalOpen, setIsDeleteModalOpen] = useState(false);
+	const [isAddModalOpen, setIsAddModalOpen] = useState(false);
+	const [showNewAPIKeyDetails, setShowNewAPIKeyDetails] = useState(false);
+	const [, handleCopyToClipboard] = useCopyToClipboard();
+
+	const [isEditModalOpen, setIsEditModalOpen] = useState(false);
+	const [activeAPIKey, setActiveAPIKey] = useState<APIKeyProps | null>();
+
+	const [searchValue, setSearchValue] = useState<string>('');
+	const [dataSource, setDataSource] = useState<APIKeyProps[]>([]);
+	const { t } = useTranslation(['apiKeys']);
+
+	const [editForm] = Form.useForm();
+	const [createForm] = Form.useForm();
+
+	const handleFormReset = (): void => {
+		editForm.resetFields();
+		createForm.resetFields();
+	};
+
+	const hideDeleteViewModal = (): void => {
+		handleFormReset();
+		setActiveAPIKey(null);
+		setIsDeleteModalOpen(false);
+	};
+
+	const showDeleteModal = (apiKey: APIKeyProps): void => {
+		setActiveAPIKey(apiKey);
+		setIsDeleteModalOpen(true);
+	};
+
+	const hideEditViewModal = (): void => {
+		handleFormReset();
+		setActiveAPIKey(null);
+		setIsEditModalOpen(false);
+	};
+
+	const hideAddViewModal = (): void => {
+		handleFormReset();
+		setShowNewAPIKeyDetails(false);
+		setActiveAPIKey(null);
+		setIsAddModalOpen(false);
+	};
+
+	const showEditModal = (apiKey: APIKeyProps): void => {
+		handleFormReset();
+		setActiveAPIKey(apiKey);
+
+		editForm.setFieldsValue({
+			name: apiKey.name,
+			role: apiKey.role || USER_ROLES.VIEWER,
+		});
+
+		setIsEditModalOpen(true);
+	};
+
+	const showAddModal = (): void => {
+		setActiveAPIKey(null);
+		setIsAddModalOpen(true);
+	};
+
+	const handleModalClose = (): void => {
+		setActiveAPIKey(null);
+	};
+
+	const {
+		data: APIKeys,
+		isLoading,
+		isRefetching,
+		refetch: refetchAPIKeys,
+		error,
+		isError,
+	} = useGetAllAPIKeys();
+
+	useEffect(() => {
+		setActiveAPIKey(APIKeys?.data?.[0]);
+	}, [APIKeys]);
+
+	useEffect(() => {
+		setDataSource(APIKeys?.data || []);
+	}, [APIKeys?.data]);
+
+	useEffect(() => {
+		if (isError) {
+			showErrorNotification(notifications, error as APIError);
+		}
+	}, [error, isError, notifications]);
+
+	const handleSearch = (e: ChangeEvent<HTMLInputElement>): void => {
+		setSearchValue(e.target.value);
+		const filteredData = APIKeys?.data?.filter(
+			(key: APIKeyProps) =>
+				key &&
+				key.name &&
+				key.name.toLowerCase().includes(e.target.value.toLowerCase()),
+		);
+		setDataSource(filteredData || []);
+	};
+
+	const clearSearch = (): void => {
+		setSearchValue('');
+	};
+
+	const { mutate: createAPIKey, isLoading: isLoadingCreateAPIKey } = useMutation(
+		createAPIKeyApi,
+		{
+			onSuccess: (data) => {
+				setShowNewAPIKeyDetails(true);
+				setActiveAPIKey(data.data);
+
+				refetchAPIKeys();
+			},
+			onError: (error) => {
+				showErrorNotification(notifications, error as APIError);
+			},
+		},
+	);
+
+	const { mutate: updateAPIKey, isLoading: isLoadingUpdateAPIKey } = useMutation(
+		updateAPIKeyApi,
+		{
+			onSuccess: () => {
+				refetchAPIKeys();
+				setIsEditModalOpen(false);
+			},
+			onError: (error) => {
+				showErrorNotification(notifications, error as APIError);
+			},
+		},
+	);
+
+	const { mutate: deleteAPIKey, isLoading: isDeleteingAPIKey } = useMutation(
+		deleteAPIKeyApi,
+		{
+			onSuccess: () => {
+				refetchAPIKeys();
+				setIsDeleteModalOpen(false);
+			},
+			onError: (error) => {
+				showErrorNotification(notifications, error as APIError);
+			},
+		},
+	);
+
+	const onDeleteHandler = (): void => {
+		clearSearch();
+
+		if (activeAPIKey) {
+			deleteAPIKey(activeAPIKey.id);
+		}
+	};
+
+	const onUpdateApiKey = (): void => {
+		editForm
+			.validateFields()
+			.then((values) => {
+				if (activeAPIKey) {
+					updateAPIKey({
+						id: activeAPIKey.id,
+						data: {
+							name: values.name,
+							role: values.role,
+						},
+					});
+				}
+			})
+			.catch((errorInfo) => {
+				console.error('error info', errorInfo);
+			});
+	};
+
+	const onCreateAPIKey = (): void => {
+		createForm
+			.validateFields()
+			.then((values) => {
+				if (user) {
+					createAPIKey({
+						name: values.name,
+						expiresInDays: parseInt(values.expiration, 10),
+						role: values.role,
+					});
+				}
+			})
+			.catch((errorInfo) => {
+				console.error('error info', errorInfo);
+			});
+	};
+
+	const handleCopyKey = (text: string): void => {
+		handleCopyToClipboard(text);
+		notifications.success({
+			message: 'Copied to clipboard',
+		});
+	};
+
+	const getFormattedTime = (epochTime: number): string => {
+		const timeOptions: Intl.DateTimeFormatOptions = {
+			hour: '2-digit',
+			minute: '2-digit',
+			second: '2-digit',
+			hour12: false,
+		};
+		const formattedTime = new Date(epochTime * 1000).toLocaleTimeString(
+			'en-US',
+			timeOptions,
+		);
+
+		const dateOptions: Intl.DateTimeFormatOptions = {
+			month: 'short',
+			day: 'numeric',
+			year: 'numeric',
+		};
+
+		const formattedDate = new Date(epochTime * 1000).toLocaleDateString(
+			'en-US',
+			dateOptions,
+		);
+
+		return `${formattedDate} ${formattedTime}`;
+	};
+
+	const handleCopyClose = (): void => {
+		if (activeAPIKey) {
+			handleCopyKey(activeAPIKey?.token);
+		}
+
+		hideAddViewModal();
+	};
+
+	const columns: TableProps<APIKeyProps>['columns'] = [
+		{
+			title: 'API Key',
+			key: 'api-key',
+			// eslint-disable-next-line sonarjs/cognitive-complexity
+			render: (APIKey: APIKeyProps): JSX.Element => {
+				const formattedDateAndTime =
+					APIKey && APIKey?.lastUsed && APIKey?.lastUsed !== 0
+						? getFormattedTime(APIKey?.lastUsed)
+						: 'Never';
+
+				const createdOn = new Date(APIKey.createdAt).toLocaleString();
+
+				const expiresIn =
+					APIKey.expiresAt === 0
+						? Number.POSITIVE_INFINITY
+						: getDateDifference(
+								new Date(APIKey?.createdAt).getTime() / 1000,
+								APIKey?.expiresAt,
+						  );
+
+				const isExpired = isExpiredToken(APIKey.expiresAt);
+
+				const expiresOn =
+					!APIKey.expiresAt || APIKey.expiresAt === 0
+						? 'No Expiry'
+						: getFormattedTime(APIKey.expiresAt);
+
+				const updatedOn =
+					!APIKey.updatedAt || APIKey.updatedAt === ''
+						? null
+						: new Date(APIKey.updatedAt).toLocaleString();
+
+				const items: CollapseProps['items'] = [
+					{
+						key: '1',
+						label: (
+							<div className="title-with-action">
+								<div className="api-key-data">
+									<div className="api-key-title">
+										<Typography.Text>{APIKey?.name}</Typography.Text>
+									</div>
+
+									<div className="api-key-value">
+										<Typography.Text>
+											{APIKey?.token.substring(0, 2)}********
+											{APIKey?.token.substring(APIKey.token.length - 2).trim()}
+										</Typography.Text>
+
+										<Copy
+											className="copy-key-btn"
+											size={12}
+											onClick={(e): void => {
+												e.stopPropagation();
+												e.preventDefault();
+												handleCopyKey(APIKey.token);
+											}}
+										/>
+									</div>
+
+									{APIKey.role === USER_ROLES.ADMIN && (
+										<Tooltip title={USER_ROLES.ADMIN}>
+											<Contact2 size={14} color={Color.BG_ROBIN_400} />
+										</Tooltip>
+									)}
+
+									{APIKey.role === USER_ROLES.EDITOR && (
+										<Tooltip title={USER_ROLES.EDITOR}>
+											<ClipboardEdit size={14} color={Color.BG_ROBIN_400} />
+										</Tooltip>
+									)}
+
+									{APIKey.role === USER_ROLES.VIEWER && (
+										<Tooltip title={USER_ROLES.VIEWER}>
+											<View size={14} color={Color.BG_ROBIN_400} />
+										</Tooltip>
+									)}
+
+									{!APIKey.role && (
+										<Tooltip title={USER_ROLES.ADMIN}>
+											<Contact2 size={14} color={Color.BG_ROBIN_400} />
+										</Tooltip>
+									)}
+								</div>
+								<div className="action-btn">
+									<Button
+										className="periscope-btn ghost"
+										icon={<PenLine size={14} />}
+										onClick={(e): void => {
+											e.stopPropagation();
+											e.preventDefault();
+											showEditModal(APIKey);
+										}}
+									/>
+
+									<Button
+										className="periscope-btn ghost"
+										icon={<Trash2 color={Color.BG_CHERRY_500} size={14} />}
+										onClick={(e): void => {
+											e.stopPropagation();
+											e.preventDefault();
+											showDeleteModal(APIKey);
+										}}
+									/>
+								</div>
+							</div>
+						),
+						children: (
+							<div className="api-key-info-container">
+								{APIKey?.createdByUser && (
+									<Row>
+										<Col span={6}> Creator </Col>
+										<Col span={12} className="user-info">
+											<Avatar className="user-avatar" size="small">
+												{APIKey?.createdByUser?.displayName?.substring(0, 1)}
+											</Avatar>
+
+											<Typography.Text>
+												{APIKey.createdByUser?.displayName}
+											</Typography.Text>
+
+											<div className="user-email">{APIKey.createdByUser?.email}</div>
+										</Col>
+									</Row>
+								)}
+								<Row>
+									<Col span={6}> Created on </Col>
+									<Col span={12}>
+										<Typography.Text>{createdOn}</Typography.Text>
+									</Col>
+								</Row>
+								{updatedOn && (
+									<Row>
+										<Col span={6}> Updated on </Col>
+										<Col span={12}>
+											<Typography.Text>{updatedOn}</Typography.Text>
+										</Col>
+									</Row>
+								)}
+
+								<Row>
+									<Col span={6}> Expires on </Col>
+									<Col span={12}>
+										<Typography.Text>{expiresOn}</Typography.Text>
+									</Col>
+								</Row>
+							</div>
+						),
+					},
+				];
+
+				return (
+					<div className="column-render">
+						<Collapse items={items} />
+
+						<div className="api-key-details">
+							<div className="api-key-last-used-at">
+								<CalendarClock size={14} />
+								Last used <Minus size={12} />
+								<Typography.Text>{formattedDateAndTime}</Typography.Text>
+							</div>
+
+							{!isExpired && expiresIn <= EXPIRATION_WITHIN_SEVEN_DAYS && (
+								<div
+									className={cx(
+										'api-key-expires-in',
+										expiresIn <= 3 ? 'danger' : 'warning',
+									)}
+								>
+									<span className="dot" /> Expires {dayjs().to(expiresOn)}
+								</div>
+							)}
+
+							{isExpired && (
+								<div className={cx('api-key-expires-in danger')}>
+									<span className="dot" /> Expired
+								</div>
+							)}
+						</div>
+					</div>
+				);
+			},
+		},
+	];
+
+	return (
+		<div className="api-key-container">
+			<div className="api-key-content">
+				<header>
+					<Typography.Title className="title">API Keys</Typography.Title>
+					<Typography.Text className="subtitle">
+						Create and manage API keys for the SigNoz API
+					</Typography.Text>
+				</header>
+
+				<div className="api-keys-search-add-new">
+					<Input
+						placeholder="Search for keys..."
+						prefix={<Search size={12} color={Color.BG_VANILLA_400} />}
+						value={searchValue}
+						onChange={handleSearch}
+					/>
+
+					<Button
+						className="add-new-api-key-btn"
+						type="primary"
+						onClick={showAddModal}
+					>
+						<Plus size={14} /> New Key
+					</Button>
+				</div>
+
+				<Table
+					columns={columns}
+					dataSource={dataSource}
+					loading={isLoading || isRefetching}
+					showHeader={false}
+					pagination={{
+						pageSize: 5,
+						hideOnSinglePage: true,
+						showTotal: (total: number, range: number[]): string =>
+							`${range[0]}-${range[1]} of ${total} keys`,
+					}}
+				/>
+			</div>
+
+			{/* Delete Key Modal */}
+			<Modal
+				className="delete-api-key-modal"
+				title={<span className="title">Delete Key</span>}
+				open={isDeleteModalOpen}
+				closable
+				afterClose={handleModalClose}
+				onCancel={hideDeleteViewModal}
+				destroyOnClose
+				footer={[
+					<Button
+						key="cancel"
+						onClick={hideDeleteViewModal}
+						className="cancel-btn"
+						icon={<X size={16} />}
+					>
+						Cancel
+					</Button>,
+					<Button
+						key="submit"
+						icon={<Trash2 size={16} />}
+						loading={isDeleteingAPIKey}
+						onClick={onDeleteHandler}
+						className="delete-btn"
+					>
+						Delete key
+					</Button>,
+				]}
+			>
+				<Typography.Text className="delete-text">
+					{t('delete_confirm_message', {
+						keyName: activeAPIKey?.name,
+					})}
+				</Typography.Text>
+			</Modal>
+
+			{/* Edit Key Modal */}
+			<Modal
+				className="api-key-modal"
+				title="Edit key"
+				open={isEditModalOpen}
+				key="edit-api-key-modal"
+				afterClose={handleModalClose}
+				// closable
+				onCancel={hideEditViewModal}
+				destroyOnClose
+				footer={[
+					<Button
+						key="cancel"
+						onClick={hideEditViewModal}
+						className="periscope-btn cancel-btn"
+						icon={<X size={16} />}
+					>
+						Cancel
+					</Button>,
+					<Button
+						className="periscope-btn primary"
+						key="submit"
+						type="primary"
+						loading={isLoadingUpdateAPIKey}
+						icon={<Check size={14} />}
+						onClick={onUpdateApiKey}
+					>
+						Update key
+					</Button>,
+				]}
+			>
+				<Form
+					name="edit-api-key-form"
+					key={activeAPIKey?.id}
+					form={editForm}
+					layout="vertical"
+					autoComplete="off"
+					initialValues={{
+						name: activeAPIKey?.name,
+						role: activeAPIKey?.role,
+					}}
+				>
+					<Form.Item
+						name="name"
+						label="Name"
+						rules={[{ required: true }, { type: 'string', min: 6 }]}
+					>
+						<Input placeholder="Enter Key Name" autoFocus />
+					</Form.Item>
+
+					<Form.Item name="role" label="Role">
+						<Flex vertical gap="middle">
+							<Radio.Group
+								buttonStyle="solid"
+								className="api-key-access-role"
+								defaultValue={activeAPIKey?.role}
+							>
+								<Radio.Button value={USER_ROLES.ADMIN} className={cx('tab')}>
+									<div className="role">
+										<Contact2 size={14} /> Admin
+									</div>
+								</Radio.Button>
+								<Radio.Button value={USER_ROLES.EDITOR} className={cx('tab')}>
+									<div className="role">
+										<ClipboardEdit size={14} /> Editor
+									</div>
+								</Radio.Button>
+								<Radio.Button value={USER_ROLES.VIEWER} className={cx('tab')}>
+									<div className="role">
+										<Eye size={14} /> Viewer
+									</div>
+								</Radio.Button>
+							</Radio.Group>
+						</Flex>
+					</Form.Item>
+				</Form>
+			</Modal>
+
+			{/* Create New Key Modal */}
+			<Modal
+				className="api-key-modal"
+				title="Create new key"
+				open={isAddModalOpen}
+				key="create-api-key-modal"
+				closable
+				onCancel={hideAddViewModal}
+				destroyOnClose
+				footer={
+					showNewAPIKeyDetails
+						? [
+								<Button
+									key="copy-key-close"
+									className="periscope-btn primary"
+									data-testid="copy-key-close-btn"
+									type="primary"
+									onClick={handleCopyClose}
+									icon={<Check size={12} />}
+								>
+									Copy key and close
+								</Button>,
+						  ]
+						: [
+								<Button
+									key="cancel"
+									onClick={hideAddViewModal}
+									className="periscope-btn cancel-btn"
+									icon={<X size={16} />}
+								>
+									Cancel
+								</Button>,
+								<Button
+									className="periscope-btn primary"
+									test-id="create-new-key"
+									key="submit"
+									type="primary"
+									icon={<Check size={14} />}
+									loading={isLoadingCreateAPIKey}
+									onClick={onCreateAPIKey}
+								>
+									Create new key
+								</Button>,
+						  ]
+				}
+			>
+				{!showNewAPIKeyDetails && (
+					<Form
+						key="createForm"
+						name="create-api-key-form"
+						form={createForm}
+						initialValues={{
+							role: USER_ROLES.ADMIN,
+							expiration: '1',
+							name: '',
+						}}
+						layout="vertical"
+						autoComplete="off"
+					>
+						<Form.Item
+							name="name"
+							label="Name"
+							rules={[{ required: true }, { type: 'string', min: 6 }]}
+							validateTrigger="onFinish"
+						>
+							<Input placeholder="Enter Key Name" autoFocus />
+						</Form.Item>
+
+						<Form.Item name="role" label="Role">
+							<Flex vertical gap="middle">
+								<Radio.Group
+									buttonStyle="solid"
+									className="api-key-access-role"
+									defaultValue={USER_ROLES.ADMIN}
+								>
+									<Radio.Button value={USER_ROLES.ADMIN} className={cx('tab')}>
+										<div className="role" data-testid="create-form-admin-role-btn">
+											<Contact2 size={14} /> Admin
+										</div>
+									</Radio.Button>
+									<Radio.Button value={USER_ROLES.EDITOR} className="tab">
+										<div className="role" data-testid="create-form-editor-role-btn">
+											<ClipboardEdit size={14} /> Editor
+										</div>
+									</Radio.Button>
+									<Radio.Button value={USER_ROLES.VIEWER} className="tab">
+										<div className="role" data-testid="create-form-viewer-role-btn">
+											<Eye size={14} /> Viewer
+										</div>
+									</Radio.Button>
+								</Radio.Group>
+							</Flex>
+						</Form.Item>
+						<Form.Item name="expiration" label="Expiration">
+							<Select
+								className="expiration-selector"
+								placeholder="Expiration"
+								options={API_KEY_EXPIRY_OPTIONS}
+							/>
+						</Form.Item>
+					</Form>
+				)}
+
+				{showNewAPIKeyDetails && (
+					<div className="api-key-info-container">
+						<Row>
+							<Col span={8}>Key</Col>
+							<Col span={16}>
+								<span className="copyable-text">
+									<Typography.Text>
+										{activeAPIKey?.token.substring(0, 2)}****************
+										{activeAPIKey?.token.substring(activeAPIKey.token.length - 2).trim()}
+									</Typography.Text>
+
+									<Copy
+										className="copy-key-btn"
+										size={12}
+										onClick={(): void => {
+											if (activeAPIKey) {
+												handleCopyKey(activeAPIKey.token);
+											}
+										}}
+									/>
+								</span>
+							</Col>
+						</Row>
+
+						<Row>
+							<Col span={8}>Name</Col>
+							<Col span={16}>{activeAPIKey?.name}</Col>
+						</Row>
+
+						<Row>
+							<Col span={8}>Role</Col>
+							<Col span={16}>
+								{activeAPIKey?.role === USER_ROLES.ADMIN && (
+									<div className="role">
+										<Contact2 size={14} /> Admin
+									</div>
+								)}
+								{activeAPIKey?.role === USER_ROLES.EDITOR && (
+									<div className="role">
+										{' '}
+										<ClipboardEdit size={14} /> Editor
+									</div>
+								)}
+								{activeAPIKey?.role === USER_ROLES.VIEWER && (
+									<div className="role">
+										{' '}
+										<View size={14} /> Viewer
+									</div>
+								)}
+							</Col>
+						</Row>
+
+						<Row>
+							<Col span={8}>Creator</Col>
+
+							<Col span={16} className="user-info">
+								<Avatar className="user-avatar" size="small">
+									{activeAPIKey?.createdByUser?.displayName?.substring(0, 1)}
+								</Avatar>
+
+								<Typography.Text>
+									{activeAPIKey?.createdByUser?.displayName}
+								</Typography.Text>
+
+								<div className="user-email">{activeAPIKey?.createdByUser?.email}</div>
+							</Col>
+						</Row>
+
+						{activeAPIKey?.createdAt && (
+							<Row>
+								<Col span={8}>Created on</Col>
+								<Col span={16}>
+									{new Date(activeAPIKey?.createdAt).toLocaleString()}
+								</Col>
+							</Row>
+						)}
+
+						{activeAPIKey?.expiresAt !== 0 && activeAPIKey?.expiresAt && (
+							<Row>
+								<Col span={8}>Expires on</Col>
+								<Col span={16}>{getFormattedTime(activeAPIKey?.expiresAt)}</Col>
+							</Row>
+						)}
+
+						{activeAPIKey?.expiresAt === 0 && (
+							<Row>
+								<Col span={8}>Expires on</Col>
+								<Col span={16}> No Expiry </Col>
+							</Row>
+						)}
+					</div>
+				)}
+			</Modal>
+		</div>
+	);
+}
+
+export default APIKeys;

frontend/src/container/Home/Home.tsx

@@ -16,6 +16,7 @@ import { ORG_PREFERENCES } from 'constants/orgPreferences';
 import { initialQueriesMap, PANEL_TYPES } from 'constants/queryBuilder';
 import { REACT_QUERY_KEY } from 'constants/reactQueryKeys';
 import ROUTES from 'constants/routes';
+import { IS_SERVICE_ACCOUNTS_ENABLED } from 'container/ServiceAccountsSettings/config';
 import { DEFAULT_TIME_RANGE } from 'container/TopNav/DateTimeSelectionV2/constants';
 import { useGetQueryRange } from 'hooks/queryBuilder/useGetQueryRange';
 import { useIsDarkMode } from 'hooks/useDarkMode';
@@ -264,21 +265,23 @@ export default function Home(): JSX.Element {
 
 	return (
 		<div className="home-container">
-			<PersistedAnnouncementBanner
-				type="warning"
-				storageKey={LOCALSTORAGE.DISMISSED_API_KEYS_DEPRECATION_BANNER}
-				message={
-					<>
-						<strong>API Keys</strong> have been deprecated and replaced by{' '}
-						<strong>Service Accounts</strong>. Please migrate to Service Accounts for
-						programmatic API access.
-					</>
-				}
-				action={{
-					label: 'Go to Service Accounts',
-					onClick: (): void => history.push(ROUTES.SERVICE_ACCOUNTS_SETTINGS),
-				}}
-			/>
+			{IS_SERVICE_ACCOUNTS_ENABLED && (
+				<PersistedAnnouncementBanner
+					type="warning"
+					storageKey={LOCALSTORAGE.DISMISSED_API_KEYS_DEPRECATION_BANNER}
+					message={
+						<>
+							<strong>API Keys</strong> have been deprecated and replaced by{' '}
+							<strong>Service Accounts</strong>. Please migrate to Service Accounts for
+							programmatic API access.
+						</>
+					}
+					action={{
+						label: 'Go to Service Accounts',
+						onClick: (): void => history.push(ROUTES.SERVICE_ACCOUNTS_SETTINGS),
+					}}
+				/>
+			)}
 
 			<div className="sticky-header">
 				<Header

frontend/src/container/ServiceAccountsSettings/ServiceAccountsSettings.tsx

@@ -1,10 +1,18 @@
 import { useCallback, useEffect, useMemo } from 'react';
+import { useQueryClient } from 'react-query';
 import { Button } from '@signozhq/button';
 import { Check, ChevronDown, Plus } from '@signozhq/icons';
 import { Input } from '@signozhq/input';
 import type { MenuProps } from 'antd';
 import { Dropdown } from 'antd';
-import { useListServiceAccounts } from 'api/generated/services/serviceaccount';
+import {
+	getGetServiceAccountQueryKey,
+	useListServiceAccounts,
+} from 'api/generated/services/serviceaccount';
+import type {
+	GetServiceAccount200,
+	ListServiceAccounts200,
+} from 'api/generated/services/sigNoz.schemas';
 import CreateServiceAccountModal from 'components/CreateServiceAccountModal/CreateServiceAccountModal';
 import ErrorInPlace from 'components/ErrorInPlace/ErrorInPlace';
 import ServiceAccountDrawer from 'components/ServiceAccountDrawer/ServiceAccountDrawer';
@@ -51,13 +59,29 @@ function ServiceAccountsSettings(): JSX.Element {
 		parseAsBoolean.withDefault(false),
 	);
 
+	const queryClient = useQueryClient();
+
+	const seedAccountCache = useCallback(
+		(data: ListServiceAccounts200) => {
+			data.data.forEach((account) => {
+				queryClient.setQueryData<GetServiceAccount200>(
+					getGetServiceAccountQueryKey({ id: account.id }),
+					(old) => old ?? { data: account, status: data.status },
+				);
+			});
+		},
+		[queryClient],
+	);
+
 	const {
 		data: serviceAccountsData,
 		isLoading,
 		isError,
 		error,
 		refetch: handleCreateSuccess,
-	} = useListServiceAccounts();
+	} = useListServiceAccounts({
+		query: { onSuccess: seedAccountCache },
+	});
 
 	const allAccounts = useMemo(
 		(): ServiceAccountRow[] =>
@@ -73,10 +97,10 @@ function ServiceAccountsSettings(): JSX.Element {
 		[allAccounts],
 	);
 
-	const deletedCount = useMemo(
+	const disabledCount = useMemo(
 		() =>
 			allAccounts.filter(
-				(a) => a.status?.toUpperCase() === ServiceAccountStatus.Deleted,
+				(a) => a.status?.toUpperCase() !== ServiceAccountStatus.Active,
 			).length,
 		[allAccounts],
 	);
@@ -88,9 +112,9 @@ function ServiceAccountsSettings(): JSX.Element {
 			result = result.filter(
 				(a) => a.status?.toUpperCase() === ServiceAccountStatus.Active,
 			);
-		} else if (filterMode === FilterMode.Deleted) {
+		} else if (filterMode === FilterMode.Disabled) {
 			result = result.filter(
-				(a) => a.status?.toUpperCase() === ServiceAccountStatus.Deleted,
+				(a) => a.status?.toUpperCase() !== ServiceAccountStatus.Active,
 			);
 		}
 
@@ -98,7 +122,9 @@ function ServiceAccountsSettings(): JSX.Element {
 			const q = searchQuery.trim().toLowerCase();
 			result = result.filter(
 				(a) =>
-					a.name?.toLowerCase().includes(q) || a.email?.toLowerCase().includes(q),
+					a.name?.toLowerCase().includes(q) ||
+					a.email?.toLowerCase().includes(q) ||
+					a.roles?.some((role: string) => role.toLowerCase().includes(q)),
 			);
 		}
 
@@ -148,15 +174,15 @@ function ServiceAccountsSettings(): JSX.Element {
 			},
 		},
 		{
-			key: FilterMode.Deleted,
+			key: FilterMode.Disabled,
 			label: (
 				<div className="sa-settings-filter-option">
-					<span>Deleted ⎯ {deletedCount}</span>
-					{filterMode === FilterMode.Deleted && <Check size={14} />}
+					<span>Disabled ⎯ {disabledCount}</span>
+					{filterMode === FilterMode.Disabled && <Check size={14} />}
 				</div>
 			),
 			onClick: (): void => {
-				setFilterMode(FilterMode.Deleted);
+				setFilterMode(FilterMode.Disabled);
 				setPage(1);
 			},
 		},
@@ -166,8 +192,8 @@ function ServiceAccountsSettings(): JSX.Element {
 		switch (filterMode) {
 			case FilterMode.Active:
 				return `Active ⎯ ${activeCount}`;
-			case FilterMode.Deleted:
-				return `Deleted ⎯ ${deletedCount}`;
+			case FilterMode.Disabled:
+				return `Disabled ⎯ ${disabledCount}`;
 			default:
 				return `All accounts ⎯ ${totalCount}`;
 		}

frontend/src/container/ServiceAccountsSettings/__tests__/ServiceAccountsSettings.integration.test.tsx

