feat(authz): fix rebase issues

.github/CODEOWNERS

@@ -127,15 +127,12 @@
 /frontend/src/pages/DashboardsListPage/ @SigNoz/pulse-frontend
 /frontend/src/container/ListOfDashboard/ @SigNoz/pulse-frontend
 
-# Dashboard Widget Page
-/frontend/src/pages/DashboardWidget/ @SigNoz/pulse-frontend
-/frontend/src/container/NewWidget/ @SigNoz/pulse-frontend
-
 ## Dashboard Page
 
 /frontend/src/pages/DashboardPage/ @SigNoz/pulse-frontend
 /frontend/src/container/DashboardContainer/ @SigNoz/pulse-frontend
 /frontend/src/container/GridCardLayout/ @SigNoz/pulse-frontend
+/frontend/src/container/NewWidget/ @SigNoz/pulse-frontend
 
 ## Public Dashboard Page
 

cmd/enterprise/server.go

@@ -9,12 +9,12 @@ import (
 	"github.com/SigNoz/signoz/ee/authn/callbackauthn/oidccallbackauthn"
 	"github.com/SigNoz/signoz/ee/authn/callbackauthn/samlcallbackauthn"
 	"github.com/SigNoz/signoz/ee/authz/openfgaauthz"
-	eequerier "github.com/SigNoz/signoz/ee/querier"
 	"github.com/SigNoz/signoz/ee/authz/openfgaschema"
 	"github.com/SigNoz/signoz/ee/gateway/httpgateway"
 	enterpriselicensing "github.com/SigNoz/signoz/ee/licensing"
 	"github.com/SigNoz/signoz/ee/licensing/httplicensing"
 	"github.com/SigNoz/signoz/ee/modules/dashboard/impldashboard"
+	eequerier "github.com/SigNoz/signoz/ee/querier"
 	enterpriseapp "github.com/SigNoz/signoz/ee/query-service/app"
 	"github.com/SigNoz/signoz/ee/sqlschema/postgressqlschema"
 	"github.com/SigNoz/signoz/ee/sqlstore/postgressqlstore"

docs/api/openapi.yml

@@ -1993,43 +1993,6 @@ components:
         userId:
           type: string
       type: object
-    TypesGettableAPIKey:
-      properties:
-        createdAt:
-          format: date-time
-          type: string
-        createdBy:
-          type: string
-        createdByUser:
-          $ref: '#/components/schemas/TypesUser'
-        expiresAt:
-          format: int64
-          type: integer
-        id:
-          type: string
-        lastUsed:
-          format: int64
-          type: integer
-        name:
-          type: string
-        revoked:
-          type: boolean
-        role:
-          type: string
-        token:
-          type: string
-        updatedAt:
-          format: date-time
-          type: string
-        updatedBy:
-          type: string
-        updatedByUser:
-          $ref: '#/components/schemas/TypesUser'
-        userId:
-          type: string
-      required:
-      - id
-      type: object
     TypesGettableGlobalConfig:
       properties:
         external_url:
@@ -2091,16 +2054,6 @@ components:
       required:
       - id
       type: object
-    TypesPostableAPIKey:
-      properties:
-        expiresInDays:
-          format: int64
-          type: integer
-        name:
-          type: string
-        role:
-          type: string
-      type: object
     TypesPostableAcceptInvite:
       properties:
         displayName:
@@ -2165,33 +2118,6 @@ components:
       required:
       - id
       type: object
-    TypesStorableAPIKey:
-      properties:
-        createdAt:
-          format: date-time
-          type: string
-        createdBy:
-          type: string
-        id:
-          type: string
-        name:
-          type: string
-        revoked:
-          type: boolean
-        role:
-          type: string
-        token:
-          type: string
-        updatedAt:
-          format: date-time
-          type: string
-        updatedBy:
-          type: string
-        userId:
-          type: string
-      required:
-      - id
-      type: object
     TypesUser:
       properties:
         createdAt:
@@ -3865,222 +3791,6 @@ paths:
       summary: Update org preference
       tags:
       - preferences
-  /api/v1/pats:
-    get:
-      deprecated: false
-      description: This endpoint lists all api keys
-      operationId: ListAPIKeys
-      responses:
-        "200":
-          content:
-            application/json:
-              schema:
-                properties:
-                  data:
-                    items:
-                      $ref: '#/components/schemas/TypesGettableAPIKey'
-                    type: array
-                  status:
-                    type: string
-                required:
-                - status
-                - data
-                type: object
-          description: OK
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: List api keys
-      tags:
-      - users
-    post:
-      deprecated: false
-      description: This endpoint creates an api key
-      operationId: CreateAPIKey
-      requestBody:
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/TypesPostableAPIKey'
-      responses:
-        "201":
-          content:
-            application/json:
-              schema:
-                properties:
-                  data:
-                    $ref: '#/components/schemas/TypesGettableAPIKey'
-                  status:
-                    type: string
-                required:
-                - status
-                - data
-                type: object
-          description: Created
-        "400":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Bad Request
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "409":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Conflict
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: Create api key
-      tags:
-      - users
-  /api/v1/pats/{id}:
-    delete:
-      deprecated: false
-      description: This endpoint revokes an api key
-      operationId: RevokeAPIKey
-      parameters:
-      - in: path
-        name: id
-        required: true
-        schema:
-          type: string
-      responses:
-        "204":
-          description: No Content
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "404":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Not Found
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: Revoke api key
-      tags:
-      - users
-    put:
-      deprecated: false
-      description: This endpoint updates an api key
-      operationId: UpdateAPIKey
-      parameters:
-      - in: path
-        name: id
-        required: true
-        schema:
-          type: string
-      requestBody:
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/TypesStorableAPIKey'
-      responses:
-        "204":
-          content:
-            application/json:
-              schema:
-                type: string
-          description: No Content
-        "400":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Bad Request
-        "401":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Unauthorized
-        "403":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Forbidden
-        "404":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Not Found
-        "500":
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/RenderErrorResponse'
-          description: Internal Server Error
-      security:
-      - api_key:
-        - ADMIN
-      - tokenizer:
-        - ADMIN
-      summary: Update api key
-      tags:
-      - users
   /api/v1/public/dashboards/{id}:
     get:
       deprecated: false

ee/authz/openfgaserver/server.go

@@ -31,9 +31,22 @@ func (server *Server) Stop(ctx context.Context) error {
 }
 
 func (server *Server) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, relation authtypes.Relation, typeable authtypes.Typeable, selectors []authtypes.Selector, _ []authtypes.Selector) error {
-	subject, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
-	if err != nil {
-		return err
+	subject := ""
+	switch claims.Principal {
+	case authtypes.PrincipalUser.StringValue():
+		user, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
+		if err != nil {
+			return err
+		}
+
+		subject = user
+	case authtypes.PrincipalServiceAccount.StringValue():
+		serviceAccount, err := authtypes.NewSubject(authtypes.TypeableServiceAccount, claims.ServiceAccountID, orgID, nil)
+		if err != nil {
+			return err
+		}
+
+		subject = serviceAccount
 	}
 
 	tupleSlice, err := typeable.Tuples(subject, relation, selectors, orgID)

ee/modules/dashboard/impldashboard/module.go

@@ -214,8 +214,8 @@ func (module *module) Update(ctx context.Context, orgID valuer.UUID, id valuer.U
 	return module.pkgDashboardModule.Update(ctx, orgID, id, updatedBy, data, diff)
 }
 
-func (module *module) LockUnlock(ctx context.Context, orgID valuer.UUID, id valuer.UUID, updatedBy string, role types.Role, lock bool) error {
-	return module.pkgDashboardModule.LockUnlock(ctx, orgID, id, updatedBy, role, lock)
+func (module *module) LockUnlock(ctx context.Context, orgID valuer.UUID, id valuer.UUID, updatedBy string, lock bool) error {
+	return module.pkgDashboardModule.LockUnlock(ctx, orgID, id, updatedBy, lock)
 }
 
 func (module *module) MustGetTypeables() []authtypes.Typeable {

ee/querier/handler.go

@@ -63,6 +63,8 @@ func (h *handler) QueryRange(rw http.ResponseWriter, req *http.Request) {
 			h.set.Logger.ErrorContext(ctx, "panic in QueryRange",
 				"error", r,
 				"user", claims.UserID,
+				"principal", claims.Principal,
+				"service_account", claims.ServiceAccountID,
 				"payload", string(queryJSON),
 				"stacktrace", stackTrace,
 			)

ee/query-service/app/api/cloudIntegrations.go

@@ -12,10 +12,10 @@ import (
 
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/http/render"
-	"github.com/SigNoz/signoz/pkg/modules/user"
 	basemodel "github.com/SigNoz/signoz/pkg/query-service/model"
-	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/SigNoz/signoz/pkg/types/roletypes"
+	"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/gorilla/mux"
 	"go.uber.org/zap"
@@ -49,7 +49,7 @@ func (ah *APIHandler) CloudIntegrationsGenerateConnectionParams(w http.ResponseW
 		return
 	}
 
-	apiKey, apiErr := ah.getOrCreateCloudIntegrationPAT(r.Context(), claims.OrgID, cloudProvider)
+	apiKey, apiErr := ah.getOrCreateCloudIntegrationAPIKey(r.Context(), claims.OrgID, cloudProvider)
 	if apiErr != nil {
 		RespondError(w, basemodel.WrapApiError(
 			apiErr, "couldn't provision PAT for cloud integration:",
@@ -109,32 +109,28 @@ func (ah *APIHandler) CloudIntegrationsGenerateConnectionParams(w http.ResponseW
 	ah.Respond(w, result)
 }
 
-func (ah *APIHandler) getOrCreateCloudIntegrationPAT(ctx context.Context, orgId string, cloudProvider string) (
+func (ah *APIHandler) getOrCreateCloudIntegrationAPIKey(ctx context.Context, orgId string, cloudProvider string) (
 	string, *basemodel.ApiError,
 ) {
 	integrationPATName := fmt.Sprintf("%s integration", cloudProvider)
-
-	integrationUser, apiErr := ah.getOrCreateCloudIntegrationUser(ctx, orgId, cloudProvider)
+	integrationServiceAccount, apiErr := ah.getOrCreateCloudIntegrationServiceAccount(ctx, orgId, cloudProvider)
 	if apiErr != nil {
 		return "", apiErr
 	}
 
-	orgIdUUID, err := valuer.NewUUID(orgId)
+	keys, err := ah.Signoz.Modules.ServiceAccount.ListFactorAPIKey(ctx, integrationServiceAccount.ID)
 	if err != nil {
 		return "", basemodel.InternalError(fmt.Errorf(
-			"couldn't parse orgId: %w", err,
+			"couldn't list api keys: %w", err,
 		))
 	}
 
-	allPats, err := ah.Signoz.Modules.User.ListAPIKeys(ctx, orgIdUUID)
-	if err != nil {
-		return "", basemodel.InternalError(fmt.Errorf(
-			"couldn't list PATs: %w", err,
-		))
-	}
-	for _, p := range allPats {
-		if p.UserID == integrationUser.ID && p.Name == integrationPATName {
-			return p.Token, nil
+	for _, key := range keys {
+		if key.Name == integrationPATName {
+			err := key.IsExpired()
+			if err == nil {
+				return key.Key, nil
+			}
 		}
 	}
 
@@ -143,46 +139,35 @@ func (ah *APIHandler) getOrCreateCloudIntegrationPAT(ctx context.Context, orgId
 		zap.String("cloudProvider", cloudProvider),
 	)
 
-	newPAT, err := types.NewStorableAPIKey(
-		integrationPATName,
-		integrationUser.ID,
-		types.RoleViewer,
-		0,
-	)
+	apiKey, err := integrationServiceAccount.NewFactorAPIKey(integrationPATName, 0)
 	if err != nil {
 		return "", basemodel.InternalError(fmt.Errorf(
 			"couldn't create cloud integration PAT: %w", err,
 		))
 	}
 
-	err = ah.Signoz.Modules.User.CreateAPIKey(ctx, newPAT)
+	err = ah.Signoz.Modules.ServiceAccount.CreateFactorAPIKey(ctx, apiKey)
 	if err != nil {
 		return "", basemodel.InternalError(fmt.Errorf(
-			"couldn't create cloud integration PAT: %w", err,
+			"couldn't create cloud integration api key: %w", err,
 		))
 	}
-	return newPAT.Token, nil
+	return apiKey.Key, nil
 }
 
-func (ah *APIHandler) getOrCreateCloudIntegrationUser(
+func (ah *APIHandler) getOrCreateCloudIntegrationServiceAccount(
 	ctx context.Context, orgId string, cloudProvider string,
-) (*types.User, *basemodel.ApiError) {
-	cloudIntegrationUserName := fmt.Sprintf("%s-integration", cloudProvider)
-	email := valuer.MustNewEmail(fmt.Sprintf("%s@signoz.io", cloudIntegrationUserName))
+) (*serviceaccounttypes.ServiceAccount, *basemodel.ApiError) {
+	serviceAccountName := fmt.Sprintf("%s-integration", cloudProvider)
+	email := valuer.MustNewEmail(fmt.Sprintf("%s@signoz.io", serviceAccountName))
 
-	cloudIntegrationUser, err := types.NewUser(cloudIntegrationUserName, email, types.RoleViewer, valuer.MustNewUUID(orgId), types.UserStatusActive)
+	serviceAccount := serviceaccounttypes.NewServiceAccount(serviceAccountName, email, []string{roletypes.SigNozViewerRoleName}, serviceaccounttypes.StatusActive, valuer.MustNewUUID(orgId))
+	serviceAccount, err := ah.Signoz.Modules.ServiceAccount.GetOrCreate(ctx, serviceAccount)
 	if err != nil {
-		return nil, basemodel.InternalError(fmt.Errorf("couldn't create cloud integration user: %w", err))
+		return nil, basemodel.InternalError(fmt.Errorf("couldn't look for integration service account: %w", err))
 	}
 
-	password := types.MustGenerateFactorPassword(cloudIntegrationUser.ID.StringValue())
-
-	cloudIntegrationUser, err = ah.Signoz.Modules.User.GetOrCreateUser(ctx, cloudIntegrationUser, user.WithFactorPassword(password))
-	if err != nil {
-		return nil, basemodel.InternalError(fmt.Errorf("couldn't look for integration user: %w", err))
-	}
-
-	return cloudIntegrationUser, nil
+	return serviceAccount, nil
 }
 
 func (ah *APIHandler) getIngestionUrlAndSigNozAPIUrl(ctx context.Context, licenseKey string) (

ee/query-service/app/server.go

@@ -216,8 +216,7 @@ func (s *Server) createPublicServer(apiHandler *api.APIHandler, web web.Web) (*h
 		}),
 		otelmux.WithPublicEndpoint(),
 	))
-	r.Use(middleware.NewAuthN([]string{"Authorization", "Sec-WebSocket-Protocol"}, s.signoz.Sharder, s.signoz.Tokenizer, s.signoz.Instrumentation.Logger()).Wrap)
-	r.Use(middleware.NewAPIKey(s.signoz.SQLStore, []string{"SIGNOZ-API-KEY"}, s.signoz.Instrumentation.Logger(), s.signoz.Sharder).Wrap)
+	r.Use(middleware.NewAuthN([]string{"Authorization", "Sec-WebSocket-Protocol"}, []string{"SIGNOZ-API-KEY"}, s.signoz.Sharder, s.signoz.Tokenizer, s.signoz.ServiceAccountTokenizer, s.signoz.Instrumentation.Logger()).Wrap)
 	r.Use(middleware.NewTimeout(s.signoz.Instrumentation.Logger(),
 		s.config.APIServer.Timeout.ExcludedRoutes,
 		s.config.APIServer.Timeout.Default,

frontend/src/AppRoutes/index.tsx

@@ -29,6 +29,7 @@ import posthog from 'posthog-js';
 import { useAppContext } from 'providers/App/App';
 import { IUser } from 'providers/App/types';
 import { CmdKProvider } from 'providers/cmdKProvider';
+import { DashboardProvider } from 'providers/Dashboard/Dashboard';
 import { ErrorModalProvider } from 'providers/ErrorModalProvider';
 import { PreferenceContextProvider } from 'providers/preferences/context/PreferenceContextProvider';
 import { QueryBuilderProvider } from 'providers/QueryBuilder';
@@ -383,26 +384,28 @@ function App(): JSX.Element {
 									<PrivateRoute>
 										<ResourceProvider>
 											<QueryBuilderProvider>
-												<KeyboardHotkeysProvider>
-													<AppLayout>
-														<PreferenceContextProvider>
-															<Suspense fallback={<Spinner size="large" tip="Loading..." />}>
-																<Switch>
-																	{routes.map(({ path, component, exact }) => (
-																		<Route
-																			key={`${path}`}
-																			exact={exact}
-																			path={path}
-																			component={component}
-																		/>
-																	))}
-																	<Route exact path="/" component={Home} />
-																	<Route path="*" component={NotFound} />
-																</Switch>
-															</Suspense>
-														</PreferenceContextProvider>
-													</AppLayout>
-												</KeyboardHotkeysProvider>
+												<DashboardProvider>
+													<KeyboardHotkeysProvider>
+														<AppLayout>
+															<PreferenceContextProvider>
+																<Suspense fallback={<Spinner size="large" tip="Loading..." />}>
+																	<Switch>
+																		{routes.map(({ path, component, exact }) => (
+																			<Route
+																				key={`${path}`}
+																				exact={exact}
+																				path={path}
+																				component={component}
+																			/>
+																		))}
+																		<Route exact path="/" component={Home} />
+																		<Route path="*" component={NotFound} />
+																	</Switch>
+																</Suspense>
+															</PreferenceContextProvider>
+														</AppLayout>
+													</KeyboardHotkeysProvider>
+												</DashboardProvider>
 											</QueryBuilderProvider>
 										</ResourceProvider>
 									</PrivateRoute>

frontend/src/api/generated/services/sigNoz.schemas.ts

@@ -2345,63 +2345,6 @@ export interface TypesChangePasswordRequestDTO {
 	userId?: string;
 }
 
-export interface TypesGettableAPIKeyDTO {
-	/**
-	 * @type string
-	 * @format date-time
-	 */
-	createdAt?: Date;
-	/**
-	 * @type string
-	 */
-	createdBy?: string;
-	createdByUser?: TypesUserDTO;
-	/**
-	 * @type integer
-	 * @format int64
-	 */
-	expiresAt?: number;
-	/**
-	 * @type string
-	 */
-	id: string;
-	/**
-	 * @type integer
-	 * @format int64
-	 */
-	lastUsed?: number;
-	/**
-	 * @type string
-	 */
-	name?: string;
-	/**
-	 * @type boolean
-	 */
-	revoked?: boolean;
-	/**
-	 * @type string
-	 */
-	role?: string;
-	/**
-	 * @type string
-	 */
-	token?: string;
-	/**
-	 * @type string
-	 * @format date-time
-	 */
-	updatedAt?: Date;
-	/**
-	 * @type string
-	 */
-	updatedBy?: string;
-	updatedByUser?: TypesUserDTO;
-	/**
-	 * @type string
-	 */
-	userId?: string;
-}
-
 export interface TypesGettableGlobalConfigDTO {
 	/**
 	 * @type string
@@ -2495,22 +2438,6 @@ export interface TypesOrganizationDTO {
 	updatedAt?: Date;
 }
 
-export interface TypesPostableAPIKeyDTO {
-	/**
-	 * @type integer
-	 * @format int64
-	 */
-	expiresInDays?: number;
-	/**
-	 * @type string
-	 */
-	name?: string;
-	/**
-	 * @type string
-	 */
-	role?: string;
-}
-
 export interface TypesPostableAcceptInviteDTO {
 	/**
 	 * @type string
@@ -2602,51 +2529,6 @@ export interface TypesResetPasswordTokenDTO {
 	token?: string;
 }
 
-export interface TypesStorableAPIKeyDTO {
-	/**
-	 * @type string
-	 * @format date-time
-	 */
-	createdAt?: Date;
-	/**
-	 * @type string
-	 */
-	createdBy?: string;
-	/**
-	 * @type string
-	 */
-	id: string;
-	/**
-	 * @type string
-	 */
-	name?: string;
-	/**
-	 * @type boolean
-	 */
-	revoked?: boolean;
-	/**
-	 * @type string
-	 */
-	role?: string;
-	/**
-	 * @type string
-	 */
-	token?: string;
-	/**
-	 * @type string
-	 * @format date-time
-	 */
-	updatedAt?: Date;
-	/**
-	 * @type string
-	 */
-	updatedBy?: string;
-	/**
-	 * @type string
-	 */
-	userId?: string;
-}
-
 export interface TypesUserDTO {
 	/**
 	 * @type string
@@ -3111,31 +2993,6 @@ export type GetOrgPreference200 = {
 export type UpdateOrgPreferencePathParameters = {
 	name: string;
 };
-export type ListAPIKeys200 = {
-	/**
-	 * @type array
-	 */
-	data: TypesGettableAPIKeyDTO[];
-	/**
-	 * @type string
-	 */
-	status: string;
-};
-
-export type CreateAPIKey201 = {
-	data: TypesGettableAPIKeyDTO;
-	/**
-	 * @type string
-	 */
-	status: string;
-};
-
-export type RevokeAPIKeyPathParameters = {
-	id: string;
-};
-export type UpdateAPIKeyPathParameters = {
-	id: string;
-};
 export type GetPublicDashboardDataPathParameters = {
 	id: string;
 };

frontend/src/api/generated/services/users/index.ts

@@ -22,7 +22,6 @@ import { GeneratedAPIInstance } from '../../../generatedAPIInstance';
 import type {
 	AcceptInvite201,
 	ChangePasswordPathParameters,
-	CreateAPIKey201,
 	CreateInvite201,
 	DeleteInvitePathParameters,
 	DeleteUserPathParameters,
@@ -33,21 +32,16 @@ import type {
 	GetResetPasswordTokenPathParameters,
 	GetUser200,
 	GetUserPathParameters,
-	ListAPIKeys200,
 	ListInvite200,
 	ListUsers200,
 	RenderErrorResponseDTO,
-	RevokeAPIKeyPathParameters,
 	TypesChangePasswordRequestDTO,
 	TypesPostableAcceptInviteDTO,
-	TypesPostableAPIKeyDTO,
 	TypesPostableBulkInviteRequestDTO,
 	TypesPostableForgotPasswordDTO,
 	TypesPostableInviteDTO,
 	TypesPostableResetPasswordDTO,
-	TypesStorableAPIKeyDTO,
 	TypesUserDTO,
-	UpdateAPIKeyPathParameters,
 	UpdateUser200,
 	UpdateUserPathParameters,
 } from '../sigNoz.schemas';
@@ -750,349 +744,6 @@ export const useCreateBulkInvite = <
 
 	return useMutation(mutationOptions);
 };
-/**
- * This endpoint lists all api keys
- * @summary List api keys
- */
-export const listAPIKeys = (signal?: AbortSignal) => {
-	return GeneratedAPIInstance<ListAPIKeys200>({
-		url: `/api/v1/pats`,
-		method: 'GET',
-		signal,
-	});
-};
-
-export const getListAPIKeysQueryKey = () => {
-	return [`/api/v1/pats`] as const;
-};
-
-export const getListAPIKeysQueryOptions = <
-	TData = Awaited<ReturnType<typeof listAPIKeys>>,
-	TError = ErrorType<RenderErrorResponseDTO>
->(options?: {
-	query?: UseQueryOptions<
-		Awaited<ReturnType<typeof listAPIKeys>>,
-		TError,
-		TData
-	>;
-}) => {
-	const { query: queryOptions } = options ?? {};
-
-	const queryKey = queryOptions?.queryKey ?? getListAPIKeysQueryKey();
-
-	const queryFn: QueryFunction<Awaited<ReturnType<typeof listAPIKeys>>> = ({
-		signal,
-	}) => listAPIKeys(signal);
-
-	return { queryKey, queryFn, ...queryOptions } as UseQueryOptions<
-		Awaited<ReturnType<typeof listAPIKeys>>,
-		TError,
-		TData
-	> & { queryKey: QueryKey };
-};
-
-export type ListAPIKeysQueryResult = NonNullable<
-	Awaited<ReturnType<typeof listAPIKeys>>
->;
-export type ListAPIKeysQueryError = ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary List api keys
- */
-
-export function useListAPIKeys<
-	TData = Awaited<ReturnType<typeof listAPIKeys>>,
-	TError = ErrorType<RenderErrorResponseDTO>
->(options?: {
-	query?: UseQueryOptions<
-		Awaited<ReturnType<typeof listAPIKeys>>,
-		TError,
-		TData
-	>;
-}): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
-	const queryOptions = getListAPIKeysQueryOptions(options);
-
-	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
-		queryKey: QueryKey;
-	};
-
-	query.queryKey = queryOptions.queryKey;
-
-	return query;
-}
-
-/**
- * @summary List api keys
- */
-export const invalidateListAPIKeys = async (
-	queryClient: QueryClient,
-	options?: InvalidateOptions,
-): Promise<QueryClient> => {
-	await queryClient.invalidateQueries(
-		{ queryKey: getListAPIKeysQueryKey() },
-		options,
-	);
-
-	return queryClient;
-};
-
-/**
- * This endpoint creates an api key
- * @summary Create api key
- */
-export const createAPIKey = (
-	typesPostableAPIKeyDTO: BodyType<TypesPostableAPIKeyDTO>,
-	signal?: AbortSignal,
-) => {
-	return GeneratedAPIInstance<CreateAPIKey201>({
-		url: `/api/v1/pats`,
-		method: 'POST',
-		headers: { 'Content-Type': 'application/json' },
-		data: typesPostableAPIKeyDTO,
-		signal,
-	});
-};
-
-export const getCreateAPIKeyMutationOptions = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof createAPIKey>>,
-		TError,
-		{ data: BodyType<TypesPostableAPIKeyDTO> },
-		TContext
-	>;
-}): UseMutationOptions<
-	Awaited<ReturnType<typeof createAPIKey>>,
-	TError,
-	{ data: BodyType<TypesPostableAPIKeyDTO> },
-	TContext
-> => {
-	const mutationKey = ['createAPIKey'];
-	const { mutation: mutationOptions } = options
-		? options.mutation &&
-		  'mutationKey' in options.mutation &&
-		  options.mutation.mutationKey
-			? options
-			: { ...options, mutation: { ...options.mutation, mutationKey } }
-		: { mutation: { mutationKey } };
-
-	const mutationFn: MutationFunction<
-		Awaited<ReturnType<typeof createAPIKey>>,
-		{ data: BodyType<TypesPostableAPIKeyDTO> }
-	> = (props) => {
-		const { data } = props ?? {};
-
-		return createAPIKey(data);
-	};
-
-	return { mutationFn, ...mutationOptions };
-};
-
-export type CreateAPIKeyMutationResult = NonNullable<
-	Awaited<ReturnType<typeof createAPIKey>>
->;
-export type CreateAPIKeyMutationBody = BodyType<TypesPostableAPIKeyDTO>;
-export type CreateAPIKeyMutationError = ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary Create api key
- */
-export const useCreateAPIKey = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof createAPIKey>>,
-		TError,
-		{ data: BodyType<TypesPostableAPIKeyDTO> },
-		TContext
-	>;
-}): UseMutationResult<
-	Awaited<ReturnType<typeof createAPIKey>>,
-	TError,
-	{ data: BodyType<TypesPostableAPIKeyDTO> },
-	TContext
-> => {
-	const mutationOptions = getCreateAPIKeyMutationOptions(options);
-
-	return useMutation(mutationOptions);
-};
-/**
- * This endpoint revokes an api key
- * @summary Revoke api key
- */
-export const revokeAPIKey = ({ id }: RevokeAPIKeyPathParameters) => {
-	return GeneratedAPIInstance<void>({
-		url: `/api/v1/pats/${id}`,
-		method: 'DELETE',
-	});
-};
-
-export const getRevokeAPIKeyMutationOptions = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof revokeAPIKey>>,
-		TError,
-		{ pathParams: RevokeAPIKeyPathParameters },
-		TContext
-	>;
-}): UseMutationOptions<
-	Awaited<ReturnType<typeof revokeAPIKey>>,
-	TError,
-	{ pathParams: RevokeAPIKeyPathParameters },
-	TContext
-> => {
-	const mutationKey = ['revokeAPIKey'];
-	const { mutation: mutationOptions } = options
-		? options.mutation &&
-		  'mutationKey' in options.mutation &&
-		  options.mutation.mutationKey
-			? options
-			: { ...options, mutation: { ...options.mutation, mutationKey } }
-		: { mutation: { mutationKey } };
-
-	const mutationFn: MutationFunction<
-		Awaited<ReturnType<typeof revokeAPIKey>>,
-		{ pathParams: RevokeAPIKeyPathParameters }
-	> = (props) => {
-		const { pathParams } = props ?? {};
-
-		return revokeAPIKey(pathParams);
-	};
-
-	return { mutationFn, ...mutationOptions };
-};
-
-export type RevokeAPIKeyMutationResult = NonNullable<
-	Awaited<ReturnType<typeof revokeAPIKey>>
->;
-
-export type RevokeAPIKeyMutationError = ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary Revoke api key
- */
-export const useRevokeAPIKey = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof revokeAPIKey>>,
-		TError,
-		{ pathParams: RevokeAPIKeyPathParameters },
-		TContext
-	>;
-}): UseMutationResult<
-	Awaited<ReturnType<typeof revokeAPIKey>>,
-	TError,
-	{ pathParams: RevokeAPIKeyPathParameters },
-	TContext
-> => {
-	const mutationOptions = getRevokeAPIKeyMutationOptions(options);
-
-	return useMutation(mutationOptions);
-};
-/**
- * This endpoint updates an api key
- * @summary Update api key
- */
-export const updateAPIKey = (
-	{ id }: UpdateAPIKeyPathParameters,
-	typesStorableAPIKeyDTO: BodyType<TypesStorableAPIKeyDTO>,
-) => {
-	return GeneratedAPIInstance<string>({
-		url: `/api/v1/pats/${id}`,
-		method: 'PUT',
-		headers: { 'Content-Type': 'application/json' },
-		data: typesStorableAPIKeyDTO,
-	});
-};
-
-export const getUpdateAPIKeyMutationOptions = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof updateAPIKey>>,
-		TError,
-		{
-			pathParams: UpdateAPIKeyPathParameters;
-			data: BodyType<TypesStorableAPIKeyDTO>;
-		},
-		TContext
-	>;
-}): UseMutationOptions<
-	Awaited<ReturnType<typeof updateAPIKey>>,
-	TError,
-	{
-		pathParams: UpdateAPIKeyPathParameters;
-		data: BodyType<TypesStorableAPIKeyDTO>;
-	},
-	TContext
-> => {
-	const mutationKey = ['updateAPIKey'];
-	const { mutation: mutationOptions } = options
-		? options.mutation &&
-		  'mutationKey' in options.mutation &&
-		  options.mutation.mutationKey
-			? options
-			: { ...options, mutation: { ...options.mutation, mutationKey } }
-		: { mutation: { mutationKey } };
-
-	const mutationFn: MutationFunction<
-		Awaited<ReturnType<typeof updateAPIKey>>,
-		{
-			pathParams: UpdateAPIKeyPathParameters;
-			data: BodyType<TypesStorableAPIKeyDTO>;
-		}
-	> = (props) => {
-		const { pathParams, data } = props ?? {};
-
-		return updateAPIKey(pathParams, data);
-	};
-
-	return { mutationFn, ...mutationOptions };
-};
-
-export type UpdateAPIKeyMutationResult = NonNullable<
-	Awaited<ReturnType<typeof updateAPIKey>>
->;
-export type UpdateAPIKeyMutationBody = BodyType<TypesStorableAPIKeyDTO>;
-export type UpdateAPIKeyMutationError = ErrorType<RenderErrorResponseDTO>;
-
-/**
- * @summary Update api key
- */
-export const useUpdateAPIKey = <
-	TError = ErrorType<RenderErrorResponseDTO>,
-	TContext = unknown
->(options?: {
-	mutation?: UseMutationOptions<
-		Awaited<ReturnType<typeof updateAPIKey>>,
-		TError,
-		{
-			pathParams: UpdateAPIKeyPathParameters;
-			data: BodyType<TypesStorableAPIKeyDTO>;
-		},
-		TContext
-	>;
-}): UseMutationResult<
-	Awaited<ReturnType<typeof updateAPIKey>>,
-	TError,
-	{
-		pathParams: UpdateAPIKeyPathParameters;
-		data: BodyType<TypesStorableAPIKeyDTO>;
-	},
-	TContext
-> => {
-	const mutationOptions = getUpdateAPIKeyMutationOptions(options);
-
-	return useMutation(mutationOptions);
-};
 /**
  * This endpoint resets the password by token
  * @summary Reset password

frontend/src/components/CustomTimePicker/CustomTimePicker.styles.scss

@@ -1,6 +1,31 @@
 .custom-time-picker {
 	display: flex;
-	flex-direction: column;
+	flex-direction: row;
+	align-items: center;
+	gap: 4px;
+
+	.zoom-out-btn {
+		display: flex;
+		align-items: center;
+		justify-content: center;
+		flex-shrink: 0;
+		color: var(--foreground);
+		border: 1px solid var(--border);
+		border-radius: 2px;
+		box-shadow: none;
+		padding: 10px;
+		height: 33px;
+
+		&:hover:not(:disabled) {
+			color: var(--bg-vanilla-100);
+			background: var(--primary);
+		}
+
+		&:disabled {
+			opacity: 0.5;
+			cursor: not-allowed;
+		}
+	}
 
 	.timeSelection-input {
 		&:hover {

frontend/src/components/CustomTimePicker/CustomTimePicker.test.tsx

@@ -16,6 +16,15 @@ jest.mock('react-router-dom', () => {
 	};
 });
 
+jest.mock('react-redux', () => ({
+	...jest.requireActual('react-redux'),
+	useDispatch: jest.fn(() => jest.fn()),
+	useSelector: jest.fn(() => ({
+		minTime: 0,
+		maxTime: Date.now(),
+	})),
+}));
+
 jest.mock('providers/Timezone', () => {
 	const actual = jest.requireActual('providers/Timezone');
 

frontend/src/components/CustomTimePicker/CustomTimePicker.tsx

@@ -7,9 +7,11 @@ import {
 	useState,
 } from 'react';
 import { useLocation } from 'react-router-dom';
+import { Button } from '@signozhq/button';
 import { Input, InputRef, Popover, Tooltip } from 'antd';
 import cx from 'classnames';
 import { DATE_TIME_FORMATS } from 'constants/dateTimeFormats';
+import { QueryParams } from 'constants/query';
 import { DateTimeRangeType } from 'container/TopNav/CustomDateTimeModal';
 import {
 	FixedDurationSuggestionOptions,
@@ -17,9 +19,11 @@ import {
 	RelativeDurationSuggestionOptions,
 } from 'container/TopNav/DateTimeSelectionV2/constants';
 import dayjs from 'dayjs';
+import { useZoomOut } from 'hooks/useZoomOut';
 import { isValidShortHandDateTimeFormat } from 'lib/getMinMax';
+import { isZoomOutDisabled } from 'lib/zoomOutUtils';
 import { defaultTo, isFunction, noop } from 'lodash-es';
-import { ChevronDown, ChevronUp } from 'lucide-react';
+import { ChevronDown, ChevronUp, ZoomOut } from 'lucide-react';
 import { useTimezone } from 'providers/Timezone';
 import { getTimeDifference, validateEpochRange } from 'utils/epochUtils';
 import { popupContainer } from 'utils/selectPopupContainer';
@@ -66,6 +70,8 @@ interface CustomTimePickerProps {
 	showRecentlyUsed?: boolean;
 	minTime: number;
 	maxTime: number;
+	/** When true, zoom-out button is hidden (e.g. in drawer/modal time selection) */
+	isModalTimeSelection?: boolean;
 }
 
 function CustomTimePicker({
@@ -88,6 +94,7 @@ function CustomTimePicker({
 	showRecentlyUsed = true,
 	minTime,
 	maxTime,
+	isModalTimeSelection = false,
 }: CustomTimePickerProps): JSX.Element {
 	const [
 		selectedTimePlaceholderValue,
@@ -116,6 +123,14 @@ function CustomTimePicker({
 
 	const [isOpenedFromFooter, setIsOpenedFromFooter] = useState(false);
 
