feat(service-account): add back sql migrations

.github/workflows/jsci.yaml

@@ -61,13 +61,3 @@ jobs:
     with:
       PRIMUS_REF: main
       JS_SRC: frontend
-  md-languages:
-    if: |
-      (github.event_name == 'pull_request' && ! github.event.pull_request.head.repo.fork && github.event.pull_request.user.login != 'dependabot[bot]' && ! contains(github.event.pull_request.labels.*.name, 'safe-to-test')) ||
-      (github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'safe-to-test'))
-    runs-on: ubuntu-latest
-    steps:
-      - name: checkout
-        uses: actions/checkout@v4
-      - name: validate md languages
-        run: bash frontend/scripts/validate-md-languages.sh

docs/api/openapi.yml

@@ -1763,6 +1763,124 @@ components:
       - type
       - orgId
       type: object
+    ServiceaccounttypesFactorAPIKey:
+      properties:
+        createdAt:
+          format: date-time
+          type: string
+        expires_at:
+          minimum: 0
+          type: integer
+        id:
+          type: string
+        key:
+          type: string
+        last_used:
+          format: date-time
+          type: string
+        name:
+          type: string
+        service_account_id:
+          type: string
+        updatedAt:
+          format: date-time
+          type: string
+      required:
+      - id
+      - key
+      - expires_at
+      - last_used
+      - service_account_id
+      type: object
+    ServiceaccounttypesPostableFactorAPIKey:
+      properties:
+        expires_at:
+          minimum: 0
+          type: integer
+        name:
+          type: string
+      required:
+      - name
+      - expires_at
+      type: object
+    ServiceaccounttypesPostableServiceAccount:
+      properties:
+        email:
+          type: string
+        name:
+          type: string
+        roles:
+          items:
+            type: string
+          type: array
+      required:
+      - name
+      - email
+      - roles
+      type: object
+    ServiceaccounttypesServiceAccount:
+      properties:
+        createdAt:
+          format: date-time
+          type: string
+        email:
+          type: string
+        id:
+          type: string
+        name:
+          type: string
+        orgID:
+          type: string
+        roles:
+          items:
+            type: string
+          type: array
+        status:
+          type: string
+        updatedAt:
+          format: date-time
+          type: string
+      required:
+      - id
+      - name
+      - email
+      - roles
+      - status
+      - orgID
+      type: object
+    ServiceaccounttypesUpdatableFactorAPIKey:
+      properties:
+        expires_at:
+          minimum: 0
+          type: integer
+        name:
+          type: string
+      required:
+      - name
+      - expires_at
+      type: object
+    ServiceaccounttypesUpdatableServiceAccount:
+      properties:
+        email:
+          type: string
+        name:
+          type: string
+        roles:
+          items:
+            type: string
+          type: array
+      required:
+      - name
+      - email
+      - roles
+      type: object
+    ServiceaccounttypesUpdatableServiceAccountStatus:
+      properties:
+        status:
+          type: string
+      required:
+      - status
+      type: object
     TelemetrytypesFieldContext:
       enum:
       - metric
@@ -4537,6 +4655,586 @@ paths:
       summary: Patch objects for a role by relation
       tags:
       - role
+  /api/v1/service_accounts:
+    get:
+      deprecated: false
+      description: This endpoint lists the service accounts for an organisation
+      operationId: ListServiceAccounts
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    items:
+                      $ref: '#/components/schemas/ServiceaccounttypesServiceAccount'
+                    type: array
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: OK
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: List service accounts
+      tags:
+      - serviceaccount
+    post:
+      deprecated: false
+      description: This endpoint creates a service account
+      operationId: CreateServiceAccount
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/ServiceaccounttypesPostableServiceAccount'
+      responses:
+        "201":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    $ref: '#/components/schemas/TypesIdentifiable'
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: Created
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "409":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Conflict
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Create service account
+      tags:
+      - serviceaccount
+  /api/v1/service_accounts/{id}:
+    delete:
+      deprecated: false
+      description: This endpoint deletes an existing service account
+      operationId: DeleteServiceAccount
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      responses:
+        "204":
+          content:
+            application/json:
+              schema:
+                type: string
+          description: No Content
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Deletes a service account
+      tags:
+      - serviceaccount
+    get:
+      deprecated: false
+      description: This endpoint gets an existing service account
+      operationId: GetServiceAccount
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    $ref: '#/components/schemas/ServiceaccounttypesServiceAccount'