@@ -2,7 +2,7 @@ import type { ReactNode } from 'react';
 import { listRolesSuccessResponse } from 'mocks-server/__mockdata__/roles';
 import { rest, server } from 'mocks-server/server';
 import { NuqsTestingAdapter } from 'nuqs/adapters/testing';
-import { render, screen, userEvent, waitFor } from 'tests/test-utils';
+import { render, screen, userEvent } from 'tests/test-utils';
 
 import ServiceAccountsSettings from '../ServiceAccountsSettings';
 
@@ -149,7 +149,7 @@ describe('ServiceAccountsSettings (integration)', () => {
 		);
 
 		expect(
-			await screen.findByRole('button', { name: /Delete Service Account/i }),
+			await screen.findByRole('button', { name: /Disable Service Account/i }),
 		).toBeInTheDocument();
 	});
 
@@ -187,16 +187,14 @@ describe('ServiceAccountsSettings (integration)', () => {
 		await user.click(screen.getByRole('button', { name: /Save Changes/i }));
 
 		await screen.findByDisplayValue('CI Bot Updated');
-		await waitFor(() => {
-			expect(listRefetchSpy).toHaveBeenCalled();
-		});
+		expect(listRefetchSpy).toHaveBeenCalled();
 	});
 
 	it('"New Service Account" button opens the Create Service Account modal', async () => {
 		const user = userEvent.setup({ pointerEventsCheck: 0 });
 
 		render(
-			<NuqsTestingAdapter hasMemory>
+			<NuqsTestingAdapter>
 				<ServiceAccountsSettings />
 			</NuqsTestingAdapter>,
 		);

frontend/src/container/ServiceAccountsSettings/config.ts

@@ -0,0 +1 @@
+export const IS_SERVICE_ACCOUNTS_ENABLED = false;

frontend/src/container/ServiceAccountsSettings/constants.ts

@@ -9,5 +9,5 @@ export const SA_QUERY_PARAMS = {
 	ADD_KEY: 'add-key',
 	EDIT_KEY: 'edit-key',
 	REVOKE_KEY: 'revoke-key',
-	DELETE_SA: 'delete-sa',
+	DISABLE_SA: 'disable-sa',
 } as const;

frontend/src/container/ServiceAccountsSettings/utils.ts

@@ -8,6 +8,7 @@ export function toServiceAccountRow(
 		id: sa.id,
 		name: sa.name,
 		email: sa.email,
+		roles: sa.roles,
 		status: sa.status,
 		createdAt: toISOString(sa.createdAt),
 		updatedAt: toISOString(sa.updatedAt),
@@ -17,18 +18,19 @@ export function toServiceAccountRow(
 export enum FilterMode {
 	All = 'all',
 	Active = 'active',
-	Deleted = 'deleted',
+	Disabled = 'disabled',
 }
 
 export enum ServiceAccountStatus {
 	Active = 'ACTIVE',
-	Deleted = 'DELETED',
+	Disabled = 'DISABLED',
 }
 
 export interface ServiceAccountRow {
 	id: string;
 	name: string;
 	email: string;
+	roles: string[];
 	status: string;
 	createdAt: string | null;
 	updatedAt: string | null;

frontend/src/container/SideNav/SideNav.tsx

@@ -692,6 +692,9 @@ function SideNav({ isPinned }: { isPinned: boolean }): JSX.Element {
 		registerShortcut(GlobalShortcuts.NavigateToSettingsBilling, () =>
 			onClickHandler(ROUTES.BILLING, null),
 		);
+		registerShortcut(GlobalShortcuts.NavigateToSettingsAPIKeys, () =>
+			onClickHandler(ROUTES.API_KEYS, null),
+		);
 		registerShortcut(GlobalShortcuts.NavigateToSettingsNotificationChannels, () =>
 			onClickHandler(ROUTES.ALL_CHANNELS, null),
 		);
@@ -717,6 +720,7 @@ function SideNav({ isPinned }: { isPinned: boolean }): JSX.Element {
 			deregisterShortcut(GlobalShortcuts.NavigateToSettings);
 			deregisterShortcut(GlobalShortcuts.NavigateToSettingsIngestion);
 			deregisterShortcut(GlobalShortcuts.NavigateToSettingsBilling);
+			deregisterShortcut(GlobalShortcuts.NavigateToSettingsAPIKeys);
 			deregisterShortcut(GlobalShortcuts.NavigateToSettingsNotificationChannels);
 			deregisterShortcut(GlobalShortcuts.NavigateToLogsPipelines);
 			deregisterShortcut(GlobalShortcuts.NavigateToLogsViews);

frontend/src/container/SideNav/menuItems.tsx

@@ -19,6 +19,7 @@ import {
 	Github,
 	HardDrive,
 	Home,
+	Key,
 	Keyboard,
 	Layers2,
 	LayoutGrid,
@@ -365,6 +366,13 @@ export const settingsNavSections: SettingsNavSection[] = [
 				isEnabled: false,
 				itemKey: 'service-accounts',
 			},
+			{
+				key: ROUTES.API_KEYS,
+				label: 'API Keys',
+				icon: <Key size={16} />,
+				isEnabled: false,
+				itemKey: 'api-keys',
+			},
 			{
 				key: ROUTES.INGESTION_SETTINGS,
 				label: 'Ingestion',

frontend/src/container/TopNav/DateTimeSelectionV2/constants.ts

@@ -158,6 +158,7 @@ export const routesToSkip = [
 	ROUTES.MEMBERS_SETTINGS,
 	ROUTES.SERVICE_ACCOUNTS_SETTINGS,
 	ROUTES.INGESTION_SETTINGS,
+	ROUTES.API_KEYS,
 	ROUTES.ERROR_DETAIL,
 	ROUTES.LOGS_PIPELINES,
 	ROUTES.BILLING,

frontend/src/hooks/APIKeys/useGetAllAPIKeys.ts

@@ -0,0 +1,14 @@
+import { useQuery, UseQueryResult } from 'react-query';
+import list from 'api/v1/pats/list';
+import { SuccessResponseV2 } from 'types/api';
+import APIError from 'types/api/error';
+import { APIKeyProps } from 'types/api/pat/types';
+
+export const useGetAllAPIKeys = (): UseQueryResult<
+	SuccessResponseV2<APIKeyProps[]>,
+	APIError
+> =>
+	useQuery<SuccessResponseV2<APIKeyProps[]>, APIError>({
+		queryKey: ['APIKeys'],
+		queryFn: () => list(),
+	});

frontend/src/hooks/serviceAccount/useServiceAccountRoleManager.ts

@@ -1,113 +0,0 @@
-import { useCallback, useMemo } from 'react';
-import { useQueryClient } from 'react-query';
-import {
-	getGetServiceAccountRolesQueryKey,
-	useCreateServiceAccountRole,
-	useDeleteServiceAccountRole,
-	useGetServiceAccountRoles,
-} from 'api/generated/services/serviceaccount';
-import type { AuthtypesRoleDTO } from 'api/generated/services/sigNoz.schemas';
-
-export interface RoleUpdateFailure {
-	roleName: string;
-	error: unknown;
-	onRetry: () => Promise<void>;
-}
-
-interface UseServiceAccountRoleManagerResult {
-	currentRoles: AuthtypesRoleDTO[];
-	isLoading: boolean;
-	applyDiff: (
-		localRoleIds: string[],
-		availableRoles: AuthtypesRoleDTO[],
-	) => Promise<RoleUpdateFailure[]>;
-}
-
-export function useServiceAccountRoleManager(
-	accountId: string,
-): UseServiceAccountRoleManagerResult {
-	const queryClient = useQueryClient();
-
-	const { data, isLoading } = useGetServiceAccountRoles({ id: accountId });
-
-	const currentRoles = useMemo<AuthtypesRoleDTO[]>(() => data?.data ?? [], [
-		data?.data,
-	]);
-
-	// the retry for these mutations is safe due to being idempotent on backend
-	const { mutateAsync: createRole } = useCreateServiceAccountRole();
-	const { mutateAsync: deleteRole } = useDeleteServiceAccountRole();
-
-	const invalidateRoles = useCallback(
-		() =>
-			queryClient.invalidateQueries(
-				getGetServiceAccountRolesQueryKey({ id: accountId }),
-			),
-		[accountId, queryClient],
-	);
-
-	const applyDiff = useCallback(
-		async (
-			localRoleIds: string[],
-			availableRoles: AuthtypesRoleDTO[],
-		): Promise<RoleUpdateFailure[]> => {
-			const currentRoleIds = new Set(
-				currentRoles.map((r) => r.id).filter(Boolean),
-			);
-			const desiredRoleIds = new Set(
-				localRoleIds.filter((id) => id != null && id !== ''),
-			);
-
-			const addedRoles = availableRoles.filter(
-				(r) => r.id && desiredRoleIds.has(r.id) && !currentRoleIds.has(r.id),
-			);
-
-			const removedRoles = currentRoles.filter(
-				(r) => r.id && !desiredRoleIds.has(r.id),
-			);
-
-			const allOperations = [
-				...addedRoles.map((role) => ({
-					role,
-					run: (): ReturnType<typeof createRole> =>
-						createRole({ pathParams: { id: accountId }, data: { id: role.id } }),
-				})),
-				...removedRoles.map((role) => ({
-					role,
-					run: (): ReturnType<typeof deleteRole> =>
-						deleteRole({ pathParams: { id: accountId, rid: role.id } }),
-				})),
-			];
-
-			const results = await Promise.allSettled(
-				allOperations.map((op) => op.run()),
-			);
-
-			await invalidateRoles();
-
-			const failures: RoleUpdateFailure[] = [];
-			results.forEach((result, index) => {
-				if (result.status === 'rejected') {
-					const { role, run } = allOperations[index];
-					failures.push({
-						roleName: role.name ?? 'unknown',
-						error: result.reason,
-						onRetry: async (): Promise<void> => {
-							await run();
-							await invalidateRoles();
-						},
-					});
-				}
-			});
-
-			return failures;
-		},
-		[accountId, currentRoles, createRole, deleteRole, invalidateRoles],
-	);
-
-	return {
-		currentRoles,
-		isLoading,
-		applyDiff,
-	};
-}

frontend/src/mocks-server/__mockdata__/apiKeys.ts

@@ -0,0 +1,541 @@
+const createdByEmail = 'mando@signoz.io';
+
+export const getAPIKeysResponse = {
+	status: 'success',
+	data: [
+		{
+			id: '26',
+			userId: 'mandalorian',
+			createdByUser: {
+				id: '001',
+				name: 'Mando',
+				email: createdByEmail,
+				createdAt: 1707974098,
+				profilePictureURL: '',
+				notFound: false,
+			},
+			updatedByUser: {
+				id: '',
+				name: '',
+				email: '',
+				createdAt: 0,
+				profilePictureURL: '',
+				notFound: true,
+			},
+			token: 'T2DuASwpuUx3wlYraFl5r7N9G1ikBhzGuy2ihcIKDMs=',
+			role: 'ADMIN',
+			name: '1 Day Old',
+			createdAt: 1708010258,
+			expiresAt: 1708096658,
+			updatedAt: 1708010258,
+			lastUsed: 0,
+			revoked: false,
+			updatedByUserId: '',
+		},
+		{
+			id: '24',
+			userId: 'mandalorian',
+			createdByUser: {
+				id: '001',
+				name: 'Mando',
+				email: createdByEmail,
+				createdAt: 1707974098,
+				profilePictureURL: '',
+				notFound: false,
+			},
+			updatedByUser: {
+				id: '001',
+				name: 'Mando',
+				email: createdByEmail,
+				createdAt: 1707974098,
+				profilePictureURL: '',
+				notFound: false,
+			},
+			token: 'EteVs77BA4FFLJD/TsFE9c+CLX4kXVmlx+0GGK7dpXY=',
+			role: 'ADMIN',
+			name: '1 year expiry - updated',
+			createdAt: 1708008146,
+			expiresAt: 1739544146,
+			updatedAt: 1708008239,
+			lastUsed: 0,
+			revoked: false,
+			updatedByUserId: 'mandalorian',
+		},
+		{
+			id: '25',
+			userId: 'mandalorian',
+			createdByUser: {
+				id: '001',
+				name: 'Mando',
+				email: createdByEmail,
+				createdAt: 1707974098,
+				profilePictureURL: '',
+				notFound: false,
+			},
+			updatedByUser: {
+				id: '001',
+				name: 'Mando',
+				email: createdByEmail,
+				createdAt: 1707974098,
+				profilePictureURL: '',
+				notFound: false,
+			},
+			token: '1udrUFmRI6gdb8r/hLabS7zRlgfMQlUw/tz9sac82pE=',
+			role: 'ADMIN',
+			name: 'No Expiry Key',
+			createdAt: 1708008178,
+			expiresAt: 0,
+			updatedAt: 1708008190,
+			lastUsed: 0,
+			revoked: false,
+			updatedByUserId: 'mandalorian',
+		},
+		{
+			id: '22',
+			userId: 'mandalorian',
+			createdByUser: {
+				id: '001',
+				name: 'Mando',
+				email: createdByEmail,
+				createdAt: 1707974098,
+				profilePictureURL: '',
+				notFound: false,
+			},
+			updatedByUser: {
+				id: '001',
+				name: 'Mando',
+				email: createdByEmail,
+				createdAt: 1707974098,
+				profilePictureURL: '',
+				notFound: false,
+			},
+			token: 'gtqKF7g7avoe+Yu2+WhyDDLQSr6IsVaR5xpby2XhLAY=',
+			role: 'VIEWER',
+			name: 'No Expiry',
+			createdAt: 1708007395,
+			expiresAt: 0,
+			updatedAt: 1708007936,
+			lastUsed: 0,
+			revoked: false,
+			updatedByUserId: 'mandalorian',
+		},
+		{
+			id: '23',
+			userId: 'mandalorian',
+			createdByUser: {
+				id: '001',
+				name: 'Mando',
+				email: createdByEmail,
+				createdAt: 1707974098,
+				profilePictureURL: '',
+				notFound: false,
+			},
+			updatedByUser: {
+				id: '001',
+				name: 'Mando',
+				email: createdByEmail,
+				createdAt: 1707974098,
+				profilePictureURL: '',
+				notFound: false,
+			},
+			token: 'GM/TqEID8N4ynlvQHK38ITEvRAcn5XkJZpmd11xT3OQ=',
+			role: 'VIEWER',
+			name: 'No Expiry - 2',
+			createdAt: 1708007685,
+			expiresAt: 0,
+			updatedAt: 1708007786,
+			lastUsed: 0,
+			revoked: false,
+			updatedByUserId: 'mandalorian',
+		},
+		{
+			id: '19',
+			userId: 'mandalorian',
+			createdByUser: {
+				id: '001',
+				name: 'Mando',
+				email: createdByEmail,
+				createdAt: 1707974098,
+				profilePictureURL: '',
+				notFound: false,
+			},
+			updatedByUser: {
+				id: '001',
+				name: 'Mando',
+				email: createdByEmail,
+				createdAt: 1707974098,
+				profilePictureURL: '',
+				notFound: false,
+			},
+			token: 'Oj75e6Zr7JmjFcWIo0UK/Nl06RdC2BKOr/QVHoBA0gM=',
+			role: 'ADMIN',
+			name: '7 Days',
+			createdAt: 1708003326,
+			expiresAt: 1708608126,
+			updatedAt: 1708007380,
+			lastUsed: 0,
+			revoked: false,
+			updatedByUserId: 'mandalorian',
+		},
+		{
+			id: '20',
+			userId: 'mandalorian',
+			createdByUser: {
+				id: '001',
+				name: 'Mando',
+				email: createdByEmail,
+				createdAt: 1707974098,
+				profilePictureURL: '',
+				notFound: false,
+			},
+			updatedByUser: {
+				id: '001',
+				name: 'Mando',
+				email: createdByEmail,
+				createdAt: 1707974098,
+				profilePictureURL: '',
+				notFound: false,
+			},
+			token: 'T+sNdYe6I74ya/9mEKqB3UTrFm8+jwI0DiirqEx3bsM=',
+			role: 'EDITOR',
+			name: '1 month',
+			createdAt: 1708004012,
+			expiresAt: 1710596012,
+			updatedAt: 1708005206,
+			lastUsed: 0,
+			revoked: false,
+			updatedByUserId: 'mandalorian',
+		},
+		{
+			id: '21',
+			userId: 'mandalorian',
+			createdByUser: {
+				id: '001',
+				name: 'Mando',
+				email: createdByEmail,
+				createdAt: 1707974098,
+				profilePictureURL: '',
+				notFound: false,
+			},
+			updatedByUser: {
+				id: '001',
+				name: 'Mando',
+				email: createdByEmail,
+				createdAt: 1707974098,
+				profilePictureURL: '',
+				notFound: false,
+			},
+			token: 'JWw26FuymeHq+fsfFcb+2+Ls/MdokmeXxXdZisuaVeI=',
+			role: 'ADMIN',
+			name: '3 Months',
+			createdAt: 1708004755,
+			expiresAt: 1715780755,
+			updatedAt: 1708005197,
+			lastUsed: 0,
+			revoked: false,
+			updatedByUserId: 'mandalorian',
+		},
+		{
+			id: '17',
+			userId: 'mandalorian',
+			createdByUser: {
+				id: '001',
+				name: 'Mando',
+				email: createdByEmail,
+				createdAt: 1707974098,
+				profilePictureURL: '',
+				notFound: false,
+			},
+			updatedByUser: {
+				id: '',
+				name: '',
+				email: '',
+				createdAt: 0,
+				profilePictureURL: '',
+				notFound: true,
+			},
+			token: '2zDrYNr+IWXUyA14+afVvO6GI9dcHfEsOYxjA9mrprg=',
+			role: 'ADMIN',
+			name: 'New No Expiry',
+			createdAt: 1708000444,
+			expiresAt: 0,
+			updatedAt: 1708000444,
+			lastUsed: 0,
+			revoked: false,
+			updatedByUserId: '',
+		},
+		{
+			id: '14',
+			userId: 'mandalorian',
+			createdByUser: {
+				id: '001',
+				name: 'Mando',
+				email: createdByEmail,
+				createdAt: 1707974098,
+				profilePictureURL: '',
+				notFound: false,
+			},
+			updatedByUser: {
+				id: '',
+				name: '',
+				email: '',
+				createdAt: 0,
+				profilePictureURL: '',
+				notFound: true,
+			},
+			token: 'Q+/+UB2OrDPcS9b0+5A1dDXYmWHz0abbVVidF48QCso=',
+			role: 'EDITOR',
+			name: 'Editor Token for user 1',
+			createdAt: 1707997720,
+			expiresAt: 1708170520,
+			updatedAt: 1707997720,
+			lastUsed: 0,
+			revoked: false,
+			updatedByUserId: '',
+		},
+		{
+			id: '13',
+			userId: 'mandalorian',
+			createdByUser: {
+				id: '001',
+				name: 'Mando',
+				email: createdByEmail,
+				createdAt: 1707974098,
+				profilePictureURL: '',
+				notFound: false,
+			},
+			updatedByUser: {
+				id: '',
+				name: '',
+				email: '',
+				createdAt: 0,
+				profilePictureURL: '',
+				notFound: true,
+			},
+			token: '/X3OEaSOLrrJImvzIB3g5WGg+5831X89fZZQT1JaxvQ=',
+			role: 'EDITOR',
+			name: 'Editor Token for user 2',
+			createdAt: 1707997603,
+			expiresAt: 1708170403,
+			updatedAt: 1707997603,
+			lastUsed: 0,
+			revoked: false,
+			updatedByUserId: '',
+		},
+		{
+			id: '12',
+			userId: 'mandalorian',
+			createdByUser: {
+				id: '001',
+				name: 'Mando',
+				email: createdByEmail,
+				createdAt: 1707974098,
+				profilePictureURL: '',
+				notFound: false,
+			},
+			updatedByUser: {
+				id: '',
+				name: '',
+				email: '',
+				createdAt: 0,
+				profilePictureURL: '',
+				notFound: true,
+			},
+			token: 'bTs+Q6waIiP4KJ8L5N58EQonuapWMXsfEra/cmMwmbE=',
+			role: 'EDITOR',
+			name: 'Editor Token for user 3',
+			createdAt: 1707997539,
+			expiresAt: 1708170339,
+			updatedAt: 1707997539,
+			lastUsed: 0,
+			revoked: false,
+			updatedByUserId: '',
+		},
+		{
+			id: '11',
+			userId: 'mandalorian',
+			createdByUser: {
+				id: '001',
+				name: 'Mando',
+				email: createdByEmail,
+				createdAt: 1707974098,
+				profilePictureURL: '',
+				notFound: false,
+			},
+			updatedByUser: {
+				id: '',
+				name: '',
+				email: '',
+				createdAt: 0,
+				profilePictureURL: '',
+				notFound: true,
+			},
+			token: 'YaEqQHrH8KOnYFllor/8Tq653TgxPU1Z7ZDzY3+ETmI=',
+			role: 'EDITOR',
+			name: 'Editor Token for user',
+			createdAt: 1707997537,
+			expiresAt: 1708170337,
+			updatedAt: 1707997537,
+			lastUsed: 0,
+			revoked: false,
+			updatedByUserId: '',
+		},
+		{
+			id: '10',
+			userId: 'mandalorian',
+			createdByUser: {
+				id: '001',
+				name: 'Mando',
+				email: createdByEmail,
+				createdAt: 1707974098,
+				profilePictureURL: '',
+				notFound: false,
+			},
+			updatedByUser: {
+				id: '',
+				name: '',
+				email: '',
+				createdAt: 0,
+				profilePictureURL: '',
+				notFound: true,
+			},
+			token: 'Hg/QpMU9VQyqIuzSh9ND2454IN5uOHzVkv7owEtBcPo=',
+			role: 'EDITOR',
+			name: 'test123',
+			createdAt: 1707997288,
+			expiresAt: 1708083688,
+			updatedAt: 1707997288,
+			lastUsed: 0,
+			revoked: false,
+			updatedByUserId: '',
+		},
+		{
+			id: '9',
+			userId: 'mandalorian',
+			createdByUser: {
+				id: '001',
+				name: 'Mando',
+				email: createdByEmail,
+				createdAt: 1707974098,
+				profilePictureURL: '',
+				notFound: false,
+			},
+			updatedByUser: {
+				id: '',
+				name: '',
+				email: '',
+				createdAt: 0,
+				profilePictureURL: '',
+				notFound: true,
+			},
+			token: 'M5gMsccDthPTibquB7kR7ZSEI76y4endOxZPESZ9/po=',
+			role: 'VIEWER',
+			name: 'Viewer Token for user',
+			createdAt: 1707996747,
+			expiresAt: 1708255947,
+			updatedAt: 1707996747,
+			lastUsed: 0,
+			revoked: false,
+			updatedByUserId: '',
+		},
+		{
+			id: '8',
+			userId: 'mandalorian',
+			createdByUser: {
+				id: '001',
+				name: 'Mando',
+				email: createdByEmail,
+				createdAt: 1707974098,
+				profilePictureURL: '',
+				notFound: false,
+			},
+			updatedByUser: {
+				id: '',
+				name: '',
+				email: '',
+				createdAt: 0,
+				profilePictureURL: '',
+				notFound: true,
+			},
+			token: 'H8NVlOD09IcMgQ/rzfVucb+4+jEcqZ4ZRx6n7QztMSc=',
+			role: 'EDITOR',
+			name: 'Editor Token for user',
+			createdAt: 1707996736,
+			expiresAt: 1708169536,
+			updatedAt: 1707996736,
+			lastUsed: 0,
+			revoked: false,
+			updatedByUserId: '',
+		},
+		{
+			id: '7',
+			userId: 'mandalorian',
+			createdByUser: {
+				id: '001',
+				name: 'Mando',
+				email: createdByEmail,
+				createdAt: 1707974098,
+				profilePictureURL: '',
+				notFound: false,
+			},
+			updatedByUser: {
+				id: '',
+				name: '',
+				email: '',
+				createdAt: 0,
+				profilePictureURL: '',
+				notFound: true,
+			},
+			token: 'z24SswLmNlPVUgb1j6rfc2u4Kb4xSUolwb11cI8kbrs=',
+			role: 'ADMIN',
+			name: 'Admin Token for user',
+			createdAt: 1707996719,
+			expiresAt: 0,
+			updatedAt: 1707996719,
+			lastUsed: 0,
+			revoked: false,
+			updatedByUserId: '',
+		},
+		{
+			id: '5',
+			userId: 'mandalorian',
+			createdByUser: {
+				id: '001',
+				name: 'Mando',
+				email: createdByEmail,
+				createdAt: 1707974098,
+				profilePictureURL: '',
+				notFound: false,
+			},
+			updatedByUser: {
+				id: '001',
+				name: 'Mando',
+				email: createdByEmail,
+				createdAt: 1707974098,
+				profilePictureURL: '',
+				notFound: false,
+			},
+			token: 'SWuNSF08EB6+VN05312QaAsPum2wkqIm+ujiWZKnm2Q=',
+			role: 'EDITOR',
+			name: 'Editor Token',
+			createdAt: 1707992270,
+			expiresAt: 1708165070,
+			updatedAt: 1707995424,
+			lastUsed: 1707992517,
+			revoked: false,
+			updatedByUserId: 'mandalorian',
+		},
+	],
+};
+
+export const createAPIKeyResponse = {
+	status: 'success',
+	data: {
+		id: '57',
+		userId: 'mandalorian',
+		token: 'pQ5kiHjcbQ2FbKlS14LQjA2RzXEBi/KvBfM7BRSwltI=',
+		name: 'test1233',
+		createdAt: 1707818550,
+		expiresAt: 0,
+	},
+};

frontend/src/pages/Settings/Settings.tsx

@@ -5,6 +5,7 @@ import logEvent from 'api/common/logEvent';
 import RouteTab from 'components/RouteTab';
 import { FeatureKeys } from 'constants/features';
 import ROUTES from 'constants/routes';
+import { IS_SERVICE_ACCOUNTS_ENABLED } from 'container/ServiceAccountsSettings/config';
 import { routeConfig } from 'container/SideNav/config';
 import { getQueryString } from 'container/SideNav/helper';
 import { settingsNavSections } from 'container/SideNav/menuItems';
@@ -83,10 +84,12 @@ function SettingsPage(): JSX.Element {
 							item.key === ROUTES.ROLES_SETTINGS ||
 							item.key === ROUTES.ROLE_DETAILS ||
 							item.key === ROUTES.INTEGRATIONS ||
+							item.key === ROUTES.API_KEYS ||
 							item.key === ROUTES.INGESTION_SETTINGS ||
 							item.key === ROUTES.ORG_SETTINGS ||
 							item.key === ROUTES.MEMBERS_SETTINGS ||
-							item.key === ROUTES.SERVICE_ACCOUNTS_SETTINGS ||
+							(IS_SERVICE_ACCOUNTS_ENABLED &&
+								item.key === ROUTES.SERVICE_ACCOUNTS_SETTINGS) ||
 							item.key === ROUTES.SHORTCUTS
 								? true
 								: item.isEnabled,
@@ -115,9 +118,11 @@ function SettingsPage(): JSX.Element {
 							item.key === ROUTES.ROLES_SETTINGS ||
 							item.key === ROUTES.ROLE_DETAILS ||
 							item.key === ROUTES.INTEGRATIONS ||
+							item.key === ROUTES.API_KEYS ||
 							item.key === ROUTES.ORG_SETTINGS ||
 							item.key === ROUTES.MEMBERS_SETTINGS ||
-							item.key === ROUTES.SERVICE_ACCOUNTS_SETTINGS ||
+							(IS_SERVICE_ACCOUNTS_ENABLED &&
+								item.key === ROUTES.SERVICE_ACCOUNTS_SETTINGS) ||
 							item.key === ROUTES.INGESTION_SETTINGS
 								? true
 								: item.isEnabled,
@@ -141,9 +146,11 @@ function SettingsPage(): JSX.Element {
 					updatedItems = updatedItems.map((item) => ({
 						...item,
 						isEnabled:
+							item.key === ROUTES.API_KEYS ||
 							item.key === ROUTES.ORG_SETTINGS ||
 							item.key === ROUTES.MEMBERS_SETTINGS ||
-							item.key === ROUTES.SERVICE_ACCOUNTS_SETTINGS
+							(IS_SERVICE_ACCOUNTS_ENABLED &&
+								item.key === ROUTES.SERVICE_ACCOUNTS_SETTINGS)
 								? true
 								: item.isEnabled,
 					}));

frontend/src/pages/Settings/__tests__/Settings.test.tsx

@@ -53,6 +53,7 @@ describe('SettingsPage nav sections', () => {
 			'billing',
 			'roles',
 			'members',
+			'api-keys',
 			'sso',
 			'integrations',
 			'ingestion',
@@ -81,9 +82,12 @@ describe('SettingsPage nav sections', () => {
 			expect(screen.getByTestId(id)).toBeInTheDocument();
 		});
 