+	const durationMs = (maxTime - minTime) / 1e6;
+	const zoomOutDisabled = showLiveLogs || isZoomOutDisabled(durationMs);
+
+	const handleZoomOut = useZoomOut({
+		isDisabled: zoomOutDisabled,
+		urlParamsToDelete: [QueryParams.activeLogId],
+	});
+
 	// function to get selected time in Last 1m, Last 2h, Last 3d, Last 4w format
 	// 1m, 2h, 3d, 4w -> Last 1 minute, Last 2 hours, Last 3 days, Last 4 weeks
 	const getSelectedTimeRangeLabelInRelativeFormat = (
@@ -631,6 +646,23 @@ function CustomTimePicker({
 					/>
 				</Popover>
 			</Tooltip>
+			{!showLiveLogs && !isModalTimeSelection && (
+				<Tooltip
+					title={
+						zoomOutDisabled ? 'Zoom out time range is limited to 1 month' : 'Zoom out'
+					}
+				>
+					<span>
+						<Button
+							className="zoom-out-btn"
+							onClick={handleZoomOut}
+							disabled={zoomOutDisabled}
+							data-testid="zoom-out-btn"
+							prefixIcon={<ZoomOut size={14} />}
+						/>
+					</span>
+				</Tooltip>
+			)}
 		</div>
 	);
 }

frontend/src/components/CustomTimePicker/__tests__/customTimePickerZoomOut.test.tsx

@@ -0,0 +1,169 @@
+import { render, screen } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+import { QueryParams } from 'constants/query';
+import { GlobalReducer } from 'types/reducer/globalTime';
+
+import CustomTimePicker from '../CustomTimePicker';
+
+const MS_PER_MIN = 60 * 1000;
+const NOW_MS = 1705312800000;
+
+const mockDispatch = jest.fn();
+const mockSafeNavigate = jest.fn();
+const mockUrlQueryDelete = jest.fn();
+const mockUrlQuerySet = jest.fn();
+
+interface MockAppState {
+	globalTime: Pick<GlobalReducer, 'minTime' | 'maxTime'>;
+}
+
+jest.mock('react-redux', () => ({
+	useDispatch: (): jest.Mock => mockDispatch,
+	useSelector: (selector: (state: MockAppState) => unknown): unknown => {
+		const mockState: MockAppState = {
+			globalTime: {
+				minTime: (NOW_MS - 15 * MS_PER_MIN) * 1e6,
+				maxTime: NOW_MS * 1e6,
+			},
+		};
+		return selector(mockState);
+	},
+}));
+
+jest.mock('hooks/useSafeNavigate', () => ({
+	useSafeNavigate: (): { safeNavigate: jest.Mock } => ({
+		safeNavigate: mockSafeNavigate,
+	}),
+}));
+
+interface MockUrlQuery {
+	delete: typeof mockUrlQueryDelete;
+	set: typeof mockUrlQuerySet;
+	get: () => null;
+	toString: () => string;
+}
+
+jest.mock('hooks/useUrlQuery', () => ({
+	__esModule: true,
+	default: (): MockUrlQuery => ({
+		delete: mockUrlQueryDelete,
+		set: mockUrlQuerySet,
+		get: (): null => null,
+		toString: (): string => 'relativeTime=45m',
+	}),
+}));
+
+jest.mock('providers/Timezone', () => ({
+	useTimezone: (): { timezone: { value: string; offset: string } } => ({
+		timezone: { value: 'UTC', offset: 'UTC' },
+	}),
+}));
+
+jest.mock('react-router-dom', () => ({
+	useLocation: (): { pathname: string } => ({ pathname: '/logs-explorer' }),
+}));
+
+const MS_PER_DAY = 24 * 60 * 60 * 1000;
+const now = Date.now();
+const defaultProps = {
+	onSelect: jest.fn(),
+	onError: jest.fn(),
+	selectedValue: '15m',
+	selectedTime: '15m',
+	onValidCustomDateChange: jest.fn(),
+	open: false,
+	setOpen: jest.fn(),
+	items: [
+		{ value: '15m', label: 'Last 15 minutes' },
+		{ value: '1h', label: 'Last 1 hour' },
+	],
+	minTime: (now - 15 * 60 * 1000) * 1e6,
+	maxTime: now * 1e6,
+};
+
+describe('CustomTimePicker - zoom out button', () => {
+	beforeEach(() => {
+		jest.clearAllMocks();
+		jest.spyOn(Date, 'now').mockReturnValue(NOW_MS);
+	});
+
+	afterEach(() => {
+		jest.restoreAllMocks();
+	});
+
+	it('should render zoom out button when showLiveLogs is false', () => {
+		render(<CustomTimePicker {...defaultProps} showLiveLogs={false} />);
+
+		expect(screen.getByTestId('zoom-out-btn')).toBeInTheDocument();
+	});
+
+	it('should not render zoom out button when showLiveLogs is true', () => {
+		render(<CustomTimePicker {...defaultProps} showLiveLogs={true} />);
+
+		expect(screen.queryByTestId('zoom-out-btn')).not.toBeInTheDocument();
+	});
+
+	it('should not render zoom out button when isModalTimeSelection is true', () => {
+		render(
+			<CustomTimePicker
+				{...defaultProps}
+				showLiveLogs={false}
+				isModalTimeSelection={true}
+			/>,
+		);
+
+		expect(screen.queryByTestId('zoom-out-btn')).not.toBeInTheDocument();
+	});
+
+	it('should call handleZoomOut when zoom out button is clicked', async () => {
+		render(<CustomTimePicker {...defaultProps} showLiveLogs={false} />);
+
+		const zoomOutBtn = screen.getByTestId('zoom-out-btn');
+		await userEvent.click(zoomOutBtn);
+
+		expect(mockDispatch).toHaveBeenCalled();
+		expect(mockUrlQuerySet).toHaveBeenCalledWith(QueryParams.relativeTime, '45m');
+		expect(mockSafeNavigate).toHaveBeenCalledWith(
+			expect.stringMatching(/\/logs-explorer\?relativeTime=45m/),
+		);
+	});
+
+	it('should use real ladder logic: 15m range zooms to 45m preset and updates URL', async () => {
+		render(<CustomTimePicker {...defaultProps} showLiveLogs={false} />);
+
+		const zoomOutBtn = screen.getByTestId('zoom-out-btn');
+		await userEvent.click(zoomOutBtn);
+
+		expect(mockUrlQueryDelete).toHaveBeenCalledWith(QueryParams.startTime);
+		expect(mockUrlQueryDelete).toHaveBeenCalledWith(QueryParams.endTime);
+		expect(mockUrlQuerySet).toHaveBeenCalledWith(QueryParams.relativeTime, '45m');
+		expect(mockSafeNavigate).toHaveBeenCalledWith(
+			expect.stringMatching(/\/logs-explorer\?relativeTime=45m/),
+		);
+		expect(mockDispatch).toHaveBeenCalled();
+	});
+
+	it('should delete activeLogId when zoom out is clicked', async () => {
+		render(<CustomTimePicker {...defaultProps} showLiveLogs={false} />);
+
+		const zoomOutBtn = screen.getByTestId('zoom-out-btn');
+		await userEvent.click(zoomOutBtn);
+
+		expect(mockUrlQueryDelete).toHaveBeenCalledWith(QueryParams.activeLogId);
+	});
+
+	it('should disable zoom button when time range is >= 1 month', () => {
+		const now = Date.now();
+		render(
+			<CustomTimePicker
+				{...defaultProps}
+				minTime={(now - 31 * MS_PER_DAY) * 1e6}
+				maxTime={now * 1e6}
+				showLiveLogs={false}
+			/>,
+		);
+
+		const zoomOutBtn = screen.getByTestId('zoom-out-btn');
+		expect(zoomOutBtn).toBeDisabled();
+	});
+});

frontend/src/container/DashboardContainer/DashboardDescription/__tests__/DashboardDescription.test.tsx

@@ -34,6 +34,11 @@ const mockSafeNavigate = jest.fn();
 jest.mock('react-router-dom', () => ({
 	...jest.requireActual('react-router-dom'),
 	useLocation: jest.fn(),
+	useRouteMatch: jest.fn().mockReturnValue({
+		params: {
+			dashboardId: 4,
+		},
+	}),
 }));
 
 jest.mock(
@@ -64,7 +69,7 @@ describe('Dashboard landing page actions header tests', () => {
 		(useLocation as jest.Mock).mockReturnValue(mockLocation);
 		const { getByTestId } = render(
 			<MemoryRouter initialEntries={[DASHBOARD_PATH]}>
-				<DashboardProvider dashboardId="4">
+				<DashboardProvider>
 					<DashboardDescription
 						handle={{
 							active: false,
@@ -105,7 +110,7 @@ describe('Dashboard landing page actions header tests', () => {
 		);
 		const { getByTestId } = render(
 			<MemoryRouter initialEntries={[DASHBOARD_PATH]}>
-				<DashboardProvider dashboardId="4">
+				<DashboardProvider>
 					<DashboardDescription
 						handle={{
 							active: false,
@@ -144,7 +149,7 @@ describe('Dashboard landing page actions header tests', () => {
 
 		const { getByText } = render(
 			<MemoryRouter initialEntries={[DASHBOARD_PATH]}>
-				<DashboardProvider dashboardId="4">
+				<DashboardProvider>
 					<DashboardDescription
 						handle={{
 							active: false,

frontend/src/container/DashboardContainer/DashboardVariablesSelection/DashboardVariableSelection.tsx

@@ -9,6 +9,7 @@ import {
 } from 'hooks/dashboard/useDashboardVariables';
 import useVariablesFromUrl from 'hooks/dashboard/useVariablesFromUrl';
 import { useDashboard } from 'providers/Dashboard/Dashboard';
+import { initializeDefaultVariables } from 'providers/Dashboard/initializeDefaultVariables';
 import { updateDashboardVariablesStore } from 'providers/Dashboard/store/dashboardVariables/dashboardVariablesStore';
 import {
 	enqueueDescendantsOfVariable,
@@ -29,7 +30,7 @@ function DashboardVariableSelection(): JSX.Element | null {
 		updateLocalStorageDashboardVariables,
 	} = useDashboard();
 
-	const { updateUrlVariable } = useVariablesFromUrl();
+	const { updateUrlVariable, getUrlVariables } = useVariablesFromUrl();
 
 	const { dashboardVariables } = useDashboardVariables();
 	const dashboardId = useDashboardVariablesSelector(
@@ -49,6 +50,15 @@ function DashboardVariableSelection(): JSX.Element | null {
 		(state) => state.globalTime,
 	);
 
+	useEffect(() => {
+		// Initialize variables with default values if not in URL
+		initializeDefaultVariables(
+			dashboardVariables,
+			getUrlVariables,
+			updateUrlVariable,
+		);
+	}, [getUrlVariables, updateUrlVariable, dashboardVariables]);
+
 	// Memoize the order key to avoid unnecessary triggers
 	const variableOrderKey = useMemo(() => {
 		const queryVariableOrderKey = dependencyData?.order?.join(',') ?? '';

frontend/src/container/LogsPanelTable/__tests__/LogsPanelComponent.test.tsx

@@ -5,6 +5,7 @@ import NewWidget from 'container/NewWidget';
 import { logsPaginationQueryRangeSuccessResponse } from 'mocks-server/__mockdata__/logs_query_range';
 import { server } from 'mocks-server/server';
 import { rest } from 'msw';
+import { DashboardProvider } from 'providers/Dashboard/Dashboard';
 import { PreferenceContextProvider } from 'providers/preferences/context/PreferenceContextProvider';
 import i18n from 'ReactI18';
 import { act, fireEvent, render, screen, waitFor } from 'tests/test-utils';
@@ -103,13 +104,15 @@ describe('LogsPanelComponent', () => {
 	const renderComponent = async (): Promise<void> => {
 		render(
 			<I18nextProvider i18n={i18n}>
-				<PreferenceContextProvider>
-					<NewWidget
-						dashboardId=""
-						selectedDashboard={undefined}
-						selectedGraph={PANEL_TYPES.LIST}
-					/>
-				</PreferenceContextProvider>
+				<DashboardProvider>
+					<PreferenceContextProvider>
+						<NewWidget
+							selectedGraph={PANEL_TYPES.LIST}
+							fillSpans={undefined}
+							yAxisUnit={undefined}
+						/>
+					</PreferenceContextProvider>
+				</DashboardProvider>
 			</I18nextProvider>,
 		);
 

frontend/src/container/NewWidget/LeftContainer/QuerySection/index.tsx

@@ -8,15 +8,28 @@ import { QueryBuilderV2 } from 'components/QueryBuilderV2/QueryBuilderV2';
 import TextToolTip from 'components/TextToolTip';
 import { PANEL_TYPES } from 'constants/queryBuilder';
 import { QBShortcuts } from 'constants/shortcuts/QBShortcuts';
-import { PANEL_TYPE_TO_QUERY_TYPES } from 'container/NewWidget/utils';
+import {
+	getDefaultWidgetData,
+	PANEL_TYPE_TO_QUERY_TYPES,
+} from 'container/NewWidget/utils';
 import RunQueryBtn from 'container/QueryBuilder/components/RunQueryBtn/RunQueryBtn';
+// import { QueryBuilder } from 'container/QueryBuilder';
 import { QueryBuilderProps } from 'container/QueryBuilder/QueryBuilder.interfaces';
 import { useKeyboardHotkeys } from 'hooks/hotkeys/useKeyboardHotkeys';
 import { useQueryBuilder } from 'hooks/queryBuilder/useQueryBuilder';
 import { useShareBuilderUrl } from 'hooks/queryBuilder/useShareBuilderUrl';
 import { useIsDarkMode } from 'hooks/useDarkMode';
+import useUrlQuery from 'hooks/useUrlQuery';
+import { defaultTo, isUndefined } from 'lodash-es';
 import { Atom, Terminal } from 'lucide-react';
+import { useDashboard } from 'providers/Dashboard/Dashboard';
+import {
+	getNextWidgets,
+	getPreviousWidgets,
+	getSelectedWidgetIndex,
+} from 'providers/Dashboard/util';
 import { Widgets } from 'types/api/dashboard/getAll';
+import { Query } from 'types/api/queryBuilder/queryBuilderData';
 import { EQueryType } from 'types/common/dashboard';
 
 import ClickHouseQueryContainer from './QueryBuilder/clickHouse';
@@ -27,25 +40,77 @@ function QuerySection({
 	selectedGraph,
 	queryRangeKey,
 	isLoadingQueries,
-	selectedWidget,
-	dashboardVersion,
-	dashboardId,
-	dashboardName,
-	isNewPanel,
 }: QueryProps): JSX.Element {
 	const {
 		currentQuery,
 		handleRunQuery: handleRunQueryFromQueryBuilder,
 		redirectWithQueryBuilderData,
 	} = useQueryBuilder();
+	const urlQuery = useUrlQuery();
 	const { registerShortcut, deregisterShortcut } = useKeyboardHotkeys();
 
+	const { selectedDashboard, setSelectedDashboard } = useDashboard();
+
 	const isDarkMode = useIsDarkMode();
 
+	const { widgets } = selectedDashboard?.data || {};
+
+	const getWidget = useCallback(() => {
+		const widgetId = urlQuery.get('widgetId');
+		return defaultTo(
+			widgets?.find((e) => e.id === widgetId),
+			getDefaultWidgetData(widgetId || '', selectedGraph),
+		);
+	}, [urlQuery, widgets, selectedGraph]);
+
+	const selectedWidget = getWidget() as Widgets;
+
 	const { query } = selectedWidget;
 
 	useShareBuilderUrl({ defaultValue: query });
 
+	const handleStageQuery = useCallback(
+		(query: Query): void => {
+			if (selectedDashboard === undefined) {
+				return;
+			}
+
+			const selectedWidgetIndex = getSelectedWidgetIndex(
+				selectedDashboard,
+				selectedWidget.id,
+			);
+
+			const previousWidgets = getPreviousWidgets(
+				selectedDashboard,
+				selectedWidgetIndex,
+			);
+
+			const nextWidgets = getNextWidgets(selectedDashboard, selectedWidgetIndex);
+
+			setSelectedDashboard({
+				...selectedDashboard,
+				data: {
+					...selectedDashboard?.data,
+					widgets: [
+						...previousWidgets,
+						{
+							...selectedWidget,
+							query,
+						},
+						...nextWidgets,
+					],
+				},
+			});
+			handleRunQueryFromQueryBuilder();
+		},
+		[
+			selectedDashboard,
+			selectedWidget,
+			setSelectedDashboard,
+			handleRunQueryFromQueryBuilder,
+		],
+	);
+
 	const handleQueryCategoryChange = useCallback(
 		(qCategory: string): void => {
 			const currentQueryType = qCategory as EQueryType;
@@ -58,16 +123,19 @@ function QuerySection({
 	);
 
 	const handleRunQuery = (): void => {
+		const widgetId = urlQuery.get('widgetId');
+		const isNewPanel = isUndefined(widgets?.find((e) => e.id === widgetId));
+
 		logEvent('Panel Edit: Stage and run query', {
 			dataSource: currentQuery.builder?.queryData?.[0]?.dataSource,
 			panelType: selectedWidget.panelTypes,
 			queryType: currentQuery.queryType,
 			widgetId: selectedWidget.id,
-			dashboardId,
-			dashboardName,
+			dashboardId: selectedDashboard?.id,
+			dashboardName: selectedDashboard?.data.title,
 			isNewPanel,
 		});
-		handleRunQueryFromQueryBuilder();
+		handleStageQuery(currentQuery);
 	};
 
 	const filterConfigs: QueryBuilderProps['filterConfigs'] = useMemo(() => {
@@ -96,7 +164,7 @@ function QuerySection({
 							panelType={selectedGraph}
 							filterConfigs={filterConfigs}
 							showTraceOperator={selectedGraph !== PANEL_TYPES.LIST}
-							version={dashboardVersion || 'v3'}
+							version={selectedDashboard?.data?.version || 'v3'}
 							isListViewPanel={selectedGraph === PANEL_TYPES.LIST}
 							queryComponents={queryComponents}
 							signalSourceChangeEnabled
@@ -136,7 +204,7 @@ function QuerySection({
 		queryComponents,
 		selectedGraph,
 		filterConfigs,
-		dashboardVersion,
+		selectedDashboard?.data?.version,
 		isDarkMode,
 	]);
 
@@ -193,11 +261,6 @@ interface QueryProps {
 	selectedGraph: PANEL_TYPES;
 	queryRangeKey?: QueryKey;
 	isLoadingQueries?: boolean;
-	selectedWidget: Widgets;
-	dashboardVersion?: string;
-	dashboardId?: string;
-	dashboardName?: string;
-	isNewPanel?: boolean;
 }
 
 export default QuerySection;

frontend/src/container/NewWidget/LeftContainer/index.tsx

@@ -30,8 +30,6 @@ function LeftContainer({
 	setRequestData,
 	setQueryResponse,
 	enableDrillDown = false,
-	selectedDashboard,
-	isNewPanel = false,
 }: WidgetGraphProps): JSX.Element {
 	const { stagedQuery } = useQueryBuilder();
 
@@ -77,11 +75,6 @@ function LeftContainer({
 					selectedGraph={selectedGraph}
 					queryRangeKey={queryRangeKey}
 					isLoadingQueries={queryResponse.isFetching}
-					selectedWidget={selectedWidget}
-					dashboardVersion={ENTITY_VERSION_V5}
-					dashboardId={selectedDashboard?.id}
-					dashboardName={selectedDashboard?.data.title}
-					isNewPanel={isNewPanel}
 				/>
 				{selectedGraph === PANEL_TYPES.LIST && (
 					<ExplorerColumnsRenderer

frontend/src/container/NewWidget/RightContainer/__tests__/RightContainer.test.tsx

@@ -8,6 +8,7 @@ import userEvent from '@testing-library/user-event';
 import { PANEL_TYPES } from 'constants/queryBuilder';
 import { AppContext } from 'providers/App/App';
 import { IAppContext } from 'providers/App/types';
+import { DashboardProvider } from 'providers/Dashboard/Dashboard';
 import { ErrorModalProvider } from 'providers/ErrorModalProvider';
 import { QueryBuilderProvider } from 'providers/QueryBuilder';
 import configureStore from 'redux-mock-store';
@@ -95,7 +96,9 @@ const render = (ui: React.ReactElement): ReturnType<typeof rtlRender> =>
 				<Provider store={createMockStore()}>
 					<AppContext.Provider value={createMockAppContext() as IAppContext}>
 						<ErrorModalProvider>
-							<QueryBuilderProvider>{ui}</QueryBuilderProvider>
+							<DashboardProvider>
+								<QueryBuilderProvider>{ui}</QueryBuilderProvider>
+							</DashboardProvider>
 						</ErrorModalProvider>
 					</AppContext.Provider>
 				</Provider>

frontend/src/container/NewWidget/__test__/NewWidget.test.tsx

@@ -310,12 +310,12 @@ describe('Stacking bar in new panel', () => {
 
 		const { container, getByText } = render(
 			<I18nextProvider i18n={i18n}>
-				<DashboardProvider dashboardId="">
+				<DashboardProvider>
 					<PreferenceContextProvider>
 						<NewWidget
-							dashboardId=""
-							selectedDashboard={undefined}
 							selectedGraph={PANEL_TYPES.BAR}
+							fillSpans={undefined}
+							yAxisUnit={undefined}
 						/>
 					</PreferenceContextProvider>
 				</DashboardProvider>
@@ -356,11 +356,11 @@ describe('when switching to BAR panel type', () => {
 
 	it('should preserve saved stacking value of true', async () => {
 		const { getByTestId, getByText, container } = render(
-			<DashboardProvider dashboardId="">
+			<DashboardProvider>
 				<NewWidget
-					dashboardId=""
-					selectedDashboard={undefined}
 					selectedGraph={PANEL_TYPES.BAR}
+					fillSpans={undefined}
+					yAxisUnit={undefined}
 				/>
 			</DashboardProvider>,
 		);

frontend/src/container/NewWidget/index.tsx

@@ -4,7 +4,7 @@ import { useTranslation } from 'react-i18next';
 import { UseQueryResult } from 'react-query';
 // eslint-disable-next-line no-restricted-imports
 import { useSelector } from 'react-redux';
-import { generatePath } from 'react-router-dom';
+import { generatePath, useParams } from 'react-router-dom';
 import { WarningOutlined } from '@ant-design/icons';
 import { Button, Flex, Modal, Space, Typography } from 'antd';
 import logEvent from 'api/common/logEvent';
@@ -32,6 +32,8 @@ import { GetQueryResultsProps } from 'lib/dashboard/getQueryResults';
 import { getDashboardVariables } from 'lib/dashboardVariables/getDashboardVariables';
 import { cloneDeep, defaultTo, isEmpty, isUndefined } from 'lodash-es';
 import { Check, X } from 'lucide-react';
+import { DashboardWidgetPageParams } from 'pages/DashboardWidget';
+import { useDashboard } from 'providers/Dashboard/Dashboard';
 import { useScrollToWidgetIdStore } from 'providers/Dashboard/helpers/scrollToWidgetIdHelper';
 import {
 	clearSelectedRowWidgetId,
@@ -81,8 +83,6 @@ import {
 import './NewWidget.styles.scss';
 
 function NewWidget({
-	selectedDashboard,
-	dashboardId,
 	selectedGraph,
 	enableDrillDown = false,
 }: NewWidgetProps): JSX.Element {
@@ -90,6 +90,11 @@ function NewWidget({
 	const setToScrollWidgetId = useScrollToWidgetIdStore(
 		(s) => s.setToScrollWidgetId,
 	);
+	const {
+		selectedDashboard,
+		setSelectedDashboard,
+		columnWidths,
+	} = useDashboard();
 
 	const { dashboardVariables } = useDashboardVariables();
 
@@ -134,6 +139,8 @@ function NewWidget({
 
 	const query = useUrlQuery();
 
+	const { dashboardId } = useParams<DashboardWidgetPageParams>();
+
 	const [isNewDashboard, setIsNewDashboard] = useState<boolean>(false);
 
 	const logEventCalledRef = useRef(false);
@@ -279,10 +286,11 @@ function NewWidget({
 				isLogScale,
 				legendPosition,
 				customLegendColors,
-				columnWidths: selectedWidget.columnWidths,
+				columnWidths: columnWidths?.[selectedWidget?.id],
 				contextLinks,
 			};
 		});
+		// eslint-disable-next-line react-hooks/exhaustive-deps
 	}, [
 		columnUnits,
 		currentQuery,
@@ -305,8 +313,8 @@ function NewWidget({
 		isLogScale,
 		legendPosition,
 		customLegendColors,
+		columnWidths,
 		contextLinks,
-		selectedWidget.columnWidths,
 	]);
 
 	const closeModal = (): void => {
@@ -439,19 +447,6 @@ function NewWidget({
 		globalSelectedInterval,
 	]);
 
-	const navigateToDashboardPage = useCallback(() => {
-		const params = new URLSearchParams();
-
-		const urlVariablesQueryString = query.get(QueryParams.variables);
-		if (urlVariablesQueryString) {
-			params.set(QueryParams.variables, urlVariablesQueryString);
-		}
-
-		const search = params.toString() ? `?${params.toString()}` : '';
-
-		safeNavigate(generatePath(ROUTES.DASHBOARD, { dashboardId }) + search);
-	}, [dashboardId, query, safeNavigate]);
-
 	const onClickSaveHandler = useCallback(() => {
 		if (!selectedDashboard) {
 			return;
@@ -565,9 +560,12 @@ function NewWidget({
 		};
 
 		updateDashboardMutation.mutateAsync(dashboard, {
-			onSuccess: () => {
+			onSuccess: (updatedDashboard) => {
+				setSelectedDashboard(updatedDashboard.data);
 				setToScrollWidgetId(selectedWidget?.id || '');
-				navigateToDashboardPage();
+				safeNavigate({
+					pathname: generatePath(ROUTES.DASHBOARD, { dashboardId }),
+				});
 			},
 		});
 	}, [
@@ -582,8 +580,9 @@ function NewWidget({
 		preWidgets,
 		updateDashboardMutation,
 		widgets,
+		setSelectedDashboard,
 		setToScrollWidgetId,
-		navigateToDashboardPage,
+		safeNavigate,
 		dashboardId,
 	]);
 
@@ -592,12 +591,12 @@ function NewWidget({
 			setDiscardModal(true);
 			return;
 		}
-		navigateToDashboardPage();
-	}, [isQueryModified, navigateToDashboardPage]);
+		safeNavigate(generatePath(ROUTES.DASHBOARD, { dashboardId }));
+	}, [dashboardId, isQueryModified, safeNavigate]);
 
 	const discardChanges = useCallback(() => {
-		navigateToDashboardPage();
-	}, [navigateToDashboardPage]);
+		safeNavigate(generatePath(ROUTES.DASHBOARD, { dashboardId }));
+	}, [dashboardId, safeNavigate]);
 
 	const setGraphHandler = (type: PANEL_TYPES): void => {
 		setIsLoadingPanelData(true);
@@ -631,25 +630,22 @@ function NewWidget({
 		// eslint-disable-next-line react-hooks/exhaustive-deps
 	}, [query]);
 
-	const isNewPanel = useMemo(() => {
-		const widgetId = query.get('widgetId');
-		const selectedWidget = widgets?.find((e) => e.id === widgetId);
-		return isUndefined(selectedWidget);
-	}, [query, widgets]);
-
 	const onSaveDashboard = useCallback((): void => {
+		const widgetId = query.get('widgetId');
+		const selectWidget = widgets?.find((e) => e.id === widgetId);
+
 		logEvent('Panel Edit: Save changes', {
 			panelType: selectedWidget.panelTypes,
 			dashboardId: selectedDashboard?.id,
 			widgetId: selectedWidget.id,
 			dashboardName: selectedDashboard?.data.title,
 			queryType: currentQuery.queryType,
-			isNewPanel,
+			isNewPanel: isUndefined(selectWidget),
 			dataSource: currentQuery?.builder?.queryData?.[0]?.dataSource,
 		});
 		setSaveModal(true);
 		// eslint-disable-next-line react-hooks/exhaustive-deps
-	}, [isNewPanel]);
+	}, []);
 
 	const isNewTraceLogsAvailable =
 		currentQuery.queryType === EQueryType.QUERY_BUILDER &&
@@ -739,14 +735,12 @@ function NewWidget({
 		}
 		const widgetId = query.get('widgetId') || '';
 		const graphType = query.get('graphType') || '';
-		const variables = query.get(QueryParams.variables) || '';
 		const queryParams = {
 			[QueryParams.expandedWidgetId]: widgetId,
 			[QueryParams.graphType]: graphType,
 			[QueryParams.compositeQuery]: encodeURIComponent(
 				JSON.stringify(currentQuery),
 			),
-			[QueryParams.variables]: variables,
 		};
 
 		const updatedSearch = createQueryParams(queryParams);
@@ -827,8 +821,6 @@ function NewWidget({
 								isLoadingPanelData={isLoadingPanelData}
 								setQueryResponse={setQueryResponse}
 								enableDrillDown={enableDrillDown}
-								selectedDashboard={selectedDashboard}
-								isNewPanel={isNewPanel}
 							/>
 						)}
 					</OverlayScrollbar>

frontend/src/container/NewWidget/types.ts

@@ -2,7 +2,6 @@ import { Dispatch, SetStateAction } from 'react';
 import { UseQueryResult } from 'react-query';
 import { PANEL_TYPES } from 'constants/queryBuilder';
 import { GetQueryResultsProps } from 'lib/dashboard/getQueryResults';
-import { IDashboardContext } from 'providers/Dashboard/types';
 import { SuccessResponse, Warning } from 'types/api';
 import { Widgets } from 'types/api/dashboard/getAll';
 import { MetricRangePayloadProps } from 'types/api/metrics/getQueryRange';
@@ -10,9 +9,9 @@ import { MetricRangePayloadProps } from 'types/api/metrics/getQueryRange';
 import { timePreferance } from './RightContainer/timeItems';
 
 export interface NewWidgetProps {
-	dashboardId: string;
-	selectedDashboard: IDashboardContext['selectedDashboard'];
 	selectedGraph: PANEL_TYPES;
+	yAxisUnit: Widgets['yAxisUnit'];
+	fillSpans: Widgets['fillSpans'];
 	enableDrillDown?: boolean;
 }
 
@@ -35,8 +34,6 @@ export interface WidgetGraphProps {
 		>
 	>;
 	enableDrillDown?: boolean;
-	selectedDashboard: IDashboardContext['selectedDashboard'];
-	isNewPanel?: boolean;
 }
 
 export type WidgetGraphContainerProps = {

frontend/src/container/TopNav/DateTimeSelectionV2/index.tsx

@@ -30,6 +30,7 @@ import { AppState } from 'store/reducers';
 import AppActions from 'types/actions';
 import { GlobalReducer } from 'types/reducer/globalTime';
 import { addCustomTimeRange } from 'utils/customTimeRangeUtils';
+import { persistTimeDurationForRoute } from 'utils/metricsTimeStorageUtils';
 import { normalizeTimeToMs } from 'utils/timeUtils';
 import { v4 as uuid } from 'uuid';
 
@@ -234,20 +235,7 @@ function DateTimeSelection({
 
 	const updateLocalStorageForRoutes = useCallback(
 		(value: Time | string): void => {
-			const preRoutes = getLocalStorageKey(LOCALSTORAGE.METRICS_TIME_IN_DURATION);
-			if (preRoutes !== null) {
-				const preRoutesObject = JSON.parse(preRoutes);
-
-				const preRoute = {
-					...preRoutesObject,
-				};
-				preRoute[location.pathname] = value;
-
-				setLocalStorageKey(
-					LOCALSTORAGE.METRICS_TIME_IN_DURATION,
-					JSON.stringify(preRoute),
-				);
-			}
+			persistTimeDurationForRoute(location.pathname, String(value));
 		},
 		[location.pathname],
 	);
@@ -738,6 +726,7 @@ function DateTimeSelection({
 						showRecentlyUsed={showRecentlyUsed}
 						minTime={minTimeForDateTimePicker}
 						maxTime={maxTimeForDateTimePicker}
+						isModalTimeSelection={isModalTimeSelection}
 					/>
 