-		it.each(['billing', 'roles'])('does not render "%s" element', (id) => {
-			expect(screen.queryByTestId(id)).not.toBeInTheDocument();
-		});
+		it.each(['billing', 'roles', 'api-keys'])(
+			'does not render "%s" element',
+			(id) => {
+				expect(screen.queryByTestId(id)).not.toBeInTheDocument();
+			},
+		);
 	});
 
 	describe('Self-hosted Admin', () => {
@@ -95,7 +99,7 @@ describe('SettingsPage nav sections', () => {
 			});
 		});
 
-		it.each(['roles', 'members', 'integrations', 'sso', 'ingestion'])(
+		it.each(['roles', 'members', 'api-keys', 'integrations', 'sso', 'ingestion'])(
 			'renders "%s" element',
 			(id) => {
 				expect(screen.getByTestId(id)).toBeInTheDocument();

frontend/src/pages/Settings/config.tsx

@@ -1,6 +1,7 @@
 import { RouteTabProps } from 'components/RouteTab/types';
 import ROUTES from 'constants/routes';
 import AlertChannels from 'container/AllAlertChannels';
+import APIKeys from 'container/APIKeys/APIKeys';
 import BillingContainer from 'container/BillingContainer/BillingContainer';
 import CreateAlertChannels from 'container/CreateAlertChannels';
 import { ChannelType } from 'container/CreateAlertChannels/config';
@@ -21,6 +22,7 @@ import {
 	Cpu,
 	CreditCard,
 	Keyboard,
+	KeySquare,
 	Pencil,
 	Plus,
 	Shield,
@@ -112,6 +114,19 @@ export const generalSettingsCloud = (t: TFunction): RouteTabProps['routes'] => [
 	},
 ];
 
+export const apiKeys = (t: TFunction): RouteTabProps['routes'] => [
+	{
+		Component: APIKeys,
+		name: (
+			<div className="periscope-tab">
+				<KeySquare size={16} /> {t('routes:api_keys').toString()}
+			</div>
+		),
+		route: ROUTES.API_KEYS,
+		key: ROUTES.API_KEYS,
+	},
+];
+
 export const billingSettings = (t: TFunction): RouteTabProps['routes'] => [
 	{
 		Component: BillingContainer,

frontend/src/pages/Settings/utils.ts

@@ -1,9 +1,11 @@
 import { RouteTabProps } from 'components/RouteTab/types';
+import { IS_SERVICE_ACCOUNTS_ENABLED } from 'container/ServiceAccountsSettings/config';
 import { TFunction } from 'i18next';
 import { ROLES, USER_ROLES } from 'types/roles';
 
 import {
 	alertChannels,
+	apiKeys,
 	billingSettings,
 	createAlertChannels,
 	editAlertChannels,
@@ -62,7 +64,11 @@ export const getRoutes = (
 	settings.push(...alertChannels(t));
 
 	if (isAdmin) {
-		settings.push(...membersSettings(t), ...serviceAccountsSettings(t));
+		settings.push(...apiKeys(t), ...membersSettings(t));
+
+		if (IS_SERVICE_ACCOUNTS_ENABLED) {
+			settings.push(...serviceAccountsSettings(t));
+		}
 	}
 
 	// todo: Sagar - check the condition for role list and details page, to whom we want to serve

frontend/src/tests/test-utils.tsx

@@ -47,9 +47,6 @@ const queryClient = new QueryClient({
 			refetchOnWindowFocus: false,
 			retry: false,
 		},
-		mutations: {
-			retry: false,
-		},
 	},
 });
 

frontend/src/types/api/pat/types.ts

@@ -0,0 +1,56 @@
+export interface User {
+	createdAt?: number;
+	email?: string;
+	id: string;
+	displayName?: string;
+}
+
+export interface APIKeyProps {
+	name: string;
+	expiresAt: number;
+	role: string;
+	token: string;
+	id: string;
+	createdAt: string;
+	createdByUser?: User;
+	updatedAt?: string;
+	updatedByUser?: User;
+	lastUsed?: number;
+}
+
+export interface CreatePayloadProps {
+	data: APIKeyProps;
+	status: string;
+}
+
+export interface CreateAPIKeyProps {
+	name: string;
+	expiresInDays: number;
+	role: string;
+}
+
+export interface AllAPIKeyProps {
+	status: string;
+	data: APIKeyProps[];
+}
+
+export interface CreateAPIKeyProp {
+	data: APIKeyProps;
+}
+
+export interface DeleteAPIKeyPayloadProps {
+	status: string;
+}
+
+export interface UpdateAPIKeyProps {
+	id: string;
+	data: {
+		name: string;
+		role: string;
+	};
+}
+
+export type PayloadProps = {
+	status: string;
+	data: string;
+};

frontend/src/utils/permission/index.ts

@@ -108,6 +108,7 @@ export const routePermission: Record<keyof typeof ROUTES, ROLES[]> = {
 	TRACES_SAVE_VIEWS: ['ADMIN', 'EDITOR', 'VIEWER'],
 	TRACES_FUNNELS: ['ADMIN', 'EDITOR', 'VIEWER'],
 	TRACES_FUNNELS_DETAIL: ['ADMIN', 'EDITOR', 'VIEWER'],
+	API_KEYS: ['ADMIN'],
 	LOGS_BASE: ['ADMIN', 'EDITOR', 'VIEWER'],
 	OLD_LOGS_EXPLORER: ['ADMIN', 'EDITOR', 'VIEWER'],
 	SHORTCUTS: ['ADMIN', 'EDITOR', 'VIEWER'],

pkg/apiserver/signozapiserver/provider.go

@@ -23,6 +23,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/rulestatehistory"
 	"github.com/SigNoz/signoz/pkg/modules/serviceaccount"
 	"github.com/SigNoz/signoz/pkg/modules/session"
+	"github.com/SigNoz/signoz/pkg/modules/tracedetail"
 	"github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/querier"
 	"github.com/SigNoz/signoz/pkg/types"
@@ -57,6 +58,7 @@ type provider struct {
 	factoryHandler          factory.Handler
 	cloudIntegrationHandler cloudintegration.Handler
 	ruleStateHistoryHandler rulestatehistory.Handler
+	traceDetailHandler      tracedetail.Handler
 }
 
 func NewFactory(
@@ -83,6 +85,7 @@ func NewFactory(
 	factoryHandler factory.Handler,
 	cloudIntegrationHandler cloudintegration.Handler,
 	ruleStateHistoryHandler rulestatehistory.Handler,
+	traceDetailHandler tracedetail.Handler,
 ) factory.ProviderFactory[apiserver.APIServer, apiserver.Config] {
 	return factory.NewProviderFactory(factory.MustNewName("signoz"), func(ctx context.Context, providerSettings factory.ProviderSettings, config apiserver.Config) (apiserver.APIServer, error) {
 		return newProvider(
@@ -112,6 +115,7 @@ func NewFactory(
 			factoryHandler,
 			cloudIntegrationHandler,
 			ruleStateHistoryHandler,
+			traceDetailHandler,
 		)
 	})
 }
@@ -143,6 +147,7 @@ func newProvider(
 	factoryHandler factory.Handler,
 	cloudIntegrationHandler cloudintegration.Handler,
 	ruleStateHistoryHandler rulestatehistory.Handler,
+	traceDetailHandler tracedetail.Handler,
 ) (apiserver.APIServer, error) {
 	settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/apiserver/signozapiserver")
 	router := mux.NewRouter().UseEncodedPath()
@@ -172,6 +177,7 @@ func newProvider(
 		factoryHandler:          factoryHandler,
 		cloudIntegrationHandler: cloudIntegrationHandler,
 		ruleStateHistoryHandler: ruleStateHistoryHandler,
+		traceDetailHandler:      traceDetailHandler,
 	}
 
 	provider.authZ = middleware.NewAuthZ(settings.Logger(), orgGetter, authz)
@@ -272,6 +278,10 @@ func (provider *provider) AddToRouter(router *mux.Router) error {
 		return err
 	}
 
+	if err := provider.addTraceDetailRoutes(router); err != nil {
+		return err
+	}
+
 	return nil
 }
 

pkg/apiserver/signozapiserver/serviceaccount.go

@@ -5,7 +5,6 @@ import (
 
 	"github.com/SigNoz/signoz/pkg/http/handler"
 	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"
 	"github.com/gorilla/mux"
 )
@@ -45,23 +44,6 @@ func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/me", handler.New(provider.authZ.OpenAccess(provider.serviceAccountHandler.GetMe), handler.OpenAPIDef{
-		ID:                  "GetMyServiceAccount",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Gets my service account",
-		Description:         "This endpoint gets my service account",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            new(serviceaccounttypes.ServiceAccountWithRoles),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusOK,
-		ErrorStatusCodes:    []int{http.StatusNotFound},
-		Deprecated:          false,
-		SecuritySchemes:     nil,
-	})).Methods(http.MethodGet).GetError(); err != nil {
-		return err
-	}
-
 	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.Get), handler.OpenAPIDef{
 		ID:                  "GetServiceAccount",
 		Tags:                []string{"serviceaccount"},
@@ -69,7 +51,7 @@ func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
 		Description:         "This endpoint gets an existing service account",
 		Request:             nil,
 		RequestContentType:  "",
-		Response:            new(serviceaccounttypes.ServiceAccountWithRoles),
+		Response:            new(serviceaccounttypes.ServiceAccount),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{http.StatusNotFound},
@@ -79,74 +61,6 @@ func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/service_accounts/{id}/roles", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.GetRoles), handler.OpenAPIDef{
-		ID:                  "GetServiceAccountRoles",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Gets service account roles",
-		Description:         "This endpoint gets all the roles for the existing service account",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            new([]*authtypes.Role),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusOK,
-		ErrorStatusCodes:    []int{http.StatusNotFound},
-		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
-	})).Methods(http.MethodGet).GetError(); err != nil {
-		return err
-	}
-
-	if err := router.Handle("/api/v1/service_accounts/{id}/roles", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.SetRole), handler.OpenAPIDef{
-		ID:                  "CreateServiceAccountRole",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Create service account role",
-		Description:         "This endpoint assigns a role to a service account",
-		Request:             new(serviceaccounttypes.PostableServiceAccountRole),
-		RequestContentType:  "",
-		Response:            new(types.Identifiable),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusCreated,
-		ErrorStatusCodes:    []int{http.StatusBadRequest},
-		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
-	})).Methods(http.MethodPost).GetError(); err != nil {
-		return err
-	}
-
-	if err := router.Handle("/api/v1/service_accounts/{id}/roles/{rid}", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.DeleteRole), handler.OpenAPIDef{
-		ID:                  "DeleteServiceAccountRole",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Delete service account role",
-		Description:         "This endpoint revokes a role from service account",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            nil,
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{},
-		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
-	})).Methods(http.MethodDelete).GetError(); err != nil {
-		return err
-	}
-
-	if err := router.Handle("/api/v1/service_accounts/me", handler.New(provider.authZ.OpenAccess(provider.serviceAccountHandler.UpdateMe), handler.OpenAPIDef{
-		ID:                  "UpdateMyServiceAccount",
-		Tags:                []string{"serviceaccount"},
-		Summary:             "Updates my service account",
-		Description:         "This endpoint gets my service account",
-		Request:             new(serviceaccounttypes.UpdatableServiceAccount),
-		RequestContentType:  "",
-		Response:            nil,
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{http.StatusNotFound},
-		Deprecated:          false,
-		SecuritySchemes:     nil,
-	})).Methods(http.MethodPut).GetError(); err != nil {
-		return err
-	}
-
 	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.Update), handler.OpenAPIDef{
 		ID:                  "UpdateServiceAccount",
 		Tags:                []string{"serviceaccount"},
@@ -164,6 +78,23 @@ func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
 		return err
 	}
 
+	if err := router.Handle("/api/v1/service_accounts/{id}/status", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.UpdateStatus), handler.OpenAPIDef{
+		ID:                  "UpdateServiceAccountStatus",
+		Tags:                []string{"serviceaccount"},
+		Summary:             "Updates a service account status",
+		Description:         "This endpoint updates an existing service account status",
+		Request:             new(serviceaccounttypes.UpdatableServiceAccountStatus),
+		RequestContentType:  "",
+		Response:            nil,
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusNoContent,
+		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusBadRequest},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodPut).GetError(); err != nil {
+		return err
+	}
+
 	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.Delete), handler.OpenAPIDef{
 		ID:                  "DeleteServiceAccount",
 		Tags:                []string{"serviceaccount"},
@@ -205,7 +136,7 @@ func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
 		Description:         "This endpoint lists the service account keys",
 		Request:             nil,
 		RequestContentType:  "",
-		Response:            make([]*serviceaccounttypes.GettableFactorAPIKey, 0),
+		Response:            make([]*serviceaccounttypes.FactorAPIKey, 0),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{},

pkg/apiserver/signozapiserver/tracedetail.go

@@ -0,0 +1,33 @@
+package signozapiserver
+
+import (
+	"net/http"
+
+	"github.com/SigNoz/signoz/pkg/http/handler"
+	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/types/tracedetailtypes"
+	"github.com/gorilla/mux"
+)
+
+func (provider *provider) addTraceDetailRoutes(router *mux.Router) error {
+	if err := router.Handle("/api/v3/traces/{traceId}/waterfall", handler.New(
+		provider.authZ.ViewAccess(provider.traceDetailHandler.GetWaterfall),
+		handler.OpenAPIDef{
+			ID:                  "GetWaterfall",
+			Tags:                []string{"tracedetail"},
+			Summary:             "Get waterfall view for a trace",
+			Description:         "Returns the waterfall view of spans for a given trace ID with tree structure, metadata, and windowed pagination",
+			Request:             new(tracedetailtypes.WaterfallRequest),
+			RequestContentType:  "application/json",
+			Response:            new(tracedetailtypes.WaterfallResponse),
+			ResponseContentType: "application/json",
+			SuccessStatusCode:   http.StatusOK,
+			ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},
+			SecuritySchemes:     newSecuritySchemes(types.RoleViewer),
+		},
+	)).Methods(http.MethodPost).GetError(); err != nil {
+		return err
+	}
+
+	return nil
+}

pkg/apiserver/signozapiserver/user.go

@@ -43,6 +43,74 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		return err
 	}
 
+	if err := router.Handle("/api/v1/pats", handler.New(provider.authZ.AdminAccess(provider.userHandler.CreateAPIKey), handler.OpenAPIDef{
+		ID:                  "CreateAPIKey",
+		Tags:                []string{"users"},
+		Summary:             "Create api key",
+		Description:         "This endpoint creates an api key",
+		Request:             new(types.PostableAPIKey),
+		RequestContentType:  "application/json",
+		Response:            new(types.GettableAPIKey),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusCreated,
+		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodPost).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/pats", handler.New(provider.authZ.AdminAccess(provider.userHandler.ListAPIKeys), handler.OpenAPIDef{
+		ID:                  "ListAPIKeys",
+		Tags:                []string{"users"},
+		Summary:             "List api keys",
+		Description:         "This endpoint lists all api keys",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            make([]*types.GettableAPIKey, 0),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/pats/{id}", handler.New(provider.authZ.AdminAccess(provider.userHandler.UpdateAPIKey), handler.OpenAPIDef{
+		ID:                  "UpdateAPIKey",
+		Tags:                []string{"users"},
+		Summary:             "Update api key",
+		Description:         "This endpoint updates an api key",
+		Request:             new(types.StorableAPIKey),
+		RequestContentType:  "application/json",
+		Response:            nil,
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusNoContent,
+		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodPut).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/pats/{id}", handler.New(provider.authZ.AdminAccess(provider.userHandler.RevokeAPIKey), handler.OpenAPIDef{
+		ID:                  "RevokeAPIKey",
+		Tags:                []string{"users"},
+		Summary:             "Revoke api key",
+		Description:         "This endpoint revokes an api key",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            nil,
+		ResponseContentType: "",
+		SuccessStatusCode:   http.StatusNoContent,
+		ErrorStatusCodes:    []int{http.StatusNotFound},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodDelete).GetError(); err != nil {
+		return err
+	}
+
 	if err := router.Handle("/api/v1/user", handler.New(provider.authZ.AdminAccess(provider.userHandler.ListUsersDeprecated), handler.OpenAPIDef{
 		ID:                  "ListUsersDeprecated",
 		Tags:                []string{"users"},

pkg/authn/passwordauthn/emailpasswordauthn/authn.go

@@ -21,7 +21,7 @@ func New(store authtypes.AuthNStore) *AuthN {
 }
 
 func (a *AuthN) Authenticate(ctx context.Context, email string, password string, orgID valuer.UUID) (*authtypes.Identity, error) {
-	user, factorPassword, _, err := a.store.GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx, email, orgID)
+	user, factorPassword, userRoles, err := a.store.GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx, email, orgID)
 	if err != nil {
 		return nil, err
 	}
@@ -30,5 +30,11 @@ func (a *AuthN) Authenticate(ctx context.Context, email string, password string,
 		return nil, errors.New(errors.TypeUnauthenticated, types.ErrCodeIncorrectPassword, "invalid email or password")
 	}
 
-	return authtypes.NewPrincipalUserIdentity(user.ID, orgID, user.Email, authtypes.IdentNProviderTokenizer), nil
+	if len(userRoles) == 0 {
+		return nil, errors.New(errors.TypeUnexpected, authtypes.ErrCodeUserRolesNotFound, "no user roles entries found")
+	}
+
+	role := authtypes.SigNozManagedRoleToExistingLegacyRole[userRoles[0].Role.Name]
+
+	return authtypes.NewIdentity(user.ID, orgID, user.Email, role, authtypes.IdentNProviderTokenizer), nil
 }

pkg/authz/authzstore/sqlauthzstore/store.go

@@ -97,7 +97,11 @@ func (store *store) ListByOrgIDAndNames(ctx context.Context, orgID valuer.UUID,
 	}
 
 	if len(roles) != len(names) {
-		return nil, errors.Newf(errors.TypeInvalidInput, authtypes.ErrCodeRoleNotFound, "not all roles found for the provided names: %v", names)
+		return nil, store.sqlstore.WrapNotFoundErrf(
+			nil,
+			authtypes.ErrCodeRoleNotFound,
+			"not all roles found for the provided names: %v", names,
+		)
 	}
 
 	return roles, nil
@@ -118,7 +122,11 @@ func (store *store) ListByOrgIDAndIDs(ctx context.Context, orgID valuer.UUID, id
 	}
 
 	if len(roles) != len(ids) {
-		return nil, errors.Newf(errors.TypeInvalidInput, authtypes.ErrCodeRoleNotFound, "not all roles found for the provided names: %v", ids)
+		return nil, store.sqlstore.WrapNotFoundErrf(
+			nil,
+			authtypes.ErrCodeRoleNotFound,
+			"not all roles found for the provided ids: %v", ids,
+		)
 	}
 
 	return roles, nil

pkg/authz/openfgaauthz/provider.go

@@ -148,12 +148,7 @@ func (provider *provider) Grant(ctx context.Context, orgID valuer.UUID, names []
 		return err
 	}
 
-	err = provider.Write(ctx, tuples, nil)
-	if err != nil {
-		return errors.WrapInternalf(err, errors.CodeInternal, "failed to grant roles: %v to subject: %s", names, subject)
-	}
-
-	return nil
+	return provider.Write(ctx, tuples, nil)
 }
 
 func (provider *provider) ModifyGrant(ctx context.Context, orgID valuer.UUID, existingRoleNames []string, updatedRoleNames []string, subject string) error {
@@ -185,13 +180,7 @@ func (provider *provider) Revoke(ctx context.Context, orgID valuer.UUID, names [
 	if err != nil {
 		return err
 	}
-
-	err = provider.Write(ctx, nil, tuples)
-	if err != nil {
-		return errors.WrapInternalf(err, errors.CodeInternal, "failed to revoke roles: %v to subject: %s", names, subject)
-	}
-
-	return nil
+	return provider.Write(ctx, nil, tuples)
 }
 
 func (provider *provider) CreateManagedRoles(ctx context.Context, _ valuer.UUID, managedRoles []*authtypes.Role) error {

pkg/authz/openfgaserver/server.go

@@ -140,22 +140,9 @@ func (server *Server) BatchCheck(ctx context.Context, tupleReq map[string]*openf
 }
 
 func (server *Server) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, _ authtypes.Relation, _ authtypes.Typeable, _ []authtypes.Selector, roleSelectors []authtypes.Selector) error {
-	subject := ""
-	switch claims.Principal {
-	case authtypes.PrincipalUser:
-		user, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
-		if err != nil {
-			return err
-		}
-
-		subject = user
-	case authtypes.PrincipalServiceAccount:
-		serviceAccount, err := authtypes.NewSubject(authtypes.TypeableServiceAccount, claims.ServiceAccountID, orgID, nil)
-		if err != nil {
-			return err
-		}
-
-		subject = serviceAccount
+	subject, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
+	if err != nil {
+		return err
 	}
 
 	tupleSlice, err := authtypes.TypeableRole.Tuples(subject, authtypes.RelationAssignee, roleSelectors, orgID)

pkg/http/middleware/authz.go

@@ -40,6 +40,17 @@ func (middleware *AuthZ) ViewAccess(next http.HandlerFunc) http.HandlerFunc {
 			return
 		}
 
+		if claims.IdentNProvider == authtypes.IdentNProviderAPIKey.StringValue() {
+			if err := claims.IsViewer(); err != nil {
+				middleware.logger.WarnContext(ctx, authzDeniedMessage, slog.Any("claims", claims))
+				render.Error(rw, err)
+				return
+			}
+
+			next(rw, req)
+			return
+		}
+
 		selectors := []authtypes.Selector{
 			authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozAdminRoleName),
 			authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozEditorRoleName),
@@ -79,6 +90,17 @@ func (middleware *AuthZ) EditAccess(next http.HandlerFunc) http.HandlerFunc {
 			return
 		}
 
+		if claims.IdentNProvider == authtypes.IdentNProviderAPIKey.StringValue() {
+			if err := claims.IsEditor(); err != nil {
+				middleware.logger.WarnContext(ctx, authzDeniedMessage, slog.Any("claims", claims))
+				render.Error(rw, err)
+				return
+			}
+
+			next(rw, req)
+			return
+		}
+
 		selectors := []authtypes.Selector{
 			authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozAdminRoleName),
 			authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozEditorRoleName),
@@ -117,6 +139,17 @@ func (middleware *AuthZ) AdminAccess(next http.HandlerFunc) http.HandlerFunc {
 			return
 		}
 
+		if claims.IdentNProvider == authtypes.IdentNProviderAPIKey.StringValue() {
+			if err := claims.IsAdmin(); err != nil {
+				middleware.logger.WarnContext(ctx, authzDeniedMessage, slog.Any("claims", claims))
+				render.Error(rw, err)
+				return
+			}
+
+			next(rw, req)
+			return
+		}
+
 		selectors := []authtypes.Selector{
 			authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozAdminRoleName),
 		}
@@ -153,28 +186,13 @@ func (middleware *AuthZ) SelfAccess(next http.HandlerFunc) http.HandlerFunc {
 			return
 		}
 
-		selectors := []authtypes.Selector{
-			authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozAdminRoleName),
+		id := mux.Vars(req)["id"]
+		if err := claims.IsSelfAccess(id); err != nil {
+			middleware.logger.WarnContext(req.Context(), authzDeniedMessage, slog.Any("claims", claims))
+			render.Error(rw, err)
+			return
 		}
 
-		err = middleware.authzService.CheckWithTupleCreation(
-			req.Context(),
-			claims,
-			valuer.MustNewUUID(claims.OrgID),
-			authtypes.RelationAssignee,
-			authtypes.TypeableRole,
-			selectors,
-			selectors,
-		)
-
-		if err != nil {
-			id := mux.Vars(req)["id"]
-			if err := claims.IsSelfAccess(id); err != nil {
-				middleware.logger.WarnContext(req.Context(), authzDeniedMessage, slog.Any("claims", claims))
-				render.Error(rw, err)
-				return
-			}
-		}
 		next(rw, req)
 	})
 }

pkg/http/middleware/identn.go

@@ -61,10 +61,8 @@ func (m *IdentN) Wrap(next http.Handler) http.Handler {
 		ctx = authtypes.NewContextWithClaims(ctx, claims)
 
 		comment := ctxtypes.CommentFromContext(ctx)
-		comment.Set("identn_provider", claims.IdentNProvider.StringValue())
+		comment.Set("identn_provider", claims.IdentNProvider)
 		comment.Set("user_id", claims.UserID)
-		comment.Set("service_account_id", claims.ServiceAccountID)
-		comment.Set("principal", claims.Principal.StringValue())
 		comment.Set("org_id", claims.OrgID)
 		ctx = ctxtypes.NewContextWithComment(ctx, comment)
 

pkg/identn/apikeyidentn/provider.go

@@ -10,29 +10,33 @@ import (
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/identn"
-	"github.com/SigNoz/signoz/pkg/modules/serviceaccount"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 )
 
+// todo: will move this in types layer with service account integration
+type apiKeyTokenKey struct{}
+
 type provider struct {
-	serviceAccount serviceaccount.Module
-	config         identn.Config
-	settings       factory.ScopedProviderSettings
-	sfGroup        *singleflight.Group
+	store    sqlstore.SQLStore
+	config   identn.Config
+	settings factory.ScopedProviderSettings
+	sfGroup  *singleflight.Group
 }
 
-func NewFactory(serviceAccount serviceaccount.Module) factory.ProviderFactory[identn.IdentN, identn.Config] {
+func NewFactory(store sqlstore.SQLStore) factory.ProviderFactory[identn.IdentN, identn.Config] {
 	return factory.NewProviderFactory(factory.MustNewName(authtypes.IdentNProviderAPIKey.StringValue()), func(ctx context.Context, providerSettings factory.ProviderSettings, config identn.Config) (identn.IdentN, error) {
-		return New(serviceAccount, config, providerSettings)
+		return New(providerSettings, store, config)
 	})
 }
 
-func New(serviceAccount serviceaccount.Module, config identn.Config, providerSettings factory.ProviderSettings) (identn.IdentN, error) {
+func New(providerSettings factory.ProviderSettings, store sqlstore.SQLStore, config identn.Config) (identn.IdentN, error) {
 	return &provider{
-		serviceAccount: serviceAccount,
-		config:         config,
-		settings:       factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/identn/apikeyidentn"),
-		sfGroup:        &singleflight.Group{},
+		store:    store,
+		config:   config,
+		settings: factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/identn/apikeyidentn"),
+		sfGroup:  &singleflight.Group{},
 	}, nil
 }
 
@@ -50,44 +54,75 @@ func (provider *provider) Test(req *http.Request) bool {
 }
 
 func (provider *provider) Pre(req *http.Request) *http.Request {
-	apiKey := provider.extractToken(req)
-	if apiKey == "" {
+	token := provider.extractToken(req)
+	if token == "" {
 		return req
 	}
 
-	ctx := authtypes.NewContextWithAPIKey(req.Context(), apiKey)
+	ctx := context.WithValue(req.Context(), apiKeyTokenKey{}, token)
 	return req.WithContext(ctx)
 }
 
 func (provider *provider) GetIdentity(req *http.Request) (*authtypes.Identity, error) {
 	ctx := req.Context()
-	apiKey, err := authtypes.APIKeyFromContext(ctx)
+	apiKeyToken, ok := ctx.Value(apiKeyTokenKey{}).(string)
+	if !ok || apiKeyToken == "" {
+		return nil, errors.New(errors.TypeUnauthenticated, errors.CodeUnauthenticated, "missing api key")
+	}
+
+	var apiKey types.StorableAPIKey
+	err := provider.
+		store.
+		BunDB().
+		NewSelect().
+		Model(&apiKey).
+		Where("token = ?", apiKeyToken).
+		Scan(ctx)
 	if err != nil {
 		return nil, err
 	}
 