 					{showAutoRefresh && selectedTime !== 'custom' && (

frontend/src/hooks/__tests__/useZoomOut.test.ts

@@ -0,0 +1,160 @@
+import { act, renderHook } from '@testing-library/react';
+import { QueryParams } from 'constants/query';
+import { GlobalReducer } from 'types/reducer/globalTime';
+
+import { useZoomOut } from '../useZoomOut';
+
+const mockDispatch = jest.fn();
+const mockSafeNavigate = jest.fn();
+const mockUrlQueryDelete = jest.fn();
+const mockUrlQuerySet = jest.fn();
+const mockUrlQueryToString = jest.fn(() => '');
+
+interface MockAppState {
+	globalTime: Pick<GlobalReducer, 'minTime' | 'maxTime'>;
+}
+
+jest.mock('react-redux', () => ({
+	useDispatch: (): jest.Mock => mockDispatch,
+	useSelector: <T>(selector: (state: MockAppState) => T): T => {
+		const mockState: MockAppState = {
+			globalTime: {
+				minTime: 15 * 60 * 1000 * 1e6, // 15 min in nanoseconds
+				maxTime: 30 * 60 * 1000 * 1e6, // 30 min in nanoseconds (mock for getNextZoomOutRange)
+			},
+		};
+		return selector(mockState);
+	},
+}));
+
+jest.mock('react-router-dom', () => ({
+	useLocation: (): { pathname: string } => ({ pathname: '/logs-explorer' }),
+}));
+
+jest.mock('hooks/useSafeNavigate', () => ({
+	useSafeNavigate: (): { safeNavigate: typeof mockSafeNavigate } => ({
+		safeNavigate: mockSafeNavigate,
+	}),
+}));
+
+interface MockUrlQuery {
+	delete: typeof mockUrlQueryDelete;
+	set: typeof mockUrlQuerySet;
+	get: () => null;
+	toString: typeof mockUrlQueryToString;
+}
+
+jest.mock('hooks/useUrlQuery', () => ({
+	__esModule: true,
+	default: (): MockUrlQuery => ({
+		delete: mockUrlQueryDelete,
+		set: mockUrlQuerySet,
+		get: (): null => null,
+		toString: mockUrlQueryToString,
+	}),
+}));
+
+const mockGetNextZoomOutRange = jest.fn();
+jest.mock('lib/zoomOutUtils', () => ({
+	getNextZoomOutRange: (
+		...args: unknown[]
+	): ReturnType<typeof mockGetNextZoomOutRange> =>
+		mockGetNextZoomOutRange(...args),
+}));
+
+describe('useZoomOut', () => {
+	beforeEach(() => {
+		jest.clearAllMocks();
+		mockUrlQueryToString.mockReturnValue('relativeTime=45m');
+	});
+
+	it('should do nothing when isDisabled is true', () => {
+		const { result } = renderHook(() => useZoomOut({ isDisabled: true }));
+
+		act(() => {
+			result.current();
+		});
+
+		expect(mockGetNextZoomOutRange).not.toHaveBeenCalled();
+		expect(mockDispatch).not.toHaveBeenCalled();
+		expect(mockSafeNavigate).not.toHaveBeenCalled();
+	});
+
+	it('should do nothing when getNextZoomOutRange returns null', () => {
+		mockGetNextZoomOutRange.mockReturnValue(null);
+
+		const { result } = renderHook(() => useZoomOut());
+
+		act(() => {
+			result.current();
+		});
+
+		expect(mockGetNextZoomOutRange).toHaveBeenCalled();
+		expect(mockDispatch).not.toHaveBeenCalled();
+		expect(mockSafeNavigate).not.toHaveBeenCalled();
+	});
+
+	it('should dispatch preset and update URL when result has preset', () => {
+		mockGetNextZoomOutRange.mockReturnValue({
+			range: [1000, 2000],
+			preset: '45m',
+		});
+
+		const { result } = renderHook(() => useZoomOut());
+
+		act(() => {
+			result.current();
+		});
+
+		expect(mockDispatch).toHaveBeenCalledWith(expect.any(Function));
+		expect(mockUrlQueryDelete).toHaveBeenCalledWith(QueryParams.startTime);
+		expect(mockUrlQueryDelete).toHaveBeenCalledWith(QueryParams.endTime);
+		expect(mockUrlQuerySet).toHaveBeenCalledWith(QueryParams.relativeTime, '45m');
+		expect(mockSafeNavigate).toHaveBeenCalledWith(
+			expect.stringContaining('/logs-explorer'),
+		);
+	});
+
+	it('should dispatch custom range and update URL when result has no preset', () => {
+		mockGetNextZoomOutRange.mockReturnValue({
+			range: [1000000, 2000000],
+			preset: null,
+		});
+
+		const { result } = renderHook(() => useZoomOut());
+
+		act(() => {
+			result.current();
+		});
+
+		expect(mockDispatch).toHaveBeenCalledWith(expect.any(Function));
+		expect(mockUrlQuerySet).toHaveBeenCalledWith(
+			QueryParams.startTime,
+			'1000000',
+		);
+		expect(mockUrlQuerySet).toHaveBeenCalledWith(QueryParams.endTime, '2000000');
+		expect(mockUrlQueryDelete).toHaveBeenCalledWith(QueryParams.relativeTime);
+		expect(mockSafeNavigate).toHaveBeenCalledWith(
+			expect.stringContaining('/logs-explorer'),
+		);
+	});
+
+	it('should delete urlParamsToDelete when provided', () => {
+		mockGetNextZoomOutRange.mockReturnValue({
+			range: [1000, 2000],
+			preset: '45m',
+		});
+
+		const { result } = renderHook(() =>
+			useZoomOut({
+				urlParamsToDelete: [QueryParams.activeLogId],
+			}),
+		);
+
+		act(() => {
+			result.current();
+		});
+
+		expect(mockUrlQueryDelete).toHaveBeenCalledWith(QueryParams.activeLogId);
+	});
+});

frontend/src/hooks/dashboard/__test__/useTransformDashboardVariables.test.tsx

@@ -1,339 +0,0 @@
-import { renderHook } from '@testing-library/react';
-import { useDashboardVariablesFromLocalStorage } from 'hooks/dashboard/useDashboardFromLocalStorage';
-import { useTransformDashboardVariables } from 'hooks/dashboard/useTransformDashboardVariables';
-import useVariablesFromUrl from 'hooks/dashboard/useVariablesFromUrl';
-import { Dashboard, IDashboardVariable } from 'types/api/dashboard/getAll';
-
-jest.mock('hooks/dashboard/useDashboardFromLocalStorage');
-jest.mock('hooks/dashboard/useVariablesFromUrl');
-
-const mockUseDashboardVariablesFromLocalStorage = useDashboardVariablesFromLocalStorage as jest.MockedFunction<
-	typeof useDashboardVariablesFromLocalStorage
->;
-const mockUseVariablesFromUrl = useVariablesFromUrl as jest.MockedFunction<
-	typeof useVariablesFromUrl
->;
-
-const makeVariable = (
-	overrides: Partial<IDashboardVariable> = {},
-): IDashboardVariable => ({
-	id: 'existing-id',
-	name: 'env',
-	description: '',
-	type: 'QUERY',
-	sort: 'DISABLED',
-	multiSelect: false,
-	showALLOption: false,
-	selectedValue: 'prod',
-	...overrides,
-});
-
-const makeDashboard = (
-	variables: Record<string, IDashboardVariable>,
-): Dashboard => ({
-	id: 'dash-1',
-	createdAt: '',
-	updatedAt: '',
-	createdBy: '',
-	updatedBy: '',
-	data: {
-		title: 'Test',
-		variables,
-	},
-});
-
-const setupHook = (
-	currentDashboard: Record<string, any> = {},
-	urlVariables: Record<string, any> = {},
-): ReturnType<typeof useTransformDashboardVariables> => {
-	mockUseDashboardVariablesFromLocalStorage.mockReturnValue({
-		currentDashboard,
-		updateLocalStorageDashboardVariables: jest.fn(),
-	});
-	mockUseVariablesFromUrl.mockReturnValue({
-		getUrlVariables: () => urlVariables,
-		setUrlVariables: jest.fn(),
-		updateUrlVariable: jest.fn(),
-	});
-
-	const { result } = renderHook(() => useTransformDashboardVariables('dash-1'));
-	return result.current;
-};
-
-describe('useTransformDashboardVariables', () => {
-	beforeEach(() => jest.clearAllMocks());
-
-	describe('order assignment', () => {
-		it('assigns order starting from 0 to variables that have none', () => {
-			const { transformDashboardVariables } = setupHook();
-			const dashboard = makeDashboard({
-				v1: makeVariable({ id: 'id1', name: 'v1', order: undefined }),
-				v2: makeVariable({ id: 'id2', name: 'v2', order: undefined }),
-			});
-
-			const result = transformDashboardVariables(dashboard);
-
-			const orders = Object.values(result.data.variables).map((v) => v.order);
-			expect(orders).toContain(0);
-			expect(orders).toContain(1);
-		});
-
-		it('preserves existing order values', () => {
-			const { transformDashboardVariables } = setupHook();
-			const dashboard = makeDashboard({
-				v1: makeVariable({ id: 'id1', name: 'v1', order: 5 }),
-			});
-
-			const result = transformDashboardVariables(dashboard);
-
-			expect(result.data.variables.v1.order).toBe(5);
-		});
-
-		it('assigns unique orders across multiple variables that all lack an order', () => {
-			const { transformDashboardVariables } = setupHook();
-			const dashboard = makeDashboard({
-				v1: makeVariable({ id: 'id1', name: 'v1', order: undefined }),
-				v2: makeVariable({ id: 'id2', name: 'v2', order: undefined }),
-				v3: makeVariable({ id: 'id3', name: 'v3', order: undefined }),
-			});
-
-			const result = transformDashboardVariables(dashboard);
-
-			const orders = Object.values(result.data.variables).map((v) => v.order);
-			// All three newly assigned orders must be distinct
-			expect(new Set(orders).size).toBe(3);
-		});
-	});
-
-	describe('ID assignment', () => {
-		it('assigns a UUID to variables that have no id', () => {
-			const { transformDashboardVariables } = setupHook();
-			const variable = makeVariable({ name: 'v1' });
-			(variable as any).id = undefined;
-			const dashboard = makeDashboard({ v1: variable });
-
-			const result = transformDashboardVariables(dashboard);
-
-			expect(result.data.variables.v1.id).toMatch(
-				/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i,
-			);
-		});
-
-		it('preserves existing IDs', () => {
-			const { transformDashboardVariables } = setupHook();
-			const dashboard = makeDashboard({
-				v1: makeVariable({ id: 'keep-me', name: 'v1' }),
-			});
-
-			const result = transformDashboardVariables(dashboard);
-
-			expect(result.data.variables.v1.id).toBe('keep-me');
-		});
-	});
-
-	describe('TEXTBOX backward compatibility', () => {
-		it('copies textboxValue to defaultValue when defaultValue is missing', () => {
-			const { transformDashboardVariables } = setupHook();
-			const dashboard = makeDashboard({
-				v1: makeVariable({
-					id: 'id1',
-					name: 'v1',
-					type: 'TEXTBOX',
-					textboxValue: 'hello',
-					defaultValue: undefined,
-					order: undefined,
-				}),
-			});
-
-			const result = transformDashboardVariables(dashboard);
-
-			expect(result.data.variables.v1.defaultValue).toBe('hello');
-		});
-
-		it('does not overwrite an existing defaultValue', () => {
-			const { transformDashboardVariables } = setupHook();
-			const dashboard = makeDashboard({
-				v1: makeVariable({
-					id: 'id1',
-					name: 'v1',
-					type: 'TEXTBOX',
-					textboxValue: 'old',
-					defaultValue: 'keep',
-					order: undefined,
-				}),
-			});
-
-			const result = transformDashboardVariables(dashboard);
-
-			expect(result.data.variables.v1.defaultValue).toBe('keep');
-		});
-	});
-
-	describe('localStorage merge', () => {
-		it('applies localStorage selectedValue over DB value', () => {
-			const { transformDashboardVariables } = setupHook({
-				env: { selectedValue: 'staging', allSelected: false },
-			});
-			const dashboard = makeDashboard({
-				v1: makeVariable({ id: 'id1', name: 'env', selectedValue: 'prod' }),
-			});
-
-			const result = transformDashboardVariables(dashboard);
-
-			expect(result.data.variables.v1.selectedValue).toBe('staging');
-		});
-
-		it('applies localStorage allSelected over DB value', () => {
-			const { transformDashboardVariables } = setupHook({
-				env: { selectedValue: undefined, allSelected: true },
-			});
-			const dashboard = makeDashboard({
-				v1: makeVariable({
-					id: 'id1',
-					name: 'env',
-					allSelected: false,
-					showALLOption: true,
-				}),
-			});
-
-			const result = transformDashboardVariables(dashboard);
-
-			expect(result.data.variables.v1.allSelected).toBe(true);
-		});
-	});
-
-	describe('URL variable override', () => {
-		it('sets allSelected=true when URL value is __ALL__', () => {
-			const { transformDashboardVariables } = setupHook(
-				{ env: { selectedValue: 'prod', allSelected: false } },
-				{ env: '__ALL__' },
-			);
-			const dashboard = makeDashboard({
-				v1: makeVariable({
-					id: 'id1',
-					name: 'env',
-					showALLOption: true,
-					allSelected: false,
-				}),
-			});
-
-			const result = transformDashboardVariables(dashboard);
-
-			expect(result.data.variables.v1.allSelected).toBe(true);
-		});
-
-		it('sets selectedValue from URL and clears allSelected when showALLOption is true', () => {
-			const { transformDashboardVariables } = setupHook(
-				{ env: { selectedValue: undefined, allSelected: true } },
-				{ env: 'dev' },
-			);
-			const dashboard = makeDashboard({
-				v1: makeVariable({
-					id: 'id1',
-					name: 'env',
-					showALLOption: true,
-					allSelected: true,
-					multiSelect: false,
-				}),
-			});
-
-			const result = transformDashboardVariables(dashboard);
-
-			expect(result.data.variables.v1.selectedValue).toBe('dev');
-			expect(result.data.variables.v1.allSelected).toBe(false);
-		});
-
-		it('does not set allSelected=false when showALLOption is false', () => {
-			const { transformDashboardVariables } = setupHook(
-				{ env: { selectedValue: undefined, allSelected: true } },
-				{ env: 'dev' },
-			);
-			const dashboard = makeDashboard({
-				v1: makeVariable({
-					id: 'id1',
-					name: 'env',
-					showALLOption: false,
-					allSelected: true,
-					multiSelect: false,
-				}),
-			});
-
-			const result = transformDashboardVariables(dashboard);
-
-			expect(result.data.variables.v1.selectedValue).toBe('dev');
-			expect(result.data.variables.v1.allSelected).toBe(true);
-		});
-
-		it('normalizes array URL value to single value for single-select variable', () => {
-			const { transformDashboardVariables } = setupHook(
-				{},
-				{ env: ['prod', 'dev'] },
-			);
-			const dashboard = makeDashboard({
-				v1: makeVariable({
-					id: 'id1',
-					name: 'env',
-					multiSelect: false,
-				}),
-			});
-
-			const result = transformDashboardVariables(dashboard);
-
-			expect(result.data.variables.v1.selectedValue).toBe('prod');
-		});
-
-		it('wraps single URL value in array for multi-select variable', () => {
-			const { transformDashboardVariables } = setupHook({}, { env: 'prod' });
-			const dashboard = makeDashboard({
-				v1: makeVariable({
-					id: 'id1',
-					name: 'env',
-					multiSelect: true,
-				}),
-			});
-
-			const result = transformDashboardVariables(dashboard);
-
-			expect(result.data.variables.v1.selectedValue).toEqual(['prod']);
-		});
-
-		it('looks up URL variable by variable id when name is absent', () => {
-			const { transformDashboardVariables } = setupHook(
-				{},
-				{ 'var-uuid': 'fallback' },
-			);
-			const variable = makeVariable({ id: 'var-uuid', multiSelect: false });
-			delete variable.name;
-			const dashboard = makeDashboard({ v1: variable });
-
-			const result = transformDashboardVariables(dashboard);
-
-			expect(result.data.variables.v1.selectedValue).toBe('fallback');
-		});
-	});
-
-	describe('edge cases', () => {
-		it('returns data unchanged when there are no variables', () => {
-			const { transformDashboardVariables } = setupHook();
-			const dashboard = makeDashboard({});
-
-			const result = transformDashboardVariables(dashboard);
-
-			expect(result.data.variables).toEqual({});
-		});
-
-		it('does not mutate the original dashboard', () => {
-			const { transformDashboardVariables } = setupHook({
-				env: { selectedValue: 'staging', allSelected: false },
-			});
-			const dashboard = makeDashboard({
-				v1: makeVariable({ id: 'id1', name: 'env', selectedValue: 'prod' }),
-			});
-			const originalValue = dashboard.data.variables.v1.selectedValue;
-
-			transformDashboardVariables(dashboard);
-
-			expect(dashboard.data.variables.v1.selectedValue).toBe(originalValue);
-		});
-	});
-});

frontend/src/hooks/dashboard/useDashboardFromLocalStorage.tsx

@@ -15,7 +15,7 @@ interface DashboardLocalStorageVariables {
 	[id: string]: LocalStoreDashboardVariables;
 }
 
-export interface UseDashboardVariablesFromLocalStorageReturn {
+interface UseDashboardVariablesFromLocalStorageReturn {
 	currentDashboard: LocalStoreDashboardVariables;
 	updateLocalStorageDashboardVariables: (
 		id: string,

frontend/src/hooks/dashboard/useTransformDashboardVariables.ts

@@ -1,128 +0,0 @@
-import { ALL_SELECTED_VALUE } from 'components/NewSelect/utils';
-import {
-	useDashboardVariablesFromLocalStorage,
-	UseDashboardVariablesFromLocalStorageReturn,
-} from 'hooks/dashboard/useDashboardFromLocalStorage';
-import useVariablesFromUrl, {
-	UseVariablesFromUrlReturn,
-} from 'hooks/dashboard/useVariablesFromUrl';
-import { isEmpty } from 'lodash-es';
-import { normalizeUrlValueForVariable } from 'providers/Dashboard/normalizeUrlValue';
-import { Dashboard, IDashboardVariable } from 'types/api/dashboard/getAll';
-import { v4 as generateUUID } from 'uuid';
-
-export function useTransformDashboardVariables(
-	dashboardId: string,
-): Pick<UseVariablesFromUrlReturn, 'getUrlVariables' | 'updateUrlVariable'> &
-	UseDashboardVariablesFromLocalStorageReturn & {
-		transformDashboardVariables: (data: Dashboard) => Dashboard;
-	} {
-	const {
-		currentDashboard,
-		updateLocalStorageDashboardVariables,
-	} = useDashboardVariablesFromLocalStorage(dashboardId);
-	const { getUrlVariables, updateUrlVariable } = useVariablesFromUrl();
-
-	const mergeDBWithLocalStorage = (
-		data: Dashboard,
-		localStorageVariables: any,
-	): Dashboard => {
-		const updatedData = data;
-		if (data && localStorageVariables) {
-			const updatedVariables = data.data.variables;
-			const variablesFromUrl = getUrlVariables();
-			Object.keys(data.data.variables).forEach((variable) => {
-				const variableData = data.data.variables[variable];
-
-				// values from url
-				const urlVariable = variableData?.name
-					? variablesFromUrl[variableData?.name] || variablesFromUrl[variableData.id]
-					: variablesFromUrl[variableData.id];
-
-				let updatedVariable = {
-					...data.data.variables[variable],
-					...localStorageVariables[variableData.name as any],
-				};
-
-				// respect the url variable if it is set, override the others
-				if (!isEmpty(urlVariable)) {
-					if (urlVariable === ALL_SELECTED_VALUE) {
-						updatedVariable = {
-							...updatedVariable,
-							allSelected: true,
-						};
-					} else {
-						// Normalize URL value to match variable's multiSelect configuration
-						const normalizedValue = normalizeUrlValueForVariable(
-							urlVariable,
-							variableData,
-						);
-
-						updatedVariable = {
-							...updatedVariable,
-							selectedValue: normalizedValue,
-							// Only set allSelected to false if showALLOption is available
-							...(updatedVariable?.showALLOption && { allSelected: false }),
-						};
-					}
-				}
-
-				updatedVariables[variable] = updatedVariable;
-			});
-			updatedData.data.variables = updatedVariables;
-		}
-		return updatedData;
-	};
-
-	// As we do not have order and ID's in the variables object, we have to process variables to add order and ID if they do not exist in the variables object
-	// eslint-disable-next-line sonarjs/cognitive-complexity
-	const transformDashboardVariables = (data: Dashboard): Dashboard => {
-		if (data && data.data && data.data.variables) {
-			const clonedDashboardData = mergeDBWithLocalStorage(
-				JSON.parse(JSON.stringify(data)),
-				currentDashboard,
-			);
-			const { variables } = clonedDashboardData.data;
-			const existingOrders: Set<number> = new Set();
-
-			for (const key in variables) {
-				// eslint-disable-next-line no-prototype-builtins
-				if (variables.hasOwnProperty(key)) {
-					const variable: IDashboardVariable = variables[key];
-
-					// Check if 'order' property doesn't exist or is undefined
-					if (variable.order === undefined) {
-						// Find a unique order starting from 0
-						let order = 0;
-						while (existingOrders.has(order)) {
-							order += 1;
-						}
-
-						variable.order = order;
-						existingOrders.add(order);
-						// ! BWC - Specific case for backward compatibility where textboxValue was used instead of defaultValue
-						if (variable.type === 'TEXTBOX' && !variable.defaultValue) {
-							variable.defaultValue = variable.textboxValue || '';
-						}
-					}
-
-					if (variable.id === undefined) {
-						variable.id = generateUUID();
-					}
-				}
-			}
-
-			return clonedDashboardData;
-		}
-
-		return data;
-	};
-
-	return {
-		transformDashboardVariables,
-		getUrlVariables,
-		updateUrlVariable,
-		currentDashboard,
-		updateLocalStorageDashboardVariables,
-	};
-}

frontend/src/hooks/dashboard/useVariablesFromUrl.tsx

@@ -11,7 +11,7 @@ export interface LocalStoreDashboardVariables {
 		| IDashboardVariable['selectedValue'];
 }
 
-export interface UseVariablesFromUrlReturn {
+interface UseVariablesFromUrlReturn {
 	getUrlVariables: () => LocalStoreDashboardVariables;
 	setUrlVariables: (variables: LocalStoreDashboardVariables) => void;
 	updateUrlVariable: (

frontend/src/hooks/queryBuilder/useCreateAlerts.tsx

@@ -107,6 +107,7 @@ const useCreateAlerts = (widget?: Widgets, caller?: string): VoidFunction => {
 		queryRangeMutation,
 		dashboardVariables,
 		dashboardDynamicVariables,
+		selectedDashboard?.data.version,
 		widget,
 	]);
 };

frontend/src/hooks/useZoomOut.ts

@@ -0,0 +1,79 @@
+import { useCallback, useRef } from 'react';
+// eslint-disable-next-line no-restricted-imports
+import { useDispatch, useSelector } from 'react-redux';
+import { useLocation } from 'react-router-dom';
+import { QueryParams } from 'constants/query';
+import { useSafeNavigate } from 'hooks/useSafeNavigate';
+import useUrlQuery from 'hooks/useUrlQuery';
+import { getNextZoomOutRange } from 'lib/zoomOutUtils';
+import { UpdateTimeInterval } from 'store/actions';
+import { AppState } from 'store/reducers';
+import { GlobalReducer } from 'types/reducer/globalTime';
+import { persistTimeDurationForRoute } from 'utils/metricsTimeStorageUtils';
+
+export interface UseZoomOutOptions {
+	/** When true, the zoom out handler does nothing (e.g. when live logs are enabled) */
+	isDisabled?: boolean;
+	/** URL params to delete when zooming out (e.g. [QueryParams.activeLogId] for logs) */
+	urlParamsToDelete?: string[];
+}
+
+/**
+ * Reusable hook for zoom-out functionality in explorers (logs, traces, etc.).
+ * Computes the next time range using the zoom-out ladder, updates Redux global time,
+ * and navigates with the new URL params.
+ */
+const EMPTY_PARAMS: string[] = [];
+
+export function useZoomOut(options: UseZoomOutOptions = {}): () => void {
+	const { isDisabled = false, urlParamsToDelete = EMPTY_PARAMS } = options;
+	const urlParamsToDeleteRef = useRef(urlParamsToDelete);
+	urlParamsToDeleteRef.current = urlParamsToDelete;
+
+	const dispatch = useDispatch();
+	const { minTime, maxTime } = useSelector<AppState, GlobalReducer>(
+		(state) => state.globalTime,
+	);
+	const urlQuery = useUrlQuery();
+	const location = useLocation();
+	const { safeNavigate } = useSafeNavigate();
+
+	return useCallback((): void => {
+		if (isDisabled) {
+			return;
+		}
+		const minMs = Math.floor((minTime ?? 0) / 1e6);
+		const maxMs = Math.floor((maxTime ?? 0) / 1e6);
+		const result = getNextZoomOutRange(minMs, maxMs);
+		if (!result) {
+			return;
+		}
+		const [newStartMs, newEndMs] = result.range;
+		const { preset } = result;
+
+		if (preset) {
+			dispatch(UpdateTimeInterval(preset));
+			urlQuery.delete(QueryParams.startTime);
+			urlQuery.delete(QueryParams.endTime);
+			urlQuery.set(QueryParams.relativeTime, preset);
+			persistTimeDurationForRoute(location.pathname, preset);
+		} else {
+			dispatch(UpdateTimeInterval('custom', [newStartMs, newEndMs]));
+			urlQuery.set(QueryParams.startTime, String(newStartMs));
+			urlQuery.set(QueryParams.endTime, String(newEndMs));
+			urlQuery.delete(QueryParams.relativeTime);
+		}
+		for (const param of urlParamsToDeleteRef.current) {
+			urlQuery.delete(param);
+		}
+		safeNavigate(`${location.pathname}?${urlQuery.toString()}`);
+	}, [
+		dispatch,
+		isDisabled,
+		location.pathname,
+		maxTime,
+		minTime,
+		safeNavigate,
+		urlQuery,
+	]);
+}

frontend/src/lib/__tests__/zoomOutUtils.test.ts

@@ -0,0 +1,147 @@
+import {
+	getNextDurationInLadder,
+	getNextZoomOutRange,
+	isZoomOutDisabled,
+	ZoomOutResult,
+} from '../zoomOutUtils';
+
+const MS_PER_MIN = 60 * 1000;
+const MS_PER_HOUR = 60 * MS_PER_MIN;
+const MS_PER_DAY = 24 * MS_PER_HOUR;
+const MS_PER_WEEK = 7 * MS_PER_DAY;
+
+// Fixed "now" for deterministic tests: 2024-01-15 12:00:00 UTC
+const NOW_MS = 1705312800000;
+
+describe('zoomOutUtils', () => {
+	beforeEach(() => {
+		jest.spyOn(Date, 'now').mockReturnValue(NOW_MS);
+	});
+
+	afterEach(() => {
+		jest.restoreAllMocks();
+	});
+
+	describe('getNextDurationInLadder', () => {
+		it('should use 3x zoom out below 15m until reaching 15m', () => {
+			expect(getNextDurationInLadder(1 * MS_PER_MIN)).toBe(3 * MS_PER_MIN);
+			expect(getNextDurationInLadder(2 * MS_PER_MIN)).toBe(6 * MS_PER_MIN);
+			expect(getNextDurationInLadder(3 * MS_PER_MIN)).toBe(9 * MS_PER_MIN);
+			expect(getNextDurationInLadder(4 * MS_PER_MIN)).toBe(12 * MS_PER_MIN);
+			expect(getNextDurationInLadder(5 * MS_PER_MIN)).toBe(15 * MS_PER_MIN); // cap at 15m
+			expect(getNextDurationInLadder(6 * MS_PER_MIN)).toBe(15 * MS_PER_MIN); // 18m capped
+		});
+
+		it('should return next step for each ladder rung from 15m onward', () => {
+			expect(getNextDurationInLadder(10 * MS_PER_MIN)).toBe(15 * MS_PER_MIN);
+			expect(getNextDurationInLadder(15 * MS_PER_MIN)).toBe(45 * MS_PER_MIN);
+			expect(getNextDurationInLadder(45 * MS_PER_MIN)).toBe(2 * MS_PER_HOUR);
+			expect(getNextDurationInLadder(2 * MS_PER_HOUR)).toBe(7 * MS_PER_HOUR);
+			expect(getNextDurationInLadder(7 * MS_PER_HOUR)).toBe(21 * MS_PER_HOUR);
+			expect(getNextDurationInLadder(21 * MS_PER_HOUR)).toBe(1 * MS_PER_DAY);
+			expect(getNextDurationInLadder(1 * MS_PER_DAY)).toBe(2 * MS_PER_DAY);
+			expect(getNextDurationInLadder(2 * MS_PER_DAY)).toBe(3 * MS_PER_DAY);
+			expect(getNextDurationInLadder(3 * MS_PER_DAY)).toBe(1 * MS_PER_WEEK);
+			expect(getNextDurationInLadder(1 * MS_PER_WEEK)).toBe(2 * MS_PER_WEEK);
+			expect(getNextDurationInLadder(2 * MS_PER_WEEK)).toBe(30 * MS_PER_DAY);
+		});
+
+		it('should return MAX when at or past 1 month (no wrap)', () => {
+			expect(getNextDurationInLadder(30 * MS_PER_DAY)).toBe(30 * MS_PER_DAY);
+			expect(getNextDurationInLadder(31 * MS_PER_DAY)).toBe(30 * MS_PER_DAY);
+		});
+
+		it('should return next step for duration between ladder rungs', () => {
+			expect(getNextDurationInLadder(1 * MS_PER_HOUR)).toBe(2 * MS_PER_HOUR);
+			expect(getNextDurationInLadder(5 * MS_PER_HOUR)).toBe(7 * MS_PER_HOUR);
+			expect(getNextDurationInLadder(12 * MS_PER_HOUR)).toBe(21 * MS_PER_HOUR);
+		});
+	});
+
+	describe('getNextZoomOutRange', () => {
+		it('should return null when duration is zero or negative', () => {
+			expect(getNextZoomOutRange(NOW_MS, NOW_MS)).toBeNull();
+			expect(getNextZoomOutRange(NOW_MS, NOW_MS - 1000)).toBeNull();
+		});
+
+		it('should return center-anchored range and preset=null when new end does not exceed now (Phase 1)', () => {
+			// 15m range centered well before now so zoom to 45m keeps end <= now
+			// Center at now-30m: end = center + 22.5m = now - 7.5m <= now
+			const centerMs = NOW_MS - 30 * MS_PER_MIN;
+			const start15m = centerMs - 7.5 * MS_PER_MIN;
+			const end15m = centerMs + 7.5 * MS_PER_MIN;
+			const result = getNextZoomOutRange(start15m, end15m) as ZoomOutResult;
+
+			expect(result).not.toBeNull();
+			expect(result.preset).toBeNull(); // Phase 1: preserve center-anchored range, avoid GetMinMax "last X from now"
+			const [newStart, newEnd] = result.range;
+			expect(newEnd - newStart).toBe(45 * MS_PER_MIN);
+			const newCenter = (newStart + newEnd) / 2;
+			expect(Math.abs(newCenter - centerMs)).toBeLessThan(2000);
+			expect(newEnd).toBeLessThanOrEqual(NOW_MS + 1000);
+		});
+
+		it('should return end-anchored range when new end would exceed now (Phase 2)', () => {
+			// 22hr range ending at now - zoom to 1d (24hr) would push end past now
+			// Next ladder step from 22hr is 1d
+			const start22h = NOW_MS - 22 * MS_PER_HOUR;
+			const end22h = NOW_MS;
+			const result = getNextZoomOutRange(start22h, end22h) as ZoomOutResult;
+
+			expect(result).not.toBeNull();
+			expect(result.preset).toBe('1d');
+			const [newStart, newEnd] = result.range;
+			expect(newEnd).toBe(NOW_MS); // End anchored at now
+			expect(newStart).toBe(NOW_MS - 1 * MS_PER_DAY);
+		});
+
+		it('should return correct preset for each ladder step', () => {
+			const presets: [number, number, string][] = [
+				[15 * MS_PER_MIN, 0, '45m'],
+				[45 * MS_PER_MIN, 0, '2h'],
+				[2 * MS_PER_HOUR, 0, '7h'],
+				[7 * MS_PER_HOUR, 0, '21h'],
+				[21 * MS_PER_HOUR, 0, '1d'],
+				[1 * MS_PER_DAY, 0, '2d'],
+				[2 * MS_PER_DAY, 0, '3d'],
+				[3 * MS_PER_DAY, 0, '1w'],
+				[1 * MS_PER_WEEK, 0, '2w'],
+				[2 * MS_PER_WEEK, 0, '1month'],
+			];
+
+			presets.forEach(([durationMs, offset, expectedPreset]) => {
+				const end = NOW_MS - offset;
+				const start = end - durationMs;
+				const result = getNextZoomOutRange(start, end);
+				expect(result?.preset).toBe(expectedPreset);
+			});
+		});
+
+		it('isZoomOutDisabled returns true when duration >= 1 month', () => {
+			expect(isZoomOutDisabled(30 * MS_PER_DAY)).toBe(true);
+			expect(isZoomOutDisabled(31 * MS_PER_DAY)).toBe(true);
+			expect(isZoomOutDisabled(29 * MS_PER_DAY)).toBe(false);
+			expect(isZoomOutDisabled(15 * MS_PER_MIN)).toBe(false);
+		});
+
+		it('should return null when at 1 month (no zoom out beyond max)', () => {
+			const start1m = NOW_MS - 30 * MS_PER_DAY;
+			const end1m = NOW_MS;
+			const result = getNextZoomOutRange(start1m, end1m);
+
+			expect(result).toBeNull();
+		});
+
+		it('should zoom out 3x from 5m range to 15m then continue with ladder', () => {
+			// 5m range ending at now → 3x = 15m
+			const start5m = NOW_MS - 5 * MS_PER_MIN;
+			const end5m = NOW_MS;
+			const result = getNextZoomOutRange(start5m, end5m) as ZoomOutResult;
+
+			expect(result).not.toBeNull();
+			expect(result.preset).toBe('15m');
+			const [newStart, newEnd] = result.range;
+			expect(newEnd - newStart).toBe(15 * MS_PER_MIN);
+		});
+	});
+});

frontend/src/lib/zoomOutUtils.ts

@@ -0,0 +1,139 @@
+/**
+ * Custom Time Picker zoom-out ladder:
+ * - Until 1 day: 15m → 45m → 2hr → 7hr → 21hr
+ * - Then fixed: 1d → 2d → 3d → 1w → 2w → 1m
+ * - At 1 month: zoom out is disabled (max range)
+ */
+
+import type {
+	CustomTimeType,
+	Time,
+} from 'container/TopNav/DateTimeSelectionV2/types';
+
+const MS_PER_MIN = 60 * 1000;
+const MS_PER_HOUR = 60 * MS_PER_MIN;
+const MS_PER_DAY = 24 * MS_PER_HOUR;
+const MS_PER_WEEK = 7 * MS_PER_DAY;
+
+const ZOOM_OUT_LADDER_MS: number[] = [
+	15 * MS_PER_MIN, // 15m
+	45 * MS_PER_MIN, // 45m
+	2 * MS_PER_HOUR, // 2hr
+	7 * MS_PER_HOUR, // 7hr
+	21 * MS_PER_HOUR, // 21hr
+	1 * MS_PER_DAY, // 1d
+	2 * MS_PER_DAY, // 2d
+	3 * MS_PER_DAY, // 3d
+	1 * MS_PER_WEEK, // 1w
+	2 * MS_PER_WEEK, // 2w
+	30 * MS_PER_DAY, // 1m
+];
+
+const LADDER_LAST_INDEX = ZOOM_OUT_LADDER_MS.length - 1;
+const MAX_DURATION = ZOOM_OUT_LADDER_MS[LADDER_LAST_INDEX];
+const MIN_LADDER_DURATION_MS = ZOOM_OUT_LADDER_MS[0]; // 15m - below this we use 3x
+
+export const MAX_ZOOM_OUT_DURATION_MS = MAX_DURATION;
+
+/** Returns true when zoom out should be disabled (range at or beyond 1 month) */
+export function isZoomOutDisabled(durationMs: number): boolean {
+	return durationMs >= MAX_ZOOM_OUT_DURATION_MS;
+}
+
+/** Preset labels for ladder steps supported by GetMinMax (shows "Last 15 minutes" etc. instead of "Custom") */
+const PRESET_FOR_DURATION_MS: Record<number, Time | CustomTimeType> = {
+	[15 * MS_PER_MIN]: '15m',
+	[45 * MS_PER_MIN]: '45m',
+	[2 * MS_PER_HOUR]: '2h',
+	[7 * MS_PER_HOUR]: '7h',
+	[21 * MS_PER_HOUR]: '21h',
+	[1 * MS_PER_DAY]: '1d',
+	[2 * MS_PER_DAY]: '2d',
+	[3 * MS_PER_DAY]: '3d',
+	[1 * MS_PER_WEEK]: '1w',
+	[2 * MS_PER_WEEK]: '2w',
+	[30 * MS_PER_DAY]: '1month',
+};
+
+/**
+ * Returns the next duration in the zoom-out ladder for the given current duration.
+ * Below 15m: zoom out 3x until we reach 15m, then continue with the ladder.
+ * If at or past 1 month, returns MAX_DURATION (no zoom out - button is disabled).
+ */
+export function getNextDurationInLadder(durationMs: number): number {
+	if (durationMs >= MAX_DURATION) {
+		return MAX_DURATION; // No zoom out beyond 1 month
+	}
+
+	// Below 15m: zoom out 3x until we reach 15m
+	if (durationMs < MIN_LADDER_DURATION_MS) {
+		const next = durationMs * 3;
+		return Math.min(next, MIN_LADDER_DURATION_MS);
+	}
+
+	// At or above 15m: use the fixed ladder
+	for (let i = 0; i < ZOOM_OUT_LADDER_MS.length; i++) {
+		if (ZOOM_OUT_LADDER_MS[i] > durationMs) {
+			return ZOOM_OUT_LADDER_MS[i];
+		}
+	}
+
+	return MAX_DURATION;
+}
+
+export interface ZoomOutResult {
+	range: [number, number];
+	/** Preset key (e.g. '15m') when range matches a preset - use for display instead of "Custom Date Range" */
+	preset: Time | CustomTimeType | null;
+}
+
+/**
+ * Computes the next zoomed-out time range.
+ * Phase 1 (center-anchored): While new end <= now, expand from center.
+ * Phase 2 (end-anchored at now): When new end would exceed now, anchor end at now and move start backward.
+ *
+ * @returns ZoomOutResult with range and preset (or null if no change)
+ */
+export function getNextZoomOutRange(
+	startMs: number,
+	endMs: number,
+): ZoomOutResult | null {
+	const nowMs = Date.now();
+	const durationMs = endMs - startMs;
+
+	if (durationMs <= 0) {
+		return null;
+	}
+
+	const newDurationMs = getNextDurationInLadder(durationMs);
+
+	// No zoom out when already at max (1 month)
+	if (newDurationMs <= durationMs) {
+		return null;
+	}
+	const centerMs = startMs + durationMs / 2;
+	const computedEndMs = centerMs + newDurationMs / 2;
+
+	let newStartMs: number;
+	let newEndMs: number;
+
+	const isPhase1 = computedEndMs <= nowMs;
+	if (isPhase1) {
+		// Phase 1: center-anchored (historical range not ending at now)
+		newStartMs = centerMs - newDurationMs / 2;
+		newEndMs = computedEndMs;
+	} else {
+		// Phase 2: end-anchored at now
+		newStartMs = nowMs - newDurationMs;
+		newEndMs = nowMs;
+	}
+
+	// Phase 2 only: use preset so GetMinMax produces "last X from now".
+	// Phase 1: preset=null so the center-anchored range is preserved (GetMinMax would discard it).
+	const preset = isPhase1 ? null : PRESET_FOR_DURATION_MS[newDurationMs] ?? null;
+
+	return {
+		range: [Math.round(newStartMs), Math.round(newEndMs)],
+		preset,
+	};
+}

frontend/src/pages/DashboardPage/index.tsx

@@ -1,16 +1,3 @@
-import { useParams } from 'react-router-dom';
-import { DashboardProvider } from 'providers/Dashboard/Dashboard';
-
 import DashboardPage from './DashboardPage';
 