-	identity, err := provider.serviceAccount.GetIdentity(ctx, apiKey)
+	if apiKey.ExpiresAt.Before(time.Now()) && !apiKey.ExpiresAt.Equal(types.NEVER_EXPIRES) {
+		return nil, errors.New(errors.TypeUnauthenticated, errors.CodeUnauthenticated, "api key has expired")
+	}
+
+	var user types.User
+	err = provider.
+		store.
+		BunDB().
+		NewSelect().
+		Model(&user).
+		Where("id = ?", apiKey.UserID).
+		Scan(ctx)
 	if err != nil {
 		return nil, err
 	}
 
+	identity := authtypes.NewIdentity(user.ID, user.OrgID, user.Email, apiKey.Role, provider.Name())
 	return identity, nil
 }
 
 func (provider *provider) Post(ctx context.Context, _ *http.Request, _ authtypes.Claims) {
-	apiKey, err := authtypes.APIKeyFromContext(ctx)
-	if err != nil {
+	apiKeyToken, ok := ctx.Value(apiKeyTokenKey{}).(string)
+	if !ok || apiKeyToken == "" {
 		return
 	}
 
-	_, _, _ = provider.sfGroup.Do(apiKey, func() (any, error) {
-		if err := provider.serviceAccount.SetLastObservedAt(ctx, apiKey, time.Now()); err != nil {
-			provider.settings.Logger().ErrorContext(ctx, "failed to set last observed at", errors.Attr(err))
-			return false, err
+	_, _, _ = provider.sfGroup.Do(apiKeyToken, func() (any, error) {
+		_, err := provider.
+			store.
+			BunDB().
+			NewUpdate().
+			Model(new(types.StorableAPIKey)).
+			Set("last_used = ?", time.Now()).
+			Where("token = ?", apiKeyToken).
+			Where("revoked = false").
+			Exec(ctx)
+		if err != nil {
+			provider.settings.Logger().ErrorContext(ctx, "failed to update last used of api key", errors.Attr(err))
 		}
 		return true, nil
 	})
-
 }
 
 func (provider *provider) extractToken(req *http.Request) string {

pkg/identn/impersonationidentn/provider.go

@@ -79,15 +79,22 @@ func (provider *provider) GetIdentity(req *http.Request) (*authtypes.Identity, e
 		return nil, err
 	}
 
-	rootUser, _, err := provider.userGetter.GetRootUserByOrgID(ctx, org.ID)
+	rootUser, userRoles, err := provider.userGetter.GetRootUserByOrgID(ctx, org.ID)
 	if err != nil {
 		return nil, err
 	}
 
-	provider.identity = authtypes.NewPrincipalUserIdentity(
+	if len(userRoles) == 0 {
+		return nil, errors.New(errors.TypeUnexpected, authtypes.ErrCodeUserRolesNotFound, "no user roles entries found")
+	}
+
+	role := authtypes.SigNozManagedRoleToExistingLegacyRole[userRoles[0].Role.Name]
+
+	provider.identity = authtypes.NewIdentity(
 		rootUser.ID,
 		rootUser.OrgID,
 		rootUser.Email,
+		role,
 		authtypes.IdentNProviderImpersonation,
 	)
 

pkg/modules/dashboard/dashboard.go

@@ -43,7 +43,7 @@ type Module interface {
 
 	Update(ctx context.Context, orgID valuer.UUID, id valuer.UUID, updatedBy string, data dashboardtypes.UpdatableDashboard, diff int) (*dashboardtypes.Dashboard, error)
 
-	LockUnlock(ctx context.Context, orgID valuer.UUID, id valuer.UUID, updatedBy string, isAdmin bool, lock bool) error
+	LockUnlock(ctx context.Context, orgID valuer.UUID, id valuer.UUID, updatedBy string, role types.Role, lock bool) error
 
 	Delete(ctx context.Context, orgID valuer.UUID, id valuer.UUID) error
 

pkg/modules/dashboard/impldashboard/handler.go

@@ -7,7 +7,6 @@ import (
 	"strconv"
 	"time"
 
-	"github.com/SigNoz/signoz/pkg/authz"
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/http/binding"
@@ -23,12 +22,11 @@ import (
 
 type handler struct {
 	module           dashboard.Module
-	authz            authz.AuthZ
 	providerSettings factory.ProviderSettings
 }
 
-func NewHandler(module dashboard.Module, providerSettings factory.ProviderSettings, authz authz.AuthZ) dashboard.Handler {
-	return &handler{module: module, providerSettings: providerSettings, authz: authz}
+func NewHandler(module dashboard.Module, providerSettings factory.ProviderSettings) dashboard.Handler {
+	return &handler{module: module, providerSettings: providerSettings}
 }
 
 func (handler *handler) Create(rw http.ResponseWriter, r *http.Request) {
@@ -59,7 +57,7 @@ func (handler *handler) Create(rw http.ResponseWriter, r *http.Request) {
 		dashboardMigrator.Migrate(ctx, req)
 	}
 
-	dashboard, err := handler.module.Create(ctx, orgID, claims.Email, valuer.MustNewUUID(claims.IdentityID()), req)
+	dashboard, err := handler.module.Create(ctx, orgID, claims.Email, valuer.MustNewUUID(claims.UserID), req)
 	if err != nil {
 		render.Error(rw, err)
 		return
@@ -110,7 +108,7 @@ func (handler *handler) Update(rw http.ResponseWriter, r *http.Request) {
 
 	diff := 0
 	// Allow multiple deletions for API key requests; enforce for others
-	if claims.IdentNProvider == authtypes.IdentNProviderTokenizer {
+	if claims.IdentNProvider == authtypes.IdentNProviderTokenizer.StringValue() {
 		diff = 1
 	}
 
@@ -157,24 +155,7 @@ func (handler *handler) LockUnlock(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	isAdmin := false
-	selectors := []authtypes.Selector{
-		authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozAdminRoleName),
-	}
-	err = handler.authz.CheckWithTupleCreation(
-		ctx,
-		claims,
-		valuer.MustNewUUID(claims.OrgID),
-		authtypes.RelationAssignee,
-		authtypes.TypeableRole,
-		selectors,
-		selectors,
-	)
-	if err == nil {
-		isAdmin = true
-	}
-
-	err = handler.module.LockUnlock(ctx, orgID, dashboardID, claims.Email, isAdmin, *req.Locked)
+	err = handler.module.LockUnlock(ctx, orgID, dashboardID, claims.Email, claims.Role, *req.Locked)
 	if err != nil {
 		render.Error(rw, err)
 		return

pkg/modules/dashboard/impldashboard/module.go

@@ -99,13 +99,13 @@ func (module *module) Update(ctx context.Context, orgID valuer.UUID, id valuer.U
 	return dashboard, nil
 }
 
-func (module *module) LockUnlock(ctx context.Context, orgID valuer.UUID, id valuer.UUID, updatedBy string, isAdmin bool, lock bool) error {
+func (module *module) LockUnlock(ctx context.Context, orgID valuer.UUID, id valuer.UUID, updatedBy string, role types.Role, lock bool) error {
 	dashboard, err := module.Get(ctx, orgID, id)
 	if err != nil {
 		return err
 	}
 
-	err = dashboard.LockUnlock(lock, isAdmin, updatedBy)
+	err = dashboard.LockUnlock(lock, role, updatedBy)
 	if err != nil {
 		return err
 	}

pkg/modules/serviceaccount/config.go

@@ -1,46 +0,0 @@
-package serviceaccount
-
-import (
-	"github.com/SigNoz/signoz/pkg/errors"
-	"github.com/SigNoz/signoz/pkg/factory"
-	"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"
-)
-
-type Config struct {
-	// Email config for service accounts
-	Email EmailConfig `mapstructure:"email"`
-
-	// Analytics collection config for service accounts
-	Analytics AnalyticsConfig `mapstructure:"analytics"`
-}
-
-type EmailConfig struct {
-	Domain string `mapstructure:"domain"`
-}
-
-type AnalyticsConfig struct {
-	Enabled bool `mapstructure:"enabled"`
-}
-
-func NewConfigFactory() factory.ConfigFactory {
-	return factory.NewConfigFactory(factory.MustNewName("serviceaccount"), newConfig)
-}
-
-func newConfig() factory.Config {
-	return &Config{
-		Email: EmailConfig{
-			Domain: "signozserviceaccount.com",
-		},
-		Analytics: AnalyticsConfig{
-			Enabled: true,
-		},
-	}
-}
-
-func (c Config) Validate() error {
-	if c.Email.Domain == "" {
-		return errors.New(errors.TypeInvalidInput, serviceaccounttypes.ErrCodeServiceAccountInvalidConfig, "email domain cannot be empty")
-	}
-
-	return nil
-}

pkg/modules/serviceaccount/implserviceaccount/handler.go

@@ -35,7 +35,7 @@ func (handler *handler) Create(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	serviceAccount := serviceaccounttypes.NewServiceAccount(req.Name, handler.module.Config().Email.Domain, serviceaccounttypes.ServiceAccountStatusActive, valuer.MustNewUUID(claims.OrgID))
+	serviceAccount := serviceaccounttypes.NewServiceAccount(req.Name, req.Email, req.Roles, serviceaccounttypes.StatusActive, valuer.MustNewUUID(claims.OrgID))
 	err = handler.module.Create(ctx, valuer.MustNewUUID(claims.OrgID), serviceAccount)
 	if err != nil {
 		render.Error(rw, err)
@@ -59,59 +59,13 @@ func (handler *handler) Get(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	serviceAccountWithRoles, err := handler.module.GetWithRoles(ctx, valuer.MustNewUUID(claims.OrgID), id)
+	serviceAccount, err := handler.module.Get(ctx, valuer.MustNewUUID(claims.OrgID), id)
 	if err != nil {
 		render.Error(rw, err)
 		return
 	}
 
-	render.Success(rw, http.StatusOK, serviceAccountWithRoles)
-}
-
-func (handler *handler) GetMe(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	id, err := valuer.NewUUID(claims.ServiceAccountID)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	serviceAccountWithRoles, err := handler.module.GetWithRoles(ctx, valuer.MustNewUUID(claims.OrgID), id)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	render.Success(rw, http.StatusOK, serviceAccountWithRoles)
-}
-
-func (handler *handler) GetRoles(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	id, err := valuer.NewUUID(mux.Vars(r)["id"])
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	serviceAccount, err := handler.module.GetWithRoles(ctx, valuer.MustNewUUID(claims.OrgID), id)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	render.Success(rw, http.StatusOK, serviceAccount.GetRoles())
+	render.Success(rw, http.StatusOK, serviceAccount)
 }
 
 func (handler *handler) List(rw http.ResponseWriter, r *http.Request) {
@@ -157,7 +111,7 @@ func (handler *handler) Update(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	err = serviceAccount.Update(req.Name)
+	err = serviceAccount.Update(req.Name, req.Email, req.Roles)
 	if err != nil {
 		render.Error(rw, err)
 		return
@@ -172,7 +126,7 @@ func (handler *handler) Update(rw http.ResponseWriter, r *http.Request) {
 	render.Success(rw, http.StatusNoContent, nil)
 }
 
-func (handler *handler) UpdateMe(rw http.ResponseWriter, r *http.Request) {
+func (handler *handler) UpdateStatus(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	claims, err := authtypes.ClaimsFromContext(ctx)
 	if err != nil {
@@ -180,13 +134,13 @@ func (handler *handler) UpdateMe(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	id, err := valuer.NewUUID(claims.ServiceAccountID)
+	id, err := valuer.NewUUID(mux.Vars(r)["id"])
 	if err != nil {
 		render.Error(rw, err)
 		return
 	}
 
-	req := new(serviceaccounttypes.UpdatableServiceAccount)
+	req := new(serviceaccounttypes.UpdatableServiceAccountStatus)
 	if err := binding.JSON.BindBody(r.Body, req); err != nil {
 		render.Error(rw, err)
 		return
@@ -198,71 +152,13 @@ func (handler *handler) UpdateMe(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	err = serviceAccount.Update(req.Name)
+	err = serviceAccount.UpdateStatus(req.Status)
 	if err != nil {
 		render.Error(rw, err)
 		return
 	}
 
-	err = handler.module.Update(ctx, valuer.MustNewUUID(claims.OrgID), serviceAccount)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	render.Success(rw, http.StatusNoContent, nil)
-}
-
-func (handler *handler) SetRole(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	id, err := valuer.NewUUID(mux.Vars(r)["id"])
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	req := new(serviceaccounttypes.PostableServiceAccountRole)
-	if err := binding.JSON.BindBody(r.Body, req); err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	err = handler.module.SetRole(ctx, valuer.MustNewUUID(claims.OrgID), id, req.ID)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	render.Success(rw, http.StatusNoContent, nil)
-}
-
-func (handler *handler) DeleteRole(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	id, err := valuer.NewUUID(mux.Vars(r)["id"])
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	roleID, err := valuer.NewUUID(mux.Vars(r)["rid"])
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
-	err = handler.module.DeleteRole(ctx, valuer.MustNewUUID(claims.OrgID), id, roleID)
+	err = handler.module.UpdateStatus(ctx, valuer.MustNewUUID(claims.OrgID), serviceAccount)
 	if err != nil {
 		render.Error(rw, err)
 		return
@@ -315,7 +211,7 @@ func (handler *handler) CreateFactorAPIKey(rw http.ResponseWriter, r *http.Reque
 	}
 
 	// this takes care of checking the existence of service account and the org constraint.
-	serviceAccount, err := handler.module.Get(ctx, valuer.MustNewUUID(claims.OrgID), id)
+	serviceAccount, err := handler.module.GetWithoutRoles(ctx, valuer.MustNewUUID(claims.OrgID), id)
 	if err != nil {
 		render.Error(rw, err)
 		return
@@ -350,7 +246,7 @@ func (handler *handler) ListFactorAPIKey(rw http.ResponseWriter, r *http.Request
 		return
 	}
 
-	serviceAccount, err := handler.module.Get(ctx, valuer.MustNewUUID(claims.OrgID), id)
+	serviceAccount, err := handler.module.GetWithoutRoles(ctx, valuer.MustNewUUID(claims.OrgID), id)
 	if err != nil {
 		render.Error(rw, err)
 		return
@@ -391,7 +287,7 @@ func (handler *handler) UpdateFactorAPIKey(rw http.ResponseWriter, r *http.Reque
 		return
 	}
 
-	serviceAccount, err := handler.module.Get(ctx, valuer.MustNewUUID(claims.OrgID), id)
+	serviceAccount, err := handler.module.GetWithoutRoles(ctx, valuer.MustNewUUID(claims.OrgID), id)
 	if err != nil {
 		render.Error(rw, err)
 		return
@@ -403,12 +299,7 @@ func (handler *handler) UpdateFactorAPIKey(rw http.ResponseWriter, r *http.Reque
 		return
 	}
 
-	err = factorAPIKey.Update(req.Name, req.ExpiresAt)
-	if err != nil {
-		render.Error(rw, err)
-		return
-	}
-
+	factorAPIKey.Update(req.Name, req.ExpiresAt)
 	err = handler.module.UpdateFactorAPIKey(ctx, valuer.MustNewUUID(claims.OrgID), serviceAccount.ID, factorAPIKey)
 	if err != nil {
 		render.Error(rw, err)
@@ -438,7 +329,7 @@ func (handler *handler) RevokeFactorAPIKey(rw http.ResponseWriter, r *http.Reque
 		return
 	}
 
-	serviceAccount, err := handler.module.Get(ctx, valuer.MustNewUUID(claims.OrgID), id)
+	serviceAccount, err := handler.module.GetWithoutRoles(ctx, valuer.MustNewUUID(claims.OrgID), id)
 	if err != nil {
 		render.Error(rw, err)
 		return

pkg/modules/serviceaccount/implserviceaccount/module.go

@@ -2,181 +2,52 @@ package implserviceaccount
 
 import (
 	"context"
-	"time"
 
-	"github.com/SigNoz/signoz/pkg/analytics"
 	"github.com/SigNoz/signoz/pkg/authz"
-	"github.com/SigNoz/signoz/pkg/cache"
+	"github.com/SigNoz/signoz/pkg/emailing"
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/modules/serviceaccount"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/cachetypes"
+	"github.com/SigNoz/signoz/pkg/types/emailtypes"
 	"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 )
 
-var (
-	emptyOrgID valuer.UUID = valuer.UUID{}
-)
-
 type module struct {
-	store     serviceaccounttypes.Store
-	authz     authz.AuthZ
-	cache     cache.Cache
-	analytics analytics.Analytics
-	settings  factory.ScopedProviderSettings
-	config    serviceaccount.Config
+	store    serviceaccounttypes.Store
+	authz    authz.AuthZ
+	emailing emailing.Emailing
+	settings factory.ScopedProviderSettings
 }
 
-func NewModule(store serviceaccounttypes.Store, authz authz.AuthZ, cache cache.Cache, analytics analytics.Analytics, providerSettings factory.ProviderSettings, config serviceaccount.Config) serviceaccount.Module {
+func NewModule(store serviceaccounttypes.Store, authz authz.AuthZ, emailing emailing.Emailing, providerSettings factory.ProviderSettings) serviceaccount.Module {
 	settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/modules/serviceaccount/implserviceaccount")
-	return &module{store: store, authz: authz, cache: cache, analytics: analytics, settings: settings, config: config}
+	return &module{store: store, authz: authz, emailing: emailing, settings: settings}
 }
 
 func (module *module) Create(ctx context.Context, orgID valuer.UUID, serviceAccount *serviceaccounttypes.ServiceAccount) error {
-	err := module.store.Create(ctx, serviceAccount)
+	// validates the presence of all roles passed in the create request
+	roles, err := module.authz.ListByOrgIDAndNames(ctx, orgID, serviceAccount.Roles)
 	if err != nil {
 		return err
 	}
 
-	module.identifyUser(ctx, orgID.String(), serviceAccount.ID.String(), serviceAccount.Traits())
-	module.trackUser(ctx, orgID.String(), serviceAccount.ID.String(), "Service Account Created", serviceAccount.Traits())
-	return nil
-}
-
-func (module *module) GetOrCreate(ctx context.Context, orgID valuer.UUID, serviceAccountWithRoles *serviceaccounttypes.ServiceAccount) (*serviceaccounttypes.ServiceAccount, error) {
-	existingServiceAccount, err := module.GetActiveByOrgIDAndName(ctx, serviceAccountWithRoles.OrgID, serviceAccountWithRoles.Name)
-	if err != nil && !errors.Ast(err, errors.TypeNotFound) {
-		return nil, err
-	}
-
-	if existingServiceAccount != nil {
-		return existingServiceAccount, nil
-	}
-
-	err = module.Create(ctx, orgID, serviceAccountWithRoles)
-	if err != nil {
-		return nil, err
-	}
-
-	return serviceAccountWithRoles, nil
-}
-
-func (module *module) GetActiveByOrgIDAndName(ctx context.Context, orgID valuer.UUID, name string) (*serviceaccounttypes.ServiceAccount, error) {
-	serviceAccount, err := module.store.GetActiveByOrgIDAndName(ctx, orgID, name)
-	if err != nil {
-		return nil, err
-	}
-
-	return module.Get(ctx, orgID, serviceAccount.ID)
-}
-
-func (module *module) GetWithRoles(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*serviceaccounttypes.ServiceAccountWithRoles, error) {
-	serviceAccountWithRoles, err := module.store.GetWithRoles(ctx, orgID, id)
-	if err != nil {
-		return nil, err
-	}
-
-	return serviceAccountWithRoles, nil
-}
-
-func (module *module) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*serviceaccounttypes.ServiceAccount, error) {
-	storableServiceAccount, err := module.store.Get(ctx, orgID, id)
-	if err != nil {
-		return nil, err
-	}
-
-	return storableServiceAccount, nil
-}
-
-func (module *module) List(ctx context.Context, orgID valuer.UUID) ([]*serviceaccounttypes.ServiceAccount, error) {
-	serviceAccounts, err := module.store.List(ctx, orgID)
-	if err != nil {
-		return nil, err
-	}
-
-	return serviceAccounts, nil
-}
-
-func (module *module) Update(ctx context.Context, orgID valuer.UUID, input *serviceaccounttypes.ServiceAccount) error {
-	err := module.store.Update(ctx, orgID, input)
-	if err != nil {
-		return err
-	}
-
-	module.identifyUser(ctx, orgID.String(), input.ID.String(), input.Traits())
-	module.trackUser(ctx, orgID.String(), input.ID.String(), "Service Account Updated", input.Traits())
-	return nil
-}
-
-func (module *module) SetRole(ctx context.Context, orgID valuer.UUID, id valuer.UUID, roleID valuer.UUID) error {
-	role, err := module.authz.Get(ctx, orgID, roleID)
-	if err != nil {
-		return err
-	}
-
-	return module.setRole(ctx, orgID, id, role)
-}
-
-func (module *module) SetRoleByName(ctx context.Context, orgID valuer.UUID, id valuer.UUID, name string) error {
-	role, err := module.authz.GetByOrgIDAndName(ctx, orgID, name)
-	if err != nil {
-		return err
-	}
-
-	return module.setRole(ctx, orgID, id, role)
-}
-
-func (module *module) DeleteRole(ctx context.Context, orgID valuer.UUID, id valuer.UUID, roleID valuer.UUID) error {
-	role, err := module.authz.Get(ctx, orgID, roleID)
-	if err != nil {
-		return err
-	}
-
-	serviceAccount, err := module.Get(ctx, orgID, id)
-	if err != nil {
-		return err
-	}
-
-	err = serviceAccount.ErrIfDeleted()
-	if err != nil {
-		return err
-	}
-
-	err = module.store.DeleteServiceAccountRole(ctx, serviceAccount.ID, roleID)
-	if err != nil {
-		return err
-	}
-
-	err = module.authz.Revoke(ctx, orgID, []string{role.Name}, authtypes.MustNewSubject(authtypes.TypeableServiceAccount, id.String(), orgID, nil))
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (module *module) Delete(ctx context.Context, orgID valuer.UUID, id valuer.UUID) error {
-	serviceAccount, err := module.GetWithRoles(ctx, orgID, id)
-	if err != nil {
-		return err
-	}
-
-	err = serviceAccount.UpdateStatus(serviceaccounttypes.ServiceAccountStatusDeleted)
+	// authz actions cannot run in sql transactions
+	err = module.authz.Grant(ctx, orgID, serviceAccount.Roles, authtypes.MustNewSubject(authtypes.TypeableServiceAccount, serviceAccount.ID.String(), orgID, nil))
 	if err != nil {
 		return err
 	}
 
+	storableServiceAccount := serviceaccounttypes.NewStorableServiceAccount(serviceAccount)
+	storableServiceAccountRoles := serviceaccounttypes.NewStorableServiceAccountRoles(serviceAccount.ID, roles)
 	err = module.store.RunInTx(ctx, func(ctx context.Context) error {
-		// revoke all the API keys on disable
-		err := module.store.RevokeAllFactorAPIKeys(ctx, id)
+		err := module.store.Create(ctx, storableServiceAccount)
 		if err != nil {
 			return err
 		}
 
-		// update the status but do not delete the role mappings as we will use them for audits
-		err = module.store.Update(ctx, orgID, serviceAccount.ServiceAccount)
+		err = module.store.CreateServiceAccountRoles(ctx, storableServiceAccountRoles)
 		if err != nil {
 			return err
 		}
@@ -187,78 +58,251 @@ func (module *module) Delete(ctx context.Context, orgID valuer.UUID, id valuer.U
 		return err
 	}
 
-	err = module.authz.Revoke(ctx, orgID, serviceAccount.RoleNames(), authtypes.MustNewSubject(authtypes.TypeableServiceAccount, id.StringValue(), orgID, nil))
+	return nil
+}
+
+func (module *module) GetOrCreate(ctx context.Context, serviceAccount *serviceaccounttypes.ServiceAccount) (*serviceaccounttypes.ServiceAccount, error) {
+	existingServiceAccount, err := module.store.GetActiveByOrgIDAndName(ctx, serviceAccount.OrgID, serviceAccount.Name)
+	if err != nil && !errors.Ast(err, errors.TypeNotFound) {
+		return nil, err
+	}
+
+	if existingServiceAccount != nil {
+		return serviceAccount, nil
+	}
+
+	err = module.Create(ctx, serviceAccount.OrgID, serviceAccount)
+	if err != nil {
+		return nil, err
+	}
+
+	return serviceAccount, nil
+}
+
+func (module *module) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*serviceaccounttypes.ServiceAccount, error) {
+	storableServiceAccount, err := module.store.Get(ctx, orgID, id)
+	if err != nil {
+		return nil, err
+	}
+
+	// did the orchestration on application layer instead of DB as the ORM also does it anyways for many to many tables.
+	storableServiceAccountRoles, err := module.store.GetServiceAccountRoles(ctx, id)
+	if err != nil {
+		return nil, err
+	}
+
+	roleIDs := make([]valuer.UUID, len(storableServiceAccountRoles))
+	for idx, sar := range storableServiceAccountRoles {
+		roleIDs[idx] = valuer.MustNewUUID(sar.RoleID)
+	}
+
+	roles, err := module.authz.ListByOrgIDAndIDs(ctx, orgID, roleIDs)
+	if err != nil {
+		return nil, err
+	}
+
+	rolesNames, err := serviceaccounttypes.NewRolesFromStorableServiceAccountRoles(storableServiceAccountRoles, roles)
+	if err != nil {
+		return nil, err
+	}
+
+	serviceAccount := serviceaccounttypes.NewServiceAccountFromStorables(storableServiceAccount, rolesNames)
+	return serviceAccount, nil
+}
+
+func (module *module) GetWithoutRoles(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*serviceaccounttypes.ServiceAccount, error) {
+	storableServiceAccount, err := module.store.Get(ctx, orgID, id)
+	if err != nil {
+		return nil, err
+	}
+
+	// passing []string{} (not nil to prevent panics) roles as the function isn't supposed to put roles.
+	serviceAccount := serviceaccounttypes.NewServiceAccountFromStorables(storableServiceAccount, []string{})
+	return serviceAccount, nil
+}
+
+func (module *module) List(ctx context.Context, orgID valuer.UUID) ([]*serviceaccounttypes.ServiceAccount, error) {
+	storableServiceAccounts, err := module.store.List(ctx, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	storableServiceAccountRoles, err := module.store.ListServiceAccountRolesByOrgID(ctx, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	// convert the service account roles to structured data
+	saIDToRoleIDs, roleIDs := serviceaccounttypes.GetUniqueRolesAndServiceAccountMapping(storableServiceAccountRoles)
+	roles, err := module.authz.ListByOrgIDAndIDs(ctx, orgID, roleIDs)
+	if err != nil {
+		return nil, err
+	}
+
+	// fill in the role fetched data back to service account
+	serviceAccounts := serviceaccounttypes.NewServiceAccountsFromRoles(storableServiceAccounts, roles, saIDToRoleIDs)
+	return serviceAccounts, nil
+}
+
+func (module *module) Update(ctx context.Context, orgID valuer.UUID, input *serviceaccounttypes.ServiceAccount) error {
+	serviceAccount, err := module.Get(ctx, orgID, input.ID)
 	if err != nil {
 		return err
 	}
 