-function DashboardPageWithProvider(): JSX.Element {
-	const { dashboardId } = useParams<{ dashboardId: string }>();
-
-	return (
-		<DashboardProvider dashboardId={dashboardId}>
-			<DashboardPage />
-		</DashboardProvider>
-	);
-}
-
-export default DashboardPageWithProvider;
+export default DashboardPage;

frontend/src/pages/DashboardWidget/__tests__/DashboardWidget.test.tsx

@@ -1,146 +0,0 @@
-import { Route } from 'react-router-dom';
-import { PANEL_TYPES } from 'constants/queryBuilder';
-import { rest, server } from 'mocks-server/server';
-import { render, screen, waitFor } from 'tests/test-utils';
-
-import DashboardWidget from '../index';
-
-const DASHBOARD_ID = 'dash-1';
-const WIDGET_ID = 'widget-abc';
-
-const mockDashboardResponse = {
-	status: 'success',
-	data: {
-		id: DASHBOARD_ID,
-		createdAt: '2024-01-01T00:00:00Z',
-		createdBy: 'test',
-		updatedAt: '2024-01-01T00:00:00Z',
-		updatedBy: 'test',
-		isLocked: false,
-		data: {
-			collapsableRowsMigrated: true,
-			description: '',
-			name: '',
-			panelMap: {},
-			tags: [],
-			title: 'Test Dashboard',
-			uploadedGrafana: false,
-			uuid: '',
-			version: '',
-			variables: {},
-			widgets: [],
-			layout: [],
-		},
-	},
-};
-
-const mockSafeNavigate = jest.fn();
-
-jest.mock('hooks/useSafeNavigate', () => ({
-	useSafeNavigate: (): { safeNavigate: jest.Mock } => ({
-		safeNavigate: mockSafeNavigate,
-	}),
-}));
-
-jest.mock('container/NewWidget', () => ({
-	__esModule: true,
-	default: (): JSX.Element => <div data-testid="new-widget">NewWidget</div>,
-}));
-
-// nuqs's useQueryState doesn't read from MemoryRouter, so we mock it to return
-// controlled values via the `mockQueryState` map below.
-const mockQueryState: Record<string, string | null> = {};
-
-jest.mock('nuqs', () => ({
-	...jest.requireActual('nuqs'),
-	useQueryState: (key: string): [string | null, jest.Mock] => [
-		mockQueryState[key] ?? null,
-		jest.fn(),
-	],
-}));
-
-// Wrap component in a Route so useParams can resolve dashboardId
-function renderAtRoute(
-	queryState: Record<string, string | null> = {},
-): ReturnType<typeof render> {
-	Object.assign(mockQueryState, queryState);
-	return render(
-		<Route path="/dashboard/:dashboardId/new">
-			<DashboardWidget />
-		</Route>,
-		undefined,
-		{ initialRoute: `/dashboard/${DASHBOARD_ID}/new` },
-	);
-}
-
-beforeEach(() => {
-	mockSafeNavigate.mockClear();
-	Object.keys(mockQueryState).forEach((k) => delete mockQueryState[k]);
-});
-
-describe('DashboardWidget', () => {
-	it('redirects to dashboard when widgetId is missing', async () => {
-		renderAtRoute({ graphType: PANEL_TYPES.TIME_SERIES });
-
-		await waitFor(() => {
-			expect(mockSafeNavigate).toHaveBeenCalled();
-		});
-
-		const [navigatedTo] = mockSafeNavigate.mock.calls[0];
-		expect(navigatedTo).toContain(`/dashboard/${DASHBOARD_ID}`);
-	});
-
-	it('redirects to dashboard when graphType is missing', async () => {
-		renderAtRoute({ widgetId: WIDGET_ID });
-
-		await waitFor(() => {
-			expect(mockSafeNavigate).toHaveBeenCalled();
-		});
-
-		const [navigatedTo] = mockSafeNavigate.mock.calls[0];
-		expect(navigatedTo).toContain(`/dashboard/${DASHBOARD_ID}`);
-	});
-
-	it('shows spinner while dashboard is loading', () => {
-		server.use(
-			rest.get(
-				`http://localhost/api/v1/dashboards/${DASHBOARD_ID}`,
-				(_req, res, ctx) => res(ctx.delay('infinite')),
-			),
-		);
-
-		renderAtRoute({ widgetId: WIDGET_ID, graphType: PANEL_TYPES.TIME_SERIES });
-
-		expect(screen.getByRole('img', { name: 'loading' })).toBeInTheDocument();
-	});
-
-	it('shows error message when dashboard fetch fails', async () => {
-		server.use(
-			rest.get(
-				`http://localhost/api/v1/dashboards/${DASHBOARD_ID}`,
-				(_req, res, ctx) => res(ctx.status(500), ctx.json({ status: 'error' })),
-			),
-		);
-
-		renderAtRoute({ widgetId: WIDGET_ID, graphType: PANEL_TYPES.TIME_SERIES });
-
-		await waitFor(() => {
-			expect(screen.getByText('Something went wrong')).toBeInTheDocument();
-		});
-	});
-
-	it('renders NewWidget when dashboard loads successfully', async () => {
-		server.use(
-			rest.get(
-				`http://localhost/api/v1/dashboards/${DASHBOARD_ID}`,
-				(_req, res, ctx) => res(ctx.status(200), ctx.json(mockDashboardResponse)),
-			),
-		);
-
-		renderAtRoute({ widgetId: WIDGET_ID, graphType: PANEL_TYPES.TIME_SERIES });
-
-		await waitFor(() => {
-			expect(screen.getByTestId('new-widget')).toBeInTheDocument();
-		});
-	});
-});

frontend/src/pages/DashboardWidget/index.tsx

@@ -1,98 +1,50 @@
 import { useEffect, useState } from 'react';
-import { useQuery } from 'react-query';
-import { generatePath, useParams } from 'react-router-dom';
+import { generatePath, useLocation, useParams } from 'react-router-dom';
 import { Card, Typography } from 'antd';
-import getDashboard from 'api/v1/dashboards/id/get';
 import Spinner from 'components/Spinner';
 import { SOMETHING_WENT_WRONG } from 'constants/api';
 import { PANEL_TYPES } from 'constants/queryBuilder';
-import { DASHBOARD_CACHE_TIME } from 'constants/queryCacheTime';
-import { REACT_QUERY_KEY } from 'constants/reactQueryKeys';
 import ROUTES from 'constants/routes';
 import NewWidget from 'container/NewWidget';
 import { isDrilldownEnabled } from 'container/QueryTable/Drilldown/drilldownUtils';
-import { useTransformDashboardVariables } from 'hooks/dashboard/useTransformDashboardVariables';
 import { useSafeNavigate } from 'hooks/useSafeNavigate';
-import { parseAsStringEnum, useQueryState } from 'nuqs';
-import { setDashboardVariablesStore } from 'providers/Dashboard/store/dashboardVariables/dashboardVariablesStore';
-import { Dashboard } from 'types/api/dashboard/getAll';
+import useUrlQuery from 'hooks/useUrlQuery';
+import { useDashboard } from 'providers/Dashboard/Dashboard';
+import { Widgets } from 'types/api/dashboard/getAll';
 
 function DashboardWidget(): JSX.Element | null {
-	const { dashboardId } = useParams<{
-		dashboardId: string;
-	}>();
-	const [widgetId] = useQueryState('widgetId');
-	const [graphType] = useQueryState(
-		'graphType',
-		parseAsStringEnum<PANEL_TYPES>(Object.values(PANEL_TYPES)),
-	);
-
+	const { search } = useLocation();
+	const { dashboardId } = useParams<DashboardWidgetPageParams>();
 	const { safeNavigate } = useSafeNavigate();
 
+	const [selectedGraph, setSelectedGraph] = useState<PANEL_TYPES>();
+
+	const { selectedDashboard, dashboardResponse } = useDashboard();
+
+	const params = useUrlQuery();
+
+	const widgetId = params.get('widgetId');
+	const { data } = selectedDashboard || {};
+	const { widgets } = data || {};
+
+	const selectedWidget = widgets?.find((e) => e.id === widgetId) as Widgets;
+
 	useEffect(() => {
-		if (!graphType || !widgetId) {
+		const params = new URLSearchParams(search);
+		const graphType = params.get('graphType') as PANEL_TYPES | null;
+
+		if (graphType === null) {
 			safeNavigate(generatePath(ROUTES.DASHBOARD, { dashboardId }));
-		} else if (!dashboardId) {
-			safeNavigate(ROUTES.HOME);
+		} else {
+			setSelectedGraph(graphType);
 		}
-	}, [graphType, widgetId, dashboardId, safeNavigate]);
+	}, [dashboardId, safeNavigate, search]);
 
-	if (!widgetId || !graphType) {
-		return null;
-	}
-
-	return (
-		<DashboardWidgetInternal
-			dashboardId={dashboardId}
-			widgetId={widgetId}
-			graphType={graphType}
-		/>
-	);
-}
-
-function DashboardWidgetInternal({
-	dashboardId,
-	widgetId,
-	graphType,
-}: {
-	dashboardId: string;
-	widgetId: string;
-	graphType: PANEL_TYPES;
-}): JSX.Element | null {
-	const [selectedDashboard, setSelectedDashboard] = useState<
-		Dashboard | undefined
-	>(undefined);
-
-	const { transformDashboardVariables } = useTransformDashboardVariables(
-		dashboardId,
-	);
-
-	const {
-		isFetching: isFetchingDashboardResponse,
-		isError: isErrorDashboardResponse,
-	} = useQuery([REACT_QUERY_KEY.DASHBOARD_BY_ID, dashboardId, widgetId], {
-		enabled: true,
-		queryFn: async () =>
-			await getDashboard({
-				id: dashboardId,
-			}),
-		refetchOnWindowFocus: false,
-		cacheTime: DASHBOARD_CACHE_TIME,
-		onSuccess: (response) => {
-			const updatedDashboardData = transformDashboardVariables(response.data);
-			setSelectedDashboard(updatedDashboardData);
-			setDashboardVariablesStore({
-				dashboardId,
-				variables: updatedDashboardData.data.variables,
-			});
-		},
-	});
-
-	if (isFetchingDashboardResponse) {
+	if (selectedGraph === undefined || dashboardResponse.isLoading) {
 		return <Spinner tip="Loading.." />;
 	}
 
-	if (isErrorDashboardResponse) {
+	if (dashboardResponse.isError) {
 		return (
 			<Card>
 				<Typography>{SOMETHING_WENT_WRONG}</Typography>
@@ -102,11 +54,16 @@ function DashboardWidgetInternal({
 
 	return (
 		<NewWidget
-			dashboardId={dashboardId}
-			selectedGraph={graphType}
+			yAxisUnit={selectedWidget?.yAxisUnit}
+			selectedGraph={selectedGraph}
+			fillSpans={selectedWidget?.fillSpans}
 			enableDrillDown={isDrilldownEnabled()}
-			selectedDashboard={selectedDashboard}
 		/>
 	);
 }
+
+export interface DashboardWidgetPageParams {
+	dashboardId: string;
+}
+
 export default DashboardWidget;

frontend/src/pages/DashboardsListPage/__tests__/DashboardListPage.test.tsx

@@ -8,6 +8,7 @@ import {
 } from 'mocks-server/__mockdata__/dashboards';
 import { server } from 'mocks-server/server';
 import { rest } from 'msw';
+import { DashboardProvider } from 'providers/Dashboard/Dashboard';
 import { fireEvent, render, waitFor } from 'tests/test-utils';
 
 jest.mock('container/DashboardContainer/DashboardDescription/utils', () => ({
@@ -18,6 +19,11 @@ jest.mock('container/DashboardContainer/DashboardDescription/utils', () => ({
 jest.mock('react-router-dom', () => ({
 	...jest.requireActual('react-router-dom'),
 	useLocation: jest.fn(),
+	useRouteMatch: jest.fn().mockReturnValue({
+		params: {
+			dashboardId: 4,
+		},
+	}),
 }));
 
 const mockWindowOpen = jest.fn();
@@ -41,7 +47,9 @@ describe('dashboard list page', () => {
 			<MemoryRouter
 				initialEntries={['/dashbords?columnKey=asgard&order=stones&page=1']}
 			>
-				<DashboardsList />
+				<DashboardProvider>
+					<DashboardsList />
+				</DashboardProvider>
 			</MemoryRouter>,
 		);
 
@@ -63,7 +71,9 @@ describe('dashboard list page', () => {
 			<MemoryRouter
 				initialEntries={['/dashbords?columnKey=createdAt&order=descend&page=1']}
 			>
-				<DashboardsList />
+				<DashboardProvider>
+					<DashboardsList />
+				</DashboardProvider>
 			</MemoryRouter>,
 		);
 
@@ -82,7 +92,9 @@ describe('dashboard list page', () => {
 					'/dashbords?columnKey=createdAt&order=descend&page=1&search=tho',
 				]}
 			>
-				<DashboardsList />
+				<DashboardProvider>
+					<DashboardsList />
+				</DashboardProvider>
 			</MemoryRouter>,
 		);
 
@@ -123,7 +135,9 @@ describe('dashboard list page', () => {
 					'/dashbords?columnKey=createdAt&order=descend&page=1&search=tho',
 				]}
 			>
-				<DashboardsList />
+				<DashboardProvider>
+					<DashboardsList />
+				</DashboardProvider>
 			</MemoryRouter>,
 		);
 
@@ -150,7 +164,9 @@ describe('dashboard list page', () => {
 					'/dashbords?columnKey=createdAt&order=descend&page=1&search=tho',
 				]}
 			>
-				<DashboardsList />
+				<DashboardProvider>
+					<DashboardsList />
+				</DashboardProvider>
 			</MemoryRouter>,
 		);
 
@@ -180,7 +196,9 @@ describe('dashboard list page', () => {
 					'/dashbords?columnKey=createdAt&order=descend&page=1&search=tho',
 				]}
 			>
-				<DashboardsList />
+				<DashboardProvider>
+					<DashboardsList />
+				</DashboardProvider>
 			</MemoryRouter>,
 		);
 

frontend/src/providers/Dashboard/Dashboard.tsx

@@ -14,21 +14,26 @@ import { useTranslation } from 'react-i18next';
 import { useMutation, useQuery, UseQueryResult } from 'react-query';
 // eslint-disable-next-line no-restricted-imports
 import { useDispatch, useSelector } from 'react-redux';
+import { useRouteMatch } from 'react-router-dom';
 import { Modal } from 'antd';
 import getDashboard from 'api/v1/dashboards/id/get';
 import locked from 'api/v1/dashboards/id/lock';
+import { ALL_SELECTED_VALUE } from 'components/NewSelect/utils';
 import { REACT_QUERY_KEY } from 'constants/reactQueryKeys';
+import ROUTES from 'constants/routes';
 import dayjs, { Dayjs } from 'dayjs';
-import { useTransformDashboardVariables } from 'hooks/dashboard/useTransformDashboardVariables';
+import { useDashboardVariablesFromLocalStorage } from 'hooks/dashboard/useDashboardFromLocalStorage';
+import useVariablesFromUrl from 'hooks/dashboard/useVariablesFromUrl';
 import useTabVisibility from 'hooks/useTabFocus';
 import { getUpdatedLayout } from 'lib/dashboard/getUpdatedLayout';
 import { getMinMaxForSelectedTime } from 'lib/getMinMax';
-import { defaultTo } from 'lodash-es';
+import { defaultTo, isEmpty } from 'lodash-es';
 import isEqual from 'lodash-es/isEqual';
 import isUndefined from 'lodash-es/isUndefined';
 import omitBy from 'lodash-es/omitBy';
 import { useAppContext } from 'providers/App/App';
 import { initializeDefaultVariables } from 'providers/Dashboard/initializeDefaultVariables';
+import { normalizeUrlValueForVariable } from 'providers/Dashboard/normalizeUrlValue';
 import { useErrorModal } from 'providers/ErrorModalProvider';
 // eslint-disable-next-line no-restricted-imports
 import { Dispatch } from 'redux';
@@ -36,9 +41,10 @@ import { AppState } from 'store/reducers';
 import AppActions from 'types/actions';
 import { UPDATE_TIME_INTERVAL } from 'types/actions/globalTime';
 import { SuccessResponseV2 } from 'types/api';
-import { Dashboard } from 'types/api/dashboard/getAll';
+import { Dashboard, IDashboardVariable } from 'types/api/dashboard/getAll';
 import APIError from 'types/api/error';
 import { GlobalReducer } from 'types/reducer/globalTime';
+import { v4 as generateUUID } from 'uuid';
 
 import {
 	DASHBOARD_CACHE_TIME,
@@ -77,11 +83,14 @@ export const DashboardContext = createContext<IDashboardContext>({
 	setColumnWidths: () => {},
 });
 
+interface Props {
+	dashboardId: string;
+}
+
 // eslint-disable-next-line sonarjs/cognitive-complexity
 export function DashboardProvider({
 	children,
-	dashboardId,
-}: PropsWithChildren<{ dashboardId: string }>): JSX.Element {
+}: PropsWithChildren): JSX.Element {
 	const [isDashboardSliderOpen, setIsDashboardSlider] = useState<boolean>(false);
 
 	const [isDashboardLocked, setIsDashboardLocked] = useState<boolean>(false);
@@ -91,6 +100,11 @@ export function DashboardProvider({
 		setDashboardQueryRangeCalled,
 	] = useState<boolean>(false);
 
+	const isDashboardPage = useRouteMatch<Props>({
+		path: ROUTES.DASHBOARD,
+		exact: true,
+	});
+
 	const { showErrorModal } = useErrorModal();
 
 	const dispatch = useDispatch<Dispatch<AppActions>>();
@@ -101,6 +115,11 @@ export function DashboardProvider({
 
 	const [onModal, Content] = Modal.useModal();
 
+	const isDashboardWidgetPage = useRouteMatch<Props>({
+		path: ROUTES.DASHBOARD_WIDGET,
+		exact: true,
+	});
+
 	const [layouts, setLayouts] = useState<Layout[]>([]);
 
 	const [panelMap, setPanelMap] = useState<
@@ -109,6 +128,11 @@ export function DashboardProvider({
 
 	const { isLoggedIn } = useAppContext();
 
+	const dashboardId =
+		(isDashboardPage
+			? isDashboardPage.params.dashboardId
+			: isDashboardWidgetPage?.params.dashboardId) || '';
+
 	const [selectedDashboard, setSelectedDashboard] = useState<Dashboard>();
 	const dashboardVariables = useDashboardVariablesSelector((s) => s.variables);
 	const savedDashboardId = useDashboardVariablesSelector((s) => s.dashboardId);
@@ -133,10 +157,9 @@ export function DashboardProvider({
 	const {
 		currentDashboard,
 		updateLocalStorageDashboardVariables,
-		getUrlVariables,
-		updateUrlVariable,
-		transformDashboardVariables,
-	} = useTransformDashboardVariables(dashboardId);
+	} = useDashboardVariablesFromLocalStorage(dashboardId);
+
+	const { getUrlVariables, updateUrlVariable } = useVariablesFromUrl();
 
 	const updatedTimeRef = useRef<Dayjs | null>(null); // Using ref to store the updated time
 	const modalRef = useRef<any>(null);
@@ -148,14 +171,108 @@ export function DashboardProvider({
 
 	const [isDashboardFetching, setIsDashboardFetching] = useState<boolean>(false);
 
+	const mergeDBWithLocalStorage = (
+		data: Dashboard,
+		localStorageVariables: any,
+	): Dashboard => {
+		const updatedData = data;
+		if (data && localStorageVariables) {
+			const updatedVariables = data.data.variables;
+			const variablesFromUrl = getUrlVariables();
+			Object.keys(data.data.variables).forEach((variable) => {
+				const variableData = data.data.variables[variable];
+
+				// values from url
+				const urlVariable = variableData?.name
+					? variablesFromUrl[variableData?.name] || variablesFromUrl[variableData.id]
+					: variablesFromUrl[variableData.id];
+
+				let updatedVariable = {
+					...data.data.variables[variable],
+					...localStorageVariables[variableData.name as any],
+				};
+
+				// respect the url variable if it is set, override the others
+				if (!isEmpty(urlVariable)) {
+					if (urlVariable === ALL_SELECTED_VALUE) {
+						updatedVariable = {
+							...updatedVariable,
+							allSelected: true,
+						};
+					} else {
+						// Normalize URL value to match variable's multiSelect configuration
+						const normalizedValue = normalizeUrlValueForVariable(
+							urlVariable,
+							variableData,
+						);
+
+						updatedVariable = {
+							...updatedVariable,
+							selectedValue: normalizedValue,
+							// Only set allSelected to false if showALLOption is available
+							...(updatedVariable?.showALLOption && { allSelected: false }),
+						};
+					}
+				}
+
+				updatedVariables[variable] = updatedVariable;
+			});
+			updatedData.data.variables = updatedVariables;
+		}
+		return updatedData;
+	};
+	// As we do not have order and ID's in the variables object, we have to process variables to add order and ID if they do not exist in the variables object
+	// eslint-disable-next-line sonarjs/cognitive-complexity
+	const transformDashboardVariables = (data: Dashboard): Dashboard => {
+		if (data && data.data && data.data.variables) {
+			const clonedDashboardData = mergeDBWithLocalStorage(
+				JSON.parse(JSON.stringify(data)),
+				currentDashboard,
+			);
+			const { variables } = clonedDashboardData.data;
+			const existingOrders: Set<number> = new Set();
+
+			for (const key in variables) {
+				// eslint-disable-next-line no-prototype-builtins
+				if (variables.hasOwnProperty(key)) {
+					const variable: IDashboardVariable = variables[key];
+
+					// Check if 'order' property doesn't exist or is undefined
+					if (variable.order === undefined) {
+						// Find a unique order starting from 0
+						let order = 0;
+						while (existingOrders.has(order)) {
+							order += 1;
+						}
+
+						variable.order = order;
+						existingOrders.add(order);
+						// ! BWC - Specific case for backward compatibility where textboxValue was used instead of defaultValue
+						if (variable.type === 'TEXTBOX' && !variable.defaultValue) {
+							variable.defaultValue = variable.textboxValue || '';
+						}
+					}
+
+					if (variable.id === undefined) {
+						variable.id = generateUUID();
+					}
+				}
+			}
+
+			return clonedDashboardData;
+		}
+
+		return data;
+	};
 	const dashboardResponse = useQuery(
 		[
 			REACT_QUERY_KEY.DASHBOARD_BY_ID,
+			isDashboardPage?.params,
 			dashboardId,
 			globalTime.isAutoRefreshDisabled,
 		],
 		{
-			enabled: !!dashboardId && isLoggedIn,
+			enabled: (!!isDashboardPage || !!isDashboardWidgetPage) && isLoggedIn,
 			queryFn: async () => {
 				setIsDashboardFetching(true);
 				try {
@@ -178,14 +295,13 @@ export function DashboardProvider({
 			},
 
 			onSuccess: (data: SuccessResponseV2<Dashboard>) => {
-				const updatedDashboardData = transformDashboardVariables(data?.data);
-
-				// initialize URL variables after dashboard state is set to avoid race conditions
-				const variables = updatedDashboardData?.data?.variables;
+				// if the url variable is not set for any variable, set it to the default value
+				const variables = data?.data?.data?.variables;
 				if (variables) {
 					initializeDefaultVariables(variables, getUrlVariables, updateUrlVariable);
 				}
 
+				const updatedDashboardData = transformDashboardVariables(data?.data);
 				const updatedDate = dayjs(updatedDashboardData?.updatedAt);
 
 				setIsDashboardLocked(updatedDashboardData?.locked || false);
@@ -276,7 +392,11 @@ export function DashboardProvider({
 
 	useEffect(() => {
 		// make the call on tab visibility only if the user is on dashboard / widget page
-		if (isVisible && updatedTimeRef.current && !!dashboardId) {
+		if (
+			isVisible &&
+			updatedTimeRef.current &&
+			(!!isDashboardPage || !!isDashboardWidgetPage)
+		) {
 			dashboardResponse.refetch();
 		}
 		// eslint-disable-next-line react-hooks/exhaustive-deps

frontend/src/providers/Dashboard/__tests__/Dashboard.test.tsx

@@ -2,10 +2,11 @@ import { QueryClient, QueryClientProvider } from 'react-query';
 // eslint-disable-next-line no-restricted-imports
 import { useSelector } from 'react-redux';
 import { MemoryRouter } from 'react-router-dom';
-import { render, RenderResult, screen, waitFor } from '@testing-library/react';
+import { render, screen, waitFor } from '@testing-library/react';
 import getDashboard from 'api/v1/dashboards/id/get';
 import { DASHBOARD_CACHE_TIME_ON_REFRESH_ENABLED } from 'constants/queryCacheTime';
 import { REACT_QUERY_KEY } from 'constants/reactQueryKeys';
+import ROUTES from 'constants/routes';
 import { DashboardProvider, useDashboard } from 'providers/Dashboard/Dashboard';
 import { IDashboardVariable } from 'types/api/dashboard/getAll';
 
@@ -18,28 +19,30 @@ jest.mock('api/v1/dashboards/id/get');
 jest.mock('api/v1/dashboards/id/lock');
 const mockGetDashboard = jest.mocked(getDashboard);
 
+// Mock useRouteMatch to simulate different route scenarios
+const mockUseRouteMatch = jest.fn();
+jest.mock('react-router-dom', () => ({
+	...jest.requireActual('react-router-dom'),
+	useRouteMatch: (): any => mockUseRouteMatch(),
+}));
+
 // Mock other dependencies
 jest.mock('hooks/useSafeNavigate', () => ({
-	useSafeNavigate: (): { safeNavigate: jest.Mock } => ({
+	useSafeNavigate: (): any => ({
 		safeNavigate: jest.fn(),
 	}),
 }));
 
 // Mock only the essential dependencies for Dashboard provider
 jest.mock('providers/App/App', () => ({
-	useAppContext: (): {
-		isLoggedIn: boolean;
-		user: { email: string; role: string };
-	} => ({
+	useAppContext: (): any => ({
 		isLoggedIn: true,
 		user: { email: 'test@example.com', role: 'ADMIN' },
 	}),
 }));
 
 jest.mock('providers/ErrorModalProvider', () => ({
-	useErrorModal: (): { showErrorModal: jest.Mock } => ({
-		showErrorModal: jest.fn(),
-	}),
+	useErrorModal: (): any => ({ showErrorModal: jest.fn() }),
 }));
 
 jest.mock('react-redux', () => ({
@@ -57,10 +60,11 @@ jest.mock('uuid', () => ({ v4: jest.fn(() => 'mock-uuid') }));
 function TestComponent(): JSX.Element {
 	const { dashboardResponse, selectedDashboard } = useDashboard();
 	const { dashboardVariables } = useDashboardVariables();
+	const dashboardId = selectedDashboard?.id;
 
 	return (
 		<div>
-			<div data-testid="dashboard-id">{selectedDashboard?.id}</div>
+			<div data-testid="dashboard-id">{dashboardId}</div>
 			<div data-testid="query-status">{dashboardResponse.status}</div>
 			<div data-testid="is-loading">{dashboardResponse.isLoading.toString()}</div>
 			<div data-testid="is-fetching">
@@ -90,15 +94,27 @@ function createTestQueryClient(): QueryClient {
 
 // Helper to render with dashboard provider
 function renderWithDashboardProvider(
-	dashboardId = 'test-dashboard-id',
-): RenderResult {
+	initialRoute = '/dashboard/test-dashboard-id',
+	routeMatchParams?: { dashboardId: string } | null,
+): any {
 	const queryClient = createTestQueryClient();
-	const initialRoute = dashboardId ? `/dashboard/${dashboardId}` : '/dashboard';
+
+	// Mock the route match
+	mockUseRouteMatch.mockReturnValue(
+		routeMatchParams
+			? {
+					path: ROUTES.DASHBOARD,
+					url: `/dashboard/${routeMatchParams.dashboardId}`,
+					isExact: true,
+					params: routeMatchParams,
+			  }
+			: null,
+	);
 
 	return render(
 		<QueryClientProvider client={queryClient}>
 			<MemoryRouter initialEntries={[initialRoute]}>
-				<DashboardProvider dashboardId={dashboardId}>
+				<DashboardProvider>
 					<TestComponent />
 				</DashboardProvider>
 			</MemoryRouter>
@@ -172,7 +188,7 @@ describe('Dashboard Provider - Query Key with Route Params', () => {
 	describe('Query Key Behavior', () => {
 		it('should include route params in query key when on dashboard page', async () => {
 			const dashboardId = 'test-dashboard-id';
-			renderWithDashboardProvider(dashboardId);
+			renderWithDashboardProvider(`/dashboard/${dashboardId}`, { dashboardId });
 
 			await waitFor(() => {
 				expect(mockGetDashboard).toHaveBeenCalledWith({ id: dashboardId });
@@ -187,17 +203,30 @@ describe('Dashboard Provider - Query Key with Route Params', () => {
 			const newDashboardId = 'new-dashboard-id';
 
 			// First render with initial dashboard ID
-			const { rerender } = renderWithDashboardProvider(initialDashboardId);
+			const { rerender } = renderWithDashboardProvider(
+				`/dashboard/${initialDashboardId}`,
+				{
+					dashboardId: initialDashboardId,
+				},
+			);
 
 			await waitFor(() => {
 				expect(mockGetDashboard).toHaveBeenCalledWith({ id: initialDashboardId });
 			});
 
-			// Rerender with new dashboard ID prop
+			// Change route params to simulate navigation
+			mockUseRouteMatch.mockReturnValue({
+				path: ROUTES.DASHBOARD,
+				url: `/dashboard/${newDashboardId}`,
+				isExact: true,
+				params: { dashboardId: newDashboardId },
+			});
+
+			// Rerender with new route
 			rerender(
 				<QueryClientProvider client={createTestQueryClient()}>
 					<MemoryRouter initialEntries={[`/dashboard/${newDashboardId}`]}>
-						<DashboardProvider dashboardId={newDashboardId}>
+						<DashboardProvider>
 							<TestComponent />
 						</DashboardProvider>
 					</MemoryRouter>
@@ -212,24 +241,50 @@ describe('Dashboard Provider - Query Key with Route Params', () => {
 			expect(mockGetDashboard).toHaveBeenCalledTimes(2);
 		});
 
-		it('should not fetch when no dashboardId is provided', () => {
-			renderWithDashboardProvider('');
+		it('should not fetch when not on dashboard page', () => {
+			// Mock no route match (not on dashboard page)
+			mockUseRouteMatch.mockReturnValue(null);
+
+			renderWithDashboardProvider('/some-other-page', null);
 
 			// Should not call the API
 			expect(mockGetDashboard).not.toHaveBeenCalled();
 		});
+
+		it('should handle undefined route params gracefully', async () => {
+			// Mock route match with undefined params
+			mockUseRouteMatch.mockReturnValue({
+				path: ROUTES.DASHBOARD,
+				url: '/dashboard/undefined',
+				isExact: true,
+				params: undefined,
+			});
+
+			renderWithDashboardProvider('/dashboard/undefined');
+
+			// Should not call API when params are undefined
+			expect(mockGetDashboard).not.toHaveBeenCalled();
+		});
 	});
 
 	describe('Cache Behavior', () => {
-		it('should create separate cache entries for different dashboardIds', async () => {
+		it('should create separate cache entries for different route params', async () => {
 			const queryClient = createTestQueryClient();
 			const dashboardId1 = 'dashboard-1';
 			const dashboardId2 = 'dashboard-2';
 
+			// First dashboard
+			mockUseRouteMatch.mockReturnValue({
+				path: ROUTES.DASHBOARD,
+				url: `/dashboard/${dashboardId1}`,
+				isExact: true,
+				params: { dashboardId: dashboardId1 },
+			});
+
 			const { rerender } = render(
 				<QueryClientProvider client={queryClient}>
 					<MemoryRouter initialEntries={[`/dashboard/${dashboardId1}`]}>
-						<DashboardProvider dashboardId={dashboardId1}>
+						<DashboardProvider>
 							<TestComponent />
 						</DashboardProvider>
 					</MemoryRouter>
@@ -240,10 +295,18 @@ describe('Dashboard Provider - Query Key with Route Params', () => {
 				expect(mockGetDashboard).toHaveBeenCalledWith({ id: dashboardId1 });
 			});
 
+			// Second dashboard
+			mockUseRouteMatch.mockReturnValue({
+				path: ROUTES.DASHBOARD,
+				url: `/dashboard/${dashboardId2}`,
+				isExact: true,
+				params: { dashboardId: dashboardId2 },
+			});
+
 			rerender(
 				<QueryClientProvider client={queryClient}>
 					<MemoryRouter initialEntries={[`/dashboard/${dashboardId2}`]}>
-						<DashboardProvider dashboardId={dashboardId2}>
+						<DashboardProvider>
 							<TestComponent />
 						</DashboardProvider>
 					</MemoryRouter>
@@ -262,11 +325,13 @@ describe('Dashboard Provider - Query Key with Route Params', () => {
 			expect(cacheKeys).toHaveLength(2);
 			expect(cacheKeys[0]).toEqual([
 				REACT_QUERY_KEY.DASHBOARD_BY_ID,
+				{ dashboardId: dashboardId1 },
 				dashboardId1,
 				true, // globalTime.isAutoRefreshDisabled
 			]);
 			expect(cacheKeys[1]).toEqual([
 				REACT_QUERY_KEY.DASHBOARD_BY_ID,
+				{ dashboardId: dashboardId2 },
 				dashboardId2,
 				true, // globalTime.isAutoRefreshDisabled
 			]);
@@ -283,10 +348,17 @@ describe('Dashboard Provider - Query Key with Route Params', () => {
 			const queryClient = createTestQueryClient();
 			const dashboardId = 'auto-refresh-dashboard';
 
+			mockUseRouteMatch.mockReturnValue({
+				path: ROUTES.DASHBOARD,
+				url: `/dashboard/${dashboardId}`,
+				isExact: true,
+				params: { dashboardId },
+			});
+
 			render(
 				<QueryClientProvider client={queryClient}>
 					<MemoryRouter initialEntries={[`/dashboard/${dashboardId}`]}>
-						<DashboardProvider dashboardId={dashboardId}>
+						<DashboardProvider>
 							<TestComponent />
 						</DashboardProvider>
 					</MemoryRouter>
@@ -303,7 +375,7 @@ describe('Dashboard Provider - Query Key with Route Params', () => {
 				.find(
 					(query) =>
 						query.queryKey[0] === REACT_QUERY_KEY.DASHBOARD_BY_ID &&
-						query.queryKey[2] === false,
+						query.queryKey[3] === false,
 				);
 			expect(dashboardQuery).toBeDefined();
 			expect((dashboardQuery as { cacheTime: number }).cacheTime).toBe(
@@ -365,7 +437,9 @@ describe('Dashboard Provider - URL Variables Integration', () => {
 			// Empty URL variables - tests initialization flow
 			mockGetUrlVariables.mockReturnValue({});
 
-			renderWithDashboardProvider(DASHBOARD_ID);
+			renderWithDashboardProvider(`/dashboard/${DASHBOARD_ID}`, {
+				dashboardId: DASHBOARD_ID,
+			});
 
 			await waitFor(() => {
 				expect(mockGetDashboard).toHaveBeenCalledWith({ id: DASHBOARD_ID });
@@ -381,7 +455,6 @@ describe('Dashboard Provider - URL Variables Integration', () => {
 							multiSelect: false,
 							allSelected: false,
 							showALLOption: true,
-							order: 0,
 						},
 						services: {
 							id: 'svc-id',
@@ -389,7 +462,6 @@ describe('Dashboard Provider - URL Variables Integration', () => {
 							multiSelect: true,
 							allSelected: false,
 							showALLOption: true,
-							order: 1,
 						},
 					},
 					mockGetUrlVariables,
@@ -421,7 +493,9 @@ describe('Dashboard Provider - URL Variables Integration', () => {
 				.mockReturnValueOnce('development')
 				.mockReturnValueOnce(['db', 'cache']);
 
-			renderWithDashboardProvider(DASHBOARD_ID);
+			renderWithDashboardProvider(`/dashboard/${DASHBOARD_ID}`, {
+				dashboardId: DASHBOARD_ID,
+			});
 
 			await waitFor(() => {
 				expect(mockGetDashboard).toHaveBeenCalledWith({ id: DASHBOARD_ID });
@@ -481,7 +555,9 @@ describe('Dashboard Provider - URL Variables Integration', () => {
 
 			mockGetUrlVariables.mockReturnValue(urlVariables);
 
-			renderWithDashboardProvider(DASHBOARD_ID);
+			renderWithDashboardProvider(`/dashboard/${DASHBOARD_ID}`, {
+				dashboardId: DASHBOARD_ID,
+			});
 
 			await waitFor(() => {
 				expect(mockGetDashboard).toHaveBeenCalledWith({ id: DASHBOARD_ID });
@@ -517,7 +593,9 @@ describe('Dashboard Provider - URL Variables Integration', () => {
 				.mockReturnValueOnce('development')
 				.mockReturnValueOnce(['api']);
 
-			renderWithDashboardProvider(DASHBOARD_ID);
+			renderWithDashboardProvider(`/dashboard/${DASHBOARD_ID}`, {
+				dashboardId: DASHBOARD_ID,
+			});
 
 			await waitFor(() => {
 				// Verify normalization was called with the specific values and variable configs
@@ -584,7 +662,9 @@ describe('Dashboard Provider - Textbox Variable Backward Compatibility', () => {
 			} as any);
 			/* eslint-enable @typescript-eslint/no-explicit-any */
 
-			renderWithDashboardProvider(DASHBOARD_ID);
+			renderWithDashboardProvider(`/dashboard/${DASHBOARD_ID}`, {
+				dashboardId: DASHBOARD_ID,
+			});
 
 			await waitFor(() => {
 				expect(mockGetDashboard).toHaveBeenCalledWith({ id: DASHBOARD_ID });
@@ -626,7 +706,9 @@ describe('Dashboard Provider - Textbox Variable Backward Compatibility', () => {
 			} as any);
 			/* eslint-enable @typescript-eslint/no-explicit-any */
 
-			renderWithDashboardProvider(DASHBOARD_ID);
+			renderWithDashboardProvider(`/dashboard/${DASHBOARD_ID}`, {
+				dashboardId: DASHBOARD_ID,
+			});
 
 			await waitFor(() => {
 				expect(mockGetDashboard).toHaveBeenCalledWith({ id: DASHBOARD_ID });
@@ -669,7 +751,9 @@ describe('Dashboard Provider - Textbox Variable Backward Compatibility', () => {
 			} as any);
 			/* eslint-enable @typescript-eslint/no-explicit-any */
 
-			renderWithDashboardProvider(DASHBOARD_ID);
+			renderWithDashboardProvider(`/dashboard/${DASHBOARD_ID}`, {
+				dashboardId: DASHBOARD_ID,
+			});
 
 			await waitFor(() => {
 				expect(mockGetDashboard).toHaveBeenCalledWith({ id: DASHBOARD_ID });
@@ -711,7 +795,9 @@ describe('Dashboard Provider - Textbox Variable Backward Compatibility', () => {
 			} as any);
 			/* eslint-enable @typescript-eslint/no-explicit-any */
 
-			renderWithDashboardProvider(DASHBOARD_ID);
+			renderWithDashboardProvider(`/dashboard/${DASHBOARD_ID}`, {
+				dashboardId: DASHBOARD_ID,
+			});
 
 			await waitFor(() => {
 				expect(mockGetDashboard).toHaveBeenCalledWith({ id: DASHBOARD_ID });

frontend/src/utils/metricsTimeStorageUtils.ts

@@ -0,0 +1,28 @@
+import getLocalStorageKey from 'api/browser/localstorage/get';
+import setLocalStorageKey from 'api/browser/localstorage/set';
+import { LOCALSTORAGE } from 'constants/localStorage';
+
+/**
+ * Updates the stored time duration for a route in localStorage.
+ * Used by both DateTimeSelectionV2 (manual time pick) and useZoomOut (zoom out button).
+ *
+ * @param pathname - The route path (e.g. /infrastructure-monitoring/hosts)
+ * @param value - The time value to store (preset string like '1w' or JSON string for custom range)
+ */
+export function persistTimeDurationForRoute(
+	pathname: string,
+	value: string,
+): void {
+	const preRoutes = getLocalStorageKey(LOCALSTORAGE.METRICS_TIME_IN_DURATION);
+	let preRoutesObject: Record<string, string> = {};
+	try {
+		preRoutesObject = preRoutes ? JSON.parse(preRoutes) : {};
+	} catch {
+		preRoutesObject = {};
+	}
+	const preRoute = { ...preRoutesObject, [pathname]: value };
+	setLocalStorageKey(
+		LOCALSTORAGE.METRICS_TIME_IN_DURATION,
+		JSON.stringify(preRoute),
+	);
+}

pkg/apiserver/signozapiserver/user.go

@@ -111,74 +111,6 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		return err
 	}
 
-	if err := router.Handle("/api/v1/pats", handler.New(provider.authZ.AdminAccess(provider.userHandler.CreateAPIKey), handler.OpenAPIDef{
-		ID:                  "CreateAPIKey",
-		Tags:                []string{"users"},
-		Summary:             "Create api key",
-		Description:         "This endpoint creates an api key",
-		Request:             new(types.PostableAPIKey),
-		RequestContentType:  "application/json",
-		Response:            new(types.GettableAPIKey),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusCreated,
-		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict},
-		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
-	})).Methods(http.MethodPost).GetError(); err != nil {
-		return err
-	}
-
-	if err := router.Handle("/api/v1/pats", handler.New(provider.authZ.AdminAccess(provider.userHandler.ListAPIKeys), handler.OpenAPIDef{
-		ID:                  "ListAPIKeys",
-		Tags:                []string{"users"},
-		Summary:             "List api keys",
-		Description:         "This endpoint lists all api keys",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            make([]*types.GettableAPIKey, 0),
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusOK,
-		ErrorStatusCodes:    []int{},
-		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
-	})).Methods(http.MethodGet).GetError(); err != nil {
-		return err
-	}
-
-	if err := router.Handle("/api/v1/pats/{id}", handler.New(provider.authZ.AdminAccess(provider.userHandler.UpdateAPIKey), handler.OpenAPIDef{
-		ID:                  "UpdateAPIKey",
-		Tags:                []string{"users"},
-		Summary:             "Update api key",
-		Description:         "This endpoint updates an api key",
-		Request:             new(types.StorableAPIKey),
-		RequestContentType:  "application/json",
-		Response:            nil,
-		ResponseContentType: "application/json",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},
-		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
-	})).Methods(http.MethodPut).GetError(); err != nil {
-		return err
-	}
-
-	if err := router.Handle("/api/v1/pats/{id}", handler.New(provider.authZ.AdminAccess(provider.userHandler.RevokeAPIKey), handler.OpenAPIDef{
-		ID:                  "RevokeAPIKey",
-		Tags:                []string{"users"},
-		Summary:             "Revoke api key",
-		Description:         "This endpoint revokes an api key",
-		Request:             nil,
-		RequestContentType:  "",
-		Response:            nil,
-		ResponseContentType: "",
-		SuccessStatusCode:   http.StatusNoContent,
-		ErrorStatusCodes:    []int{http.StatusNotFound},
-		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
-	})).Methods(http.MethodDelete).GetError(); err != nil {
-		return err
-	}
-
 	if err := router.Handle("/api/v1/user", handler.New(provider.authZ.AdminAccess(provider.userHandler.ListUsers), handler.OpenAPIDef{
 		ID:                  "ListUsers",
 		Tags:                []string{"users"},

pkg/authn/passwordauthn/emailpasswordauthn/authn.go

@@ -30,5 +30,5 @@ func (a *AuthN) Authenticate(ctx context.Context, email string, password string,
 		return nil, errors.New(errors.TypeUnauthenticated, types.ErrCodeIncorrectPassword, "invalid email or password")
 	}
 
-	return authtypes.NewIdentity(user.ID, orgID, user.Email, user.Role), nil
+	return authtypes.NewIdentity(user.ID, valuer.UUID{}, authtypes.PrincipalUser, orgID, user.Email), nil
 }

pkg/authz/authzstore/sqlauthzstore/store.go

@@ -97,11 +97,7 @@ func (store *store) ListByOrgIDAndNames(ctx context.Context, orgID valuer.UUID,
 	}
 
 	if len(roles) != len(names) {
-		return nil, store.sqlstore.WrapNotFoundErrf(
-			nil,
-			roletypes.ErrCodeRoleNotFound,
-			"not all roles found for the provided names: %v", names,
-		)
+		return nil, errors.Newf(errors.TypeInvalidInput, roletypes.ErrCodeRoleNotFound, "not all roles found for the provided names: %v", names)
 	}
 
 	return roles, nil
@@ -122,11 +118,7 @@ func (store *store) ListByOrgIDAndIDs(ctx context.Context, orgID valuer.UUID, id
 	}
 
 	if len(roles) != len(ids) {
-		return nil, store.sqlstore.WrapNotFoundErrf(
-			nil,
-			roletypes.ErrCodeRoleNotFound,
-			"not all roles found for the provided ids: %v", ids,
-		)
+		return nil, errors.Newf(errors.TypeInvalidInput, roletypes.ErrCodeRoleNotFound, "not all roles found for the provided ids: %v", ids)
 	}
 
 	return roles, nil

pkg/authz/openfgaserver/server.go

@@ -128,9 +128,22 @@ func (server *Server) BatchCheck(ctx context.Context, tupleReq map[string]*openf
 }
 
 func (server *Server) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, _ authtypes.Relation, _ authtypes.Typeable, _ []authtypes.Selector, roleSelectors []authtypes.Selector) error {
-	subject, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
-	if err != nil {
-		return err
+	subject := ""
+	switch claims.Principal {
+	case authtypes.PrincipalUser.StringValue():
+		user, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
+		if err != nil {
+			return err
+		}
+
+		subject = user
+	case authtypes.PrincipalServiceAccount.StringValue():
+		serviceAccount, err := authtypes.NewSubject(authtypes.TypeableServiceAccount, claims.ServiceAccountID, orgID, nil)
+		if err != nil {
+			return err
+		}
+
+		subject = serviceAccount
 	}
 
 	tupleSlice, err := authtypes.TypeableRole.Tuples(subject, authtypes.RelationAssignee, roleSelectors, orgID)

pkg/http/middleware/api_key.go

@@ -1,143 +0,0 @@
-package middleware
-
-import (
-	"context"
-	"log/slog"
-	"net/http"
-	"time"
-
-	"github.com/SigNoz/signoz/pkg/sharder"
-	"github.com/SigNoz/signoz/pkg/sqlstore"
-	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/ctxtypes"
-	"github.com/SigNoz/signoz/pkg/valuer"
-	"golang.org/x/sync/singleflight"
-)
-
-const (
-	apiKeyCrossOrgMessage string = "::API-KEY-CROSS-ORG::"
-)
-
-type APIKey struct {
-	store   sqlstore.SQLStore
-	uuid    *authtypes.UUID
-	headers []string
-	logger  *slog.Logger
-	sharder sharder.Sharder
-	sfGroup *singleflight.Group
-}
-
-func NewAPIKey(store sqlstore.SQLStore, headers []string, logger *slog.Logger, sharder sharder.Sharder) *APIKey {
-	return &APIKey{
-		store:   store,
-		uuid:    authtypes.NewUUID(),
-		headers: headers,
-		logger:  logger,
-		sharder: sharder,
-		sfGroup: &singleflight.Group{},
-	}
-}
-
-func (a *APIKey) Wrap(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		var values []string
-		var apiKeyToken string
-		var apiKey types.StorableAPIKey
-
-		for _, header := range a.headers {
-			values = append(values, r.Header.Get(header))
-		}
-
-		ctx, err := a.uuid.ContextFromRequest(r.Context(), values...)
-		if err != nil {
-			next.ServeHTTP(w, r)
-			return
-		}
-
-		apiKeyToken, ok := authtypes.UUIDFromContext(ctx)
-		if !ok {
-			next.ServeHTTP(w, r)
-			return
-		}
-
-		err = a.
-			store.
-			BunDB().
-			NewSelect().
-			Model(&apiKey).
-			Where("token = ?", apiKeyToken).
-			Scan(r.Context())
-		if err != nil {
-			next.ServeHTTP(w, r)
-			return
-		}
-
-		// allow the APIKey if expires_at is not set
-		if apiKey.ExpiresAt.Before(time.Now()) && !apiKey.ExpiresAt.Equal(types.NEVER_EXPIRES) {
-			next.ServeHTTP(w, r)
-			return
-		}
-
-		// get user from db
-		user := types.User{}
-		err = a.store.BunDB().NewSelect().Model(&user).Where("id = ?", apiKey.UserID).Scan(r.Context())
-		if err != nil {
-			next.ServeHTTP(w, r)
-			return
-		}
-
-		jwt := authtypes.Claims{
-			UserID: user.ID.String(),
-			Role:   apiKey.Role,
-			Email:  user.Email.String(),
-			OrgID:  user.OrgID.String(),
-		}
-
-		ctx = authtypes.NewContextWithClaims(ctx, jwt)
-
-		claims, err := authtypes.ClaimsFromContext(ctx)
-		if err != nil {
-			next.ServeHTTP(w, r)
-			return
-		}
-
-		if err := a.sharder.IsMyOwnedKey(r.Context(), types.NewOrganizationKey(valuer.MustNewUUID(claims.OrgID))); err != nil {
-			a.logger.ErrorContext(r.Context(), apiKeyCrossOrgMessage, "claims", claims, "error", err)
-			next.ServeHTTP(w, r)
-			return
-		}
-
-		ctx = ctxtypes.SetAuthType(ctx, ctxtypes.AuthTypeAPIKey)
-
-		comment := ctxtypes.CommentFromContext(ctx)
-		comment.Set("auth_type", ctxtypes.AuthTypeAPIKey.StringValue())
-		comment.Set("user_id", claims.UserID)
-		comment.Set("org_id", claims.OrgID)
-
-		r = r.WithContext(ctxtypes.NewContextWithComment(ctx, comment))
-
-		next.ServeHTTP(w, r)
-
-		lastUsedCtx := context.WithoutCancel(r.Context())
-		_, _, _ = a.sfGroup.Do(apiKey.ID.StringValue(), func() (any, error) {
-			apiKey.LastUsed = time.Now()
-			_, err = a.
-				store.
-				BunDB().
-				NewUpdate().
-				Model(&apiKey).
-				Column("last_used").
-				Where("token = ?", apiKeyToken).
-				Where("revoked = false").
-				Exec(lastUsedCtx)
-			if err != nil {
-				a.logger.ErrorContext(lastUsedCtx, "failed to update last used of api key", "error", err)
-			}
-
-			return true, nil
-		})
-
-	})
-
-}

pkg/http/middleware/authn.go

@@ -22,31 +22,50 @@ const (
 )
 
 type AuthN struct {
-	tokenizer tokenizer.Tokenizer
-	headers   []string
-	sharder   sharder.Sharder
-	logger    *slog.Logger
-	sfGroup   *singleflight.Group
+	tokenizer               tokenizer.Tokenizer
+	serviceAccountTokenizer tokenizer.Tokenizer
+	headers                 []string
+	serviceAccountHeaders   []string
+	sharder                 sharder.Sharder
+	logger                  *slog.Logger
+	sfGroup                 *singleflight.Group
 }
 
-func NewAuthN(headers []string, sharder sharder.Sharder, tokenizer tokenizer.Tokenizer, logger *slog.Logger) *AuthN {
+func NewAuthN(
+	headers []string,
+	serviceAccountHeaders []string,
+	sharder sharder.Sharder,
+	tokenizer tokenizer.Tokenizer,
+	serviceAccountTokenizer tokenizer.Tokenizer,
+	logger *slog.Logger,
+) *AuthN {
 	return &AuthN{
-		headers:   headers,
-		sharder:   sharder,
-		tokenizer: tokenizer,
-		logger:    logger,
-		sfGroup:   &singleflight.Group{},
+		headers:                 headers,
+		serviceAccountHeaders:   serviceAccountHeaders,
+		sharder:                 sharder,
+		tokenizer:               tokenizer,
+		serviceAccountTokenizer: serviceAccountTokenizer,
+		logger:                  logger,
+		sfGroup:                 &singleflight.Group{},
 	}
 }
 
 func (a *AuthN) Wrap(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		var values []string
+		var userHeaderValues []string
 		for _, header := range a.headers {
-			values = append(values, r.Header.Get(header))
+			userHeaderValues = append(userHeaderValues, r.Header.Get(header))
+		}
+
+		ctx, authType, activeTokenizer, err := a.authenticateUser(r.Context(), userHeaderValues...)
+		if err != nil {
+			var saHeaderValues []string
+			for _, header := range a.serviceAccountHeaders {
+				saHeaderValues = append(saHeaderValues, r.Header.Get(header))
+			}
+			ctx, authType, activeTokenizer, err = a.authenticateServiceAccount(ctx, saHeaderValues...)
 		}
 
-		ctx, err := a.contextFromRequest(r.Context(), values...)
 		if err != nil {
 			r = r.WithContext(ctx)
 			next.ServeHTTP(w, r)
@@ -67,27 +86,34 @@ func (a *AuthN) Wrap(next http.Handler) http.Handler {
 			return
 		}
 
-		ctx = ctxtypes.SetAuthType(ctx, ctxtypes.AuthTypeTokenizer)
+		ctx = ctxtypes.SetAuthType(ctx, authType)
 
 		comment := ctxtypes.CommentFromContext(ctx)
-		comment.Set("auth_type", ctxtypes.AuthTypeTokenizer.StringValue())
-		comment.Set("tokenizer_provider", a.tokenizer.Config().Provider)
+		comment.Set("auth_type", authType.StringValue())
+		comment.Set("tokenizer_provider", activeTokenizer.Config().Provider)
 		comment.Set("user_id", claims.UserID)
+		comment.Set("service_account_id", claims.ServiceAccountID)
+		comment.Set("principal", claims.Principal)
 		comment.Set("org_id", claims.OrgID)
 
 		r = r.WithContext(ctxtypes.NewContextWithComment(ctx, comment))
 
 		next.ServeHTTP(w, r)
 
-		accessToken, err := authtypes.AccessTokenFromContext(r.Context())
+		// Track last observed at for the active tokenizer.
+		var token string
+		if authType == ctxtypes.AuthTypeAPIKey {
+			token, err = authtypes.ServiceAccountAPIKeyFromContext(r.Context())
+		} else {
+			token, err = authtypes.AccessTokenFromContext(r.Context())
+		}
 		if err != nil {
-			next.ServeHTTP(w, r)
 			return
 		}
 
 		lastObservedAtCtx := context.WithoutCancel(r.Context())
-		_, _, _ = a.sfGroup.Do(accessToken, func() (any, error) {
-			if err := a.tokenizer.SetLastObservedAt(lastObservedAtCtx, accessToken, time.Now()); err != nil {
+		_, _, _ = a.sfGroup.Do(token, func() (any, error) {
+			if err := activeTokenizer.SetLastObservedAt(lastObservedAtCtx, token, time.Now()); err != nil {
 				a.logger.ErrorContext(lastObservedAtCtx, "failed to set last observed at", "error", err)
 				return false, err
 			}
@@ -97,23 +123,60 @@ func (a *AuthN) Wrap(next http.Handler) http.Handler {
 	})
 }
 
-func (a *AuthN) contextFromRequest(ctx context.Context, values ...string) (context.Context, error) {
+func (a *AuthN) authenticateUser(ctx context.Context, values ...string) (context.Context, ctxtypes.AuthType, tokenizer.Tokenizer, error) {
 	ctx, err := a.contextFromAccessToken(ctx, values...)
 	if err != nil {
-		return ctx, err
+		return ctx, ctxtypes.AuthTypeTokenizer, a.tokenizer, err
 	}
 
 	accessToken, err := authtypes.AccessTokenFromContext(ctx)
 	if err != nil {
-		return ctx, err
+		return ctx, ctxtypes.AuthTypeTokenizer, a.tokenizer, err
 	}
 
-	authenticatedUser, err := a.tokenizer.GetIdentity(ctx, accessToken)
+	identity, err := a.tokenizer.GetIdentity(ctx, accessToken)
 	if err != nil {
-		return ctx, err
+		return ctx, ctxtypes.AuthTypeTokenizer, a.tokenizer, err
 	}
 
-	return authtypes.NewContextWithClaims(ctx, authenticatedUser.ToClaims()), nil
+	ctx = authtypes.NewContextWithClaims(ctx, identity.ToClaims())
+	return ctx, ctxtypes.AuthTypeTokenizer, a.tokenizer, nil
+}
+
+func (a *AuthN) authenticateServiceAccount(ctx context.Context, values ...string) (context.Context, ctxtypes.AuthType, tokenizer.Tokenizer, error) {
+	ctx, err := a.contextFromServiceAccountAPIKey(ctx, values...)
+	if err != nil {
+		return ctx, ctxtypes.AuthTypeAPIKey, a.serviceAccountTokenizer, err
+	}
+
+	apiKey, err := authtypes.ServiceAccountAPIKeyFromContext(ctx)
+	if err != nil {
+		return ctx, ctxtypes.AuthTypeAPIKey, a.serviceAccountTokenizer, err
+	}
+
+	identity, err := a.serviceAccountTokenizer.GetIdentity(ctx, apiKey)
+	if err != nil {
+		return ctx, ctxtypes.AuthTypeAPIKey, a.serviceAccountTokenizer, err
+	}
+
+	ctx = authtypes.NewContextWithClaims(ctx, identity.ToClaims())
+	return ctx, ctxtypes.AuthTypeAPIKey, a.serviceAccountTokenizer, nil
+}
+
+func (a *AuthN) contextFromServiceAccountAPIKey(ctx context.Context, values ...string) (context.Context, error) {
+	var value string
+	for _, v := range values {
+		if v != "" {
+			value = v
+			break
+		}
+	}
+
+	if value == "" {
+		return ctx, errors.New(errors.TypeUnauthenticated, errors.CodeUnauthenticated, "missing api key header")
+	}
+
+	return authtypes.NewContextWithServiceAccountAPIKey(ctx, value), nil
 }
 
 func (a *AuthN) contextFromAccessToken(ctx context.Context, values ...string) (context.Context, error) {

pkg/http/middleware/authz.go

@@ -9,7 +9,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/http/render"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/ctxtypes"
 	"github.com/SigNoz/signoz/pkg/types/roletypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/gorilla/mux"
@@ -42,19 +41,6 @@ func (middleware *AuthZ) ViewAccess(next http.HandlerFunc) http.HandlerFunc {
 			return
 		}
 
-		commentCtx := ctxtypes.CommentFromContext(ctx)
-		authtype, ok := commentCtx.Map()["auth_type"]
-		if ok && authtype == ctxtypes.AuthTypeAPIKey.StringValue() {
-			if err := claims.IsViewer(); err != nil {
-				middleware.logger.WarnContext(ctx, authzDeniedMessage, "claims", claims)
-				render.Error(rw, err)
-				return
-			}
-
-			next(rw, req)
-			return
-		}
-
 		selectors := []authtypes.Selector{
 			authtypes.MustNewSelector(authtypes.TypeRole, roletypes.SigNozAdminRoleName),
 			authtypes.MustNewSelector(authtypes.TypeRole, roletypes.SigNozEditorRoleName),
@@ -94,19 +80,6 @@ func (middleware *AuthZ) EditAccess(next http.HandlerFunc) http.HandlerFunc {
 			return
 		}
 
-		commentCtx := ctxtypes.CommentFromContext(ctx)
-		authtype, ok := commentCtx.Map()["auth_type"]
-		if ok && authtype == ctxtypes.AuthTypeAPIKey.StringValue() {
-			if err := claims.IsEditor(); err != nil {
-				middleware.logger.WarnContext(ctx, authzDeniedMessage, "claims", claims)
-				render.Error(rw, err)
-				return
-			}
-
-			next(rw, req)
-			return
-		}
-
 		selectors := []authtypes.Selector{
 			authtypes.MustNewSelector(authtypes.TypeRole, roletypes.SigNozAdminRoleName),
 			authtypes.MustNewSelector(authtypes.TypeRole, roletypes.SigNozEditorRoleName),
@@ -145,19 +118,6 @@ func (middleware *AuthZ) AdminAccess(next http.HandlerFunc) http.HandlerFunc {
 			return
 		}
 
-		commentCtx := ctxtypes.CommentFromContext(ctx)
-		authtype, ok := commentCtx.Map()["auth_type"]
-		if ok && authtype == ctxtypes.AuthTypeAPIKey.StringValue() {
-			if err := claims.IsAdmin(); err != nil {
-				middleware.logger.WarnContext(ctx, authzDeniedMessage, "claims", claims)
-				render.Error(rw, err)
-				return
-			}
-
-			next(rw, req)
-			return
-		}
-
 		selectors := []authtypes.Selector{
 			authtypes.MustNewSelector(authtypes.TypeRole, roletypes.SigNozAdminRoleName),
 		}
@@ -188,17 +148,33 @@ func (middleware *AuthZ) AdminAccess(next http.HandlerFunc) http.HandlerFunc {
 
 func (middleware *AuthZ) SelfAccess(next http.HandlerFunc) http.HandlerFunc {
 	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
-		claims, err := authtypes.ClaimsFromContext(req.Context())
+		ctx := req.Context()
+		claims, err := authtypes.ClaimsFromContext(ctx)
 		if err != nil {
 			render.Error(rw, err)
 			return
 		}
 
-		id := mux.Vars(req)["id"]
-		if err := claims.IsSelfAccess(id); err != nil {
-			middleware.logger.WarnContext(req.Context(), authzDeniedMessage, "claims", claims)
-			render.Error(rw, err)
-			return
+		selectors := []authtypes.Selector{
+			authtypes.MustNewSelector(authtypes.TypeRole, roletypes.SigNozAdminRoleName),
+		}
+
+		err = middleware.authzService.CheckWithTupleCreation(
+			ctx,
+			claims,
+			valuer.MustNewUUID(claims.OrgID),
+			authtypes.RelationAssignee,
+			authtypes.TypeableRole,
+			selectors,
+			selectors,
+		)
+		if err != nil {
+			id := mux.Vars(req)["id"]
+			if err := claims.IsSelfAccess(id); err != nil {
+				middleware.logger.WarnContext(req.Context(), authzDeniedMessage, "claims", claims)
+				render.Error(rw, err)
+				return
+			}
 		}
 
 		next(rw, req)

pkg/modules/dashboard/dashboard.go

@@ -43,7 +43,7 @@ type Module interface {
 
 	Update(ctx context.Context, orgID valuer.UUID, id valuer.UUID, updatedBy string, data dashboardtypes.UpdatableDashboard, diff int) (*dashboardtypes.Dashboard, error)
 
-	LockUnlock(ctx context.Context, orgID valuer.UUID, id valuer.UUID, updatedBy string, role types.Role, lock bool) error
+	LockUnlock(ctx context.Context, orgID valuer.UUID, id valuer.UUID, updatedBy string, lock bool) error
 
 	Delete(ctx context.Context, orgID valuer.UUID, id valuer.UUID) error
 

pkg/modules/dashboard/impldashboard/handler.go

@@ -58,7 +58,7 @@ func (handler *handler) Create(rw http.ResponseWriter, r *http.Request) {
 		dashboardMigrator.Migrate(ctx, req)
 	}
 
-	dashboard, err := handler.module.Create(ctx, orgID, claims.Email, valuer.MustNewUUID(claims.UserID), req)
+	dashboard, err := handler.module.Create(ctx, orgID, claims.Email, valuer.MustNewUUID(claims.GetIdentityID()), req)
 	if err != nil {
 		render.Error(rw, err)
 		return
@@ -156,7 +156,7 @@ func (handler *handler) LockUnlock(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	err = handler.module.LockUnlock(ctx, orgID, dashboardID, claims.Email, claims.Role, *req.Locked)
+	err = handler.module.LockUnlock(ctx, orgID, dashboardID, valuer.MustNewEmail(claims.Email).String(), *req.Locked)
 	if err != nil {
 		render.Error(rw, err)
 		return

pkg/modules/dashboard/impldashboard/module.go

@@ -99,13 +99,13 @@ func (module *module) Update(ctx context.Context, orgID valuer.UUID, id valuer.U
 	return dashboard, nil
 }
 
-func (module *module) LockUnlock(ctx context.Context, orgID valuer.UUID, id valuer.UUID, updatedBy string, role types.Role, lock bool) error {
+func (module *module) LockUnlock(ctx context.Context, orgID valuer.UUID, id valuer.UUID, updatedBy string, lock bool) error {
 	dashboard, err := module.Get(ctx, orgID, id)
 	if err != nil {
 		return err
 	}
 
-	err = dashboard.LockUnlock(lock, role, updatedBy)
+	err = dashboard.LockUnlock(lock, updatedBy)
 	if err != nil {
 		return err
 	}

pkg/modules/serviceaccount/implserviceaccount/module.go

@@ -3,11 +3,13 @@ package implserviceaccount
 import (
 	"context"
 
+	"github.com/SigNoz/signoz/pkg/analytics"
 	"github.com/SigNoz/signoz/pkg/authz"
 	"github.com/SigNoz/signoz/pkg/emailing"
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/modules/serviceaccount"
+	"github.com/SigNoz/signoz/pkg/tokenizer"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/emailtypes"
 	"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"
@@ -15,15 +17,17 @@ import (
 )
 
 type module struct {
-	store    serviceaccounttypes.Store
-	authz    authz.AuthZ
-	emailing emailing.Emailing
-	settings factory.ScopedProviderSettings
+	store     serviceaccounttypes.Store
+	authz     authz.AuthZ
+	emailing  emailing.Emailing
+	analytics analytics.Analytics
+	tokenizer tokenizer.Tokenizer
+	settings  factory.ScopedProviderSettings
 }
 
-func NewModule(store serviceaccounttypes.Store, authz authz.AuthZ, emailing emailing.Emailing, providerSettings factory.ProviderSettings) serviceaccount.Module {
+func NewModule(store serviceaccounttypes.Store, authz authz.AuthZ, emailing emailing.Emailing, analytics analytics.Analytics, providerSettings factory.ProviderSettings, tokenizer tokenizer.Tokenizer) serviceaccount.Module {
 	settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/modules/serviceaccount/implserviceaccount")
-	return &module{store: store, authz: authz, emailing: emailing, settings: settings}
+	return &module{store: store, authz: authz, emailing: emailing, analytics: analytics, settings: settings, tokenizer: tokenizer}
 }
 
 func (module *module) Create(ctx context.Context, orgID valuer.UUID, serviceAccount *serviceaccounttypes.ServiceAccount) error {
@@ -58,6 +62,8 @@ func (module *module) Create(ctx context.Context, orgID valuer.UUID, serviceAcco
 		return err
 	}
 
+	module.analytics.IdentifyUser(ctx, orgID.String(), serviceAccount.ID.String(), serviceAccount.Traits())
+	module.analytics.TrackUser(ctx, orgID.String(), serviceAccount.ID.String(), "Service Account Created", serviceAccount.Traits())
 	return nil
 }
 
@@ -76,6 +82,8 @@ func (module *module) GetOrCreate(ctx context.Context, serviceAccount *serviceac
 		return nil, err
 	}
 
+	module.analytics.IdentifyUser(ctx, serviceAccount.OrgID.String(), serviceAccount.ID.String(), serviceAccount.Traits())
+	module.analytics.TrackUser(ctx, serviceAccount.OrgID.String(), serviceAccount.ID.String(), "Service Account Created", serviceAccount.Traits())
 	return serviceAccount, nil
 }
 
@@ -186,6 +194,8 @@ func (module *module) Update(ctx context.Context, orgID valuer.UUID, input *serv
 		return err
 	}
 
+	module.analytics.IdentifyUser(ctx, orgID.String(), input.ID.String(), input.Traits())
+	module.analytics.TrackUser(ctx, orgID.String(), input.ID.String(), "Service Account Updated", input.Traits())
 	return nil
 }
 
@@ -214,6 +224,12 @@ func (module *module) UpdateStatus(ctx context.Context, orgID valuer.UUID, input
 		return err
 	}
 
+	err = module.tokenizer.DeleteIdentity(ctx, input.ID)
+	if err != nil {
+		return err
+	}
+
+	module.analytics.TrackUser(ctx, orgID.String(), input.ID.String(), "Service Account Deleted", map[string]any{})
 	return nil
 }
 
@@ -276,6 +292,7 @@ func (module *module) CreateFactorAPIKey(ctx context.Context, factorAPIKey *serv
 		module.settings.Logger().ErrorContext(ctx, "failed to send email", "error", err)
 	}
 
+	module.analytics.TrackUser(ctx, serviceAccount.OrgID, serviceAccount.ID.String(), "API Key created", factorAPIKey.Traits())
 	return nil
 }
 