-	// delete the cache when updating status for service account
-	module.cache.Delete(ctx, emptyOrgID, identityCacheKey(id))
+	roles, err := module.authz.ListByOrgIDAndNames(ctx, orgID, input.Roles)
+	if err != nil {
+		return err
+	}
+
+	// gets the role diff if any to modify grants.
+	grants, revokes := serviceAccount.PatchRoles(input)
+	err = module.authz.ModifyGrant(ctx, orgID, revokes, grants, authtypes.MustNewSubject(authtypes.TypeableServiceAccount, serviceAccount.ID.String(), orgID, nil))
+	if err != nil {
+		return err
+	}
+
+	storableServiceAccountRoles := serviceaccounttypes.NewStorableServiceAccountRoles(serviceAccount.ID, roles)
+	err = module.store.RunInTx(ctx, func(ctx context.Context) error {
+		err := module.store.Update(ctx, orgID, serviceaccounttypes.NewStorableServiceAccount(input))
+		if err != nil {
+			return err
+		}
+
+		// delete all the service account roles and create new rather than diff here.
+		err = module.store.DeleteServiceAccountRoles(ctx, input.ID)
+		if err != nil {
+			return err
+		}
+
+		err = module.store.CreateServiceAccountRoles(ctx, storableServiceAccountRoles)
+		if err != nil {
+			return err
+		}
+
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (module *module) UpdateStatus(ctx context.Context, orgID valuer.UUID, input *serviceaccounttypes.ServiceAccount) error {
+	err := module.authz.Revoke(ctx, orgID, input.Roles, authtypes.MustNewSubject(authtypes.TypeableServiceAccount, input.ID.String(), orgID, nil))
+	if err != nil {
+		return err
+	}
+
+	err = module.store.RunInTx(ctx, func(ctx context.Context) error {
+		// revoke all the API keys on disable
+		err := module.store.RevokeAllFactorAPIKeys(ctx, input.ID)
+		if err != nil {
+			return err
+		}
+
+		// update the status but do not delete the role mappings as we will use them for audits
+		err = module.store.Update(ctx, orgID, serviceaccounttypes.NewStorableServiceAccount(input))
+		if err != nil {
+			return err
+		}
+
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (module *module) Delete(ctx context.Context, orgID valuer.UUID, id valuer.UUID) error {
+	serviceAccount, err := module.Get(ctx, orgID, id)
+	if err != nil {
+		return err
+	}
+
+	// revoke from authz first as this cannot run in sql transaction
+	err = module.authz.Revoke(ctx, orgID, serviceAccount.Roles, authtypes.MustNewSubject(authtypes.TypeableServiceAccount, serviceAccount.ID.String(), orgID, nil))
+	if err != nil {
+		return err
+	}
+
+	err = module.store.RunInTx(ctx, func(ctx context.Context) error {
+		err := module.store.DeleteServiceAccountRoles(ctx, serviceAccount.ID)
+		if err != nil {
+			return err
+		}
+
+		err = module.store.RevokeAllFactorAPIKeys(ctx, serviceAccount.ID)
+		if err != nil {
+			return err
+		}
+
+		err = module.store.Delete(ctx, serviceAccount.OrgID, serviceAccount.ID)
+		if err != nil {
+			return err
+		}
+
+		return nil
+	})
+	if err != nil {
+		return err
+	}
 
-	module.identifyUser(ctx, orgID.String(), id.String(), serviceAccount.Traits())
-	module.trackUser(ctx, orgID.String(), id.String(), "Service Account Deleted", map[string]any{})
 	return nil
 }
 
 func (module *module) CreateFactorAPIKey(ctx context.Context, factorAPIKey *serviceaccounttypes.FactorAPIKey) error {
-	err := module.store.CreateFactorAPIKey(ctx, factorAPIKey)
+	storableFactorAPIKey := serviceaccounttypes.NewStorableFactorAPIKey(factorAPIKey)
+
+	err := module.store.CreateFactorAPIKey(ctx, storableFactorAPIKey)
 	if err != nil {
 		return err
 	}
 
 	serviceAccount, err := module.store.GetByID(ctx, factorAPIKey.ServiceAccountID)
-	if err == nil {
-		module.trackUser(ctx, serviceAccount.OrgID.StringValue(), serviceAccount.ID.String(), "API Key created", factorAPIKey.Traits())
+	if err != nil {
+		return err
+	}
+
+	if err := module.emailing.SendHTML(ctx, serviceAccount.Email, "New API Key created for your SigNoz account", emailtypes.TemplateNameAPIKeyEvent, map[string]any{
+		"Name":         serviceAccount.Name,
+		"KeyName":      factorAPIKey.Name,
+		"KeyID":        factorAPIKey.ID.String(),
+		"KeyCreatedAt": factorAPIKey.CreatedAt.String(),
+	}); err != nil {
+		module.settings.Logger().ErrorContext(ctx, "failed to send email", errors.Attr(err))
 	}
 
 	return nil
 }
 
-func (module *module) GetOrCreateFactorAPIKey(ctx context.Context, factorAPIKey *serviceaccounttypes.FactorAPIKey) (*serviceaccounttypes.FactorAPIKey, error) {
-	existingFactorAPIKey, err := module.store.GetFactorAPIKeyByName(ctx, factorAPIKey.ServiceAccountID, factorAPIKey.Name)
-	if err != nil && !errors.Ast(err, errors.TypeNotFound) {
-		return nil, err
-	}
-
-	if existingFactorAPIKey != nil {
-		return existingFactorAPIKey, nil
-	}
-
-	err = module.CreateFactorAPIKey(ctx, factorAPIKey)
-	if err != nil {
-		return nil, err
-	}
-
-	return factorAPIKey, nil
-}
-
 func (module *module) GetFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID, id valuer.UUID) (*serviceaccounttypes.FactorAPIKey, error) {
-	factorAPIKey, err := module.store.GetFactorAPIKey(ctx, serviceAccountID, id)
+	storableFactorAPIKey, err := module.store.GetFactorAPIKey(ctx, serviceAccountID, id)
 	if err != nil {
 		return nil, err
 	}
 
-	return factorAPIKey, nil
+	return serviceaccounttypes.NewFactorAPIKeyFromStorable(storableFactorAPIKey), nil
 }
 
 func (module *module) ListFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID) ([]*serviceaccounttypes.FactorAPIKey, error) {
-	factorAPIKeys, err := module.store.ListFactorAPIKey(ctx, serviceAccountID)
+	storables, err := module.store.ListFactorAPIKey(ctx, serviceAccountID)
 	if err != nil {
 		return nil, err
 	}
 
-	return factorAPIKeys, nil
+	return serviceaccounttypes.NewFactorAPIKeyFromStorables(storables), nil
 }
 
-func (module *module) UpdateFactorAPIKey(ctx context.Context, orgID valuer.UUID, serviceAccountID valuer.UUID, factorAPIKey *serviceaccounttypes.FactorAPIKey) error {
-	err := module.store.UpdateFactorAPIKey(ctx, serviceAccountID, factorAPIKey)
+func (module *module) UpdateFactorAPIKey(ctx context.Context, _ valuer.UUID, serviceAccountID valuer.UUID, factorAPIKey *serviceaccounttypes.FactorAPIKey) error {
+	err := module.store.UpdateFactorAPIKey(ctx, serviceAccountID, serviceaccounttypes.NewStorableFactorAPIKey(factorAPIKey))
 	if err != nil {
 		return err
 	}
 
-	// delete the cache when updating the factor api key
-	module.cache.Delete(ctx, emptyOrgID, apiKeyCacheKey(factorAPIKey.Key))
-	module.trackUser(ctx, orgID.String(), serviceAccountID.String(), "API Key updated", factorAPIKey.Traits())
 	return nil
 }
 
@@ -278,143 +322,14 @@ func (module *module) RevokeFactorAPIKey(ctx context.Context, serviceAccountID v
 		return err
 	}
 
-	// delete the cache when revoking the factor api key
-	module.cache.Delete(ctx, emptyOrgID, apiKeyCacheKey(factorAPIKey.Key))
-	module.trackUser(ctx, serviceAccount.OrgID.StringValue(), serviceAccountID.String(), "API Key revoked", factorAPIKey.Traits())
-	return nil
-}
-
-func (module *module) Config() serviceaccount.Config {
-	return module.config
-}
-
-func (module *module) Collect(ctx context.Context, orgID valuer.UUID) (map[string]any, error) {
-	stats := make(map[string]any)
-
-	count, err := module.store.CountByOrgID(ctx, orgID)
-	if err == nil {
-		stats["serviceaccount.count"] = count
-	}
-
-	count, err = module.store.CountFactorAPIKeysByOrgID(ctx, orgID)
-	if err == nil {
-		stats["serviceaccount.keys.count"] = count
-	}
-
-	return stats, nil
-}
-
-func (module *module) GetIdentity(ctx context.Context, key string) (*authtypes.Identity, error) {
-	apiKey, err := module.getOrGetSetAPIKey(ctx, key)
-	if err != nil {
-		return nil, err
-	}
-
-	if err := apiKey.IsExpired(); err != nil {
-		return nil, err
-	}
-
-	identity, err := module.getOrGetSetIdentity(ctx, apiKey.ServiceAccountID)
-	if err != nil {
-		return nil, err
-	}
-
-	return identity, nil
-}
-
-func (module *module) SetLastObservedAt(ctx context.Context, key string, lastObservedAt time.Time) error {
-	return module.store.UpdateLastObservedAt(ctx, key, lastObservedAt)
-}
-
-func (module *module) getOrGetSetAPIKey(ctx context.Context, key string) (*serviceaccounttypes.FactorAPIKey, error) {
-	factorAPIKey := new(serviceaccounttypes.FactorAPIKey)
-	err := module.cache.Get(ctx, emptyOrgID, apiKeyCacheKey(key), factorAPIKey)
-	if err != nil && !errors.Ast(err, errors.TypeNotFound) {
-		return nil, err
-	}
-
-	if err == nil {
-		return factorAPIKey, nil
-	}
-
-	factorAPIKey, err = module.store.GetFactorAPIKeyByKey(ctx, key)
-	if err != nil {
-		return nil, err
-	}
-
-	err = module.cache.Set(ctx, emptyOrgID, apiKeyCacheKey(key), factorAPIKey, time.Duration(factorAPIKey.ExpiresAt))
-	if err != nil {
-		return nil, err
-	}
-
-	return factorAPIKey, nil
-}
-
-func (module *module) getOrGetSetIdentity(ctx context.Context, serviceAccountID valuer.UUID) (*authtypes.Identity, error) {
-	identity := new(authtypes.Identity)
-	err := module.cache.Get(ctx, emptyOrgID, identityCacheKey(serviceAccountID), identity)
-	if err != nil && !errors.Ast(err, errors.TypeNotFound) {
-		return nil, err
-	}
-
-	if err == nil {
-		return identity, nil
-	}
-
-	storableServiceAccount, err := module.store.GetByID(ctx, serviceAccountID)
-	if err != nil {
-		return nil, err
-	}
-
-	identity = storableServiceAccount.ToIdentity()
-	err = module.cache.Set(ctx, emptyOrgID, identityCacheKey(serviceAccountID), identity, 0)
-	if err != nil {
-		return nil, err
-	}
-
-	return identity, nil
-}
-
-func (module *module) setRole(ctx context.Context, orgID valuer.UUID, id valuer.UUID, role *authtypes.Role) error {
-	serviceAccount, err := module.Get(ctx, orgID, id)
-	if err != nil {
-		return err
-	}
-
-	serviceAccountRole, err := serviceAccount.AddRole(role)
-	if err != nil {
-		return err
-	}
-
-	err = module.store.CreateServiceAccountRole(ctx, serviceAccountRole)
-	if err != nil {
-		return err
-	}
-
-	err = module.authz.Grant(ctx, orgID, []string{role.Name}, authtypes.MustNewSubject(authtypes.TypeableServiceAccount, id.String(), orgID, nil))
-	if err != nil {
-		return err
+	if err := module.emailing.SendHTML(ctx, serviceAccount.Email, "API Key revoked for your SigNoz account", emailtypes.TemplateNameAPIKeyEvent, map[string]any{
+		"Name":         serviceAccount.Name,
+		"KeyName":      factorAPIKey.Name,
+		"KeyID":        factorAPIKey.ID.String(),
+		"KeyCreatedAt": factorAPIKey.CreatedAt.String(),
+	}); err != nil {
+		module.settings.Logger().ErrorContext(ctx, "failed to send email", errors.Attr(err))
 	}
 
 	return nil
 }
-
-func (module *module) trackUser(ctx context.Context, orgID string, userID string, event string, attrs map[string]any) {
-	if module.config.Analytics.Enabled {
-		module.analytics.TrackUser(ctx, orgID, userID, event, attrs)
-	}
-}
-
-func (module *module) identifyUser(ctx context.Context, orgID string, userID string, traits map[string]any) {
-	if module.config.Analytics.Enabled {
-		module.analytics.IdentifyUser(ctx, orgID, userID, traits)
-	}
-}
-
-func apiKeyCacheKey(apiKey string) string {
-	return "api_key::" + cachetypes.NewSha1CacheKey(apiKey)
-}
-
-func identityCacheKey(serviceAccountID valuer.UUID) string {
-	return "identity::" + serviceAccountID.String()
-}

pkg/modules/serviceaccount/implserviceaccount/store.go

@@ -2,7 +2,6 @@ package implserviceaccount
 
 import (
 	"context"
-	"time"
 
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"
@@ -17,7 +16,7 @@ func NewStore(sqlstore sqlstore.SQLStore) serviceaccounttypes.Store {
 	return &store{sqlstore: sqlstore}
 }
 
-func (store *store) Create(ctx context.Context, storable *serviceaccounttypes.ServiceAccount) error {
+func (store *store) Create(ctx context.Context, storable *serviceaccounttypes.StorableServiceAccount) error {
 	_, err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -31,8 +30,8 @@ func (store *store) Create(ctx context.Context, storable *serviceaccounttypes.Se
 	return nil
 }
 
-func (store *store) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*serviceaccounttypes.ServiceAccount, error) {
-	storable := new(serviceaccounttypes.ServiceAccount)
+func (store *store) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*serviceaccounttypes.StorableServiceAccount, error) {
+	storable := new(serviceaccounttypes.StorableServiceAccount)
 
 	err := store.
 		sqlstore.
@@ -49,28 +48,8 @@ func (store *store) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID)
 	return storable, nil
 }
 
-func (store *store) GetWithRoles(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*serviceaccounttypes.ServiceAccountWithRoles, error) {
-	storable := new(serviceaccounttypes.ServiceAccountWithRoles)
-
-	err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewSelect().
-		Model(storable).
-		Relation("ServiceAccountRoles").
-		Relation("ServiceAccountRoles.Role").
-		Where("id = ?", id).
-		Where("org_id = ?", orgID).
-		Scan(ctx)
-	if err != nil {
-		return nil, store.sqlstore.WrapNotFoundErrf(err, serviceaccounttypes.ErrCodeServiceAccountNotFound, "service account with id: %s doesn't exist in org: %s", id, orgID)
-	}
-
-	return storable, nil
-}
-
-func (store *store) GetActiveByOrgIDAndName(ctx context.Context, orgID valuer.UUID, name string) (*serviceaccounttypes.ServiceAccount, error) {
-	storable := new(serviceaccounttypes.ServiceAccount)
+func (store *store) GetActiveByOrgIDAndName(ctx context.Context, orgID valuer.UUID, name string) (*serviceaccounttypes.StorableServiceAccount, error) {
+	storable := new(serviceaccounttypes.StorableServiceAccount)
 
 	err := store.
 		sqlstore.
@@ -79,17 +58,17 @@ func (store *store) GetActiveByOrgIDAndName(ctx context.Context, orgID valuer.UU
 		Model(storable).
 		Where("org_id = ?", orgID).
 		Where("name = ?", name).
-		Where("status = ?", serviceaccounttypes.ServiceAccountStatusActive).
+		Where("status = ?", serviceaccounttypes.StatusActive).
 		Scan(ctx)
 	if err != nil {
-		return nil, store.sqlstore.WrapNotFoundErrf(err, serviceaccounttypes.ErrCodeServiceAccountNotFound, "active service account with name: %s doesn't exist in org: %s", name, orgID.String())
+		return nil, store.sqlstore.WrapNotFoundErrf(err, serviceaccounttypes.ErrCodeServiceAccountNotFound, "service account with name: %s doesn't exist in org: %s", name, orgID.String())
 	}
 
 	return storable, nil
 }
 
-func (store *store) GetByID(ctx context.Context, id valuer.UUID) (*serviceaccounttypes.ServiceAccount, error) {
-	storable := new(serviceaccounttypes.ServiceAccount)
+func (store *store) GetByID(ctx context.Context, id valuer.UUID) (*serviceaccounttypes.StorableServiceAccount, error) {
+	storable := new(serviceaccounttypes.StorableServiceAccount)
 
 	err := store.
 		sqlstore.
@@ -105,25 +84,8 @@ func (store *store) GetByID(ctx context.Context, id valuer.UUID) (*serviceaccoun
 	return storable, nil
 }
 
-func (store *store) CountByOrgID(ctx context.Context, orgID valuer.UUID) (int64, error) {
-	storable := new(serviceaccounttypes.ServiceAccount)
-
-	count, err := store.
-		sqlstore.
-		BunDB().
-		NewSelect().
-		Model(storable).
-		Where("org_id = ?", orgID).
-		Count(ctx)
-	if err != nil {
-		return 0, err
-	}
-
-	return int64(count), nil
-}
-
-func (store *store) List(ctx context.Context, orgID valuer.UUID) ([]*serviceaccounttypes.ServiceAccount, error) {
-	storables := make([]*serviceaccounttypes.ServiceAccount, 0)
+func (store *store) List(ctx context.Context, orgID valuer.UUID) ([]*serviceaccounttypes.StorableServiceAccount, error) {
+	storables := make([]*serviceaccounttypes.StorableServiceAccount, 0)
 
 	err := store.
 		sqlstore.
@@ -139,7 +101,7 @@ func (store *store) List(ctx context.Context, orgID valuer.UUID) ([]*serviceacco
 	return storables, nil
 }
 
-func (store *store) Update(ctx context.Context, orgID valuer.UUID, storable *serviceaccounttypes.ServiceAccount) error {
+func (store *store) Update(ctx context.Context, orgID valuer.UUID, storable *serviceaccounttypes.StorableServiceAccount) error {
 	_, err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -148,21 +110,6 @@ func (store *store) Update(ctx context.Context, orgID valuer.UUID, storable *ser
 		WherePK().
 		Where("org_id = ?", orgID).
 		Exec(ctx)
-	if err != nil {
-		return store.sqlstore.WrapAlreadyExistsErrf(err, serviceaccounttypes.ErrCodeServiceAccountAlreadyExists, "service account with name: %s already exists", storable.Name)
-	}
-
-	return nil
-}
-
-func (store *store) CreateServiceAccountRole(ctx context.Context, serviceAccountRole *serviceaccounttypes.ServiceAccountRole) error {
-	_, err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewInsert().
-		Model(serviceAccountRole).
-		On("CONFLICT (service_account_id, role_id) DO NOTHING").
-		Exec(ctx)
 	if err != nil {
 		return err
 	}
@@ -170,14 +117,14 @@ func (store *store) CreateServiceAccountRole(ctx context.Context, serviceAccount
 	return nil
 }
 
-func (store *store) DeleteServiceAccountRole(ctx context.Context, serviceAccountID valuer.UUID, roleID valuer.UUID) error {
+func (store *store) Delete(ctx context.Context, orgID valuer.UUID, id valuer.UUID) error {
 	_, err := store.
 		sqlstore.
 		BunDBCtx(ctx).
 		NewDelete().
-		Model(new(serviceaccounttypes.ServiceAccountRole)).
-		Where("service_account_id = ?", serviceAccountID).
-		Where("role_id = ?", roleID).
+		Model(new(serviceaccounttypes.StorableServiceAccount)).
+		Where("id = ?", id).
+		Where("org_id = ?", orgID).
 		Exec(ctx)
 	if err != nil {
 		return err
@@ -186,7 +133,73 @@ func (store *store) DeleteServiceAccountRole(ctx context.Context, serviceAccount
 	return nil
 }
 
-func (store *store) CreateFactorAPIKey(ctx context.Context, storable *serviceaccounttypes.FactorAPIKey) error {
+func (store *store) CreateServiceAccountRoles(ctx context.Context, storables []*serviceaccounttypes.StorableServiceAccountRole) error {
+	_, err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewInsert().
+		Model(&storables).
+		Exec(ctx)
+	if err != nil {
+		return store.sqlstore.WrapAlreadyExistsErrf(err, serviceaccounttypes.ErrCodeServiceAccountRoleAlreadyExists, "duplicate role assignments for service account")
+	}
+
+	return nil
+}
+
+func (store *store) GetServiceAccountRoles(ctx context.Context, id valuer.UUID) ([]*serviceaccounttypes.StorableServiceAccountRole, error) {
+	storables := make([]*serviceaccounttypes.StorableServiceAccountRole, 0)
+
+	err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(&storables).
+		Where("service_account_id = ?", id).
+		Scan(ctx)
+	if err != nil {
+		// no need to wrap not found here as this is many to many table
+		return nil, err
+	}
+
+	return storables, nil
+}
+
+func (store *store) ListServiceAccountRolesByOrgID(ctx context.Context, orgID valuer.UUID) ([]*serviceaccounttypes.StorableServiceAccountRole, error) {
+	storables := make([]*serviceaccounttypes.StorableServiceAccountRole, 0)
+
+	err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(&storables).
+		Join("JOIN service_account").
+		JoinOn("service_account.id = service_account_role.service_account_id").
+		Where("service_account.org_id = ?", orgID).
+		Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return storables, nil
+}
+
+func (store *store) DeleteServiceAccountRoles(ctx context.Context, id valuer.UUID) error {
+	_, err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewDelete().
+		Model(new(serviceaccounttypes.StorableServiceAccountRole)).
+		Where("service_account_id = ?", id).
+		Exec(ctx)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (store *store) CreateFactorAPIKey(ctx context.Context, storable *serviceaccounttypes.StorableFactorAPIKey) error {
 	_, err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -200,8 +213,8 @@ func (store *store) CreateFactorAPIKey(ctx context.Context, storable *serviceacc
 	return nil
 }
 
-func (store *store) GetFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID, id valuer.UUID) (*serviceaccounttypes.FactorAPIKey, error) {
-	storable := new(serviceaccounttypes.FactorAPIKey)
+func (store *store) GetFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID, id valuer.UUID) (*serviceaccounttypes.StorableFactorAPIKey, error) {
+	storable := new(serviceaccounttypes.StorableFactorAPIKey)
 
 	err := store.
 		sqlstore.
@@ -218,62 +231,8 @@ func (store *store) GetFactorAPIKey(ctx context.Context, serviceAccountID valuer
 	return storable, nil
 }
 
-func (store *store) GetFactorAPIKeyByKey(ctx context.Context, key string) (*serviceaccounttypes.FactorAPIKey, error) {
-	storable := new(serviceaccounttypes.FactorAPIKey)
-
-	err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewSelect().
-		Model(storable).
-		Where("key = ?", key).
-		Scan(ctx)
-	if err != nil {
-		return nil, store.sqlstore.WrapNotFoundErrf(err, serviceaccounttypes.ErrCodeAPIKeytNotFound, "api key with key: %s doesn't exist.", key)
-	}
-
-	return storable, nil
-}
-
-func (store *store) GetFactorAPIKeyByName(ctx context.Context, serviceAccountID valuer.UUID, name string) (*serviceaccounttypes.FactorAPIKey, error) {
-	storable := new(serviceaccounttypes.FactorAPIKey)
-
-	err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewSelect().
-		Model(storable).
-		Where("service_account_id = ?", serviceAccountID.String()).
-		Where("name = ?", name).
-		Scan(ctx)
-	if err != nil {
-		return nil, store.sqlstore.WrapNotFoundErrf(err, serviceaccounttypes.ErrCodeAPIKeytNotFound, "api key with name: %s doesn't exist in service account: %s", name, serviceAccountID.String())
-	}
-
-	return storable, nil
-}
-
-func (store *store) CountFactorAPIKeysByOrgID(ctx context.Context, orgID valuer.UUID) (int64, error) {
-	storable := new(serviceaccounttypes.FactorAPIKey)
-
-	count, err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewSelect().
-		Model(storable).
-		Join("JOIN service_account").
-		JoinOn("service_account.id = factor_api_key.service_account_id").
-		Where("service_account.org_id = ?", orgID).
-		Count(ctx)
-	if err != nil {
-		return 0, err
-	}
-
-	return int64(count), nil
-}
-
-func (store *store) ListFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID) ([]*serviceaccounttypes.FactorAPIKey, error) {
-	storables := make([]*serviceaccounttypes.FactorAPIKey, 0)
+func (store *store) ListFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID) ([]*serviceaccounttypes.StorableFactorAPIKey, error) {
+	storables := make([]*serviceaccounttypes.StorableFactorAPIKey, 0)
 
 	err := store.
 		sqlstore.
@@ -289,31 +248,14 @@ func (store *store) ListFactorAPIKey(ctx context.Context, serviceAccountID value
 	return storables, nil
 }
 
-func (store *store) UpdateFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID, storable *serviceaccounttypes.FactorAPIKey) error {
+func (store *store) UpdateFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID, storable *serviceaccounttypes.StorableFactorAPIKey) error {
 	_, err := store.
 		sqlstore.
 		BunDBCtx(ctx).
 		NewUpdate().
 		Model(storable).
-		WherePK().
 		Where("service_account_id = ?", serviceAccountID).
 		Exec(ctx)
-	if err != nil {
-		return store.sqlstore.WrapAlreadyExistsErrf(err, serviceaccounttypes.ErrCodeAPIKeyAlreadyExists, "api key with name: %s already exists in service account: %s", storable.Name, storable.ServiceAccountID)
-	}
-
-	return nil
-}
-
-func (store *store) UpdateLastObservedAt(ctx context.Context, key string, lastObservedAt time.Time) error {
-	_, err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewUpdate().
-		TableExpr("factor_api_key").
-		Set("last_observed_at = ?", lastObservedAt).
-		Where("key = ?", key).
-		Exec(ctx)
 	if err != nil {
 		return err
 	}
@@ -326,7 +268,7 @@ func (store *store) RevokeFactorAPIKey(ctx context.Context, serviceAccountID val
 		sqlstore.
 		BunDBCtx(ctx).
 		NewDelete().
-		Model(new(serviceaccounttypes.FactorAPIKey)).
+		Model(new(serviceaccounttypes.StorableFactorAPIKey)).
 		Where("service_account_id = ?", serviceAccountID).
 		Where("id = ?", id).
 		Exec(ctx)
@@ -342,7 +284,7 @@ func (store *store) RevokeAllFactorAPIKeys(ctx context.Context, serviceAccountID
 		sqlstore.
 		BunDBCtx(ctx).
 		NewDelete().
-		Model(new(serviceaccounttypes.FactorAPIKey)).
+		Model(new(serviceaccounttypes.StorableFactorAPIKey)).
 		Where("service_account_id = ?", serviceAccountID).
 		Exec(ctx)
 	if err != nil {

pkg/modules/serviceaccount/serviceaccount.go

@@ -3,9 +3,7 @@ package serviceaccount
 import (
 	"context"
 	"net/http"
-	"time"
 
-	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 )
@@ -14,14 +12,14 @@ type Module interface {
 	// Creates a new service account for an organization.
 	Create(context.Context, valuer.UUID, *serviceaccounttypes.ServiceAccount) error
 
-	// Gets a service account with roles by id.
-	GetWithRoles(context.Context, valuer.UUID, valuer.UUID) (*serviceaccounttypes.ServiceAccountWithRoles, error)
+	// Gets a service account by id.
+	Get(context.Context, valuer.UUID, valuer.UUID) (*serviceaccounttypes.ServiceAccount, error)
 
 	// Gets or creates a service account by name
-	GetOrCreate(context.Context, valuer.UUID, *serviceaccounttypes.ServiceAccount) (*serviceaccounttypes.ServiceAccount, error)
+	GetOrCreate(context.Context, *serviceaccounttypes.ServiceAccount) (*serviceaccounttypes.ServiceAccount, error)
 
-	// Gets a service account by id
-	Get(context.Context, valuer.UUID, valuer.UUID) (*serviceaccounttypes.ServiceAccount, error)
+	// Gets a service account by id without fetching roles.
+	GetWithoutRoles(context.Context, valuer.UUID, valuer.UUID) (*serviceaccounttypes.ServiceAccount, error)
 
 	// List all service accounts for an organization.
 	List(context.Context, valuer.UUID) ([]*serviceaccounttypes.ServiceAccount, error)
@@ -29,14 +27,8 @@ type Module interface {
 	// Updates an existing service account
 	Update(context.Context, valuer.UUID, *serviceaccounttypes.ServiceAccount) error
 
-	// Assign a role to the service account. this is safe to retry
-	SetRole(context.Context, valuer.UUID, valuer.UUID, valuer.UUID) error
-
-	// Assigns a role by name to service account, this is safe to retry
-	SetRoleByName(context.Context, valuer.UUID, valuer.UUID, string) error
-
-	// Revokes a role from service account, this is safe to retry
-	DeleteRole(context.Context, valuer.UUID, valuer.UUID, valuer.UUID) error
+	// Updates an existing service account status
+	UpdateStatus(context.Context, valuer.UUID, *serviceaccounttypes.ServiceAccount) error
 