@@ -297,12 +314,13 @@ func (module *module) ListFactorAPIKey(ctx context.Context, serviceAccountID val
 	return serviceaccounttypes.NewFactorAPIKeyFromStorables(storables), nil
 }
 
-func (module *module) UpdateFactorAPIKey(ctx context.Context, _ valuer.UUID, serviceAccountID valuer.UUID, factorAPIKey *serviceaccounttypes.FactorAPIKey) error {
+func (module *module) UpdateFactorAPIKey(ctx context.Context, orgID valuer.UUID, serviceAccountID valuer.UUID, factorAPIKey *serviceaccounttypes.FactorAPIKey) error {
 	err := module.store.UpdateFactorAPIKey(ctx, serviceAccountID, serviceaccounttypes.NewStorableFactorAPIKey(factorAPIKey))
 	if err != nil {
 		return err
 	}
 
+	module.analytics.TrackUser(ctx, orgID.String(), serviceAccountID.String(), "API Key updated", factorAPIKey.Traits())
 	return nil
 }
 
@@ -331,5 +349,22 @@ func (module *module) RevokeFactorAPIKey(ctx context.Context, serviceAccountID v
 		module.settings.Logger().ErrorContext(ctx, "failed to send email", "error", err)
 	}
 
+	module.analytics.TrackUser(ctx, serviceAccount.OrgID, serviceAccountID.String(), "API Key revoked", factorAPIKey.Traits())
 	return nil
 }
+
+func (module *module) Collect(ctx context.Context, orgID valuer.UUID) (map[string]any, error) {
+	stats := make(map[string]any)
+
+	count, err := module.store.CountByOrgID(ctx, orgID)
+	if err == nil {
+		stats["serviceaccount.count"] = count
+	}
+
+	count, err = module.store.CountFactorAPIKeysByOrgID(ctx, orgID)
+	if err == nil {
+		stats["serviceaccount.keys.count"] = count
+	}
+
+	return stats, nil
+}

pkg/modules/serviceaccount/implserviceaccount/store.go

@@ -165,6 +165,23 @@ func (store *store) GetServiceAccountRoles(ctx context.Context, id valuer.UUID)
 	return storables, nil
 }
 
+func (store *store) CountByOrgID(ctx context.Context, orgID valuer.UUID) (int64, error) {
+	storable := new(serviceaccounttypes.StorableServiceAccount)
+
+	count, err := store.
+		sqlstore.
+		BunDB().
+		NewSelect().
+		Model(storable).
+		Where("org_id = ?", orgID).
+		Count(ctx)
+	if err != nil {
+		return 0, err
+	}
+
+	return int64(count), nil
+}
+
 func (store *store) ListServiceAccountRolesByOrgID(ctx context.Context, orgID valuer.UUID) ([]*serviceaccounttypes.StorableServiceAccountRole, error) {
 	storables := make([]*serviceaccounttypes.StorableServiceAccountRole, 0)
 
@@ -231,6 +248,23 @@ func (store *store) GetFactorAPIKey(ctx context.Context, serviceAccountID valuer
 	return storable, nil
 }
 
+func (store *store) GetFactorAPIKeyByKey(ctx context.Context, key string) (*serviceaccounttypes.StorableFactorAPIKey, error) {
+	storable := new(serviceaccounttypes.StorableFactorAPIKey)
+
+	err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(storable).
+		Where("key = ?", key).
+		Scan(ctx)
+	if err != nil {
+		return nil, store.sqlstore.WrapNotFoundErrf(err, serviceaccounttypes.ErrCodeAPIKeytNotFound, "api key with key: %s doesn't exist", key)
+	}
+
+	return storable, nil
+}
+
 func (store *store) ListFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID) ([]*serviceaccounttypes.StorableFactorAPIKey, error) {
 	storables := make([]*serviceaccounttypes.StorableFactorAPIKey, 0)
 
@@ -248,6 +282,44 @@ func (store *store) ListFactorAPIKey(ctx context.Context, serviceAccountID value
 	return storables, nil
 }
 
+func (store *store) ListFactorAPIKeyByOrgID(ctx context.Context, orgID valuer.UUID) ([]*serviceaccounttypes.StorableFactorAPIKey, error) {
+	storables := make([]*serviceaccounttypes.StorableFactorAPIKey, 0)
+
+	err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(&storables).
+		Join("JOIN service_account").
+		JoinOn("service_account.id = factor_api_key.service_account_id").
+		Where("service_account.org_id = ?", orgID).
+		Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return storables, nil
+}
+
+func (store *store) CountFactorAPIKeysByOrgID(ctx context.Context, orgID valuer.UUID) (int64, error) {
+	storable := new(serviceaccounttypes.StorableFactorAPIKey)
+
+	count, err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(storable).
+		Join("JOIN service_account").
+		JoinOn("service_account.id = factor_api_key.service_account_id").
+		Where("service_account.org_id = ?", orgID).
+		Count(ctx)
+	if err != nil {
+		return 0, err
+	}
+
+	return int64(count), nil
+}
+
 func (store *store) UpdateFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID, storable *serviceaccounttypes.StorableFactorAPIKey) error {
 	_, err := store.
 		sqlstore.
@@ -263,6 +335,30 @@ func (store *store) UpdateFactorAPIKey(ctx context.Context, serviceAccountID val
 	return nil
 }
 
+func (store *store) UpdateLastObservedAtByKey(ctx context.Context, apiKeyToLastObservedAt []map[string]any) error {
+	values := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewValues(&apiKeyToLastObservedAt)
+
+	_, err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewUpdate().
+		With("update_cte", values).
+		Model((*serviceaccounttypes.StorableFactorAPIKey)(nil)).
+		TableExpr("update_cte").
+		Set("last_observed_at = update_cte.last_observed_at").
+		Where("factor_api_key.key = update_cte.key").
+		Where("factor_api_key.service_account_id = update_cte.service_account_id").
+		Exec(ctx)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func (store *store) RevokeFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID, id valuer.UUID) error {
 	_, err := store.
 		sqlstore.

pkg/modules/serviceaccount/serviceaccount.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"net/http"
 
+	"github.com/SigNoz/signoz/pkg/statsreporter"
 	"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 )
@@ -47,6 +48,8 @@ type Module interface {
 
 	// Revokes an existing API key for a service account
 	RevokeFactorAPIKey(context.Context, valuer.UUID, valuer.UUID) error
+
+	statsreporter.StatsCollector
 }
 
 type Handler interface {

pkg/modules/session/implsession/module.go

@@ -158,7 +158,7 @@ func (module *module) CreateCallbackAuthNSession(ctx context.Context, authNProvi
 		return "", errors.WithAdditionalf(err, "root user can only authenticate via password")
 	}
 
-	token, err := module.tokenizer.CreateToken(ctx, authtypes.NewIdentity(user.ID, user.OrgID, user.Email, user.Role), map[string]string{})
+	token, err := module.tokenizer.CreateToken(ctx, authtypes.NewIdentity(user.ID, valuer.UUID{}, authtypes.PrincipalUser, user.OrgID, user.Email), map[string]string{})
 	if err != nil {
 		return "", err
 	}

pkg/modules/spanpercentile/implspanpercentile/handler.go

@@ -35,7 +35,7 @@ func (h *handler) GetSpanPercentileDetails(w http.ResponseWriter, r *http.Reques
 		return
 	}
 
-	result, err := h.module.GetSpanPercentile(r.Context(), valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID), spanPercentileRequest)
+	result, err := h.module.GetSpanPercentile(r.Context(), valuer.MustNewUUID(claims.OrgID), spanPercentileRequest)
 	if err != nil {
 		render.Error(w, err)
 		return

pkg/modules/spanpercentile/implspanpercentile/module.go

@@ -28,7 +28,7 @@ func NewModule(
 	}
 }
 
-func (m *module) GetSpanPercentile(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, req *spanpercentiletypes.SpanPercentileRequest) (*spanpercentiletypes.SpanPercentileResponse, error) {
+func (m *module) GetSpanPercentile(ctx context.Context, orgID valuer.UUID, req *spanpercentiletypes.SpanPercentileRequest) (*spanpercentiletypes.SpanPercentileResponse, error) {
 	ctx = ctxtypes.NewContextWithCommentVals(ctx, map[string]string{
 		instrumentationtypes.CodeNamespace:    "spanpercentile",
 		instrumentationtypes.CodeFunctionName: "GetSpanPercentile",

pkg/modules/spanpercentile/spanpercentile.go

@@ -9,7 +9,7 @@ import (
 )
 
 type Module interface {
-	GetSpanPercentile(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, req *spanpercentiletypes.SpanPercentileRequest) (*spanpercentiletypes.SpanPercentileResponse, error)
+	GetSpanPercentile(ctx context.Context, orgID valuer.UUID, req *spanpercentiletypes.SpanPercentileRequest) (*spanpercentiletypes.SpanPercentileResponse, error)
 }
 
 type Handler interface {

pkg/modules/user/impluser/handler.go

@@ -13,7 +13,6 @@ import (
 	root "github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/integrationtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/gorilla/mux"
 )
@@ -349,172 +348,3 @@ func (h *handler) ForgotPassword(w http.ResponseWriter, r *http.Request) {
 
 	render.Success(w, http.StatusNoContent, nil)
 }
-
-func (h *handler) CreateAPIKey(w http.ResponseWriter, r *http.Request) {
-	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
-	defer cancel()
-
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	req := new(types.PostableAPIKey)
-	if err := json.NewDecoder(r.Body).Decode(req); err != nil {
-		render.Error(w, errors.Wrapf(err, errors.TypeInvalidInput, errors.CodeInvalidInput, "failed to decode api key"))
-		return
-	}
-
-	apiKey, err := types.NewStorableAPIKey(
-		req.Name,
-		valuer.MustNewUUID(claims.UserID),
-		req.Role,
-		req.ExpiresInDays,
-	)
-	if err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	err = h.module.CreateAPIKey(ctx, apiKey)
-	if err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	createdApiKey, err := h.module.GetAPIKey(ctx, valuer.MustNewUUID(claims.OrgID), apiKey.ID)
-	if err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	// just corrected the status code, response is same,
-	render.Success(w, http.StatusCreated, createdApiKey)
-}
-
-func (h *handler) ListAPIKeys(w http.ResponseWriter, r *http.Request) {
-	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
-	defer cancel()
-
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	apiKeys, err := h.module.ListAPIKeys(ctx, valuer.MustNewUUID(claims.OrgID))
-	if err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	// for backward compatibility
-	if len(apiKeys) == 0 {
-		render.Success(w, http.StatusOK, []types.GettableAPIKey{})
-		return
-	}
-
-	result := make([]*types.GettableAPIKey, len(apiKeys))
-	for i, apiKey := range apiKeys {
-		result[i] = types.NewGettableAPIKeyFromStorableAPIKey(apiKey)
-	}
-
-	render.Success(w, http.StatusOK, result)
-
-}
-
-func (h *handler) UpdateAPIKey(w http.ResponseWriter, r *http.Request) {
-	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
-	defer cancel()
-
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	req := types.StorableAPIKey{}
-	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-		render.Error(w, errors.Wrapf(err, errors.TypeInvalidInput, errors.CodeInvalidInput, "failed to decode api key"))
-		return
-	}
-
-	idStr := mux.Vars(r)["id"]
-	id, err := valuer.NewUUID(idStr)
-	if err != nil {
-		render.Error(w, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "id is not a valid uuid-v7"))
-		return
-	}
-
-	//get the API Key
-	existingAPIKey, err := h.module.GetAPIKey(ctx, valuer.MustNewUUID(claims.OrgID), id)
-	if err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	// get the user
-	createdByUser, err := h.getter.Get(ctx, existingAPIKey.UserID)
-	if err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	if slices.Contains(integrationtypes.AllIntegrationUserEmails, integrationtypes.IntegrationUserEmail(createdByUser.Email.String())) {
-		render.Error(w, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "API Keys for integration users cannot be revoked"))
-		return
-	}
-
-	err = h.module.UpdateAPIKey(ctx, id, &req, valuer.MustNewUUID(claims.UserID))
-	if err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	render.Success(w, http.StatusNoContent, nil)
-}
-
-func (h *handler) RevokeAPIKey(w http.ResponseWriter, r *http.Request) {
-	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
-	defer cancel()
-
-	claims, err := authtypes.ClaimsFromContext(ctx)
-	if err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	idStr := mux.Vars(r)["id"]
-	id, err := valuer.NewUUID(idStr)
-	if err != nil {
-		render.Error(w, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "id is not a valid uuid-v7"))
-		return
-	}
-
-	//get the API Key
-	existingAPIKey, err := h.module.GetAPIKey(ctx, valuer.MustNewUUID(claims.OrgID), id)
-	if err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	// get the user
-	createdByUser, err := h.getter.Get(ctx, existingAPIKey.UserID)
-	if err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	if slices.Contains(integrationtypes.AllIntegrationUserEmails, integrationtypes.IntegrationUserEmail(createdByUser.Email.String())) {
-		render.Error(w, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "API Keys for integration users cannot be revoked"))
-		return
-	}
-
-	if err := h.module.RevokeAPIKey(ctx, id, valuer.MustNewUUID(claims.UserID)); err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	render.Success(w, http.StatusNoContent, nil)
-}

pkg/modules/user/impluser/module.go

@@ -661,26 +661,6 @@ func (module *Module) GetOrCreateUser(ctx context.Context, user *types.User, opt
 	return user, nil
 }
 
-func (m *Module) CreateAPIKey(ctx context.Context, apiKey *types.StorableAPIKey) error {
-	return m.store.CreateAPIKey(ctx, apiKey)
-}
-
-func (m *Module) UpdateAPIKey(ctx context.Context, id valuer.UUID, apiKey *types.StorableAPIKey, updaterID valuer.UUID) error {
-	return m.store.UpdateAPIKey(ctx, id, apiKey, updaterID)
-}
-
-func (m *Module) ListAPIKeys(ctx context.Context, orgID valuer.UUID) ([]*types.StorableAPIKeyUser, error) {
-	return m.store.ListAPIKeys(ctx, orgID)
-}
-
-func (m *Module) GetAPIKey(ctx context.Context, orgID, id valuer.UUID) (*types.StorableAPIKeyUser, error) {
-	return m.store.GetAPIKey(ctx, orgID, id)
-}
-
-func (m *Module) RevokeAPIKey(ctx context.Context, id, removedByUserID valuer.UUID) error {
-	return m.store.RevokeAPIKey(ctx, id, removedByUserID)
-}
-
 func (module *Module) CreateFirstUser(ctx context.Context, organization *types.Organization, name string, email valuer.Email, passwd string) (*types.User, error) {
 	user, err := types.NewRootUser(name, email, organization.ID)
 	if err != nil {
@@ -734,11 +714,6 @@ func (module *Module) Collect(ctx context.Context, orgID valuer.UUID) (map[strin
 		stats["user.count.pending_invite"] = counts[types.UserStatusPendingInvite]
 	}
 
-	count, err := module.store.CountAPIKeyByOrgID(ctx, orgID)
-	if err == nil {
-		stats["factor.api_key.count"] = count
-	}
-
 	return stats, nil
 }
 

pkg/modules/user/impluser/store.go

@@ -3,7 +3,6 @@ package impluser
 import (
 	"context"
 	"database/sql"
-	"sort"
 	"time"
 
 	"github.com/SigNoz/signoz/pkg/errors"
@@ -218,15 +217,6 @@ func (store *store) DeleteUser(ctx context.Context, orgID string, id string) err
 		return errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to delete factor password")
 	}
 
-	// delete api keys
-	_, err = tx.NewDelete().
-		Model(&types.StorableAPIKey{}).
-		Where("user_id = ?", id).
-		Exec(ctx)
-	if err != nil {
-		return errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to delete API keys")
-	}
-
 	// delete user_preference
 	_, err = tx.NewDelete().
 		Model(new(preferencetypes.StorableUserPreference)).
@@ -302,15 +292,6 @@ func (store *store) SoftDeleteUser(ctx context.Context, orgID string, id string)
 		return errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to delete factor password")
 	}
 
-	// delete api keys
-	_, err = tx.NewDelete().
-		Model(&types.StorableAPIKey{}).
-		Where("user_id = ?", id).
-		Exec(ctx)
-	if err != nil {
-		return errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to delete API keys")
-	}
-
 	// delete user_preference
 	_, err = tx.NewDelete().
 		Model(new(preferencetypes.StorableUserPreference)).
@@ -457,111 +438,6 @@ func (store *store) UpdatePassword(ctx context.Context, factorPassword *types.Fa
 	return nil
 }
 
-// --- API KEY ---
-func (store *store) CreateAPIKey(ctx context.Context, apiKey *types.StorableAPIKey) error {
-	_, err := store.sqlstore.BunDB().NewInsert().
-		Model(apiKey).
-		Exec(ctx)
-	if err != nil {
-		return store.sqlstore.WrapAlreadyExistsErrf(err, types.ErrAPIKeyAlreadyExists, "API key with token: %s already exists", apiKey.Token)
-	}
-
-	return nil
-}
-
-func (store *store) UpdateAPIKey(ctx context.Context, id valuer.UUID, apiKey *types.StorableAPIKey, updaterID valuer.UUID) error {
-	apiKey.UpdatedBy = updaterID.String()
-	apiKey.UpdatedAt = time.Now()
-	_, err := store.sqlstore.BunDB().NewUpdate().
-		Model(apiKey).
-		Column("role", "name", "updated_at", "updated_by").
-		Where("id = ?", id).
-		Where("revoked = false").
-		Exec(ctx)
-	if err != nil {
-		return store.sqlstore.WrapNotFoundErrf(err, types.ErrAPIKeyNotFound, "API key with id: %s does not exist", id)
-	}
-	return nil
-}
-
-func (store *store) ListAPIKeys(ctx context.Context, orgID valuer.UUID) ([]*types.StorableAPIKeyUser, error) {
-	orgUserAPIKeys := new(types.OrgUserAPIKey)
-
-	if err := store.sqlstore.BunDB().NewSelect().
-		Model(orgUserAPIKeys).
-		Relation("Users").
-		Relation("Users.APIKeys", func(q *bun.SelectQuery) *bun.SelectQuery {
-			return q.Where("revoked = false")
-		},
-		).
-		Relation("Users.APIKeys.CreatedByUser").
-		Relation("Users.APIKeys.UpdatedByUser").
-		Where("id = ?", orgID).
-		Scan(ctx); err != nil {
-		return nil, errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to fetch API keys")
-	}
-
-	// Flatten the API keys from all users
-	var allAPIKeys []*types.StorableAPIKeyUser
-	for _, user := range orgUserAPIKeys.Users {
-		if user.APIKeys != nil {
-			allAPIKeys = append(allAPIKeys, user.APIKeys...)
-		}
-	}
-
-	// sort the API keys by updated_at
-	sort.Slice(allAPIKeys, func(i, j int) bool {
-		return allAPIKeys[i].UpdatedAt.After(allAPIKeys[j].UpdatedAt)
-	})
-
-	return allAPIKeys, nil
-}
-
-func (store *store) RevokeAPIKey(ctx context.Context, id, revokedByUserID valuer.UUID) error {
-	updatedAt := time.Now().Unix()
-	_, err := store.sqlstore.BunDB().NewUpdate().
-		Model(&types.StorableAPIKey{}).
-		Set("revoked = ?", true).
-		Set("updated_by = ?", revokedByUserID).
-		Set("updated_at = ?", updatedAt).
-		Where("id = ?", id).
-		Exec(ctx)
-	if err != nil {
-		return errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to revoke API key")
-	}
-	return nil
-}
-
-func (store *store) GetAPIKey(ctx context.Context, orgID, id valuer.UUID) (*types.StorableAPIKeyUser, error) {
-	apiKey := new(types.OrgUserAPIKey)
-	if err := store.sqlstore.BunDB().NewSelect().
-		Model(apiKey).
-		Relation("Users").
-		Relation("Users.APIKeys", func(q *bun.SelectQuery) *bun.SelectQuery {
-			return q.Where("revoked = false").Where("storable_api_key.id = ?", id).
-				OrderExpr("storable_api_key.updated_at DESC").Limit(1)
-		},
-		).
-		Relation("Users.APIKeys.CreatedByUser").
-		Relation("Users.APIKeys.UpdatedByUser").
-		Scan(ctx); err != nil {
-		return nil, store.sqlstore.WrapNotFoundErrf(err, types.ErrAPIKeyNotFound, "API key with id: %s does not exist", id)
-	}
-
-	// flatten the API keys
-	flattenedAPIKeys := []*types.StorableAPIKeyUser{}
-	for _, user := range apiKey.Users {
-		if user.APIKeys != nil {
-			flattenedAPIKeys = append(flattenedAPIKeys, user.APIKeys...)
-		}
-	}
-	if len(flattenedAPIKeys) == 0 {
-		return nil, store.sqlstore.WrapNotFoundErrf(errors.New(errors.TypeNotFound, errors.CodeNotFound, "API key with id: %s does not exist"), types.ErrAPIKeyNotFound, "API key with id: %s does not exist", id)
-	}
-
-	return flattenedAPIKeys[0], nil
-}
-
 func (store *store) CountByOrgID(ctx context.Context, orgID valuer.UUID) (int64, error) {
 	user := new(types.User)
 
@@ -609,24 +485,6 @@ func (store *store) CountByOrgIDAndStatuses(ctx context.Context, orgID valuer.UU
 	return counts, nil
 }
 
-func (store *store) CountAPIKeyByOrgID(ctx context.Context, orgID valuer.UUID) (int64, error) {
-	apiKey := new(types.StorableAPIKey)
-
-	count, err := store.
-		sqlstore.
-		BunDB().
-		NewSelect().
-		Model(apiKey).
-		Join("JOIN users ON users.id = storable_api_key.user_id").
-		Where("org_id = ?", orgID).
-		Count(ctx)
-	if err != nil {
-		return 0, err
-	}
-
-	return int64(count), nil
-}
-
 func (store *store) RunInTx(ctx context.Context, cb func(ctx context.Context) error) error {
 	return store.sqlstore.RunInTxCtx(ctx, nil, func(ctx context.Context) error {
 		return cb(ctx)

pkg/modules/user/user.go

@@ -45,13 +45,6 @@ type Module interface {
 	AcceptInvite(ctx context.Context, token string, password string) (*types.User, error)
 	GetInviteByToken(ctx context.Context, token string) (*types.Invite, error)
 
-	// API KEY
-	CreateAPIKey(ctx context.Context, apiKey *types.StorableAPIKey) error
-	UpdateAPIKey(ctx context.Context, id valuer.UUID, apiKey *types.StorableAPIKey, updaterID valuer.UUID) error
-	ListAPIKeys(ctx context.Context, orgID valuer.UUID) ([]*types.StorableAPIKeyUser, error)
-	RevokeAPIKey(ctx context.Context, id, removedByUserID valuer.UUID) error
-	GetAPIKey(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*types.StorableAPIKeyUser, error)
-
 	GetNonDeletedUserByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) (*types.User, error)
 
 	statsreporter.StatsCollector
@@ -106,10 +99,4 @@ type Handler interface {
 	ResetPassword(http.ResponseWriter, *http.Request)
 	ChangePassword(http.ResponseWriter, *http.Request)
 	ForgotPassword(http.ResponseWriter, *http.Request)
-
-	// API KEY
-	CreateAPIKey(http.ResponseWriter, *http.Request)
-	ListAPIKeys(http.ResponseWriter, *http.Request)
-	UpdateAPIKey(http.ResponseWriter, *http.Request)
-	RevokeAPIKey(http.ResponseWriter, *http.Request)
 }

pkg/querier/api.go

@@ -60,6 +60,8 @@ func (handler *handler) QueryRange(rw http.ResponseWriter, req *http.Request) {
 			handler.set.Logger.ErrorContext(ctx, "panic in QueryRange",
 				"error", r,
 				"user", claims.UserID,
+				"service_account", claims.ServiceAccountID,
+				"principal", claims.Principal,
 				"payload", string(queryJSON),
 				"stacktrace", stackTrace,
 			)
@@ -160,6 +162,8 @@ func (handler *handler) QueryRawStream(rw http.ResponseWriter, req *http.Request
 			handler.set.Logger.ErrorContext(ctx, "panic in QueryRawStream",
 				"error", r,
 				"user", claims.UserID,
+				"service_account", claims.ServiceAccountID,
+				"principal", claims.Principal,
 				"payload", string(queryJSON),
 				"stacktrace", stackTrace,
 			)
@@ -309,9 +313,9 @@ func (handler *handler) logEvent(ctx context.Context, referrer string, event *qb
 	}
 
 	if !event.HasData {
-		handler.analytics.TrackUser(ctx, claims.OrgID, claims.UserID, "Telemetry Query Returned Empty", properties)
+		handler.analytics.TrackUser(ctx, claims.OrgID, claims.GetIdentityID(), "Telemetry Query Returned Empty", properties)
 		return
 	}
 
-	handler.analytics.TrackUser(ctx, claims.OrgID, claims.UserID, "Telemetry Query Returned Results", properties)
+	handler.analytics.TrackUser(ctx, claims.OrgID, claims.GetIdentityID(), "Telemetry Query Returned Results", properties)
 }

pkg/query-service/app/http_handler.go

@@ -512,7 +512,7 @@ func (aH *APIHandler) RegisterRoutes(router *mux.Router, am *middleware.AuthZ) {
 	router.HandleFunc("/api/v1/dashboards/{id}", am.ViewAccess(aH.Get)).Methods(http.MethodGet)
 	router.HandleFunc("/api/v1/dashboards/{id}", am.EditAccess(aH.Signoz.Handlers.Dashboard.Update)).Methods(http.MethodPut)
 	router.HandleFunc("/api/v1/dashboards/{id}", am.EditAccess(aH.Signoz.Handlers.Dashboard.Delete)).Methods(http.MethodDelete)
-	router.HandleFunc("/api/v1/dashboards/{id}/lock", am.EditAccess(aH.Signoz.Handlers.Dashboard.LockUnlock)).Methods(http.MethodPut)
+	router.HandleFunc("/api/v1/dashboards/{id}/lock", am.AdminAccess(aH.Signoz.Handlers.Dashboard.LockUnlock)).Methods(http.MethodPut)
 	router.HandleFunc("/api/v2/variables/query", am.ViewAccess(aH.queryDashboardVarsV2)).Methods(http.MethodPost)
 
 	router.HandleFunc("/api/v1/explorer/views", am.ViewAccess(aH.Signoz.Handlers.SavedView.List)).Methods(http.MethodGet)
@@ -1565,7 +1565,7 @@ func (aH *APIHandler) registerEvent(w http.ResponseWriter, r *http.Request) {
 	if errv2 == nil {
 		switch request.EventType {
 		case model.TrackEvent:
-			aH.Signoz.Analytics.TrackUser(r.Context(), claims.OrgID, claims.UserID, request.EventName, request.Attributes)
+			aH.Signoz.Analytics.TrackUser(r.Context(), claims.OrgID, claims.GetIdentityID(), request.EventName, request.Attributes)
 		}
 		aH.WriteJSON(w, r, map[string]string{"data": "Event Processed Successfully"})
 	} else {
@@ -4669,7 +4669,7 @@ func (aH *APIHandler) sendQueryResultEvents(r *http.Request, result []*v3.Result
 
 	// Check if result is empty or has no data
 	if len(result) == 0 {
-		aH.Signoz.Analytics.TrackUser(r.Context(), claims.OrgID, claims.UserID, "Telemetry Query Returned Empty", properties)
+		aH.Signoz.Analytics.TrackUser(r.Context(), claims.OrgID, claims.GetIdentityID(), "Telemetry Query Returned Empty", properties)
 		return
 	}
 
@@ -4679,18 +4679,18 @@ func (aH *APIHandler) sendQueryResultEvents(r *http.Request, result []*v3.Result
 		if len(result[0].List) == 0 {
 			// Check if first result has no table data
 			if result[0].Table == nil {
-				aH.Signoz.Analytics.TrackUser(r.Context(), claims.OrgID, claims.UserID, "Telemetry Query Returned Empty", properties)
+				aH.Signoz.Analytics.TrackUser(r.Context(), claims.OrgID, claims.GetIdentityID(), "Telemetry Query Returned Empty", properties)
 				return
 			}
 
 			if len(result[0].Table.Rows) == 0 {
-				aH.Signoz.Analytics.TrackUser(r.Context(), claims.OrgID, claims.UserID, "Telemetry Query Returned Empty", properties)
+				aH.Signoz.Analytics.TrackUser(r.Context(), claims.OrgID, claims.GetIdentityID(), "Telemetry Query Returned Empty", properties)
 				return
 			}
 		}
 	}
 
-	aH.Signoz.Analytics.TrackUser(r.Context(), claims.OrgID, claims.UserID, "Telemetry Query Returned Results", properties)
+	aH.Signoz.Analytics.TrackUser(r.Context(), claims.OrgID, claims.GetIdentityID(), "Telemetry Query Returned Results", properties)
 
 }
 

pkg/query-service/app/server.go

@@ -195,13 +195,12 @@ func (s *Server) createPublicServer(api *APIHandler, web web.Web) (*http.Server,
 		}),
 		otelmux.WithPublicEndpoint(),
 	))
-	r.Use(middleware.NewAuthN([]string{"Authorization", "Sec-WebSocket-Protocol"}, s.signoz.Sharder, s.signoz.Tokenizer, s.signoz.Instrumentation.Logger()).Wrap)
+	r.Use(middleware.NewAuthN([]string{"Authorization", "Sec-WebSocket-Protocol"}, []string{"SIGNOZ-API-KEY"}, s.signoz.Sharder, s.signoz.Tokenizer, s.signoz.ServiceAccountTokenizer, s.signoz.Instrumentation.Logger()).Wrap)
 	r.Use(middleware.NewTimeout(s.signoz.Instrumentation.Logger(),
 		s.config.APIServer.Timeout.ExcludedRoutes,
 		s.config.APIServer.Timeout.Default,
 		s.config.APIServer.Timeout.Max,
 	).Wrap)
-	r.Use(middleware.NewAPIKey(s.signoz.SQLStore, []string{"SIGNOZ-API-KEY"}, s.signoz.Instrumentation.Logger(), s.signoz.Sharder).Wrap)
 	r.Use(middleware.NewLogging(s.signoz.Instrumentation.Logger(), s.config.APIServer.Logging.ExcludedRoutes).Wrap)
 	r.Use(middleware.NewComment().Wrap)
 

pkg/signoz/handler_test.go

@@ -43,14 +43,13 @@ func TestNewHandlers(t *testing.T) {
 	emailing := emailingtest.New()
 	queryParser := queryparser.New(providerSettings)
 	require.NoError(t, err)
-	dashboardModule := impldashboard.NewModule(impldashboard.NewStore(sqlstore), providerSettings, nil, orgGetter, queryParser)
 
 	flagger, err := flagger.New(context.Background(), instrumentationtest.New().ToProviderSettings(), flagger.Config{}, flagger.MustNewRegistry())
 	require.NoError(t, err)
-
 	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings), flagger)
+	dashboardModule := impldashboard.NewModule(impldashboard.NewStore(sqlstore), providerSettings, nil, orgGetter, queryParser)
 
-	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, userGetter)
+	modules := NewModules(sqlstore, tokenizer, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, userGetter)
 
 	querierHandler := querier.NewHandler(providerSettings, nil, nil)
 	handlers := NewHandlers(modules, providerSettings, nil, querierHandler, nil, nil, nil, nil, nil, nil, nil)

pkg/signoz/module.go

@@ -74,6 +74,7 @@ type Modules struct {
 func NewModules(
 	sqlstore sqlstore.SQLStore,
 	tokenizer tokenizer.Tokenizer,
+	serviceAccountTokenizer tokenizer.Tokenizer,
 	emailing emailing.Emailing,
 	providerSettings factory.ProviderSettings,
 	orgGetter organization.Getter,
@@ -113,6 +114,6 @@ func NewModules(
 		Services:        implservices.NewModule(querier, telemetryStore),
 		MetricsExplorer: implmetricsexplorer.NewModule(telemetryStore, telemetryMetadataStore, cache, ruleStore, dashboard, providerSettings, config.MetricsExplorer),
 		Promote:         implpromote.NewModule(telemetryMetadataStore, telemetryStore),
-		ServiceAccount:  implserviceaccount.NewModule(implserviceaccount.NewStore(sqlstore), authz, emailing, providerSettings),
+		ServiceAccount:  implserviceaccount.NewModule(implserviceaccount.NewStore(sqlstore), authz, emailing, analytics, providerSettings, serviceAccountTokenizer),
 	}
 }

pkg/signoz/module_test.go

@@ -42,14 +42,14 @@ func TestNewModules(t *testing.T) {
 	emailing := emailingtest.New()
 	queryParser := queryparser.New(providerSettings)
 	require.NoError(t, err)
-	dashboardModule := impldashboard.NewModule(impldashboard.NewStore(sqlstore), providerSettings, nil, orgGetter, queryParser)
 
 	flagger, err := flagger.New(context.Background(), instrumentationtest.New().ToProviderSettings(), flagger.Config{}, flagger.MustNewRegistry())
 	require.NoError(t, err)
 
 	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings), flagger)
+	dashboardModule := impldashboard.NewModule(impldashboard.NewStore(sqlstore), providerSettings, nil, orgGetter, queryParser)
 
-	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, userGetter)
+	modules := NewModules(sqlstore, tokenizer, tokenizer, emailing, providerSettings, orgGetter, alertmanager, nil, nil, nil, nil, nil, nil, nil, queryParser, Config{}, dashboardModule, userGetter)
 
 	reflectVal := reflect.ValueOf(modules)
 	for i := 0; i < reflectVal.NumField(); i++ {

pkg/signoz/provider.go

@@ -27,6 +27,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/organization/implorganization"
 	"github.com/SigNoz/signoz/pkg/modules/preference/implpreference"
 	"github.com/SigNoz/signoz/pkg/modules/promote/implpromote"
+	"github.com/SigNoz/signoz/pkg/modules/serviceaccount/implserviceaccount"
 	"github.com/SigNoz/signoz/pkg/modules/session/implsession"
 	"github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/modules/user/impluser"
@@ -55,6 +56,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/tokenizer"
 	"github.com/SigNoz/signoz/pkg/tokenizer/jwttokenizer"
 	"github.com/SigNoz/signoz/pkg/tokenizer/opaquetokenizer"
+	"github.com/SigNoz/signoz/pkg/tokenizer/serviceaccounttokenizer"
 	"github.com/SigNoz/signoz/pkg/tokenizer/tokenizerstore/sqltokenizerstore"
 	"github.com/SigNoz/signoz/pkg/types/alertmanagertypes"
 	"github.com/SigNoz/signoz/pkg/types/featuretypes"
@@ -172,6 +174,9 @@ func NewSQLMigrationProviderFactories(
 		sqlmigration.NewMigrateRulesV4ToV5Factory(sqlstore, telemetryStore),
 		sqlmigration.NewAddStatusUserFactory(sqlstore, sqlschema),
 		sqlmigration.NewDeprecateUserInviteFactory(sqlstore, sqlschema),
+		sqlmigration.NewAddServiceAccountFactory(sqlstore, sqlschema),
+		sqlmigration.NewDeprecateAPIKeyFactory(sqlstore, sqlschema),
+		sqlmigration.NewServiceAccountAuthzactory(sqlstore),
 	)
 }
 