 	// Deletes an existing service account by id
 	Delete(context.Context, valuer.UUID, valuer.UUID) error
@@ -47,25 +39,14 @@ type Module interface {
 	// Gets a factor API key by id
 	GetFactorAPIKey(context.Context, valuer.UUID, valuer.UUID) (*serviceaccounttypes.FactorAPIKey, error)
 
-	// Gets or creates a factor api key by name
-	GetOrCreateFactorAPIKey(context.Context, *serviceaccounttypes.FactorAPIKey) (*serviceaccounttypes.FactorAPIKey, error)
-
 	// Lists all the API keys for a service account
 	ListFactorAPIKey(context.Context, valuer.UUID) ([]*serviceaccounttypes.FactorAPIKey, error)
 
 	// Updates an existing API key for a service account
 	UpdateFactorAPIKey(context.Context, valuer.UUID, valuer.UUID, *serviceaccounttypes.FactorAPIKey) error
 
-	// Set the last observed at for an api key.
-	SetLastObservedAt(context.Context, string, time.Time) error
-
 	// Revokes an existing API key for a service account
 	RevokeFactorAPIKey(context.Context, valuer.UUID, valuer.UUID) error
-
-	// Gets the identity for service account based on the factor api key.
-	GetIdentity(context.Context, string) (*authtypes.Identity, error)
-
-	Config() Config
 }
 
 type Handler interface {
@@ -73,19 +54,11 @@ type Handler interface {
 
 	Get(http.ResponseWriter, *http.Request)
 
-	GetRoles(http.ResponseWriter, *http.Request)
-
-	GetMe(http.ResponseWriter, *http.Request)
-
 	List(http.ResponseWriter, *http.Request)
 
 	Update(http.ResponseWriter, *http.Request)
 
-	UpdateMe(http.ResponseWriter, *http.Request)
-
-	SetRole(http.ResponseWriter, *http.Request)
-
-	DeleteRole(http.ResponseWriter, *http.Request)
+	UpdateStatus(http.ResponseWriter, *http.Request)
 
 	Delete(http.ResponseWriter, *http.Request)
 

pkg/modules/session/implsession/module.go

@@ -160,7 +160,18 @@ func (module *module) CreateCallbackAuthNSession(ctx context.Context, authNProvi
 		return "", errors.WithAdditionalf(err, "root user can only authenticate via password")
 	}
 
-	token, err := module.tokenizer.CreateToken(ctx, authtypes.NewPrincipalUserIdentity(newUser.ID, newUser.OrgID, newUser.Email, authtypes.IdentNProviderTokenizer), map[string]string{})
+	userRoles, err := module.userGetter.GetRolesByUserID(ctx, newUser.ID)
+	if err != nil {
+		return "", err
+	}
+
+	if len(userRoles) == 0 {
+		return "", errors.New(errors.TypeUnexpected, authtypes.ErrCodeUserRolesNotFound, "no user roles entries found")
+	}
+
+	finalRole := authtypes.SigNozManagedRoleToExistingLegacyRole[userRoles[0].Role.Name]
+
+	token, err := module.tokenizer.CreateToken(ctx, authtypes.NewIdentity(newUser.ID, newUser.OrgID, newUser.Email, finalRole, authtypes.IdentNProviderTokenizer), map[string]string{})
 	if err != nil {
 		return "", err
 	}

pkg/modules/spanpercentile/implspanpercentile/handler.go

@@ -35,7 +35,7 @@ func (h *handler) GetSpanPercentileDetails(w http.ResponseWriter, r *http.Reques
 		return
 	}
 
-	result, err := h.module.GetSpanPercentile(r.Context(), valuer.MustNewUUID(claims.OrgID), spanPercentileRequest)
+	result, err := h.module.GetSpanPercentile(r.Context(), valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID), spanPercentileRequest)
 	if err != nil {
 		render.Error(w, err)
 		return

pkg/modules/spanpercentile/implspanpercentile/module.go

@@ -28,7 +28,7 @@ func NewModule(
 	}
 }
 
-func (m *module) GetSpanPercentile(ctx context.Context, orgID valuer.UUID, req *spanpercentiletypes.SpanPercentileRequest) (*spanpercentiletypes.SpanPercentileResponse, error) {
+func (m *module) GetSpanPercentile(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, req *spanpercentiletypes.SpanPercentileRequest) (*spanpercentiletypes.SpanPercentileResponse, error) {
 	ctx = ctxtypes.NewContextWithCommentVals(ctx, map[string]string{
 		instrumentationtypes.CodeNamespace:    "spanpercentile",
 		instrumentationtypes.CodeFunctionName: "GetSpanPercentile",

pkg/modules/spanpercentile/spanpercentile.go

@@ -9,7 +9,7 @@ import (
 )
 
 type Module interface {
-	GetSpanPercentile(ctx context.Context, orgID valuer.UUID, req *spanpercentiletypes.SpanPercentileRequest) (*spanpercentiletypes.SpanPercentileResponse, error)
+	GetSpanPercentile(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, req *spanpercentiletypes.SpanPercentileRequest) (*spanpercentiletypes.SpanPercentileResponse, error)
 }
 
 type Handler interface {

pkg/modules/tracedetail/impltracedetail/handler.go

@@ -0,0 +1,56 @@
+package impltracedetail
+
+import (
+	"net/http"
+
+	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/http/binding"
+	"github.com/SigNoz/signoz/pkg/http/render"
+	"github.com/SigNoz/signoz/pkg/modules/tracedetail"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/SigNoz/signoz/pkg/types/tracedetailtypes"
+	"github.com/SigNoz/signoz/pkg/valuer"
+	"github.com/gorilla/mux"
+)
+
+type handler struct {
+	module tracedetail.Module
+}
+
+func NewHandler(module tracedetail.Module) tracedetail.Handler {
+	return &handler{module: module}
+}
+
+func (h *handler) GetWaterfall(rw http.ResponseWriter, r *http.Request) {
+	claims, err := authtypes.ClaimsFromContext(r.Context())
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	orgID, err := valuer.NewUUID(claims.OrgID)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	traceID := mux.Vars(r)["traceId"]
+	if traceID == "" {
+		render.Error(rw, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "traceId is required"))
+		return
+	}
+
+	var req tracedetailtypes.WaterfallRequest
+	if err := binding.JSON.BindBody(r.Body, &req); err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	result, err := h.module.GetWaterfall(r.Context(), orgID, traceID, &req)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	render.Success(rw, http.StatusOK, result)
+}

pkg/modules/tracedetail/impltracedetail/module.go

@@ -0,0 +1,272 @@
+package impltracedetail
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"log/slog"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/cache"
+	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/modules/tracedetail"
+	"github.com/SigNoz/signoz/pkg/telemetrystore"
+	"github.com/SigNoz/signoz/pkg/types/tracedetailtypes"
+	"github.com/SigNoz/signoz/pkg/valuer"
+
+	tracedetailv2 "github.com/SigNoz/signoz/pkg/query-service/app/traces/tracedetail"
+)
+
+const (
+	traceDB           = "signoz_traces"
+	traceTable        = "distributed_signoz_index_v3"
+	traceSummaryTable = "distributed_trace_summary"
+	cacheTTL          = 5 * time.Minute
+	fluxInterval      = 2 * time.Minute
+)
+
+type module struct {
+	telemetryStore telemetrystore.TelemetryStore
+	cache          cache.Cache
+	logger         *slog.Logger
+}
+
+func NewModule(telemetryStore telemetrystore.TelemetryStore, cache cache.Cache, providerSettings factory.ProviderSettings) tracedetail.Module {
+	return &module{
+		telemetryStore: telemetryStore,
+		cache:          cache,
+		logger:         providerSettings.Logger,
+	}
+}
+
+func (m *module) GetWaterfall(ctx context.Context, orgID valuer.UUID, traceID string, req *tracedetailtypes.WaterfallRequest) (*tracedetailtypes.WaterfallResponse, error) {
+	response := new(tracedetailtypes.WaterfallResponse)
+	var startTime, endTime, durationNano, totalErrorSpans, totalSpans uint64
+	var spanIDToSpanNodeMap = map[string]*tracedetailtypes.Span{}
+	var traceRoots []*tracedetailtypes.Span
+	var serviceNameToTotalDurationMap = map[string]uint64{}
+	var serviceNameIntervalMap = map[string][]tracedetailv2.Interval{}
+	var hasMissingSpans bool
+
+	// Try cache first
+	cachedTraceData, err := m.getFromCache(ctx, orgID, traceID)
+	if err == nil {
+		startTime = cachedTraceData.StartTime
+		endTime = cachedTraceData.EndTime
+		durationNano = cachedTraceData.DurationNano
+		spanIDToSpanNodeMap = cachedTraceData.SpanIDToSpanNodeMap
+		serviceNameToTotalDurationMap = cachedTraceData.ServiceNameToTotalDurationMap
+		traceRoots = cachedTraceData.TraceRoots
+		totalSpans = cachedTraceData.TotalSpans
+		totalErrorSpans = cachedTraceData.TotalErrorSpans
+		hasMissingSpans = cachedTraceData.HasMissingSpans
+	}
+
+	if err != nil {
+		m.logger.Info("cache miss for v3 waterfall", "traceID", traceID)
+
+		// Query trace summary for time boundaries
+		var summary tracedetailtypes.TraceSummary
+		summaryQuery := fmt.Sprintf(
+			"SELECT trace_id, min(start) AS start, max(end) AS end, sum(num_spans) AS num_spans FROM %s.%s WHERE trace_id=$1 GROUP BY trace_id",
+			traceDB, traceSummaryTable,
+		)
+		err := m.telemetryStore.ClickhouseDB().QueryRow(ctx, summaryQuery, traceID).Scan(
+			&summary.TraceID, &summary.Start, &summary.End, &summary.NumSpans,
+		)
+		if err != nil {
+			if err == sql.ErrNoRows {
+				return response, nil
+			}
+			return nil, errors.Newf(errors.TypeInternal, errors.CodeInternal, "error querying trace summary: %v", err)
+		}
+
+		// Query span details
+		detailsQuery := fmt.Sprintf(
+			"SELECT DISTINCT ON (span_id) "+
+				"timestamp, duration_nano, span_id, trace_id, has_error, kind, "+
+				"resource_string_service$$name, name, links as references, "+
+				"attributes_string, attributes_number, attributes_bool, resources_string, "+
+				"events, status_message, status_code_string, kind_string, parent_span_id, "+
+				"flags, is_remote, trace_state, status_code, "+
+				"db_name, db_operation, http_method, http_url, http_host, "+
+				"external_http_method, external_http_url, response_status_code "+
+				"FROM %s.%s WHERE trace_id=$1 AND ts_bucket_start>=$2 AND ts_bucket_start<=$3 "+
+				"ORDER BY timestamp ASC, name ASC",
+			traceDB, traceTable,
+		)
+
+		var spanItems []tracedetailtypes.SpanModel
+		err = m.telemetryStore.ClickhouseDB().Select(
+			ctx, &spanItems, detailsQuery,
+			traceID,
+			strconv.FormatInt(summary.Start.Unix()-1800, 10),
+			strconv.FormatInt(summary.End.Unix(), 10),
+		)
+		if err != nil {
+			return nil, errors.Newf(errors.TypeInternal, errors.CodeInternal, "error querying trace spans: %v", err)
+		}
+
+		if len(spanItems) == 0 {
+			return response, nil
+		}
+
+		totalSpans = uint64(len(spanItems))
+		spanIDToSpanNodeMap = make(map[string]*tracedetailtypes.Span, len(spanItems))
+
+		// Build span nodes
+		for _, item := range spanItems {
+			span := item.ToSpan()
+			startTimeUnixNano := span.TimeUnixNano
+
+			// Metadata calculation
+			if startTime == 0 || startTimeUnixNano < startTime {
+				startTime = startTimeUnixNano
+			}
+			if endTime == 0 || (startTimeUnixNano+span.DurationNano) > endTime {
+				endTime = startTimeUnixNano + span.DurationNano
+			}
+			if durationNano == 0 || span.DurationNano > durationNano {
+				durationNano = span.DurationNano
+			}
+			if span.HasError {
+				totalErrorSpans++
+			}
+
+			// Collect intervals for service execution time calculation
+			serviceNameIntervalMap[span.ServiceName] = append(
+				serviceNameIntervalMap[span.ServiceName],
+				tracedetailv2.Interval{StartTime: startTimeUnixNano, Duration: span.DurationNano, Service: span.ServiceName},
+			)
+
+			spanIDToSpanNodeMap[span.SpanID] = span
+		}
+
+		// Build tree: parent-child relationships and missing spans
+		for _, spanNode := range spanIDToSpanNodeMap {
+			if spanNode.ParentSpanID != "" {
+				if parentNode, exists := spanIDToSpanNodeMap[spanNode.ParentSpanID]; exists {
+					parentNode.Children = append(parentNode.Children, spanNode)
+				} else {
+					// Insert missing span
+					missingSpan := &tracedetailtypes.Span{
+						SpanID:       spanNode.ParentSpanID,
+						TraceID:      spanNode.TraceID,
+						Name:         "Missing Span",
+						TimeUnixNano: spanNode.TimeUnixNano,
+						DurationNano: spanNode.DurationNano,
+						Events:       make([]tracedetailtypes.Event, 0),
+						Children:     make([]*tracedetailtypes.Span, 0),
+						Attributes:   make(map[string]any),
+						Resources:    make(map[string]string),
+					}
+					missingSpan.Children = append(missingSpan.Children, spanNode)
+					spanIDToSpanNodeMap[missingSpan.SpanID] = missingSpan
+					traceRoots = append(traceRoots, missingSpan)
+					hasMissingSpans = true
+				}
+			} else if !containsSpan(traceRoots, spanNode) {
+				traceRoots = append(traceRoots, spanNode)
+			}
+		}
+
+		// Sort children of each span for consistent ordering across requests.
+		for _, root := range traceRoots {
+			SortSpanChildren(root)
+		}
+
+		// Sort trace roots
+		sort.Slice(traceRoots, func(i, j int) bool {
+			if traceRoots[i].TimeUnixNano == traceRoots[j].TimeUnixNano {
+				return traceRoots[i].Name < traceRoots[j].Name
+			}
+			return traceRoots[i].TimeUnixNano < traceRoots[j].TimeUnixNano
+		})
+
+		serviceNameToTotalDurationMap = tracedetailv2.CalculateServiceTime(serviceNameIntervalMap)
+
+		// Cache the processed data
+		traceCache := &tracedetailtypes.WaterfallCache{
+			StartTime:                     startTime,
+			EndTime:                       endTime,
+			DurationNano:                  durationNano,
+			TotalSpans:                    totalSpans,
+			TotalErrorSpans:               totalErrorSpans,
+			SpanIDToSpanNodeMap:           spanIDToSpanNodeMap,
+			ServiceNameToTotalDurationMap: serviceNameToTotalDurationMap,
+			TraceRoots:                    traceRoots,
+			HasMissingSpans:               hasMissingSpans,
+		}
+		cacheKey := strings.Join([]string{"v3_waterfall", traceID}, "-")
+		if cacheErr := m.cache.Set(ctx, orgID, cacheKey, traceCache, cacheTTL); cacheErr != nil {
+			m.logger.DebugContext(ctx, "failed to store v3 waterfall cache", "traceID", traceID, "error", cacheErr)
+		}
+	}
+
+	// Span selection: all spans or windowed
+	limit := min(req.Limit, MaxLimitToSelectAllSpans)
+	selectAllSpans := totalSpans <= uint64(limit)
+
+	var (
+		selectedSpans                          []*tracedetailtypes.Span
+		uncollapsedSpans                       []string
+		rootServiceName, rootServiceEntryPoint string
+	)
+	if selectAllSpans {
+		selectedSpans, rootServiceName, rootServiceEntryPoint = GetAllSpans(traceRoots)
+	} else {
+		selectedSpans, uncollapsedSpans, rootServiceName, rootServiceEntryPoint = GetSelectedSpans(
+			req.UncollapsedSpans, req.SelectedSpanID, traceRoots, spanIDToSpanNodeMap, req.IsSelectedSpanIDUnCollapsed,
+		)
+	}
+
+	// Convert timestamps to milliseconds for service duration map
+	for serviceName, totalDuration := range serviceNameToTotalDurationMap {
+		serviceNameToTotalDurationMap[serviceName] = totalDuration / 1000000
+	}
+
+	response.Spans = selectedSpans
+	response.UncollapsedSpans = uncollapsedSpans
+	response.StartTimestampMillis = startTime / 1000000
+	response.EndTimestampMillis = endTime / 1000000
+	response.DurationNano = durationNano
+	response.TotalSpansCount = totalSpans
+	response.TotalErrorSpansCount = totalErrorSpans
+	response.RootServiceName = rootServiceName
+	response.RootServiceEntryPoint = rootServiceEntryPoint
+	response.ServiceNameToTotalDurationMap = serviceNameToTotalDurationMap
+	response.HasMissingSpans = hasMissingSpans
+
+	return response, nil
+}
+
+func (m *module) getFromCache(ctx context.Context, orgID valuer.UUID, traceID string) (*tracedetailtypes.WaterfallCache, error) {
+	cachedData := new(tracedetailtypes.WaterfallCache)
+	cacheKey := strings.Join([]string{"v3_waterfall", traceID}, "-")
+	err := m.cache.Get(ctx, orgID, cacheKey, cachedData)
+	if err != nil {
+		return nil, err
+	}
+
+	// Skip cache if trace end time falls within flux interval
+	if time.Since(time.UnixMilli(int64(cachedData.EndTime))) < fluxInterval {
+		m.logger.InfoContext(ctx, "trace end time within flux interval, skipping v3 waterfall cache", "traceID", traceID)
+		return nil, errors.Newf(errors.TypeInternal, errors.CodeInternal, "trace end time within flux interval, traceID: %s", traceID)
+	}
+
+	m.logger.InfoContext(ctx, "cache hit for v3 waterfall", "traceID", traceID)
+	return cachedData, nil
+}
+
+func containsSpan(spans []*tracedetailtypes.Span, target *tracedetailtypes.Span) bool {
+	for _, s := range spans {
+		if s.SpanID == target.SpanID {
+			return true
+		}
+	}
+	return false
+}

pkg/modules/tracedetail/impltracedetail/waterfall.go

@@ -0,0 +1,193 @@
+package impltracedetail
+
+import (
+	"maps"
+	"slices"
+	"sort"
+
+	"github.com/SigNoz/signoz/pkg/types/tracedetailtypes"
+)
+
+var (
+	spanLimitPerRequest         float64 = 500
+	maxDepthForSelectedChildren int     = 5
+	MaxLimitToSelectAllSpans    uint    = 10_000
+)
+
+type traverseOpts struct {
+	uncollapsedSpans          map[string]struct{}
+	selectedSpanID            string
+	isSelectedSpanUncollapsed bool
+	selectAll                 bool
+}
+
+func traverseTrace(
+	span *tracedetailtypes.Span,
+	opts traverseOpts,
+	level uint64,
+	isPartOfPreOrder bool,
+	hasSibling bool,
+	autoExpandDepth int,
+) ([]*tracedetailtypes.Span, []string) {
+
+	preOrderTraversal := []*tracedetailtypes.Span{}
+	autoExpandedSpans := []string{}
+
+	span.SubTreeNodeCount = 0
+	nodeWithoutChildren := span.CopyWithoutChildren(level, hasSibling)
+
+	if isPartOfPreOrder {
+		preOrderTraversal = append(preOrderTraversal, nodeWithoutChildren)
+	}
+
+	remainingAutoExpandDepth := 0
+	if span.SpanID == opts.selectedSpanID && opts.isSelectedSpanUncollapsed {
+		remainingAutoExpandDepth = maxDepthForSelectedChildren
+	} else if autoExpandDepth > 0 {
+		remainingAutoExpandDepth = autoExpandDepth - 1
+	}
+
+	_, isAlreadyUncollapsed := opts.uncollapsedSpans[span.SpanID]
+	for index, child := range span.Children {
+		isChildWithinMaxDepth := remainingAutoExpandDepth > 0
+		childIsPartOfPreOrder := opts.selectAll || (isPartOfPreOrder && (isAlreadyUncollapsed || isChildWithinMaxDepth))
+
+		if isPartOfPreOrder && isChildWithinMaxDepth && !isAlreadyUncollapsed {
+			if !slices.Contains(autoExpandedSpans, span.SpanID) {
+				autoExpandedSpans = append(autoExpandedSpans, span.SpanID)
+			}
+		}
+
+		childTraversal, childAutoExpanded := traverseTrace(child, opts, level+1, childIsPartOfPreOrder, index != (len(span.Children)-1), remainingAutoExpandDepth)
+		preOrderTraversal = append(preOrderTraversal, childTraversal...)
+		autoExpandedSpans = append(autoExpandedSpans, childAutoExpanded...)
+		nodeWithoutChildren.SubTreeNodeCount += child.SubTreeNodeCount + 1
+		span.SubTreeNodeCount += child.SubTreeNodeCount + 1
+	}
+
+	nodeWithoutChildren.SubTreeNodeCount += 1
+	return preOrderTraversal, autoExpandedSpans
+}
+
+func GetSelectedSpans(uncollapsedSpans []string, selectedSpanID string, traceRoots []*tracedetailtypes.Span, spanIDToSpanNodeMap map[string]*tracedetailtypes.Span, isSelectedSpanIDUnCollapsed bool) ([]*tracedetailtypes.Span, []string, string, string) {
+	var preOrderTraversal = make([]*tracedetailtypes.Span, 0)
+	var rootServiceName, rootServiceEntryPoint string
+
+	uncollapsedSpanMap := make(map[string]struct{})
+	for _, spanID := range uncollapsedSpans {
+		uncollapsedSpanMap[spanID] = struct{}{}
+	}
+
+	selectedSpanIndex := -1
+	for _, rootSpanID := range traceRoots {
+		if rootNode, exists := spanIDToSpanNodeMap[rootSpanID.SpanID]; exists {
+			present, spansFromRootToNode := getPathFromRootToSelectedSpanID(rootNode, selectedSpanID)
+			if present {
+				for _, spanID := range spansFromRootToNode {
+					if selectedSpanID == spanID && !isSelectedSpanIDUnCollapsed {
+						continue
+					}
+					uncollapsedSpanMap[spanID] = struct{}{}
+				}
+			}
+
+			opts := traverseOpts{
+				uncollapsedSpans:          uncollapsedSpanMap,
+				selectedSpanID:            selectedSpanID,
+				isSelectedSpanUncollapsed: isSelectedSpanIDUnCollapsed,
+			}
+			traversal, autoExpanded := traverseTrace(rootNode, opts, 0, true, false, 0)
+			for _, spanID := range autoExpanded {
+				uncollapsedSpanMap[spanID] = struct{}{}
+			}
+			idx := findIndexForSelectedSpan(traversal, selectedSpanID)
+
+			if idx != -1 {
+				selectedSpanIndex = idx + len(preOrderTraversal)
+			}
+
+			preOrderTraversal = append(preOrderTraversal, traversal...)
+
+			if rootServiceName == "" {
+				rootServiceName = rootNode.ServiceName
+			}
+			if rootServiceEntryPoint == "" {
+				rootServiceEntryPoint = rootNode.Name
+			}
+		}
+	}
+
+	if selectedSpanIndex == -1 && selectedSpanID != "" {
+		selectedSpanIndex = 0
+	}
+
+	// Window: 40% before, 60% after selected span
+	startIndex := selectedSpanIndex - int(spanLimitPerRequest*0.4)
+	endIndex := selectedSpanIndex + int(spanLimitPerRequest*0.6)
+
+	if startIndex < 0 {
+		endIndex = endIndex - startIndex
+		startIndex = 0
+	}
+	if endIndex > len(preOrderTraversal) {
+		startIndex = startIndex - (endIndex - len(preOrderTraversal))
+		endIndex = len(preOrderTraversal)
+	}
+	if startIndex < 0 {
+		startIndex = 0
+	}
+
+	return preOrderTraversal[startIndex:endIndex], slices.Collect(maps.Keys(uncollapsedSpanMap)), rootServiceName, rootServiceEntryPoint
+}
+
+func GetAllSpans(traceRoots []*tracedetailtypes.Span) (spans []*tracedetailtypes.Span, rootServiceName, rootEntryPoint string) {
+	if len(traceRoots) > 0 {
+		rootServiceName = traceRoots[0].ServiceName
+		rootEntryPoint = traceRoots[0].Name
+	}
+	for _, root := range traceRoots {
+		childSpans, _ := traverseTrace(root, traverseOpts{selectAll: true}, 0, true, false, 0)
+		spans = append(spans, childSpans...)
+	}
+	return
+}
+
+func getPathFromRootToSelectedSpanID(node *tracedetailtypes.Span, selectedSpanID string) (bool, []string) {
+	path := []string{node.SpanID}
+	if node.SpanID == selectedSpanID {
+		return true, path
+	}
+
+	for _, child := range node.Children {
+		found, childPath := getPathFromRootToSelectedSpanID(child, selectedSpanID)
+		if found {
+			path = append(path, childPath...)
+			return true, path
+		}
+	}
+	return false, nil
+}
+
+func findIndexForSelectedSpan(spans []*tracedetailtypes.Span, selectedSpanID string) int {
+	for i, span := range spans {
+		if span.SpanID == selectedSpanID {
+			return i
+		}
+	}
+	return -1
+}
+
+// SortSpanChildren recursively sorts children of each span by TimeUnixNano then Name.
+// Must be called once after the span tree is fully built so that traverseTrace
+// sees a consistent ordering without needing to re-sort on every call.
+func SortSpanChildren(span *tracedetailtypes.Span) {
+	sort.Slice(span.Children, func(i, j int) bool {
+		if span.Children[i].TimeUnixNano == span.Children[j].TimeUnixNano {
+			return span.Children[i].Name < span.Children[j].Name
+		}
+		return span.Children[i].TimeUnixNano < span.Children[j].TimeUnixNano
+	})
+	for _, child := range span.Children {
+		SortSpanChildren(child)
+	}
+}

pkg/modules/tracedetail/impltracedetail/waterfall_test.go

@@ -0,0 +1,580 @@
+// Package impltracedetail tests — waterfall
+//
+// # Background
+//
+// The waterfall view renders a trace as a scrollable list of spans in
+// pre-order (parent before children, siblings left-to-right). Because a trace
+// can have thousands of spans, only a window of ~500 is returned per request.
+// The window is centred on the selected span.
+//
+// # Key concepts
+//
+// uncollapsedSpans
+//
+//	The set of span IDs the user has manually expanded in the UI.
+//	Only the direct children of an uncollapsed span are included in the
+//	output; grandchildren stay hidden until their parent is also uncollapsed.
+//	When multiple spans are uncollapsed their children are all visible at once.
+//
+// selectedSpanID
+//
+//	The span currently focused — set when the user clicks a span in the
+//	waterfall or selects one from the flamegraph.  The output window is always
+//	centred on this span.  The path from the trace root down to the selected
+//	span is automatically uncollapsed so ancestors are visible even if they are
+//	not in uncollapsedSpans.
+//
+// isSelectedSpanIDUnCollapsed
+//
+//	Controls whether the selected span's own children are shown:
+//	  true  — user expanded the span (click-to-open in waterfall or flamegraph);
+//	          direct children of the selected span are included.
+//	  false — user selected without expanding;
+//	          the span is visible but its children remain hidden.
+//
+// traceRoots
+//
+//	Root spans of the trace — spans with no parent in the current dataset.
+//	Normally one, but multiple roots are common when upstream services are
+//	not instrumented or their spans were not sampled/exported.
+
+package impltracedetail
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/SigNoz/signoz/pkg/types/tracedetailtypes"
+	"github.com/stretchr/testify/assert"
+)
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Helpers
+// ─────────────────────────────────────────────────────────────────────────────
+
+func mkSpan(id, service string, children ...*tracedetailtypes.Span) *tracedetailtypes.Span {
+	return &tracedetailtypes.Span{
+		SpanID:      id,
+		ServiceName: service,
+		Name:        id + "-op",
+		Children:    children,
+	}
+}
+
+func spanIDs(spans []*tracedetailtypes.Span) []string {
+	ids := make([]string, len(spans))
+	for i, s := range spans {
+		ids[i] = s.SpanID
+	}
+	return ids
+}
+
+func buildSpanMap(roots ...*tracedetailtypes.Span) map[string]*tracedetailtypes.Span {
+	m := map[string]*tracedetailtypes.Span{}
+	var walk func(*tracedetailtypes.Span)
+	walk = func(s *tracedetailtypes.Span) {
+		m[s.SpanID] = s
+		for _, c := range s.Children {
+			walk(c)
+		}
+	}
+	for _, r := range roots {
+		SortSpanChildren(r)
+		walk(r)
+	}
+	return m
+}
+
+// makeChain builds a linear trace: span0 → span1 → … → span(n-1).
+func makeChain(n int) (*tracedetailtypes.Span, map[string]*tracedetailtypes.Span, []string) {
+	spans := make([]*tracedetailtypes.Span, n)
+	for i := n - 1; i >= 0; i-- {
+		if i == n-1 {
+			spans[i] = mkSpan(fmt.Sprintf("span%d", i), "svc")
+		} else {
+			spans[i] = mkSpan(fmt.Sprintf("span%d", i), "svc", spans[i+1])
+		}
+	}
+	uncollapsed := make([]string, n)
+	for i := range spans {
+		uncollapsed[i] = fmt.Sprintf("span%d", i)
+	}
+	return spans[0], buildSpanMap(spans[0]), uncollapsed
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// GetSelectedSpans — span ordering and visibility
+// ─────────────────────────────────────────────────────────────────────────────
+
+func TestGetSelectedSpans_SpanOrdering(t *testing.T) {
+	tests := []struct {
+		name                        string
+		buildRoots                  func() ([]*tracedetailtypes.Span, map[string]*tracedetailtypes.Span)
+		uncollapsedSpans            []string
+		selectedSpanID              string
+		isSelectedSpanIDUnCollapsed bool
+		wantSpanIDs                 []string
+	}{
+		{
+			// Pre-order traversal is preserved: parent before children, siblings left-to-right.
+			name: "pre_order_traversal",
+			buildRoots: func() ([]*tracedetailtypes.Span, map[string]*tracedetailtypes.Span) {
+				root := mkSpan("root", "svc",
+					mkSpan("child1", "svc", mkSpan("grandchild", "svc")),
+					mkSpan("child2", "svc"),
+				)
+				return []*tracedetailtypes.Span{root}, buildSpanMap(root)
+			},
+			uncollapsedSpans:            []string{"root", "child1"},
+			selectedSpanID:              "root",
+			isSelectedSpanIDUnCollapsed: false,
+			wantSpanIDs:                 []string{"root", "child1", "grandchild", "child2"},
+		},
+		{
+			// Multiple spans uncollapsed simultaneously: children of all uncollapsed spans are visible at once.
+			//
+			//	root
+			//	  ├─ childA (uncollapsed) → grandchildA ✓
+			//	  └─ childB (uncollapsed) → grandchildB ✓
+			name: "multiple_uncollapsed",
+			buildRoots: func() ([]*tracedetailtypes.Span, map[string]*tracedetailtypes.Span) {
+				root := mkSpan("root", "svc",
+					mkSpan("childA", "svc", mkSpan("grandchildA", "svc")),
+					mkSpan("childB", "svc", mkSpan("grandchildB", "svc")),
+				)
+				return []*tracedetailtypes.Span{root}, buildSpanMap(root)
+			},
+			uncollapsedSpans:            []string{"root", "childA", "childB"},
+			selectedSpanID:              "root",
+			isSelectedSpanIDUnCollapsed: false,
+			wantSpanIDs:                 []string{"root", "childA", "grandchildA", "childB", "grandchildB"},
+		},
+		{
+			// Collapsing a span with other uncollapsed spans.
+			//
+			// root
+			// ├─ childA  (previously expanded — in uncollapsedSpans)
+			// │    ├─ grandchild1 ✓
+			// │    │    └─ greatGrandchild ✗  (grandchild1 not in uncollapsedSpans)
+			// │    └─ grandchild2 ✓
+			// └─ childB                        ← selected (not expanded)
+			name: "manual_uncollapse",
+			buildRoots: func() ([]*tracedetailtypes.Span, map[string]*tracedetailtypes.Span) {
+				root := mkSpan("root", "svc",
+					mkSpan("childA", "svc",
+						mkSpan("grandchild1", "svc", mkSpan("greatGrandchild", "svc")),
+						mkSpan("grandchild2", "svc"),
+					),
+					mkSpan("childB", "svc"),
+				)
+				return []*tracedetailtypes.Span{root}, buildSpanMap(root)
+			},
+			uncollapsedSpans:            []string{"childA"},
+			selectedSpanID:              "childB",
+			isSelectedSpanIDUnCollapsed: false,
+			wantSpanIDs:                 []string{"root", "childA", "grandchild1", "grandchild2", "childB"},
+		},
+		{
+			// A collapsed span hides all children.
+			name: "collapsed_span_hides_children",
+			buildRoots: func() ([]*tracedetailtypes.Span, map[string]*tracedetailtypes.Span) {
+				root := mkSpan("root", "svc",
+					mkSpan("child1", "svc"),
+					mkSpan("child2", "svc"),
+				)
+				return []*tracedetailtypes.Span{root}, buildSpanMap(root)
+			},
+			uncollapsedSpans:            []string{},
+			selectedSpanID:              "root",
+			isSelectedSpanIDUnCollapsed: false,
+			wantSpanIDs:                 []string{"root"},
+		},
+		{
+			// Selecting a span auto-uncollpases the path from root to that span so it is visible.
+			//
+			//	root → parent → selected
+			name: "path_to_selected_is_uncollapsed",
+			buildRoots: func() ([]*tracedetailtypes.Span, map[string]*tracedetailtypes.Span) {
+				root := mkSpan("root", "svc",
+					mkSpan("parent", "svc",
+						mkSpan("selected", "svc"),
+					),
+				)
+				return []*tracedetailtypes.Span{root}, buildSpanMap(root)
+			},
+			uncollapsedSpans:            []string{},
+			selectedSpanID:              "selected",
+			isSelectedSpanIDUnCollapsed: false,
+			wantSpanIDs:                 []string{"root", "parent", "selected"},
+		},
+		{
+			// Siblings of ancestors are rendered as collapsed nodes but their subtrees must NOT be expanded.
+			//
+			//	root
+			//	  ├─ unrelated → unrelated-child (✗)
+			//	  └─ parent → selected
+			name: "siblings_not_expanded",
+			buildRoots: func() ([]*tracedetailtypes.Span, map[string]*tracedetailtypes.Span) {
+				root := mkSpan("root", "svc",
+					mkSpan("unrelated", "svc", mkSpan("unrelated-child", "svc")),
+					mkSpan("parent", "svc",
+						mkSpan("selected", "svc"),
+					),
+				)
+				return []*tracedetailtypes.Span{root}, buildSpanMap(root)
+			},
+			uncollapsedSpans:            []string{},
+			selectedSpanID:              "selected",
+			isSelectedSpanIDUnCollapsed: false,
+			// children of root sort alphabetically: parent < unrelated; unrelated-child stays hidden
+			wantSpanIDs: []string{"root", "parent", "selected", "unrelated"},
+		},
+		{
+			// An unknown selectedSpanID must not panic; returns a window from index 0.
+			name: "unknown_selected_span",
+			buildRoots: func() ([]*tracedetailtypes.Span, map[string]*tracedetailtypes.Span) {
+				root := mkSpan("root", "svc", mkSpan("child", "svc"))
+				return []*tracedetailtypes.Span{root}, buildSpanMap(root)
+			},
+			uncollapsedSpans:            []string{},
+			selectedSpanID:              "nonexistent",
+			isSelectedSpanIDUnCollapsed: false,
+			wantSpanIDs:                 []string{"root"},
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			roots, spanMap := tc.buildRoots()
+			spans, _, _, _ := GetSelectedSpans(tc.uncollapsedSpans, tc.selectedSpanID, roots, spanMap, tc.isSelectedSpanIDUnCollapsed)
+			assert.Equal(t, tc.wantSpanIDs, spanIDs(spans))
+		})
+	}
+}
+
+// Multiple roots: both trees are flattened into a single pre-order list with
+// root1's subtree before root2's. Service/entry-point come from the first root.
+//
+//	root1 svc-a          ← selected
+//	  └─ child1
+//	root2 svc-b
+//	  └─ child2
+//
+// Expected output order: root1 → child1 → root2 → child2
+func TestGetSelectedSpans_MultipleRoots(t *testing.T) {
+	root1 := mkSpan("root1", "svc-a", mkSpan("child1", "svc-a"))
+	root2 := mkSpan("root2", "svc-b", mkSpan("child2", "svc-b"))
+	spanMap := buildSpanMap(root1, root2)
+
+	spans, _, svcName, entryPoint := GetSelectedSpans([]string{"root1", "root2"}, "root1", []*tracedetailtypes.Span{root1, root2}, spanMap, false)
+
+	assert.Equal(t, []string{"root1", "child1", "root2", "child2"}, spanIDs(spans), "root1 subtree must precede root2 subtree")
+	assert.Equal(t, "svc-a", svcName, "metadata comes from first root")
+	assert.Equal(t, "root1-op", entryPoint, "metadata comes from first root")
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// GetSelectedSpans — uncollapsed span tracking
+// ─────────────────────────────────────────────────────────────────────────────
+
+func TestGetSelectedSpans_UncollapsedTracking(t *testing.T) {
+	tests := []struct {
+		name                        string
+		buildRoot                   func() (*tracedetailtypes.Span, map[string]*tracedetailtypes.Span)
+		uncollapsedSpans            []string
+		selectedSpanID              string
+		isSelectedSpanIDUnCollapsed bool
+		wantSpanIDs                 []string
+		checkUncollapsed            func(t *testing.T, uncollapsed []string)
+	}{
+		{
+			// The path-to-selected spans are returned in updatedUncollapsedSpans.
+			name: "path_returned_in_uncollapsed",
+			buildRoot: func() (*tracedetailtypes.Span, map[string]*tracedetailtypes.Span) {
+				root := mkSpan("root", "svc",
+					mkSpan("parent", "svc",
+						mkSpan("selected", "svc"),
+					),
+				)
+				return root, buildSpanMap(root)
+			},
+			uncollapsedSpans:            []string{},
+			selectedSpanID:              "selected",
+			isSelectedSpanIDUnCollapsed: false,
+			wantSpanIDs:                 []string{"root", "parent", "selected"},
+			checkUncollapsed: func(t *testing.T, uncollapsed []string) {
+				assert.ElementsMatch(t, []string{"root", "parent"}, uncollapsed)
+			},
+		},
+		{
+			// Siblings of ancestors are not tracked as uncollapsed.
+			name: "siblings_not_in_uncollapsed",
+			buildRoot: func() (*tracedetailtypes.Span, map[string]*tracedetailtypes.Span) {
+				root := mkSpan("root", "svc",
+					mkSpan("unrelated", "svc", mkSpan("unrelated-child", "svc")),
+					mkSpan("parent", "svc",
+						mkSpan("selected", "svc"),
+					),
+				)
+				return root, buildSpanMap(root)
+			},
+			uncollapsedSpans:            []string{},
+			selectedSpanID:              "selected",
+			isSelectedSpanIDUnCollapsed: false,
+			wantSpanIDs:                 []string{"root", "parent", "selected", "unrelated"},
+			checkUncollapsed: func(t *testing.T, uncollapsed []string) {
+				assert.ElementsMatch(t, []string{"root", "parent"}, uncollapsed)
+			},
+		},
+		{
+			// Auto-expanded span IDs from ALL branches are returned in updatedUncollapsedSpans.
+			// Only internal nodes (spans with children) are tracked — leaf spans are never added.
+			//
+			//	root (selected, expanded)
+			//	  ├─ childA (internal ✓)
+			//	  │    └─ grandchildA (internal ✓)
+			//	  │         └─ leafA (leaf ✗)
+			//	  └─ childB (internal ✓)
+			//	       └─ grandchildB (internal ✓)
+			//	            └─ leafB (leaf ✗)
+			name: "auto_expanded_spans_returned",
+			buildRoot: func() (*tracedetailtypes.Span, map[string]*tracedetailtypes.Span) {
+				root := mkSpan("root", "svc",
+					mkSpan("childA", "svc",
+						mkSpan("grandchildA", "svc",
+							mkSpan("leafA", "svc"),
+						),
+					),
+					mkSpan("childB", "svc",
+						mkSpan("grandchildB", "svc",
+							mkSpan("leafB", "svc"),
+						),
+					),
+				)
+				return root, buildSpanMap(root)
+			},
+			uncollapsedSpans:            []string{},
+			selectedSpanID:              "root",
+			isSelectedSpanIDUnCollapsed: true,
+			checkUncollapsed: func(t *testing.T, uncollapsed []string) {
+				assert.Contains(t, uncollapsed, "root")
+				assert.Contains(t, uncollapsed, "childA", "internal node depth 1, branch A")
+				assert.Contains(t, uncollapsed, "childB", "internal node depth 1, branch B")
+				assert.Contains(t, uncollapsed, "grandchildA", "internal node depth 2, branch A")
+				assert.Contains(t, uncollapsed, "grandchildB", "internal node depth 2, branch B")
+				assert.NotContains(t, uncollapsed, "leafA", "leaf spans are never added to uncollapsedSpans")
+				assert.NotContains(t, uncollapsed, "leafB", "leaf spans are never added to uncollapsedSpans")
+			},
+		},
+		{
+			// If the selected span is already in uncollapsedSpans AND isSelectedSpanIDUnCollapsed=true,
+			// it should appear exactly once in the result.
+			name: "duplicate_in_uncollapsed",
+			buildRoot: func() (*tracedetailtypes.Span, map[string]*tracedetailtypes.Span) {
+				root := mkSpan("root", "svc",
+					mkSpan("selected", "svc", mkSpan("child", "svc")),
+				)
+				return root, buildSpanMap(root)
+			},
+			uncollapsedSpans:            []string{"selected"}, // already present
+			selectedSpanID:              "selected",
+			isSelectedSpanIDUnCollapsed: true,
+			checkUncollapsed: func(t *testing.T, uncollapsed []string) {
+				count := 0
+				for _, id := range uncollapsed {
+					if id == "selected" {
+						count++
+					}
+				}
+				assert.Equal(t, 1, count, "should appear once")
+			},
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			root, spanMap := tc.buildRoot()
+			spans, uncollapsed, _, _ := GetSelectedSpans(tc.uncollapsedSpans, tc.selectedSpanID, []*tracedetailtypes.Span{root}, spanMap, tc.isSelectedSpanIDUnCollapsed)
+			if tc.wantSpanIDs != nil {
+				assert.Equal(t, tc.wantSpanIDs, spanIDs(spans))
+			}
+			if tc.checkUncollapsed != nil {
+				tc.checkUncollapsed(t, uncollapsed)
+			}
+		})
+	}
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// GetSelectedSpans — span metadata
+// ─────────────────────────────────────────────────────────────────────────────
+
+// Test to check if Level, HasChildren, HasSiblings, and SubTreeNodeCount are populated correctly.
+//
+//	root          level=0, hasChildren=true,  hasSiblings=false, subTree=4
+//	  child1      level=1, hasChildren=true,  hasSiblings=true,  subTree=2
+//	    grandchild level=2, hasChildren=false, hasSiblings=false, subTree=1
+//	  child2      level=1, hasChildren=false, hasSiblings=false, subTree=1
+func TestGetSelectedSpans_SpanMetadata(t *testing.T) {
+	root := mkSpan("root", "svc",
+		mkSpan("child1", "svc", mkSpan("grandchild", "svc")),
+		mkSpan("child2", "svc"),
+	)
+	spanMap := buildSpanMap(root)
+	spans, _, _, _ := GetSelectedSpans([]string{"root", "child1"}, "root", []*tracedetailtypes.Span{root}, spanMap, false)
+
+	byID := map[string]*tracedetailtypes.Span{}
+	for _, s := range spans {
+		byID[s.SpanID] = s
+	}
+
+	tests := []struct {
+		spanID          string
+		wantLevel       uint64
+		wantHasChildren bool
+		wantHasSiblings bool
+		wantSubTree     uint64
+	}{
+		{"root", 0, true, false, 4},
+		{"child1", 1, true, true, 2},
+		{"child2", 1, false, false, 1},
+		{"grandchild", 2, false, false, 1},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.spanID, func(t *testing.T) {
+			s := byID[tc.spanID]
+			assert.Equal(t, tc.wantLevel, s.Level)
+			assert.Equal(t, tc.wantHasChildren, s.HasChildren)
+			assert.Equal(t, tc.wantHasSiblings, s.HasSiblings)
+			assert.Equal(t, tc.wantSubTree, s.SubTreeNodeCount)
+		})
+	}
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// GetSelectedSpans — windowing
+// ─────────────────────────────────────────────────────────────────────────────
+
+func TestGetSelectedSpans_Window(t *testing.T) {
+	tests := []struct {
+		name            string
+		selectedSpanID  string
+		wantLen         int
+		wantFirst       string
+		wantLast        string
+		wantSelectedPos int
+	}{
+		{
+			// The selected span is centred: 200 spans before it, 300 after (0.4 / 0.6 split).
+			name:            "centred_on_selected",
+			selectedSpanID:  "span300",
+			wantLen:         500,
+			wantFirst:       "span100",
+			wantLast:        "span599",
+			wantSelectedPos: 200,
+		},
+		{
+			// When the selected span is near the start, the window shifts right so no
+			// negative index is used — the result is still 500 spans.
+			name:            "shifts_at_start",
+			selectedSpanID:  "span10",
+			wantLen:         500,
+			wantFirst:       "span0",
+			wantSelectedPos: 10,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			root, spanMap, uncollapsed := makeChain(600)
+			spans, _, _, _ := GetSelectedSpans(uncollapsed, tc.selectedSpanID, []*tracedetailtypes.Span{root}, spanMap, false)
+
+			assert.Equal(t, tc.wantLen, len(spans), "window size")
+			assert.Equal(t, tc.wantFirst, spans[0].SpanID, "first span in window")
+			if tc.wantLast != "" {
+				assert.Equal(t, tc.wantLast, spans[len(spans)-1].SpanID, "last span in window")
+			}
+			assert.Equal(t, tc.selectedSpanID, spans[tc.wantSelectedPos].SpanID, "selected span position")
+		})
+	}
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// GetSelectedSpans — depth limit
+// ─────────────────────────────────────────────────────────────────────────────
+
+// Depth is measured from the selected span, not the trace root.
+// Ancestors appear via the path-to-root logic, not the depth limit.
+// Each depth level has two children to confirm the limit is enforced on all
+// branches, not just the first.
+//
+//	root
+//	  └─ A                           ancestor ✓ (path-to-root)
+//	       └─ selected
+//	            ├─ d1a               depth 1 ✓
+//	            │    ├─ d2a          depth 2 ✓
+//	            │    │    ├─ d3a     depth 3 ✓
+//	            │    │    │    ├─ d4a   depth 4 ✓
+//	            │    │    │    │    ├─ d5a  depth 5 ✓
+//	            │    │    │    │    │    └─ d6a  depth 6 ✗
+//	            │    │    │    │    └─ d5b  depth 5 ✓
+//	            │    │    │    └─ d4b   depth 4 ✓
+//	            │    │    └─ d3b     depth 3 ✓
+//	            │    └─ d2b          depth 2 ✓
+//	            └─ d1b               depth 1 ✓
+func TestGetSelectedSpans_DepthCountedFromSelectedSpan(t *testing.T) {
+	selected := mkSpan("selected", "svc",
+		mkSpan("d1a", "svc",
+			mkSpan("d2a", "svc",
+				mkSpan("d3a", "svc",
+					mkSpan("d4a", "svc",
+						mkSpan("d5a", "svc",
+							mkSpan("d6a", "svc"), // depth 6 — excluded
+						),
+						mkSpan("d5b", "svc"), // depth 5 — included
+					),
+					mkSpan("d4b", "svc"), // depth 4 — included
+				),
+				mkSpan("d3b", "svc"), // depth 3 — included
+			),
+			mkSpan("d2b", "svc"), // depth 2 — included
+		),
+		mkSpan("d1b", "svc"), // depth 1 — included
+	)
+	root := mkSpan("root", "svc", mkSpan("A", "svc", selected))
+
+	spanMap := buildSpanMap(root)
+	spans, _, _, _ := GetSelectedSpans([]string{}, "selected", []*tracedetailtypes.Span{root}, spanMap, true)
+	ids := spanIDs(spans)
+
+	assert.Contains(t, ids, "root", "ancestor shown via path-to-root")
+	assert.Contains(t, ids, "A", "ancestor shown via path-to-root")
+	for _, id := range []string{"d1a", "d1b", "d2a", "d2b", "d3a", "d3b", "d4a", "d4b", "d5a", "d5b"} {
+		assert.Contains(t, ids, id, "depth ≤ 5 — must be included")
+	}
+	assert.NotContains(t, ids, "d6a", "depth 6 > limit — excluded")
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// GetAllSpans
+// ─────────────────────────────────────────────────────────────────────────────
+
+func TestGetAllSpans(t *testing.T) {
+	root := mkSpan("root", "svc",
+		mkSpan("childA", "svc",
+			mkSpan("grandchildA", "svc",
+				mkSpan("leafA", "svc2"),
+			),
+		),
+		mkSpan("childB", "svc3",
+			mkSpan("grandchildB", "svc",
+				mkSpan("leafB", "svc2"),
+			),
+		),
+	)
+	spans, rootServiceName, rootEntryPoint := GetAllSpans([]*tracedetailtypes.Span{root})
+	assert.ElementsMatch(t, spanIDs(spans), []string{"root", "childA", "grandchildA", "leafA", "childB", "grandchildB", "leafB"})
+	assert.Equal(t, "svc", rootServiceName)
+	assert.Equal(t, "root-op", rootEntryPoint)
+}

pkg/modules/tracedetail/tracedetail.go

@@ -0,0 +1,19 @@
+package tracedetail
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/SigNoz/signoz/pkg/types/tracedetailtypes"
+	"github.com/SigNoz/signoz/pkg/valuer"
+)
+
+// Handler exposes HTTP handlers for trace detail APIs.
+type Handler interface {
+	GetWaterfall(http.ResponseWriter, *http.Request)
+}
+
+// Module defines the business logic for trace detail operations.
+type Module interface {
+	GetWaterfall(ctx context.Context, orgID valuer.UUID, traceID string, req *tracedetailtypes.WaterfallRequest) (*tracedetailtypes.WaterfallResponse, error)
+}

pkg/modules/user/impluser/handler.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"net/http"
+	"slices"
 	"time"
 
 	"github.com/SigNoz/signoz/pkg/errors"
@@ -12,6 +13,7 @@ import (
 	root "github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/SigNoz/signoz/pkg/types/integrationtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/gorilla/mux"
 )
@@ -41,7 +43,7 @@ func (h *handler) CreateInvite(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	invites, err := h.setter.CreateBulkInvite(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.IdentityID()), valuer.MustNewEmail(claims.Email), &types.PostableBulkInviteRequest{
+	invites, err := h.setter.CreateBulkInvite(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID), &types.PostableBulkInviteRequest{
 		Invites: []types.PostableInvite{req},
 	})
 	if err != nil {
@@ -74,7 +76,7 @@ func (h *handler) CreateBulkInvite(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	_, err = h.setter.CreateBulkInvite(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.IdentityID()), valuer.MustNewEmail(claims.Email), &req)
+	_, err = h.setter.CreateBulkInvite(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID), &req)
 	if err != nil {
 		render.Error(rw, err)
 		return
@@ -266,7 +268,7 @@ func (h *handler) UpdateUserDeprecated(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	updatedUser, err := h.setter.UpdateUserDeprecated(ctx, valuer.MustNewUUID(claims.OrgID), id, &user)
+	updatedUser, err := h.setter.UpdateUserDeprecated(ctx, valuer.MustNewUUID(claims.OrgID), id, &user, claims.UserID)
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -319,7 +321,7 @@ func (h *handler) DeleteUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if err := h.setter.DeleteUser(ctx, valuer.MustNewUUID(claims.OrgID), id, claims.IdentityID()); err != nil {
+	if err := h.setter.DeleteUser(ctx, valuer.MustNewUUID(claims.OrgID), id, claims.UserID); err != nil {
 		render.Error(w, err)
 		return
 	}
@@ -411,6 +413,175 @@ func (h *handler) ForgotPassword(w http.ResponseWriter, r *http.Request) {
 	render.Success(w, http.StatusNoContent, nil)
 }
 
+func (h *handler) CreateAPIKey(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	req := new(types.PostableAPIKey)
+	if err := json.NewDecoder(r.Body).Decode(req); err != nil {
+		render.Error(w, errors.Wrapf(err, errors.TypeInvalidInput, errors.CodeInvalidInput, "failed to decode api key"))
+		return
+	}
+
+	apiKey, err := types.NewStorableAPIKey(
+		req.Name,
+		valuer.MustNewUUID(claims.UserID),
+		req.Role,
+		req.ExpiresInDays,
+	)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	err = h.setter.CreateAPIKey(ctx, apiKey)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	createdApiKey, err := h.setter.GetAPIKey(ctx, valuer.MustNewUUID(claims.OrgID), apiKey.ID)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	// just corrected the status code, response is same,
+	render.Success(w, http.StatusCreated, createdApiKey)
+}
+
+func (h *handler) ListAPIKeys(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	apiKeys, err := h.setter.ListAPIKeys(ctx, valuer.MustNewUUID(claims.OrgID))
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	// for backward compatibility
+	if len(apiKeys) == 0 {
+		render.Success(w, http.StatusOK, []types.GettableAPIKey{})
+		return
+	}
+
+	result := make([]*types.GettableAPIKey, len(apiKeys))
+	for i, apiKey := range apiKeys {
+		result[i] = types.NewGettableAPIKeyFromStorableAPIKey(apiKey)
+	}
+
+	render.Success(w, http.StatusOK, result)
+
+}
+
+func (h *handler) UpdateAPIKey(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	req := types.StorableAPIKey{}
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		render.Error(w, errors.Wrapf(err, errors.TypeInvalidInput, errors.CodeInvalidInput, "failed to decode api key"))
+		return
+	}
+
+	idStr := mux.Vars(r)["id"]
+	id, err := valuer.NewUUID(idStr)
+	if err != nil {
+		render.Error(w, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "id is not a valid uuid-v7"))
+		return
+	}
+
+	//get the API Key
+	existingAPIKey, err := h.setter.GetAPIKey(ctx, valuer.MustNewUUID(claims.OrgID), id)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	// get the user
+	createdByUser, err := h.getter.Get(ctx, existingAPIKey.UserID)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	if slices.Contains(integrationtypes.AllIntegrationUserEmails, integrationtypes.IntegrationUserEmail(createdByUser.Email.String())) {
+		render.Error(w, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "API Keys for integration users cannot be revoked"))
+		return
+	}
+
+	err = h.setter.UpdateAPIKey(ctx, id, &req, valuer.MustNewUUID(claims.UserID))
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	render.Success(w, http.StatusNoContent, nil)
+}
+
+func (h *handler) RevokeAPIKey(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	idStr := mux.Vars(r)["id"]
+	id, err := valuer.NewUUID(idStr)
+	if err != nil {
+		render.Error(w, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "id is not a valid uuid-v7"))
+		return
+	}
+
+	//get the API Key
+	existingAPIKey, err := h.setter.GetAPIKey(ctx, valuer.MustNewUUID(claims.OrgID), id)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	// get the user
+	createdByUser, err := h.getter.Get(ctx, existingAPIKey.UserID)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	if slices.Contains(integrationtypes.AllIntegrationUserEmails, integrationtypes.IntegrationUserEmail(createdByUser.Email.String())) {
+		render.Error(w, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "API Keys for integration users cannot be revoked"))
+		return
+	}
+
+	if err := h.setter.RevokeAPIKey(ctx, id, valuer.MustNewUUID(claims.UserID)); err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	render.Success(w, http.StatusNoContent, nil)
+}
+
 func (h *handler) GetRolesByUserID(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()

pkg/modules/user/impluser/setter.go

@@ -55,7 +55,12 @@ func NewSetter(store types.UserStore, tokenizer tokenizer.Tokenizer, emailing em
 }
 