@@ -265,9 +270,11 @@ func NewAPIServerProviderFactories(orgGetter organization.Getter, authz authz.Au
 
 func NewTokenizerProviderFactories(cache cache.Cache, sqlstore sqlstore.SQLStore, orgGetter organization.Getter) factory.NamedMap[factory.ProviderFactory[tokenizer.Tokenizer, tokenizer.Config]] {
 	tokenStore := sqltokenizerstore.NewStore(sqlstore)
+	apiKeyStore := implserviceaccount.NewStore(sqlstore)
 	return factory.MustNewNamedMap(
 		opaquetokenizer.NewFactory(cache, tokenStore, orgGetter),
 		jwttokenizer.NewFactory(cache, tokenStore),
+		serviceaccounttokenizer.NewFactory(cache, apiKeyStore, orgGetter),
 	)
 }
 

pkg/signoz/signoz.go

@@ -21,6 +21,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/dashboard"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
 	"github.com/SigNoz/signoz/pkg/modules/organization/implorganization"
+	"github.com/SigNoz/signoz/pkg/modules/serviceaccount/implserviceaccount"
 	"github.com/SigNoz/signoz/pkg/modules/user/impluser"
 	"github.com/SigNoz/signoz/pkg/prometheus"
 	"github.com/SigNoz/signoz/pkg/querier"
@@ -38,6 +39,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/telemetrystore"
 	"github.com/SigNoz/signoz/pkg/telemetrytraces"
 	pkgtokenizer "github.com/SigNoz/signoz/pkg/tokenizer"
+	"github.com/SigNoz/signoz/pkg/tokenizer/serviceaccounttokenizer"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/telemetrytypes"
 	"github.com/SigNoz/signoz/pkg/version"
@@ -48,29 +50,30 @@ import (
 
 type SigNoz struct {
 	*factory.Registry
-	Instrumentation        instrumentation.Instrumentation
-	Analytics              analytics.Analytics
-	Cache                  cache.Cache
-	Web                    web.Web
-	SQLStore               sqlstore.SQLStore
-	TelemetryStore         telemetrystore.TelemetryStore
-	TelemetryMetadataStore telemetrytypes.MetadataStore
-	Prometheus             prometheus.Prometheus
-	Alertmanager           alertmanager.Alertmanager
-	Querier                querier.Querier
-	APIServer              apiserver.APIServer
-	Zeus                   zeus.Zeus
-	Licensing              licensing.Licensing
-	Emailing               emailing.Emailing
-	Sharder                sharder.Sharder
-	StatsReporter          statsreporter.StatsReporter
-	Tokenizer              pkgtokenizer.Tokenizer
-	Authz                  authz.AuthZ
-	Modules                Modules
-	Handlers               Handlers
-	QueryParser            queryparser.QueryParser
-	Flagger                flagger.Flagger
-	Gateway                gateway.Gateway
+	Instrumentation         instrumentation.Instrumentation
+	Analytics               analytics.Analytics
+	Cache                   cache.Cache
+	Web                     web.Web
+	SQLStore                sqlstore.SQLStore
+	TelemetryStore          telemetrystore.TelemetryStore
+	TelemetryMetadataStore  telemetrytypes.MetadataStore
+	Prometheus              prometheus.Prometheus
+	Alertmanager            alertmanager.Alertmanager
+	Querier                 querier.Querier
+	APIServer               apiserver.APIServer
+	Zeus                    zeus.Zeus
+	Licensing               licensing.Licensing
+	Emailing                emailing.Emailing
+	Sharder                 sharder.Sharder
+	StatsReporter           statsreporter.StatsReporter
+	Tokenizer               pkgtokenizer.Tokenizer
+	ServiceAccountTokenizer pkgtokenizer.Tokenizer
+	Authz                   authz.AuthZ
+	Modules                 Modules
+	Handlers                Handlers
+	QueryParser             queryparser.QueryParser
+	Flagger                 flagger.Flagger
+	Gateway                 gateway.Gateway
 }
 
 func New(
@@ -279,6 +282,12 @@ func New(
 		return nil, err
 	}
 
+	apiKeyStore := implserviceaccount.NewStore(sqlstore)
+	serviceAccountTokenizer, err := serviceaccounttokenizer.New(ctx, providerSettings, config.Tokenizer, cache, apiKeyStore, orgGetter)
+	if err != nil {
+		return nil, err
+	}
+
 	// Initialize user getter
 	userGetter := impluser.NewGetter(impluser.NewStore(sqlstore, providerSettings), flagger)
 
@@ -388,7 +397,7 @@ func New(
 	}
 
 	// Initialize all modules
-	modules := NewModules(sqlstore, tokenizer, emailing, providerSettings, orgGetter, alertmanager, analytics, querier, telemetrystore, telemetryMetadataStore, authNs, authz, cache, queryParser, config, dashboard, userGetter)
+	modules := NewModules(sqlstore, tokenizer, serviceAccountTokenizer, emailing, providerSettings, orgGetter, alertmanager, analytics, querier, telemetrystore, telemetryMetadataStore, authNs, authz, cache, queryParser, config, dashboard, userGetter)
 
 	userService := impluser.NewService(providerSettings, impluser.NewStore(sqlstore, providerSettings), modules.User, orgGetter, authz, config.User.Root)
 
@@ -421,6 +430,7 @@ func New(
 		tokenizer,
 		config,
 		modules.AuthDomain,
+		modules.ServiceAccount,
 	}
 
 	// Initialize stats reporter from the available stats reporter provider factories
@@ -443,6 +453,7 @@ func New(
 		factory.NewNamedService(factory.MustNewName("licensing"), licensing),
 		factory.NewNamedService(factory.MustNewName("statsreporter"), statsReporter),
 		factory.NewNamedService(factory.MustNewName("tokenizer"), tokenizer),
+		factory.NewNamedService(factory.MustNewName("serviceaccounttokenizer"), serviceAccountTokenizer),
 		factory.NewNamedService(factory.MustNewName("authz"), authz),
 		factory.NewNamedService(factory.MustNewName("user"), userService),
 	)
@@ -451,28 +462,29 @@ func New(
 	}
 
 	return &SigNoz{
-		Registry:               registry,
-		Analytics:              analytics,
-		Instrumentation:        instrumentation,
-		Cache:                  cache,
-		Web:                    web,
-		SQLStore:               sqlstore,
-		TelemetryStore:         telemetrystore,
-		TelemetryMetadataStore: telemetryMetadataStore,
-		Prometheus:             prometheus,
-		Alertmanager:           alertmanager,
-		Querier:                querier,
-		APIServer:              apiserver,
-		Zeus:                   zeus,
-		Licensing:              licensing,
-		Emailing:               emailing,
-		Sharder:                sharder,
-		Tokenizer:              tokenizer,
-		Authz:                  authz,
-		Modules:                modules,
-		Handlers:               handlers,
-		QueryParser:            queryParser,
-		Flagger:                flagger,
-		Gateway:                gateway,
+		Registry:                registry,
+		Analytics:               analytics,
+		Instrumentation:         instrumentation,
+		Cache:                   cache,
+		Web:                     web,
+		SQLStore:                sqlstore,
+		TelemetryStore:          telemetrystore,
+		TelemetryMetadataStore:  telemetryMetadataStore,
+		Prometheus:              prometheus,
+		Alertmanager:            alertmanager,
+		Querier:                 querier,
+		APIServer:               apiserver,
+		Zeus:                    zeus,
+		Licensing:               licensing,
+		Emailing:                emailing,
+		Sharder:                 sharder,
+		Tokenizer:               tokenizer,
+		ServiceAccountTokenizer: serviceAccountTokenizer,
+		Authz:                   authz,
+		Modules:                 modules,
+		Handlers:                handlers,
+		QueryParser:             queryParser,
+		Flagger:                 flagger,
+		Gateway:                 gateway,
 	}, nil
 }

pkg/sqlmigration/069_add_service_account.go

@@ -0,0 +1,121 @@
+package sqlmigration
+
+import (
+	"context"
+
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/sqlschema"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/uptrace/bun"
+	"github.com/uptrace/bun/migrate"
+)
+
+type addServiceAccount struct {
+	sqlschema sqlschema.SQLSchema
+	sqlstore  sqlstore.SQLStore
+}
+
+func NewAddServiceAccountFactory(sqlstore sqlstore.SQLStore, sqlschema sqlschema.SQLSchema) factory.ProviderFactory[SQLMigration, Config] {
+	return factory.NewProviderFactory(factory.MustNewName("add_service_account"), func(_ context.Context, _ factory.ProviderSettings, _ Config) (SQLMigration, error) {
+		return &addServiceAccount{
+			sqlschema: sqlschema,
+			sqlstore:  sqlstore,
+		}, nil
+	})
+}
+
+func (migration *addServiceAccount) Register(migrations *migrate.Migrations) error {
+	err := migrations.Register(migration.Up, migration.Down)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *addServiceAccount) Up(ctx context.Context, db *bun.DB) error {
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		_ = tx.Rollback()
+	}()
+
+	sqls := [][]byte{}
+
+	tableSQLs := migration.sqlschema.Operator().CreateTable(&sqlschema.Table{
+		Name: "service_account",
+		Columns: []*sqlschema.Column{
+			{Name: "id", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "created_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
+			{Name: "updated_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
+			{Name: "deleted_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
+			{Name: "name", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "email", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "status", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "org_id", DataType: sqlschema.DataTypeText, Nullable: false},
+		},
+		PrimaryKeyConstraint: &sqlschema.PrimaryKeyConstraint{
+			ColumnNames: []sqlschema.ColumnName{"id"},
+		},
+		ForeignKeyConstraints: []*sqlschema.ForeignKeyConstraint{
+			{
+				ReferencingColumnName: sqlschema.ColumnName("org_id"),
+				ReferencedTableName:   sqlschema.TableName("organizations"),
+				ReferencedColumnName:  sqlschema.ColumnName("id"),
+			},
+		},
+	})
+	sqls = append(sqls, tableSQLs...)
+
+	indexSQLs := migration.sqlschema.Operator().CreateIndex(&sqlschema.UniqueIndex{TableName: "service_account", ColumnNames: []sqlschema.ColumnName{"name", "org_id", "deleted_at"}})
+	sqls = append(sqls, indexSQLs...)
+
+	tableSQLs = migration.sqlschema.Operator().CreateTable(&sqlschema.Table{
+		Name: "service_account_role",
+		Columns: []*sqlschema.Column{
+			{Name: "id", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "created_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
+			{Name: "updated_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
+			{Name: "service_account_id", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "role_id", DataType: sqlschema.DataTypeText, Nullable: false},
+		},
+		PrimaryKeyConstraint: &sqlschema.PrimaryKeyConstraint{
+			ColumnNames: []sqlschema.ColumnName{"id"},
+		},
+		ForeignKeyConstraints: []*sqlschema.ForeignKeyConstraint{
+			{
+				ReferencingColumnName: sqlschema.ColumnName("service_account_id"),
+				ReferencedTableName:   sqlschema.TableName("service_account"),
+				ReferencedColumnName:  sqlschema.ColumnName("id"),
+			},
+			{
+				ReferencingColumnName: sqlschema.ColumnName("role_id"),
+				ReferencedTableName:   sqlschema.TableName("role"),
+				ReferencedColumnName:  sqlschema.ColumnName("id"),
+			},
+		},
+	})
+	sqls = append(sqls, tableSQLs...)
+
+	indexSQLs = migration.sqlschema.Operator().CreateIndex(&sqlschema.UniqueIndex{TableName: "service_account_role", ColumnNames: []sqlschema.ColumnName{"service_account_id", "role_id"}})
+	sqls = append(sqls, indexSQLs...)
+
+	for _, sql := range sqls {
+		if _, err := tx.ExecContext(ctx, string(sql)); err != nil {
+			return err
+		}
+	}
+
+	if err := tx.Commit(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (a *addServiceAccount) Down(context.Context, *bun.DB) error {
+	return nil
+}

pkg/sqlmigration/070_deprecate_api_key.go

@@ -0,0 +1,325 @@
+package sqlmigration
+
+import (
+	"context"
+	"database/sql"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/sqlschema"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/types/roletypes"
+	"github.com/SigNoz/signoz/pkg/valuer"
+	"github.com/uptrace/bun"
+	"github.com/uptrace/bun/migrate"
+)
+
+type oldFactorAPIKey68 struct {
+	bun.BaseModel `bun:"table:factor_api_key"`
+
+	types.Identifiable
+	CreatedAt time.Time `bun:"created_at"`
+	UpdatedAt time.Time `bun:"updated_at"`
+	Token     string    `bun:"token"`
+	Role      string    `bun:"role"`
+	Name      string    `bun:"name"`
+	ExpiresAt time.Time `bun:"expires_at"`
+	LastUsed  time.Time `bun:"last_used"`
+	Revoked   bool      `bun:"revoked"`
+	UserID    string    `bun:"user_id"`
+}
+
+type oldUser68 struct {
+	bun.BaseModel `bun:"table:users"`
+
+	types.Identifiable
+	DisplayName string `bun:"display_name"`
+	Email       string `bun:"email"`
+	OrgID       string `bun:"org_id"`
+}
+
+type oldRole68 struct {
+	bun.BaseModel `bun:"table:role"`
+
+	types.Identifiable
+	Name  string `bun:"name"`
+	OrgID string `bun:"org_id"`
+}
+
+type newServiceAccount68 struct {
+	bun.BaseModel `bun:"table:service_account"`
+
+	types.Identifiable
+	CreatedAt time.Time `bun:"created_at"`
+	UpdatedAt time.Time `bun:"updated_at"`
+	Name      string    `bun:"name"`
+	Email     string    `bun:"email"`
+	Status    string    `bun:"status"`
+	OrgID     string    `bun:"org_id"`
+}
+
+type newServiceAccountRole68 struct {
+	bun.BaseModel `bun:"table:service_account_role"`
+
+	types.Identifiable
+	CreatedAt        time.Time `bun:"created_at"`
+	UpdatedAt        time.Time `bun:"updated_at"`
+	ServiceAccountID string    `bun:"service_account_id"`
+	RoleID           string    `bun:"role_id"`
+}
+
+type newFactorAPIKey68 struct {
+	bun.BaseModel `bun:"table:factor_api_key"`
+
+	types.Identifiable
+	CreatedAt        time.Time `bun:"created_at"`
+	UpdatedAt        time.Time `bun:"updated_at"`
+	Name             string    `bun:"name"`
+	Key              string    `bun:"key"`
+	ExpiresAt        uint64    `bun:"expires_at"`
+	LastObservedAt   time.Time `bun:"last_observed_at"`
+	ServiceAccountID string    `bun:"service_account_id"`
+}
+
+type deprecateAPIKey struct {
+	sqlstore  sqlstore.SQLStore
+	sqlschema sqlschema.SQLSchema
+}
+
+func NewDeprecateAPIKeyFactory(sqlstore sqlstore.SQLStore, sqlschema sqlschema.SQLSchema) factory.ProviderFactory[SQLMigration, Config] {
+	return factory.NewProviderFactory(factory.MustNewName("deprecate_api_key"), func(_ context.Context, _ factory.ProviderSettings, c Config) (SQLMigration, error) {
+		return &deprecateAPIKey{
+			sqlstore:  sqlstore,
+			sqlschema: sqlschema,
+		}, nil
+	})
+}
+
+func (migration *deprecateAPIKey) Register(migrations *migrate.Migrations) error {
+	err := migrations.Register(migration.Up, migration.Down)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *deprecateAPIKey) Up(ctx context.Context, db *bun.DB) error {
+	table, _, err := migration.sqlschema.GetTable(ctx, sqlschema.TableName("factor_api_key"))
+	if err != nil {
+		return err
+	}
+
+	hasOldSchema := false
+	for _, col := range table.Columns {
+		if col.Name == "user_id" {
+			hasOldSchema = true
+			break
+		}
+	}
+	if !hasOldSchema {
+		return nil
+	}
+
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		_ = tx.Rollback()
+	}()
+
+	// get all the api keys
+	oldKeys := make([]*oldFactorAPIKey68, 0)
+	err = tx.NewSelect().Model(&oldKeys).Where("revoked = ?", false).Scan(ctx)
+	if err != nil && err != sql.ErrNoRows {
+		return err
+	}
+
+	// get all the unique users
+	userIDs := make(map[string]struct{})
+	for _, key := range oldKeys {
+		userIDs[key.UserID] = struct{}{}
+	}
+
+	userIDList := make([]string, 0, len(userIDs))
+	for uid := range userIDs {
+		userIDList = append(userIDList, uid)
+	}
+
+	userMap := make(map[string]*oldUser68)
+	if len(userIDList) > 0 {
+		users := make([]*oldUser68, 0)
+		err = tx.NewSelect().Model(&users).Where("id IN (?)", bun.In(userIDList)).Scan(ctx)
+		if err != nil && err != sql.ErrNoRows {
+			return err
+		}
+		for _, u := range users {
+			userMap[u.ID.String()] = u
+		}
+	}
+
+	// get the role ids
+	type orgRoleKey struct {
+		OrgID    string
+		RoleName string
+	}
+	roleMap := make(map[orgRoleKey]string)
+	if len(userMap) > 0 {
+		orgIDs := make(map[string]struct{})
+		for _, u := range userMap {
+			orgIDs[u.OrgID] = struct{}{}
+		}
+		orgIDList := make([]string, 0, len(orgIDs))
+		for oid := range orgIDs {
+			orgIDList = append(orgIDList, oid)
+		}
+
+		roles := make([]*oldRole68, 0)
+		err = tx.NewSelect().Model(&roles).Where("org_id IN (?)", bun.In(orgIDList)).Scan(ctx)
+		if err != nil && err != sql.ErrNoRows {
+			return err
+		}
+		for _, r := range roles {
+			roleMap[orgRoleKey{OrgID: r.OrgID, RoleName: r.Name}] = r.ID.String()
+		}
+	}
+
+	serviceAccounts := make([]*newServiceAccount68, 0)
+	serviceAccountRoles := make([]*newServiceAccountRole68, 0)
+	newKeys := make([]*newFactorAPIKey68, 0)
+
+	now := time.Now()
+	for _, oldKey := range oldKeys {
+		user, ok := userMap[oldKey.UserID]
+		if !ok {
+			// this should never happen as a key cannot exist without a user
+			continue
+		}
+
+		saID := valuer.GenerateUUID()
+		serviceAccounts = append(serviceAccounts, &newServiceAccount68{
+			Identifiable: types.Identifiable{ID: saID},
+			CreatedAt:    now,
+			UpdatedAt:    now,
+			Name:         oldKey.Name,
+			Email:        user.Email,
+			Status:       "active",
+			OrgID:        user.OrgID,
+		})
+
+		managedRoleName, ok := roletypes.ExistingRoleToSigNozManagedRoleMap[types.Role(oldKey.Role)]
+		if !ok {
+			managedRoleName = roletypes.SigNozViewerRoleName
+		}
+
+		roleID, ok := roleMap[orgRoleKey{OrgID: user.OrgID, RoleName: managedRoleName}]
+		if ok {
+			serviceAccountRoles = append(serviceAccountRoles, &newServiceAccountRole68{
+				Identifiable:     types.Identifiable{ID: valuer.GenerateUUID()},
+				CreatedAt:        now,
+				UpdatedAt:        now,
+				ServiceAccountID: saID.String(),
+				RoleID:           roleID,
+			})
+		}
+
+		var expiresAtUnix uint64
+		if !oldKey.ExpiresAt.IsZero() && oldKey.ExpiresAt.Unix() > 0 {
+			expiresAtUnix = uint64(oldKey.ExpiresAt.Unix())
+		}
+
+		// Convert last_used to last_observed_at.
+		lastObservedAt := oldKey.LastUsed
+		if lastObservedAt.IsZero() {
+			lastObservedAt = oldKey.CreatedAt
+		}
+
+		newKeys = append(newKeys, &newFactorAPIKey68{
+			Identifiable:     oldKey.Identifiable,
+			CreatedAt:        oldKey.CreatedAt,
+			UpdatedAt:        oldKey.UpdatedAt,
+			Name:             oldKey.Name,
+			Key:              oldKey.Token,
+			ExpiresAt:        expiresAtUnix,
+			LastObservedAt:   lastObservedAt,
+			ServiceAccountID: saID.String(),
+		})
+	}
+
+	if len(serviceAccounts) > 0 {
+		if _, err := tx.NewInsert().Model(&serviceAccounts).Exec(ctx); err != nil {
+			return err
+		}
+	}
+
+	if len(serviceAccountRoles) > 0 {
+		if _, err := tx.NewInsert().Model(&serviceAccountRoles).Exec(ctx); err != nil {
+			return err
+		}
+	}
+
+	sqls := [][]byte{}
+	deprecatedFactorAPIKey, _, err := migration.sqlschema.GetTable(ctx, sqlschema.TableName("factor_api_key"))
+	if err != nil {
+		return err
+	}
+
+	dropTableSQLS := migration.sqlschema.Operator().DropTable(deprecatedFactorAPIKey)
+	sqls = append(sqls, dropTableSQLS...)
+
+	tableSQLs := migration.sqlschema.Operator().CreateTable(&sqlschema.Table{
+		Name: "factor_api_key",
+		Columns: []*sqlschema.Column{
+			{Name: "id", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "name", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "key", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "created_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
+			{Name: "updated_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
+			{Name: "expires_at", DataType: sqlschema.DataTypeInteger, Nullable: false},
+			{Name: "last_observed_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
+			{Name: "service_account_id", DataType: sqlschema.DataTypeText, Nullable: false},
+		},
+		PrimaryKeyConstraint: &sqlschema.PrimaryKeyConstraint{
+			ColumnNames: []sqlschema.ColumnName{"id"},
+		},
+		ForeignKeyConstraints: []*sqlschema.ForeignKeyConstraint{
+			{
+				ReferencingColumnName: sqlschema.ColumnName("service_account_id"),
+				ReferencedTableName:   sqlschema.TableName("service_account"),
+				ReferencedColumnName:  sqlschema.ColumnName("id"),
+			},
+		},
+	})
+	sqls = append(sqls, tableSQLs...)
+
+	indexSQLs := migration.sqlschema.Operator().CreateIndex(&sqlschema.UniqueIndex{TableName: "factor_api_key", ColumnNames: []sqlschema.ColumnName{"key"}})
+	sqls = append(sqls, indexSQLs...)
+
+	indexSQLs = migration.sqlschema.Operator().CreateIndex(&sqlschema.UniqueIndex{TableName: "factor_api_key", ColumnNames: []sqlschema.ColumnName{"name", "service_account_id"}})
+	sqls = append(sqls, indexSQLs...)
+
+	for _, sql := range sqls {
+		if _, err := tx.ExecContext(ctx, string(sql)); err != nil {
+			return err
+		}
+	}
+
+	if len(newKeys) > 0 {
+		if _, err := tx.NewInsert().Model(&newKeys).Exec(ctx); err != nil {
+			return err
+		}
+	}
+
+	if err := tx.Commit(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *deprecateAPIKey) Down(context.Context, *bun.DB) error {
+	return nil
+}

pkg/sqlmigration/071_add_service_account_authz.go

@@ -0,0 +1,148 @@
+package sqlmigration
+
+import (
+	"context"
+	"database/sql"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/oklog/ulid/v2"
+	"github.com/uptrace/bun"
+	"github.com/uptrace/bun/dialect"
+	"github.com/uptrace/bun/migrate"
+)
+
+type addServiceAccountAuthz struct {
+	sqlstore sqlstore.SQLStore
+}
+
+func NewServiceAccountAuthzactory(sqlstore sqlstore.SQLStore) factory.ProviderFactory[SQLMigration, Config] {
+	return factory.NewProviderFactory(factory.MustNewName("add_service_account_authz"), func(ctx context.Context, ps factory.ProviderSettings, c Config) (SQLMigration, error) {
+		return &addServiceAccountAuthz{sqlstore: sqlstore}, nil
+	})
+}
+
+func (migration *addServiceAccountAuthz) Register(migrations *migrate.Migrations) error {
+	if err := migrations.Register(migration.Up, migration.Down); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *addServiceAccountAuthz) Up(ctx context.Context, db *bun.DB) error {
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		_ = tx.Rollback()
+	}()
+
+	var storeID string
+	err = tx.QueryRowContext(ctx, `SELECT id FROM store WHERE name = ? LIMIT 1`, "signoz").Scan(&storeID)
+	if err != nil {
+		return err
+	}
+
+	type saRoleTuple struct {
+		ServiceAccountID string
+		OrgID            string
+		RoleName         string
+	}
+
+	rows, err := tx.QueryContext(ctx, `
+		SELECT sa.id, sa.org_id, r.name
+		FROM service_account sa
+		JOIN service_account_role sar ON sar.service_account_id = sa.id
+		JOIN role r ON r.id = sar.role_id
+	`)
+	if err != nil && err != sql.ErrNoRows {
+		return err
+	}
+	defer rows.Close()
+
+	tuples := make([]saRoleTuple, 0)
+	for rows.Next() {
+		var t saRoleTuple
+		if err := rows.Scan(&t.ServiceAccountID, &t.OrgID, &t.RoleName); err != nil {
+			return err
+		}
+		tuples = append(tuples, t)
+	}
+
+	for _, t := range tuples {
+		entropy := ulid.DefaultEntropy()
+		now := time.Now().UTC()
+		tupleID := ulid.MustNew(ulid.Timestamp(now), entropy).String()
+
+		objectID := "organization/" + t.OrgID + "/role/" + t.RoleName
+		saUserID := "organization/" + t.OrgID + "/serviceaccount/" + t.ServiceAccountID
+
+		if migration.sqlstore.BunDB().Dialect().Name() == dialect.PG {
+			result, err := tx.ExecContext(ctx, `
+				INSERT INTO tuple (store, object_type, object_id, relation, _user, user_type, ulid, inserted_at)
+				VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+				ON CONFLICT (store, object_type, object_id, relation, _user) DO NOTHING`,
+				storeID, "role", objectID, "assignee", "serviceaccount:"+saUserID, "user", tupleID, now,
+			)
+			if err != nil {
+				return err
+			}
+
+			rowsAffected, err := result.RowsAffected()
+			if err != nil {
+				return err
+			}
+			if rowsAffected == 0 {
+				continue
+			}
+
+			_, err = tx.ExecContext(ctx, `
+				INSERT INTO changelog (store, object_type, object_id, relation, _user, operation, ulid, inserted_at)
+				VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+				ON CONFLICT (store, ulid, object_type) DO NOTHING`,
+				storeID, "role", objectID, "assignee", "serviceaccount:"+saUserID, "TUPLE_OPERATION_WRITE", tupleID, now,
+			)
+			if err != nil {
+				return err
+			}
+		} else {
+			result, err := tx.ExecContext(ctx, `
+				INSERT INTO tuple (store, object_type, object_id, relation, user_object_type, user_object_id, user_relation, user_type, ulid, inserted_at)
+				VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+				ON CONFLICT (store, object_type, object_id, relation, user_object_type, user_object_id, user_relation) DO NOTHING`,
+				storeID, "role", objectID, "assignee", "serviceaccount", saUserID, "", "user", tupleID, now,
+			)
+			if err != nil {
+				return err
+			}
+
+			rowsAffected, err := result.RowsAffected()
+			if err != nil {
+				return err
+			}
+			if rowsAffected == 0 {
+				continue
+			}
+
+			_, err = tx.ExecContext(ctx, `
+				INSERT INTO changelog (store, object_type, object_id, relation, user_object_type, user_object_id, user_relation, operation, ulid, inserted_at)
+				VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+				ON CONFLICT (store, ulid, object_type) DO NOTHING`,
+				storeID, "role", objectID, "assignee", "serviceaccount", saUserID, "", 0, tupleID, now,
+			)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	return tx.Commit()
+}
+
+func (migration *addServiceAccountAuthz) Down(context.Context, *bun.DB) error {
+	return nil
+}

pkg/telemetrytraces/const.go

@@ -1,50 +1,6 @@
 package telemetrytraces
 
-import (
-	"github.com/SigNoz/signoz/pkg/types/telemetrytypes"
-)
-
-const (
-
-	// Internal Columns
-	SpanTimestampBucketStartColumn = "ts_bucket_start"
-	SpanResourceFingerPrintColumn  = "resource_fingerprint"
-
-	// Intrinsic Columns
-	SpanTimestampColumn        = "timestamp"
-	SpanTraceIDColumn          = "trace_id"
-	SpanSpanIDColumn           = "span_id"
-	SpanTraceStateColumn       = "trace_state"
-	SpanParentSpanIDColumn     = "parent_span_id"
-	SpanFlagsColumn            = "flags"
-	SpanNameColumn             = "name"
-	SpanKindColumn             = "kind"
-	SpanKindStringColumn       = "kind_string"
-	SpanDurationNanoColumn     = "duration_nano"
-	SpanStatusCodeColumn       = "status_code"
-	SpanStatusMessageColumn    = "status_message"
-	SpanStatusCodeStringColumn = "status_code_string"
-	SpanEventsColumn           = "events"
-	SpanLinksColumn            = "links"
-
-	// Calculated Columns
-	SpanResponseStatusCodeColumn = "response_status_code"
-	SpanExternalHTTPURLColumn    = "external_http_url"
-	SpanHTTPURLColumn            = "http_url"
-	SpanExternalHTTPMethodColumn = "external_http_method"
-	SpanHTTPMethodColumn         = "http_method"
-	SpanHTTPHostColumn           = "http_host"
-	SpanDBNameColumn             = "db_name"
-	SpanDBOperationColumn        = "db_operation"
-	SpanHasErrorColumn           = "has_error"
-	SpanIsRemoteColumn           = "is_remote"
-
-	// Contextual Columns
-	SpanAttributesStringColumn = "attributes_string"
-	SpanAttributesNumberColumn = "attributes_number"
-	SpanAttributesBoolColumn   = "attributes_bool"
-	SpanResourcesStringColumn  = "resources_string"
-)
+import "github.com/SigNoz/signoz/pkg/types/telemetrytypes"
 
 var (
 	IntrinsicFields = map[string]telemetrytypes.TelemetryFieldKey{

pkg/telemetrytraces/statement_builder.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"log/slog"
+	"slices"
 	"strings"
 
 	"github.com/SigNoz/signoz/pkg/errors"
@@ -13,6 +14,7 @@ import (
 	qbtypes "github.com/SigNoz/signoz/pkg/types/querybuildertypes/querybuildertypesv5"
 	"github.com/SigNoz/signoz/pkg/types/telemetrytypes"
 	"github.com/huandu/go-sqlbuilder"
+	"golang.org/x/exp/maps"
 )
 
 var (
@@ -72,6 +74,41 @@ func (b *traceQueryStatementBuilder) Build(
 		return nil, err
 	}
 
+	/*
+		Adding a tech debt note here:
+		This piece of code is a hot fix and should be removed once we close issue: engineering-pod/issues/3622
+	*/
+	/*
+		-------------------------------- Start of tech debt ----------------------------
+	*/
+	if requestType == qbtypes.RequestTypeRaw {
+
+		selectedFields := query.SelectFields
+
+		if len(selectedFields) == 0 {
+			sortedKeys := maps.Keys(DefaultFields)
+			slices.Sort(sortedKeys)
+			for _, key := range sortedKeys {
+				selectedFields = append(selectedFields, DefaultFields[key])
+			}
+			query.SelectFields = selectedFields
+		}
+
+		selectFieldKeys := []string{}
+		for _, field := range selectedFields {
+			selectFieldKeys = append(selectFieldKeys, field.Name)
+		}
+
+		for _, x := range []string{"timestamp", "span_id", "trace_id"} {
+			if !slices.Contains(selectFieldKeys, x) {
+				query.SelectFields = append(query.SelectFields, DefaultFields[x])
+			}
+		}
+	}
+	/*
+		-------------------------------- End of tech debt ----------------------------
+	*/
+
 	query = b.adjustKeys(ctx, keys, query, requestType)
 
 	// Check if filter contains trace_id(s) and optimize time range if needed
@@ -274,53 +311,13 @@ func (b *traceQueryStatementBuilder) buildListQuery(
 		cteArgs = append(cteArgs, args)
 	}
 
-	sb.SelectMore(SpanTimestampColumn)
-	sb.SelectMore(SpanTraceIDColumn)
-	sb.SelectMore(SpanSpanIDColumn)
-	// By default select all
-	if len(query.SelectFields) == 0 {
-		// Select all intrinsic columns
-		sb.SelectMore(SpanTraceStateColumn)
-		sb.SelectMore(SpanParentSpanIDColumn)
-		sb.SelectMore(SpanFlagsColumn)
-		sb.SelectMore(SpanNameColumn)
-		sb.SelectMore(SpanKindColumn)
-		sb.SelectMore(SpanKindStringColumn)
-		sb.SelectMore(SpanDurationNanoColumn)
-		sb.SelectMore(SpanStatusCodeColumn)
-		sb.SelectMore(SpanStatusMessageColumn)
-		sb.SelectMore(SpanStatusCodeStringColumn)
-		sb.SelectMore(SpanEventsColumn)
-		sb.SelectMore(SpanLinksColumn)
-
-		// select all calculated columns
-		sb.SelectMore(SpanResponseStatusCodeColumn)
-		sb.SelectMore(SpanExternalHTTPURLColumn)
-		sb.SelectMore(SpanHTTPURLColumn)
-		sb.SelectMore(SpanExternalHTTPMethodColumn)
-		sb.SelectMore(SpanHTTPMethodColumn)
-		sb.SelectMore(SpanHTTPHostColumn)
-		sb.SelectMore(SpanDBNameColumn)
-		sb.SelectMore(SpanDBOperationColumn)
-		sb.SelectMore(SpanHasErrorColumn)
-		sb.SelectMore(SpanIsRemoteColumn)
-
-		// select all contextual columns
-		sb.SelectMore(SpanAttributesStringColumn)
-		sb.SelectMore(SpanAttributesNumberColumn)
-		sb.SelectMore(SpanAttributesBoolColumn)
-		sb.SelectMore(SpanResourcesStringColumn)
-	} else {
-		for _, field := range query.SelectFields {
-			if field.Name == SpanTimestampColumn || field.Name == SpanTraceIDColumn || field.Name == SpanSpanIDColumn {
-				continue
-			}
-			colExpr, err := b.fm.ColumnExpressionFor(ctx, &field, keys)
-			if err != nil {
-				return nil, err
-			}
-			sb.SelectMore(colExpr)
+	// TODO: should we deprecate `SelectFields` and return everything from a span like we do for logs?
+	for _, field := range query.SelectFields {
+		colExpr, err := b.fm.ColumnExpressionFor(ctx, &field, keys)
+		if err != nil {
+			return nil, err
 		}
+		sb.SelectMore(colExpr)
 	}
 
 	// From table

pkg/tokenizer/config.go

@@ -17,6 +17,9 @@ type Config struct {
 	// Config for the JWT tokenizer.
 	JWT JWTConfig `mapstructure:"jwt"`
 
+	// Config for the serviceAccount tokenizer.
+	ServiceAccount ServiceAccountConfig `mapstructure:"service_account"`
+
 	// Rotation config
 	Rotation RotationConfig `mapstructure:"rotation"`
 
@@ -37,6 +40,11 @@ type JWTConfig struct {
 	Secret string `mapstructure:"secret"`
 }
 
+type ServiceAccountConfig struct {
+	// GC config
+	GC GCConfig `mapstructure:"gc"`
+}
+
 type GCConfig struct {
 	// The interval to perform garbage collection.
 	Interval time.Duration `mapstructure:"interval"`
@@ -81,6 +89,11 @@ func newConfig() factory.Config {
 		JWT: JWTConfig{
 			Secret: "",
 		},
+		ServiceAccount: ServiceAccountConfig{
+			GC: GCConfig{
+				Interval: 1 * time.Hour, // 1 hour
+			},
+		},
 		Rotation: RotationConfig{
 			Interval: 30 * time.Minute, // 30 minutes
 			Duration: 60 * time.Second, // 60 seconds

pkg/tokenizer/jwttokenizer/claims.go

@@ -2,7 +2,6 @@ package jwttokenizer
 
 import (
 	"github.com/SigNoz/signoz/pkg/errors"
-	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/golang-jwt/jwt/v5"
 )
 