 // CreateBulk implements invite.Module.
-func (module *setter) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, identityID valuer.UUID, identityEmail valuer.Email, bulkInvites *types.PostableBulkInviteRequest) ([]*types.Invite, error) {
+func (module *setter) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, bulkInvites *types.PostableBulkInviteRequest) ([]*types.Invite, error) {
+	creator, err := module.store.GetUser(ctx, userID)
+	if err != nil {
+		return nil, err
+	}
+
 	// validate all emails to be invited
 	emails := make([]string, len(bulkInvites.Invites))
 	for idx, invite := range bulkInvites.Invites {
@@ -122,7 +127,7 @@ func (module *setter) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, i
 
 	// send password reset emails to all the invited users
 	for idx, userWithToken := range newUsersWithResetToken {
-		module.analytics.TrackUser(ctx, orgID.String(), identityID.String(), "Invite Sent", map[string]any{
+		module.analytics.TrackUser(ctx, orgID.String(), creator.ID.String(), "Invite Sent", map[string]any{
 			"invitee_email": userWithToken.User.Email,
 			"invitee_role":  userWithToken.Role,
 		})
@@ -156,7 +161,7 @@ func (module *setter) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, i
 		humanizedTokenLifetime := strings.TrimSpace(humanize.RelTime(time.Now(), time.Now().Add(tokenLifetime), "", ""))
 
 		if err := module.emailing.SendHTML(ctx, userWithToken.User.Email.String(), "You're Invited to Join SigNoz", emailtypes.TemplateNameInvitationEmail, map[string]any{
-			"inviter_email": identityEmail.StringValue(),
+			"inviter_email": creator.Email,
 			"link":          resetLink,
 			"Expiry":        humanizedTokenLifetime,
 		}); err != nil {
@@ -214,12 +219,7 @@ func (module *setter) CreateUser(ctx context.Context, user *types.User, opts ...
 	return nil
 }
 
-func (module *setter) UpdateUserDeprecated(ctx context.Context, orgID valuer.UUID, id string, user *types.DeprecatedUser) (*types.DeprecatedUser, error) {
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		return nil, err
-	}
-
+func (module *setter) UpdateUserDeprecated(ctx context.Context, orgID valuer.UUID, id string, user *types.DeprecatedUser, updatedBy string) (*types.DeprecatedUser, error) {
 	existingUser, err := module.getter.GetDeprecatedUserByOrgIDAndID(ctx, orgID, valuer.MustNewUUID(id))
 	if err != nil {
 		return nil, err
@@ -233,29 +233,19 @@ func (module *setter) UpdateUserDeprecated(ctx context.Context, orgID valuer.UUI
 		return nil, errors.WithAdditionalf(err, "cannot update deleted user")
 	}
 
+	requestor, err := module.getter.GetDeprecatedUserByOrgIDAndID(ctx, orgID, valuer.MustNewUUID(updatedBy))
+	if err != nil {
+		return nil, err
+	}
+
 	roleChange := user.Role != "" && user.Role != existingUser.Role
 
-	if roleChange {
-		selectors := []authtypes.Selector{
-			authtypes.MustNewSelector(authtypes.TypeRole, authtypes.SigNozAdminRoleName),
-		}
-		err = module.authz.CheckWithTupleCreation(
-			ctx,
-			claims,
-			valuer.MustNewUUID(claims.OrgID),
-			authtypes.RelationAssignee,
-			authtypes.TypeableRole,
-			selectors,
-			selectors,
-		)
-
-		if err != nil {
-			return nil, errors.New(errors.TypeForbidden, errors.CodeForbidden, "only admins can change roles")
-		}
+	if roleChange && requestor.Role != types.RoleAdmin {
+		return nil, errors.New(errors.TypeForbidden, errors.CodeForbidden, "only admins can change roles")
 	}
 
 	// make sure the user is not demoting self from admin
-	if roleChange && existingUser.ID == valuer.MustNewUUID(claims.IdentityID()) && existingUser.Role == types.RoleAdmin && user.Role != types.RoleAdmin {
+	if roleChange && existingUser.ID == requestor.ID && existingUser.Role == types.RoleAdmin && user.Role != types.RoleAdmin {
 		return nil, errors.New(errors.TypeForbidden, errors.CodeForbidden, "cannot change self role")
 	}
 
@@ -676,6 +666,26 @@ func (module *setter) GetOrCreateUser(ctx context.Context, user *types.User, opt
 	return user, nil
 }
 
+func (module *setter) CreateAPIKey(ctx context.Context, apiKey *types.StorableAPIKey) error {
+	return module.store.CreateAPIKey(ctx, apiKey)
+}
+
+func (module *setter) UpdateAPIKey(ctx context.Context, id valuer.UUID, apiKey *types.StorableAPIKey, updaterID valuer.UUID) error {
+	return module.store.UpdateAPIKey(ctx, id, apiKey, updaterID)
+}
+
+func (module *setter) ListAPIKeys(ctx context.Context, orgID valuer.UUID) ([]*types.StorableAPIKeyUser, error) {
+	return module.store.ListAPIKeys(ctx, orgID)
+}
+
+func (module *setter) GetAPIKey(ctx context.Context, orgID, id valuer.UUID) (*types.StorableAPIKeyUser, error) {
+	return module.store.GetAPIKey(ctx, orgID, id)
+}
+
+func (module *setter) RevokeAPIKey(ctx context.Context, id, removedByUserID valuer.UUID) error {
+	return module.store.RevokeAPIKey(ctx, id, removedByUserID)
+}
+
 func (module *setter) CreateFirstUser(ctx context.Context, organization *types.Organization, name string, email valuer.Email, passwd string) (*types.User, error) {
 	user, err := types.NewRootUser(name, email, organization.ID)
 	if err != nil {
@@ -731,6 +741,11 @@ func (module *setter) Collect(ctx context.Context, orgID valuer.UUID) (map[strin
 		stats["user.count.pending_invite"] = counts[types.UserStatusPendingInvite]
 	}
 
+	count, err := module.store.CountAPIKeyByOrgID(ctx, orgID)
+	if err == nil {
+		stats["factor.api_key.count"] = count
+	}
+
 	return stats, nil
 }
 

pkg/modules/user/impluser/store.go

@@ -3,6 +3,7 @@ package impluser
 import (
 	"context"
 	"database/sql"
+	"sort"
 	"time"
 
 	"github.com/SigNoz/signoz/pkg/errors"
@@ -181,6 +182,15 @@ func (store *store) DeleteUser(ctx context.Context, orgID string, id string) err
 		return errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to delete factor password")
 	}
 
+	// delete api keys
+	_, err = tx.NewDelete().
+		Model(&types.StorableAPIKey{}).
+		Where("user_id = ?", id).
+		Exec(ctx)
+	if err != nil {
+		return errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to delete API keys")
+	}
+
 	// delete user_preference
 	_, err = tx.NewDelete().
 		Model(new(preferencetypes.StorableUserPreference)).
@@ -256,6 +266,15 @@ func (store *store) SoftDeleteUser(ctx context.Context, orgID string, id string)
 		return errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to delete factor password")
 	}
 
+	// delete api keys
+	_, err = tx.NewDelete().
+		Model(&types.StorableAPIKey{}).
+		Where("user_id = ?", id).
+		Exec(ctx)
+	if err != nil {
+		return errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to delete API keys")
+	}
+
 	// delete user_preference
 	_, err = tx.NewDelete().
 		Model(new(preferencetypes.StorableUserPreference)).
@@ -402,6 +421,111 @@ func (store *store) UpdatePassword(ctx context.Context, factorPassword *types.Fa
 	return nil
 }
 
+// CreateAPIKey creates a new API key.
+func (store *store) CreateAPIKey(ctx context.Context, apiKey *types.StorableAPIKey) error {
+	_, err := store.sqlstore.BunDB().NewInsert().
+		Model(apiKey).
+		Exec(ctx)
+	if err != nil {
+		return store.sqlstore.WrapAlreadyExistsErrf(err, types.ErrAPIKeyAlreadyExists, "API key with token: %s already exists", apiKey.Token)
+	}
+
+	return nil
+}
+
+func (store *store) UpdateAPIKey(ctx context.Context, id valuer.UUID, apiKey *types.StorableAPIKey, updaterID valuer.UUID) error {
+	apiKey.UpdatedBy = updaterID.String()
+	apiKey.UpdatedAt = time.Now()
+	_, err := store.sqlstore.BunDB().NewUpdate().
+		Model(apiKey).
+		Column("role", "name", "updated_at", "updated_by").
+		Where("id = ?", id).
+		Where("revoked = false").
+		Exec(ctx)
+	if err != nil {
+		return store.sqlstore.WrapNotFoundErrf(err, types.ErrAPIKeyNotFound, "API key with id: %s does not exist", id)
+	}
+	return nil
+}
+
+func (store *store) ListAPIKeys(ctx context.Context, orgID valuer.UUID) ([]*types.StorableAPIKeyUser, error) {
+	orgUserAPIKeys := new(types.OrgUserAPIKey)
+
+	if err := store.sqlstore.BunDB().NewSelect().
+		Model(orgUserAPIKeys).
+		Relation("Users").
+		Relation("Users.APIKeys", func(q *bun.SelectQuery) *bun.SelectQuery {
+			return q.Where("revoked = false")
+		},
+		).
+		Relation("Users.APIKeys.CreatedByUser").
+		Relation("Users.APIKeys.UpdatedByUser").
+		Where("id = ?", orgID).
+		Scan(ctx); err != nil {
+		return nil, errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to fetch API keys")
+	}
+
+	// Flatten the API keys from all users
+	var allAPIKeys []*types.StorableAPIKeyUser
+	for _, user := range orgUserAPIKeys.Users {
+		if user.APIKeys != nil {
+			allAPIKeys = append(allAPIKeys, user.APIKeys...)
+		}
+	}
+
+	// sort the API keys by updated_at
+	sort.Slice(allAPIKeys, func(i, j int) bool {
+		return allAPIKeys[i].UpdatedAt.After(allAPIKeys[j].UpdatedAt)
+	})
+
+	return allAPIKeys, nil
+}
+
+func (store *store) RevokeAPIKey(ctx context.Context, id, revokedByUserID valuer.UUID) error {
+	updatedAt := time.Now().Unix()
+	_, err := store.sqlstore.BunDB().NewUpdate().
+		Model(&types.StorableAPIKey{}).
+		Set("revoked = ?", true).
+		Set("updated_by = ?", revokedByUserID).
+		Set("updated_at = ?", updatedAt).
+		Where("id = ?", id).
+		Exec(ctx)
+	if err != nil {
+		return errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to revoke API key")
+	}
+	return nil
+}
+
+func (store *store) GetAPIKey(ctx context.Context, orgID, id valuer.UUID) (*types.StorableAPIKeyUser, error) {
+	apiKey := new(types.OrgUserAPIKey)
+	if err := store.sqlstore.BunDB().NewSelect().
+		Model(apiKey).
+		Relation("Users").
+		Relation("Users.APIKeys", func(q *bun.SelectQuery) *bun.SelectQuery {
+			return q.Where("revoked = false").Where("storable_api_key.id = ?", id).
+				OrderExpr("storable_api_key.updated_at DESC").Limit(1)
+		},
+		).
+		Relation("Users.APIKeys.CreatedByUser").
+		Relation("Users.APIKeys.UpdatedByUser").
+		Scan(ctx); err != nil {
+		return nil, store.sqlstore.WrapNotFoundErrf(err, types.ErrAPIKeyNotFound, "API key with id: %s does not exist", id)
+	}
+
+	// flatten the API keys
+	flattenedAPIKeys := []*types.StorableAPIKeyUser{}
+	for _, user := range apiKey.Users {
+		if user.APIKeys != nil {
+			flattenedAPIKeys = append(flattenedAPIKeys, user.APIKeys...)
+		}
+	}
+	if len(flattenedAPIKeys) == 0 {
+		return nil, store.sqlstore.WrapNotFoundErrf(errors.New(errors.TypeNotFound, errors.CodeNotFound, "API key with id: %s does not exist"), types.ErrAPIKeyNotFound, "API key with id: %s does not exist", id)
+	}
+
+	return flattenedAPIKeys[0], nil
+}
+
 func (store *store) CountByOrgID(ctx context.Context, orgID valuer.UUID) (int64, error) {
 	user := new(types.User)
 
@@ -449,6 +573,24 @@ func (store *store) CountByOrgIDAndStatuses(ctx context.Context, orgID valuer.UU
 	return counts, nil
 }
 
+func (store *store) CountAPIKeyByOrgID(ctx context.Context, orgID valuer.UUID) (int64, error) {
+	apiKey := new(types.StorableAPIKey)
+
+	count, err := store.
+		sqlstore.
+		BunDB().
+		NewSelect().
+		Model(apiKey).
+		Join("JOIN users ON users.id = storable_api_key.user_id").
+		Where("org_id = ?", orgID).
+		Count(ctx)
+	if err != nil {
+		return 0, err
+	}
+
+	return int64(count), nil
+}
+
 func (store *store) RunInTx(ctx context.Context, cb func(ctx context.Context) error) error {
 	return store.sqlstore.RunInTxCtx(ctx, nil, func(ctx context.Context) error {
 		return cb(ctx)

pkg/modules/user/user.go

@@ -34,7 +34,7 @@ type Setter interface {
 	// Initiate forgot password flow for a user
 	ForgotPassword(ctx context.Context, orgID valuer.UUID, email valuer.Email, frontendBaseURL string) error
 
-	UpdateUserDeprecated(ctx context.Context, orgID valuer.UUID, id string, user *types.DeprecatedUser) (*types.DeprecatedUser, error)
+	UpdateUserDeprecated(ctx context.Context, orgID valuer.UUID, id string, user *types.DeprecatedUser, updatedBy string) (*types.DeprecatedUser, error)
 	UpdateUser(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, updatable *types.UpdatableUser) (*types.User, error)
 
 	// UpdateAnyUser updates a user and persists the changes to the database along with the analytics and identity deletion.
@@ -43,7 +43,14 @@ type Setter interface {
 	DeleteUser(ctx context.Context, orgID valuer.UUID, id string, deletedBy string) error
 
 	// invite
-	CreateBulkInvite(ctx context.Context, orgID valuer.UUID, identityID valuer.UUID, identityEmail valuer.Email, bulkInvites *types.PostableBulkInviteRequest) ([]*types.Invite, error)
+	CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, bulkInvites *types.PostableBulkInviteRequest) ([]*types.Invite, error)
+
+	// API KEY
+	CreateAPIKey(ctx context.Context, apiKey *types.StorableAPIKey) error
+	UpdateAPIKey(ctx context.Context, id valuer.UUID, apiKey *types.StorableAPIKey, updaterID valuer.UUID) error
+	ListAPIKeys(ctx context.Context, orgID valuer.UUID) ([]*types.StorableAPIKeyUser, error)
+	RevokeAPIKey(ctx context.Context, id, removedByUserID valuer.UUID) error
+	GetAPIKey(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*types.StorableAPIKeyUser, error)
 
 	// Roles
 	UpdateUserRoles(ctx context.Context, orgID, userID valuer.UUID, finalRoleNames []string) error
@@ -116,4 +123,10 @@ type Handler interface {
 	ResetPassword(http.ResponseWriter, *http.Request)
 	ChangePassword(http.ResponseWriter, *http.Request)
 	ForgotPassword(http.ResponseWriter, *http.Request)
+
+	// API KEY
+	CreateAPIKey(http.ResponseWriter, *http.Request)
+	ListAPIKeys(http.ResponseWriter, *http.Request)
+	UpdateAPIKey(http.ResponseWriter, *http.Request)
+	RevokeAPIKey(http.ResponseWriter, *http.Request)
 }

pkg/querier/api.go

@@ -268,9 +268,9 @@ func (handler *handler) logEvent(ctx context.Context, referrer string, event *qb
 	}
 
 	if !event.HasData {
-		handler.analytics.TrackUser(ctx, claims.OrgID, claims.IdentityID(), "Telemetry Query Returned Empty", properties)
+		handler.analytics.TrackUser(ctx, claims.OrgID, claims.UserID, "Telemetry Query Returned Empty", properties)
 		return
 	}
 
-	handler.analytics.TrackUser(ctx, claims.OrgID, claims.IdentityID(), "Telemetry Query Returned Results", properties)
+	handler.analytics.TrackUser(ctx, claims.OrgID, claims.UserID, "Telemetry Query Returned Results", properties)
 }

pkg/query-service/app/http_handler.go

@@ -1533,7 +1533,7 @@ func (aH *APIHandler) registerEvent(w http.ResponseWriter, r *http.Request) {
 	if errv2 == nil {
 		switch request.EventType {
 		case model.TrackEvent:
-			aH.Signoz.Analytics.TrackUser(r.Context(), claims.OrgID, claims.IdentityID(), request.EventName, request.Attributes)
+			aH.Signoz.Analytics.TrackUser(r.Context(), claims.OrgID, claims.UserID, request.EventName, request.Attributes)
 		}
 		aH.WriteJSON(w, r, map[string]string{"data": "Event Processed Successfully"})
 	} else {
@@ -4636,7 +4636,7 @@ func (aH *APIHandler) sendQueryResultEvents(r *http.Request, result []*v3.Result
 
 	// Check if result is empty or has no data
 	if len(result) == 0 {
-		aH.Signoz.Analytics.TrackUser(r.Context(), claims.OrgID, claims.IdentityID(), "Telemetry Query Returned Empty", properties)
+		aH.Signoz.Analytics.TrackUser(r.Context(), claims.OrgID, claims.UserID, "Telemetry Query Returned Empty", properties)
 		return
 	}
 
@@ -4646,18 +4646,18 @@ func (aH *APIHandler) sendQueryResultEvents(r *http.Request, result []*v3.Result
 		if len(result[0].List) == 0 {
 			// Check if first result has no table data
 			if result[0].Table == nil {
-				aH.Signoz.Analytics.TrackUser(r.Context(), claims.OrgID, claims.IdentityID(), "Telemetry Query Returned Empty", properties)
+				aH.Signoz.Analytics.TrackUser(r.Context(), claims.OrgID, claims.UserID, "Telemetry Query Returned Empty", properties)
 				return
 			}
 
 			if len(result[0].Table.Rows) == 0 {
-				aH.Signoz.Analytics.TrackUser(r.Context(), claims.OrgID, claims.IdentityID(), "Telemetry Query Returned Empty", properties)
+				aH.Signoz.Analytics.TrackUser(r.Context(), claims.OrgID, claims.UserID, "Telemetry Query Returned Empty", properties)
 				return
 			}
 		}
 	}
 
-	aH.Signoz.Analytics.TrackUser(r.Context(), claims.OrgID, claims.IdentityID(), "Telemetry Query Returned Results", properties)
+	aH.Signoz.Analytics.TrackUser(r.Context(), claims.OrgID, claims.UserID, "Telemetry Query Returned Results", properties)
 
 }
 

pkg/querybuilder/fallback_expr.go

@@ -277,18 +277,6 @@ func DataTypeCollisionHandledFieldName(key *telemetrytypes.TelemetryFieldKey, va
 				tblFieldName, value = castString(tblFieldName), toStrings(v)
 			}
 		}
-	case telemetrytypes.FieldDataTypeArrayDynamic:
-		switch v := value.(type) {
-		case string:
-			tblFieldName = castString(tblFieldName)
-		case float32, float64, int, int8, int16, int32, int64, uint, uint8, uint16, uint32, uint64:
-			tblFieldName = accurateCastFloat(tblFieldName)
-		case bool:
-			tblFieldName = castBool(tblFieldName)
-		case []any:
-			// dynamic array elements will be default casted to string
-			tblFieldName, value = castString(tblFieldName), toStrings(v)
-		}
 	}
 	return tblFieldName, value
 }
@@ -296,10 +284,6 @@ func DataTypeCollisionHandledFieldName(key *telemetrytypes.TelemetryFieldKey, va
 func castFloat(col string) string     { return fmt.Sprintf("toFloat64OrNull(%s)", col) }
 func castFloatHack(col string) string { return fmt.Sprintf("toFloat64(%s)", col) }
 func castString(col string) string    { return fmt.Sprintf("toString(%s)", col) }
-func castBool(col string) string      { return fmt.Sprintf("accurateCastOrNull(%s, 'Bool')", col) }
-func accurateCastFloat(col string) string {
-	return fmt.Sprintf("accurateCastOrNull(%s, 'Float64')", col)
-}
 
 func allFloats(in []any) bool {
 	for _, x := range in {

pkg/signoz/config.go

@@ -22,7 +22,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/identn"
 	"github.com/SigNoz/signoz/pkg/instrumentation"
 	"github.com/SigNoz/signoz/pkg/modules/metricsexplorer"
-	"github.com/SigNoz/signoz/pkg/modules/serviceaccount"
 	"github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/pprof"
 	"github.com/SigNoz/signoz/pkg/prometheus"
@@ -120,9 +119,6 @@ type Config struct {
 
 	// IdentN config
 	IdentN identn.Config `mapstructure:"identn"`
-
-	// ServiceAccount config
-	ServiceAccount serviceaccount.Config `mapstructure:"serviceaccount"`
 }
 
 func NewConfig(ctx context.Context, logger *slog.Logger, resolverConfig config.ResolverConfig) (Config, error) {
@@ -152,7 +148,6 @@ func NewConfig(ctx context.Context, logger *slog.Logger, resolverConfig config.R
 		flagger.NewConfigFactory(),
 		user.NewConfigFactory(),
 		identn.NewConfigFactory(),
-		serviceaccount.NewConfigFactory(),
 	}
 
 	conf, err := config.New(ctx, resolverConfig, configFactories)

pkg/signoz/handler.go

@@ -34,6 +34,8 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/services/implservices"
 	"github.com/SigNoz/signoz/pkg/modules/spanpercentile"
 	"github.com/SigNoz/signoz/pkg/modules/spanpercentile/implspanpercentile"
+	"github.com/SigNoz/signoz/pkg/modules/tracedetail"
+	"github.com/SigNoz/signoz/pkg/modules/tracedetail/impltracedetail"
 	"github.com/SigNoz/signoz/pkg/modules/tracefunnel"
 	"github.com/SigNoz/signoz/pkg/modules/tracefunnel/impltracefunnel"
 	"github.com/SigNoz/signoz/pkg/querier"
@@ -62,6 +64,7 @@ type Handlers struct {
 	RegistryHandler         factory.Handler
 	CloudIntegrationHandler cloudintegration.Handler
 	RuleStateHistory        rulestatehistory.Handler
+	TraceDetail             tracedetail.Handler
 }
 
 func NewHandlers(
@@ -81,7 +84,7 @@ func NewHandlers(
 	return Handlers{
 		SavedView:               implsavedview.NewHandler(modules.SavedView),
 		Apdex:                   implapdex.NewHandler(modules.Apdex),
-		Dashboard:               impldashboard.NewHandler(modules.Dashboard, providerSettings, authz),
+		Dashboard:               impldashboard.NewHandler(modules.Dashboard, providerSettings),
 		QuickFilter:             implquickfilter.NewHandler(modules.QuickFilter),
 		TraceFunnel:             impltracefunnel.NewHandler(modules.TraceFunnel),
 		RawDataExport:           implrawdataexport.NewHandler(modules.RawDataExport),
@@ -99,5 +102,6 @@ func NewHandlers(
 		RegistryHandler:         registryHandler,
 		CloudIntegrationHandler: implcloudintegration.NewHandler(),
 		RuleStateHistory:        implrulestatehistory.NewHandler(modules.RuleStateHistory),
+		TraceDetail:             impltracedetail.NewHandler(modules.TraceDetail),
 	}
 }

pkg/signoz/module.go

@@ -37,6 +37,8 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/session/implsession"
 	"github.com/SigNoz/signoz/pkg/modules/spanpercentile"
 	"github.com/SigNoz/signoz/pkg/modules/spanpercentile/implspanpercentile"
+	"github.com/SigNoz/signoz/pkg/modules/tracedetail"
+	"github.com/SigNoz/signoz/pkg/modules/tracedetail/impltracedetail"
 	"github.com/SigNoz/signoz/pkg/modules/tracefunnel"
 	"github.com/SigNoz/signoz/pkg/modules/tracefunnel/impltracefunnel"
 	"github.com/SigNoz/signoz/pkg/modules/user"
@@ -72,6 +74,7 @@ type Modules struct {
 	Promote          promote.Module
 	ServiceAccount   serviceaccount.Module
 	RuleStateHistory rulestatehistory.Module
+	TraceDetail      tracedetail.Module
 }
 
 func NewModules(
@@ -117,7 +120,8 @@ func NewModules(
 		Services:         implservices.NewModule(querier, telemetryStore),
 		MetricsExplorer:  implmetricsexplorer.NewModule(telemetryStore, telemetryMetadataStore, cache, ruleStore, dashboard, providerSettings, config.MetricsExplorer),
 		Promote:          implpromote.NewModule(telemetryMetadataStore, telemetryStore),
-		ServiceAccount:   implserviceaccount.NewModule(implserviceaccount.NewStore(sqlstore), authz, cache, analytics, providerSettings, config.ServiceAccount),
+		ServiceAccount:   implserviceaccount.NewModule(implserviceaccount.NewStore(sqlstore), authz, emailing, providerSettings),
 		RuleStateHistory: implrulestatehistory.NewModule(implrulestatehistory.NewStore(telemetryStore, telemetryMetadataStore, providerSettings.Logger)),
+		TraceDetail:      impltracedetail.NewModule(telemetryStore, cache, providerSettings),
 	}
 }

pkg/signoz/openapi.go

@@ -28,6 +28,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/rulestatehistory"
 	"github.com/SigNoz/signoz/pkg/modules/serviceaccount"
 	"github.com/SigNoz/signoz/pkg/modules/session"
+	"github.com/SigNoz/signoz/pkg/modules/tracedetail"
 	"github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/querier"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
@@ -69,6 +70,7 @@ func NewOpenAPI(ctx context.Context, instrumentation instrumentation.Instrumenta
 		struct{ factory.Handler }{},
 		struct{ cloudintegration.Handler }{},
 		struct{ rulestatehistory.Handler }{},
+		struct{ tracedetail.Handler }{},
 	).New(ctx, instrumentation.ToProviderSettings(), apiserver.Config{})
 	if err != nil {
 		return nil, err

pkg/signoz/provider.go

@@ -31,7 +31,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/organization/implorganization"
 	"github.com/SigNoz/signoz/pkg/modules/preference/implpreference"
 	"github.com/SigNoz/signoz/pkg/modules/promote/implpromote"
-	"github.com/SigNoz/signoz/pkg/modules/serviceaccount"
 	"github.com/SigNoz/signoz/pkg/modules/session/implsession"
 	"github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/modules/user/impluser"
@@ -191,9 +190,6 @@ func NewSQLMigrationProviderFactories(
 		sqlmigration.NewUpdatePlannedMaintenanceRuleFactory(sqlstore, sqlschema),
 		sqlmigration.NewAddUserRoleFactory(sqlstore, sqlschema),
 		sqlmigration.NewDropUserRoleColumnFactory(sqlstore, sqlschema),
-		sqlmigration.NewAddServiceAccountFactory(sqlstore, sqlschema),
-		sqlmigration.NewDeprecateAPIKeyFactory(sqlstore, sqlschema),
-		sqlmigration.NewServiceAccountAuthzactory(sqlstore),
 	)
 }
 
@@ -285,6 +281,7 @@ func NewAPIServerProviderFactories(orgGetter organization.Getter, authz authz.Au
 			handlers.RegistryHandler,
 			handlers.CloudIntegrationHandler,
 			handlers.RuleStateHistory,
+			handlers.TraceDetail,
 		),
 	)
 }
@@ -297,11 +294,11 @@ func NewTokenizerProviderFactories(cache cache.Cache, sqlstore sqlstore.SQLStore
 	)
 }
 
-func NewIdentNProviderFactories(tokenizer tokenizer.Tokenizer, serviceAccount serviceaccount.Module, orgGetter organization.Getter, userGetter user.Getter, userConfig user.Config) factory.NamedMap[factory.ProviderFactory[identn.IdentN, identn.Config]] {
+func NewIdentNProviderFactories(sqlstore sqlstore.SQLStore, tokenizer tokenizer.Tokenizer, orgGetter organization.Getter, userGetter user.Getter, userConfig user.Config) factory.NamedMap[factory.ProviderFactory[identn.IdentN, identn.Config]] {
 	return factory.MustNewNamedMap(
 		impersonationidentn.NewFactory(orgGetter, userGetter, userConfig),
 		tokenizeridentn.NewFactory(tokenizer),
-		apikeyidentn.NewFactory(serviceAccount),
+		apikeyidentn.NewFactory(sqlstore),
 	)
 }