@@ -10,21 +9,15 @@ var _ jwt.ClaimsValidator = (*Claims)(nil)
 
 type Claims struct {
 	jwt.RegisteredClaims
-	UserID string     `json:"id"`
-	Email  string     `json:"email"`
-	Role   types.Role `json:"role"`
-	OrgID  string     `json:"orgId"`
+	UserID string `json:"id"`
+	Email  string `json:"email"`
+	OrgID  string `json:"orgId"`
 }
 
 func (c *Claims) Validate() error {
 	if c.UserID == "" {
 		return errors.New(errors.TypeUnauthenticated, errors.CodeUnauthenticated, "id is required")
 	}
-	// The problem is that when the "role" field is missing entirely from the JSON (as opposed to being present but empty), the UnmarshalJSON method for Role isn't called at all.
-	// The JSON decoder just sets the Role field to its zero value ("").
-	if c.Role == "" {
-		return errors.New(errors.TypeUnauthenticated, errors.CodeUnauthenticated, "role is required")
-	}
 
 	if c.OrgID == "" {
 		return errors.New(errors.TypeUnauthenticated, errors.CodeUnauthenticated, "orgId is required")

pkg/tokenizer/jwttokenizer/provider.go

@@ -76,7 +76,6 @@ func (provider *provider) Start(ctx context.Context) error {
 func (provider *provider) CreateToken(ctx context.Context, identity *authtypes.Identity, meta map[string]string) (*authtypes.Token, error) {
 	accessTokenClaims := Claims{
 		UserID: identity.UserID.String(),
-		Role:   identity.Role,
 		Email:  identity.Email.String(),
 		OrgID:  identity.OrgID.String(),
 		RegisteredClaims: jwt.RegisteredClaims{
@@ -92,7 +91,6 @@ func (provider *provider) CreateToken(ctx context.Context, identity *authtypes.I
 
 	refreshTokenClaims := Claims{
 		UserID: identity.UserID.String(),
-		Role:   identity.Role,
 		Email:  identity.Email.String(),
 		OrgID:  identity.OrgID.String(),
 		RegisteredClaims: jwt.RegisteredClaims{
@@ -115,17 +113,7 @@ func (provider *provider) GetIdentity(ctx context.Context, accessToken string) (
 		return nil, err
 	}
 
-	// check claimed role
-	identity, err := provider.getOrSetIdentity(ctx, emptyOrgID, valuer.MustNewUUID(claims.UserID))
-	if err != nil {
-		return nil, err
-	}
-
-	if identity.Role != claims.Role {
-		return nil, errors.Newf(errors.TypeUnauthenticated, errors.CodeUnauthenticated, "claim role mismatch")
-	}
-
-	return authtypes.NewIdentity(valuer.MustNewUUID(claims.UserID), valuer.MustNewUUID(claims.OrgID), valuer.MustNewEmail(claims.Email), claims.Role), nil
+	return authtypes.NewIdentity(valuer.MustNewUUID(claims.UserID), valuer.UUID{}, authtypes.PrincipalUser, valuer.MustNewUUID(claims.OrgID), valuer.MustNewEmail(claims.Email)), nil
 }
 
 func (provider *provider) DeleteToken(ctx context.Context, accessToken string) error {

pkg/tokenizer/jwttokenizer/provider_test.go

@@ -14,7 +14,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/sqlstore/sqlstoretest"
 	"github.com/SigNoz/signoz/pkg/tokenizer"
 	"github.com/SigNoz/signoz/pkg/tokenizer/tokenizerstore/sqltokenizerstore"
-	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/stretchr/testify/assert"
@@ -62,7 +61,6 @@ func TestLastObservedAt_Concurrent(t *testing.T) {
 		&authtypes.Identity{
 			UserID: valuer.GenerateUUID(),
 			OrgID:  orgID,
-			Role:   types.RoleAdmin,
 			Email:  valuer.MustNewEmail("test@test.com"),
 		},
 		map[string]string{},
@@ -74,7 +72,6 @@ func TestLastObservedAt_Concurrent(t *testing.T) {
 		&authtypes.Identity{
 			UserID: valuer.GenerateUUID(),
 			OrgID:  orgID,
-			Role:   types.RoleAdmin,
 			Email:  valuer.MustNewEmail("test@test.com"),
 		},
 		map[string]string{},

pkg/tokenizer/serviceaccounttokenizer/provider.go

@@ -0,0 +1,353 @@
+package serviceaccounttokenizer
+
+import (
+	"context"
+	"slices"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/cache"
+	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/modules/organization"
+	"github.com/SigNoz/signoz/pkg/tokenizer"
+	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/SigNoz/signoz/pkg/types/cachetypes"
+	"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"
+	"github.com/SigNoz/signoz/pkg/valuer"
+	"github.com/dgraph-io/ristretto/v2"
+	"go.opentelemetry.io/otel/attribute"
+	"go.opentelemetry.io/otel/trace"
+)
+
+var (
+	emptyOrgID valuer.UUID = valuer.UUID{}
+)
+
+const (
+	expectedLastObservedAtCacheEntries int64 = 5000 // 1000 serviceAccounts * Max 5 keys per account
+)
+
+type provider struct {
+	config              tokenizer.Config
+	settings            factory.ScopedProviderSettings
+	cache               cache.Cache
+	apiKeyStore         serviceaccounttypes.Store
+	orgGetter           organization.Getter
+	stopC               chan struct{}
+	lastObservedAtCache *ristretto.Cache[string, time.Time]
+}
+
+func NewFactory(cache cache.Cache, apiKeyStore serviceaccounttypes.Store, orgGetter organization.Getter) factory.ProviderFactory[tokenizer.Tokenizer, tokenizer.Config] {
+	return factory.NewProviderFactory(factory.MustNewName("serviceaccount"), func(ctx context.Context, providerSettings factory.ProviderSettings, config tokenizer.Config) (tokenizer.Tokenizer, error) {
+		return New(ctx, providerSettings, config, cache, apiKeyStore, orgGetter)
+	})
+}
+
+func New(ctx context.Context, providerSettings factory.ProviderSettings, config tokenizer.Config, cache cache.Cache, apiKeyStore serviceaccounttypes.Store, orgGetter organization.Getter) (tokenizer.Tokenizer, error) {
+	settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/tokenizer/serviceaccounttokenizer")
+
+	// * move these hardcoded values to a config based value when needed
+	lastObservedAtCache, err := ristretto.NewCache(&ristretto.Config[string, time.Time]{
+		NumCounters: 10 * expectedLastObservedAtCacheEntries, // 10x of expected entries
+		MaxCost:     1 << 19,                                 // ~ 512 KB
+		BufferItems: 64,
+		Metrics:     false,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return tokenizer.NewWrappedTokenizer(settings, &provider{
+		config:              config,
+		settings:            settings,
+		cache:               cache,
+		apiKeyStore:         apiKeyStore,
+		orgGetter:           orgGetter,
+		stopC:               make(chan struct{}),
+		lastObservedAtCache: lastObservedAtCache,
+	}), nil
+}
+
+func (provider *provider) Start(ctx context.Context) error {
+	ticker := time.NewTicker(provider.config.ServiceAccount.GC.Interval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-provider.stopC:
+			return nil
+		case <-ticker.C:
+			ctx, span := provider.settings.Tracer().Start(ctx, "tokenizer.LastObservedAt", trace.WithAttributes(attribute.String("tokenizer.provider", "serviceaccount")))
+
+			orgs, err := provider.orgGetter.ListByOwnedKeyRange(ctx)
+			if err != nil {
+				provider.settings.Logger().ErrorContext(ctx, "failed to get orgs data", "error", err)
+				span.End()
+				continue
+			}
+
+			for _, org := range orgs {
+				if err := provider.flushLastObservedAt(ctx, org); err != nil {
+					span.RecordError(err)
+					provider.settings.Logger().ErrorContext(ctx, "failed to flush api keys", "error", err, "org_id", org.ID)
+				}
+			}
+
+			span.End()
+		}
+	}
+}
+
+func (provider *provider) CreateToken(_ context.Context, _ *authtypes.Identity, _ map[string]string) (*authtypes.Token, error) {
+	return nil, errors.New(errors.TypeUnsupported, errors.CodeUnsupported, "not implemented")
+}
+
+func (provider *provider) GetIdentity(ctx context.Context, key string) (*authtypes.Identity, error) {
+	apiKey, err := provider.getOrGetSetAPIKey(ctx, key)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := apiKey.IsExpired(); err != nil {
+		return nil, err
+	}
+
+	identity, err := provider.getOrGetSetIdentity(ctx, apiKey.ServiceAccountID)
+	if err != nil {
+		return nil, err
+	}
+
+	return identity, nil
+}
+
+func (provider *provider) RotateToken(_ context.Context, _ string, _ string) (*authtypes.Token, error) {
+	return nil, errors.New(errors.TypeUnsupported, errors.CodeUnsupported, "not implemented")
+}
+
+func (provider *provider) DeleteToken(_ context.Context, _ string) error {
+	return errors.New(errors.TypeUnsupported, errors.CodeUnsupported, "not implemented")
+}
+
+func (provider *provider) DeleteTokensByUserID(_ context.Context, _ valuer.UUID) error {
+	return errors.New(errors.TypeUnsupported, errors.CodeUnsupported, "not implemented")
+}
+
+func (provider *provider) DeleteIdentity(ctx context.Context, serviceAccountID valuer.UUID) error {
+	provider.cache.Delete(ctx, emptyOrgID, identityCacheKey(serviceAccountID))
+	return nil
+}
+
+func (provider *provider) Stop(ctx context.Context) error {
+	close(provider.stopC)
+
+	orgs, err := provider.orgGetter.ListByOwnedKeyRange(ctx)
+	if err != nil {
+		return err
+	}
+
+	for _, org := range orgs {
+		// flush api keys on stop
+		if err := provider.flushLastObservedAt(ctx, org); err != nil {
+			provider.settings.Logger().ErrorContext(ctx, "failed to flush tokens", "error", err, "org_id", org.ID)
+		}
+	}
+
+	return nil
+}
+
+func (provider *provider) SetLastObservedAt(ctx context.Context, key string, lastObservedAt time.Time) error {
+	apiKey, err := provider.getOrGetSetAPIKey(ctx, key)
+	if err != nil {
+		return err
+	}
+
+	// If we can't update the last observed at, we return nil.
+	if err := apiKey.UpdateLastObservedAt(lastObservedAt); err != nil {
+		return nil
+	}
+
+	if ok := provider.lastObservedAtCache.Set(lastObservedAtCacheKey(key, apiKey.ServiceAccountID), lastObservedAt, 24); !ok {
+		provider.settings.Logger().ErrorContext(ctx, "error caching last observed at timestamp", "service_account_id", apiKey.ServiceAccountID)
+	}
+
+	err = provider.cache.Set(ctx, emptyOrgID, apiKeyCacheKey(key), apiKey, provider.config.Lifetime.Max)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (provider *provider) Config() tokenizer.Config {
+	return provider.config
+}
+
+func (provider *provider) Collect(ctx context.Context, orgID valuer.UUID) (map[string]any, error) {
+	apiKeys, err := provider.apiKeyStore.ListFactorAPIKeyByOrgID(ctx, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	stats := make(map[string]any)
+	stats["api_key.count"] = len(apiKeys)
+
+	keyToLastObservedAt, err := provider.listLastObservedAtDesc(ctx, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(keyToLastObservedAt) == 0 {
+		return stats, nil
+	}
+
+	keyToLastObservedAtMax := keyToLastObservedAt[0]
+
+	if lastObservedAt, ok := keyToLastObservedAtMax["last_observed_at"].(time.Time); ok {
+		if !lastObservedAt.IsZero() {
+			stats["api_key.last_observed_at.max.time"] = lastObservedAt.UTC()
+			stats["api_key.last_observed_at.max.time_unix"] = lastObservedAt.Unix()
+		}
+	}
+
+	return stats, nil
+}
+
+func (provider *provider) ListMaxLastObservedAtByOrgID(ctx context.Context, orgID valuer.UUID) (map[valuer.UUID]time.Time, error) {
+	apiKeyToLastObservedAts, err := provider.listLastObservedAtDesc(ctx, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	maxLastObservedAtPerServiceAccountID := make(map[valuer.UUID]time.Time)
+
+	for _, apiKeyToLastObservedAt := range apiKeyToLastObservedAts {
+		serviceAccountID, ok := apiKeyToLastObservedAt["service_account_id"].(valuer.UUID)
+		if !ok {
+			continue
+		}
+
+		lastObservedAt, ok := apiKeyToLastObservedAt["last_observed_at"].(time.Time)
+		if !ok {
+			continue
+		}
+
+		if lastObservedAt.IsZero() {
+			continue
+		}
+
+		if _, ok := maxLastObservedAtPerServiceAccountID[serviceAccountID]; !ok {
+			maxLastObservedAtPerServiceAccountID[serviceAccountID] = lastObservedAt.UTC()
+			continue
+		}
+
+		if lastObservedAt.UTC().After(maxLastObservedAtPerServiceAccountID[serviceAccountID]) {
+			maxLastObservedAtPerServiceAccountID[serviceAccountID] = lastObservedAt.UTC()
+		}
+	}
+
+	return maxLastObservedAtPerServiceAccountID, nil
+
+}
+
+func (provider *provider) flushLastObservedAt(ctx context.Context, org *types.Organization) error {
+	apiKeyToLastObservedAt, err := provider.listLastObservedAtDesc(ctx, org.ID)
+	if err != nil {
+		return err
+	}
+
+	if err := provider.apiKeyStore.UpdateLastObservedAtByKey(ctx, apiKeyToLastObservedAt); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (provider *provider) getOrGetSetAPIKey(ctx context.Context, key string) (*serviceaccounttypes.FactorAPIKey, error) {
+	apiKey := new(serviceaccounttypes.FactorAPIKey)
+	err := provider.cache.Get(ctx, emptyOrgID, apiKeyCacheKey(key), apiKey)
+	if err != nil && !errors.Ast(err, errors.TypeNotFound) {
+		return nil, err
+	}
+
+	if err == nil {
+		return apiKey, nil
+	}
+
+	storable, err := provider.apiKeyStore.GetFactorAPIKeyByKey(ctx, key)
+	if err != nil {
+		return nil, err
+	}
+	apiKey = serviceaccounttypes.NewFactorAPIKeyFromStorable(storable)
+
+	err = provider.cache.Set(ctx, emptyOrgID, apiKeyCacheKey(key), apiKey, provider.config.Lifetime.Max)
+	if err != nil {
+		return nil, err
+	}
+
+	return apiKey, nil
+}
+
+func (provider *provider) getOrGetSetIdentity(ctx context.Context, serviceAccountID valuer.UUID) (*authtypes.Identity, error) {
+	identity := new(authtypes.Identity)
+	err := provider.cache.Get(ctx, emptyOrgID, identityCacheKey(serviceAccountID), identity)
+	if err != nil && !errors.Ast(err, errors.TypeNotFound) {
+		return nil, err
+	}
+
+	if err == nil {
+		return identity, nil
+	}
+
+	storableServiceAccount, err := provider.apiKeyStore.GetByID(ctx, serviceAccountID)
+	if err != nil {
+		return nil, err
+	}
+
+	identity = storableServiceAccount.ToIdentity()
+	err = provider.cache.Set(ctx, emptyOrgID, identityCacheKey(serviceAccountID), identity, 0)
+	if err != nil {
+		return nil, err
+	}
+
+	return identity, nil
+}
+
+func (provider *provider) listLastObservedAtDesc(ctx context.Context, orgID valuer.UUID) ([]map[string]any, error) {
+	apiKeys, err := provider.apiKeyStore.ListFactorAPIKeyByOrgID(ctx, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	var keyToLastObservedAt []map[string]any
+
+	for _, key := range apiKeys {
+		keyCachedLastObservedAt, ok := provider.lastObservedAtCache.Get(lastObservedAtCacheKey(key.Key, valuer.MustNewUUID(key.ServiceAccountID)))
+		if ok {
+			keyToLastObservedAt = append(keyToLastObservedAt, map[string]any{
+				"service_account_id": key.ServiceAccountID,
+				"key":                key.Key,
+				"last_observed_at":   keyCachedLastObservedAt,
+			})
+		}
+	}
+
+	// sort by descending order of last_observed_at
+	slices.SortFunc(keyToLastObservedAt, func(a, b map[string]any) int {
+		return b["last_observed_at"].(time.Time).Compare(a["last_observed_at"].(time.Time))
+	})
+
+	return keyToLastObservedAt, nil
+}
+
+func apiKeyCacheKey(apiKey string) string {
+	return "api_key::" + cachetypes.NewSha1CacheKey(apiKey)
+}
+
+func identityCacheKey(serviceAccountID valuer.UUID) string {
+	return "identity::" + serviceAccountID.String()
+}
+
+func lastObservedAtCacheKey(apiKey string, serviceAccountID valuer.UUID) string {
+	return "api_key::" + apiKey + "::" + serviceAccountID.String()
+}

pkg/tokenizer/tokenizerstore/sqltokenizerstore/store.go

@@ -47,7 +47,7 @@ func (store *store) GetIdentityByUserID(ctx context.Context, userID valuer.UUID)
 		return nil, store.sqlstore.WrapNotFoundErrf(err, types.ErrCodeUserNotFound, "user with id: %s does not exist", userID)
 	}
 
-	return authtypes.NewIdentity(userID, user.OrgID, user.Email, types.Role(user.Role)), nil
+	return authtypes.NewIdentity(userID, valuer.UUID{}, authtypes.PrincipalUser, user.OrgID, user.Email), nil
 }
 
 func (store *store) GetByAccessToken(ctx context.Context, accessToken string) (*authtypes.StorableToken, error) {

pkg/types/authtypes/authn.go

@@ -25,10 +25,11 @@ var (
 type AuthNProvider struct{ valuer.String }
 
 type Identity struct {
-	UserID valuer.UUID  `json:"userId"`
-	OrgID  valuer.UUID  `json:"orgId"`
-	Email  valuer.Email `json:"email"`
-	Role   types.Role   `json:"role"`
+	UserID           valuer.UUID  `json:"userId"`
+	ServiceAccountID valuer.UUID  `json:"serviceAccountId"`
+	Principal        Principal    `json:"principal"`
+	OrgID            valuer.UUID  `json:"orgId"`
+	Email            valuer.Email `json:"email"`
 }
 
 type CallbackIdentity struct {
@@ -78,12 +79,13 @@ func NewStateFromString(state string) (State, error) {
 	}, nil
 }
 
-func NewIdentity(userID valuer.UUID, orgID valuer.UUID, email valuer.Email, role types.Role) *Identity {
+func NewIdentity(userID valuer.UUID, serviceAccountID valuer.UUID, principal Principal, orgID valuer.UUID, email valuer.Email) *Identity {
 	return &Identity{
-		UserID: userID,
-		OrgID:  orgID,
-		Email:  email,
-		Role:   role,
+		UserID:           userID,
+		ServiceAccountID: serviceAccountID,
+		Principal:        principal,
+		OrgID:            orgID,
+		Email:            email,
 	}
 }
 
@@ -116,10 +118,11 @@ func (typ *Identity) UnmarshalBinary(data []byte) error {
 
 func (typ *Identity) ToClaims() Claims {
 	return Claims{
-		UserID: typ.UserID.String(),
-		Email:  typ.Email.String(),
-		Role:   typ.Role,
-		OrgID:  typ.OrgID.String(),
+		UserID:           typ.UserID.String(),
+		ServiceAccountID: typ.ServiceAccountID.String(),
+		Principal:        typ.Principal.StringValue(),
+		Email:            typ.Email.String(),
+		OrgID:            typ.OrgID.String(),
 	}
 }
 

pkg/types/authtypes/claims.go

@@ -3,20 +3,20 @@ package authtypes
 import (
 	"context"
 	"log/slog"
-	"slices"
 
 	"github.com/SigNoz/signoz/pkg/errors"
-	"github.com/SigNoz/signoz/pkg/types"
 )
 
 type claimsKey struct{}
 type accessTokenKey struct{}
+type serviceAccountAPIKeyKey struct{}
 
 type Claims struct {
-	UserID string
-	Email  string
-	Role   types.Role
-	OrgID  string
+	UserID           string
+	ServiceAccountID string
+	Principal        string
+	Email            string
+	OrgID            string
 }
 
 // NewContextWithClaims attaches individual claims to the context.
@@ -47,37 +47,35 @@ func AccessTokenFromContext(ctx context.Context) (string, error) {
 	return accessToken, nil
 }
 
+func NewContextWithServiceAccountAPIKey(ctx context.Context, apiKey string) context.Context {
+	return context.WithValue(ctx, serviceAccountAPIKeyKey{}, apiKey)
+}
+
+func ServiceAccountAPIKeyFromContext(ctx context.Context) (string, error) {
+	apiKey, ok := ctx.Value(serviceAccountAPIKeyKey{}).(string)
+	if !ok {
+		return "", errors.New(errors.TypeUnauthenticated, errors.CodeUnauthenticated, "unauthenticated")
+	}
+
+	return apiKey, nil
+}
+
 func (c *Claims) LogValue() slog.Value {
 	return slog.GroupValue(
 		slog.String("user_id", c.UserID),
+		slog.String("service_account_id", c.ServiceAccountID),
+		slog.String("principal", c.Principal),
 		slog.String("email", c.Email),
-		slog.String("role", c.Role.String()),
 		slog.String("org_id", c.OrgID),
 	)
 }
 
-func (c *Claims) IsViewer() error {
-	if slices.Contains([]types.Role{types.RoleViewer, types.RoleEditor, types.RoleAdmin}, c.Role) {
-		return nil
+func (c *Claims) GetIdentityID() string {
+	if c.Principal == PrincipalUser.StringValue() {
+		return c.UserID
 	}
 
-	return errors.New(errors.TypeForbidden, errors.CodeForbidden, "only viewers/editors/admins can access this resource")
-}
-
-func (c *Claims) IsEditor() error {
-	if slices.Contains([]types.Role{types.RoleEditor, types.RoleAdmin}, c.Role) {
-		return nil
-	}
-
-	return errors.New(errors.TypeForbidden, errors.CodeForbidden, "only editors/admins can access this resource")
-}
-
-func (c *Claims) IsAdmin() error {
-	if c.Role == types.RoleAdmin {
-		return nil
-	}
-
-	return errors.New(errors.TypeForbidden, errors.CodeForbidden, "only admins can access this resource")
+	return c.ServiceAccountID
 }
 
 func (c *Claims) IsSelfAccess(id string) error {
@@ -85,9 +83,5 @@ func (c *Claims) IsSelfAccess(id string) error {
 		return nil
 	}
 
-	if c.Role == types.RoleAdmin {
-		return nil
-	}
-
 	return errors.New(errors.TypeForbidden, errors.CodeForbidden, "only the user/admin can access their own resource")
 }

pkg/types/authtypes/principal.go

@@ -0,0 +1,10 @@
+package authtypes
+
+import "github.com/SigNoz/signoz/pkg/valuer"
+
+var (
+	PrincipalUser           = Principal{valuer.NewString("user")}
+	PrincipalServiceAccount = Principal{valuer.NewString("service_account")}
+)
+
+type Principal struct{ valuer.String }

pkg/types/dashboardtypes/dashboard.go

@@ -284,18 +284,7 @@ func (dashboard *Dashboard) Update(ctx context.Context, updatableDashboard Updat
 	return nil
 }
 
-func (dashboard *Dashboard) CanLockUnlock(role types.Role, updatedBy string) error {
-	if dashboard.CreatedBy != updatedBy && role != types.RoleAdmin {
-		return errors.Newf(errors.TypeForbidden, errors.CodeForbidden, "you are not authorized to lock/unlock this dashboard")
-	}
-	return nil
-}
-
-func (dashboard *Dashboard) LockUnlock(lock bool, role types.Role, updatedBy string) error {
-	err := dashboard.CanLockUnlock(role, updatedBy)
-	if err != nil {
-		return err
-	}
+func (dashboard *Dashboard) LockUnlock(lock bool, updatedBy string) error {
 	dashboard.Locked = lock
 	dashboard.UpdatedBy = updatedBy
 	dashboard.UpdatedAt = time.Now()

pkg/types/factor_api_key.go

@@ -1,144 +0,0 @@
-package types
-
-import (
-	"crypto/rand"
-	"encoding/base64"
-	"time"
-
-	"github.com/SigNoz/signoz/pkg/errors"
-	"github.com/SigNoz/signoz/pkg/valuer"
-	"github.com/uptrace/bun"
-)
-
-var NEVER_EXPIRES = time.Unix(0, 0)
-
-type PostableAPIKey struct {
-	Name          string `json:"name"`
-	Role          Role   `json:"role"`
-	ExpiresInDays int64  `json:"expiresInDays"`
-}
-
-type GettableAPIKey struct {
-	Identifiable
-	TimeAuditable
-	UserAuditable
-	Token         string `json:"token"`
-	Role          Role   `json:"role"`
-	Name          string `json:"name"`
-	ExpiresAt     int64  `json:"expiresAt"`
-	LastUsed      int64  `json:"lastUsed"`
-	Revoked       bool   `json:"revoked"`
-	UserID        string `json:"userId"`
-	CreatedByUser *User  `json:"createdByUser"`
-	UpdatedByUser *User  `json:"updatedByUser"`
-}
-
-type OrgUserAPIKey struct {
-	*Organization `bun:",extend"`
-	Users         []*UserWithAPIKey `bun:"rel:has-many,join:id=org_id"`
-}
-
-type UserWithAPIKey struct {
-	*User   `bun:",extend"`
-	APIKeys []*StorableAPIKeyUser `bun:"rel:has-many,join:id=user_id"`
-}
-
-type StorableAPIKeyUser struct {
-	StorableAPIKey `bun:",extend"`
-
-	CreatedByUser *User `json:"createdByUser" bun:"created_by_user,rel:belongs-to,join:created_by=id"`
-	UpdatedByUser *User `json:"updatedByUser" bun:"updated_by_user,rel:belongs-to,join:updated_by=id"`
-}
-
-type StorableAPIKey struct {
-	bun.BaseModel `bun:"table:factor_api_key"`
-
-	Identifiable
-	TimeAuditable
-	UserAuditable
-	Token     string      `json:"token" bun:"token,type:text,notnull,unique"`
-	Role      Role        `json:"role" bun:"role,type:text,notnull,default:'ADMIN'"`
-	Name      string      `json:"name" bun:"name,type:text,notnull"`
-	ExpiresAt time.Time   `json:"-" bun:"expires_at,notnull,nullzero,type:timestamptz"`
-	LastUsed  time.Time   `json:"-" bun:"last_used,notnull,nullzero,type:timestamptz"`
-	Revoked   bool        `json:"revoked" bun:"revoked,notnull,default:false"`
-	UserID    valuer.UUID `json:"userId" bun:"user_id,type:text,notnull"`
-}
-
-func NewStorableAPIKey(name string, userID valuer.UUID, role Role, expiresAt int64) (*StorableAPIKey, error) {
-	// validate
-
-	// we allow the APIKey if expiresAt is not set, which means it never expires
-	if expiresAt < 0 {
-		return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "expiresAt must be greater than 0")
-	}
-
-	if name == "" {
-		return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "name cannot be empty")
-	}
-
-	if role == "" {
-		return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "role cannot be empty")
-	}
-
-	now := time.Now()
-	// convert expiresAt to unix timestamp from days
-	// expiresAt = now.Unix() + (expiresAt * 24 * 60 * 60)
-	expiresAtTime := now.AddDate(0, 0, int(expiresAt))
-
-	// if the expiresAt is 0, it means the APIKey never expires
-	if expiresAt == 0 {
-		expiresAtTime = NEVER_EXPIRES
-	}
-
-	// Generate a 32-byte random token.
-	token := make([]byte, 32)
-	_, err := rand.Read(token)
-	if err != nil {
-		return nil, errors.New(errors.TypeInternal, errors.CodeInternal, "failed to generate token")
-	}
-	// Encode the token in base64.
-	encodedToken := base64.StdEncoding.EncodeToString(token)
-
-	return &StorableAPIKey{
-		Identifiable: Identifiable{
-			ID: valuer.GenerateUUID(),
-		},
-		TimeAuditable: TimeAuditable{
-			CreatedAt: now,
-			UpdatedAt: now,
-		},
-		UserAuditable: UserAuditable{
-			CreatedBy: userID.String(),
-			UpdatedBy: userID.String(),
-		},
-		Token:     encodedToken,
-		Name:      name,
-		Role:      role,
-		UserID:    userID,
-		ExpiresAt: expiresAtTime,
-		LastUsed:  now,
-		Revoked:   false,
-	}, nil
-}
-
-func NewGettableAPIKeyFromStorableAPIKey(storableAPIKey *StorableAPIKeyUser) *GettableAPIKey {
-	lastUsed := storableAPIKey.LastUsed.Unix()
-	if storableAPIKey.LastUsed == storableAPIKey.CreatedAt {
-		lastUsed = 0
-	}
-	return &GettableAPIKey{
-		Identifiable:  storableAPIKey.Identifiable,
-		TimeAuditable: storableAPIKey.TimeAuditable,
-		UserAuditable: storableAPIKey.UserAuditable,
-		Token:         storableAPIKey.Token,
-		Role:          storableAPIKey.Role,
-		Name:          storableAPIKey.Name,
-		ExpiresAt:     storableAPIKey.ExpiresAt.Unix(),
-		LastUsed:      lastUsed,
-		Revoked:       storableAPIKey.Revoked,
-		UserID:        storableAPIKey.UserID.String(),
-		CreatedByUser: storableAPIKey.CreatedByUser,
-		UpdatedByUser: storableAPIKey.UpdatedByUser,
-	}
-}

pkg/types/serviceaccounttypes/factor_api_key.go

@@ -11,9 +11,9 @@ import (
 )
 
 var (
-	ErrCodeAPIkeyInvalidInput        = errors.MustNewCode("service_account_factor_api_key_invalid_input")
-	ErrCodeAPIKeyAlreadyExists       = errors.MustNewCode("service_account_factor_api_key_already_exists")
-	ErrCodeAPIKeytNotFound           = errors.MustNewCode("service_account_factor_api_key_not_found")
+	ErrCodeAPIkeyInvalidInput        = errors.MustNewCode("api_key_invalid_input")
+	ErrCodeAPIKeyAlreadyExists       = errors.MustNewCode("api_key_already_exists")
+	ErrCodeAPIKeytNotFound           = errors.MustNewCode("api_key_not_found")
 	ErrCodeAPIKeyExpired             = errors.MustNewCode("api_key_expired")
 	ErrCodeAPIkeyOlderLastObservedAt = errors.MustNewCode("api_key_older_last_observed_at")
 )
@@ -184,3 +184,18 @@ func (key *UpdatableFactorAPIKey) UnmarshalJSON(data []byte) error {
 	*key = UpdatableFactorAPIKey(temp)
 	return nil
 }
+
+func (key FactorAPIKey) MarshalBinary() ([]byte, error) {
+	return json.Marshal(key)
+}
+
+func (key *FactorAPIKey) UnmarshalBinary(data []byte) error {
+	return json.Unmarshal(data, key)
+}
+
+func (key *FactorAPIKey) Traits() map[string]any {
+	return map[string]any{
+		"name":       key.Name,
+		"expires_at": key.ExpiresAt,
+	}
+}

pkg/types/serviceaccounttypes/service_acccount.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/roletypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/uptrace/bun"
@@ -284,3 +285,21 @@ func (sa *UpdatableServiceAccountStatus) UnmarshalJSON(data []byte) error {
 	*sa = UpdatableServiceAccountStatus(temp)
 	return nil
 }
+
+func (sa *StorableServiceAccount) ToIdentity() *authtypes.Identity {
+	return &authtypes.Identity{
+		ServiceAccountID: sa.ID,
+		Principal:        authtypes.PrincipalServiceAccount,
+		OrgID:            valuer.MustNewUUID(sa.OrgID),
+		Email:            valuer.MustNewEmail(sa.Email),
+	}
+}
+
+func (sa *ServiceAccount) Traits() map[string]any {
+	return map[string]any{
+		"name":       sa.Name,
+		"roles":      sa.Roles,
+		"email":      sa.Email.String(),
+		"created_at": sa.CreatedAt,
+	}
+}

pkg/types/serviceaccounttypes/store.go

@@ -10,8 +10,9 @@ type Store interface {
 	// Service Account
 	Create(context.Context, *StorableServiceAccount) error
 	Get(context.Context, valuer.UUID, valuer.UUID) (*StorableServiceAccount, error)
-	GetActiveByOrgIDAndName(context.Context, valuer.UUID, string) (*StorableServiceAccount, error)
 	GetByID(context.Context, valuer.UUID) (*StorableServiceAccount, error)
+	GetActiveByOrgIDAndName(context.Context, valuer.UUID, string) (*StorableServiceAccount, error)
+	CountByOrgID(context.Context, valuer.UUID) (int64, error)
 	List(context.Context, valuer.UUID) ([]*StorableServiceAccount, error)
 	Update(context.Context, valuer.UUID, *StorableServiceAccount) error
 	Delete(context.Context, valuer.UUID, valuer.UUID) error
@@ -25,8 +26,12 @@ type Store interface {
 	// Service Account Factor API Key
 	CreateFactorAPIKey(context.Context, *StorableFactorAPIKey) error
 	GetFactorAPIKey(context.Context, valuer.UUID, valuer.UUID) (*StorableFactorAPIKey, error)
+	GetFactorAPIKeyByKey(context.Context, string) (*StorableFactorAPIKey, error)
+	CountFactorAPIKeysByOrgID(context.Context, valuer.UUID) (int64, error)
 	ListFactorAPIKey(context.Context, valuer.UUID) ([]*StorableFactorAPIKey, error)
+	ListFactorAPIKeyByOrgID(context.Context, valuer.UUID) ([]*StorableFactorAPIKey, error)
 	UpdateFactorAPIKey(context.Context, valuer.UUID, *StorableFactorAPIKey) error
+	UpdateLastObservedAtByKey(context.Context, []map[string]any) error
 	RevokeFactorAPIKey(context.Context, valuer.UUID, valuer.UUID) error
 	RevokeAllFactorAPIKeys(context.Context, valuer.UUID) error
 

pkg/types/user.go

@@ -255,14 +255,6 @@ type UserStore interface {
 	DeleteResetPasswordTokenByPasswordID(ctx context.Context, passwordID valuer.UUID) error
 	UpdatePassword(ctx context.Context, password *FactorPassword) error
 
-	// API KEY
-	CreateAPIKey(ctx context.Context, apiKey *StorableAPIKey) error
-	UpdateAPIKey(ctx context.Context, id valuer.UUID, apiKey *StorableAPIKey, updaterID valuer.UUID) error
-	ListAPIKeys(ctx context.Context, orgID valuer.UUID) ([]*StorableAPIKeyUser, error)
-	RevokeAPIKey(ctx context.Context, id valuer.UUID, revokedByUserID valuer.UUID) error
-	GetAPIKey(ctx context.Context, orgID, id valuer.UUID) (*StorableAPIKeyUser, error)
-	CountAPIKeyByOrgID(ctx context.Context, orgID valuer.UUID) (int64, error)
-
 	CountByOrgID(ctx context.Context, orgID valuer.UUID) (int64, error)
 	CountByOrgIDAndStatuses(ctx context.Context, orgID valuer.UUID, statuses []string) (map[valuer.String]int64, error)