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: OK
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Gets a service account
+      tags:
+      - serviceaccount
+    put:
+      deprecated: false
+      description: This endpoint updates an existing service account
+      operationId: UpdateServiceAccount
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/ServiceaccounttypesUpdatableServiceAccount'
+      responses:
+        "204":
+          content:
+            application/json:
+              schema:
+                type: string
+          description: No Content
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Updates a service account
+      tags:
+      - serviceaccount
+  /api/v1/service_accounts/{id}/keys:
+    get:
+      deprecated: false
+      description: This endpoint lists the service account keys
+      operationId: ListServiceAccountKeys
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    items:
+                      $ref: '#/components/schemas/ServiceaccounttypesFactorAPIKey'
+                    type: array
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: OK
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: List service account keys
+      tags:
+      - serviceaccount
+    post:
+      deprecated: false
+      description: This endpoint creates a service account key
+      operationId: CreateServiceAccountKey
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/ServiceaccounttypesPostableFactorAPIKey'
+      responses:
+        "201":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    $ref: '#/components/schemas/TypesIdentifiable'
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: Created
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "409":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Conflict
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Create a service account key
+      tags:
+      - serviceaccount
+  /api/v1/service_accounts/{id}/keys/{fid}:
+    delete:
+      deprecated: false
+      description: This endpoint revokes an existing service account key
+      operationId: RevokeServiceAccountKey
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      - in: path
+        name: fid
+        required: true
+        schema:
+          type: string
+      responses:
+        "204":
+          content:
+            application/json:
+              schema:
+                type: string
+          description: No Content
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Revoke a service account key
+      tags:
+      - serviceaccount
+    put:
+      deprecated: false
+      description: This endpoint updates an existing service account key
+      operationId: UpdateServiceAccountKey
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      - in: path
+        name: fid
+        required: true
+        schema:
+          type: string
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/ServiceaccounttypesUpdatableFactorAPIKey'
+      responses:
+        "204":
+          content:
+            application/json:
+              schema:
+                type: string
+          description: No Content
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Updates a service account key
+      tags:
+      - serviceaccount
+  /api/v1/service_accounts/{id}/status:
+    put:
+      deprecated: false
+      description: This endpoint updates an existing service account status
+      operationId: UpdateServiceAccountStatus
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/ServiceaccounttypesUpdatableServiceAccountStatus'
+      responses:
+        "204":
+          content:
+            application/json:
+              schema:
+                type: string
+          description: No Content
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Updates a service account status
+      tags:
+      - serviceaccount
   /api/v1/user:
     get:
       deprecated: false

docs/contributing/go/abstractions.md

@@ -1,104 +0,0 @@
-# Abstractions
-
-This document provides rules for deciding when a new type, interface, or intermediate representation is warranted in Go code. The goal is to keep the codebase navigable by ensuring every abstraction earns its place.
-
-## The cost of a new abstraction
-
-Every exported type, interface, or wrapper is a permanent commitment. It must be named, documented, tested, and understood by every future contributor. It creates a new concept in the codebase vocabulary. Before introducing one, verify that the cost is justified by a concrete benefit that cannot be achieved with existing mechanisms.
-
-## Before you introduce anything new
-
-Answer these four questions. If writing a PR, include the answers in the description.
-
-1. **What already exists?** Name the specific type, function, interface, or library that covers this ground today.
-2. **What does the new abstraction add?** Name the concrete operation, guarantee, or capability. "Cleaner" or "more reusable" are not sufficient; name what the caller can do that it could not do before.
-3. **What does the new abstraction drop?** If it wraps or mirrors an existing structure, list what it cannot represent. Every gap must be either justified or handled with an explicit error.
-4. **Who consumes it?** List the call sites. If there is only one producer and one consumer in the same call chain, you likely need a function, not a type.
-
-## Rules
-
-### 1. Prefer functions over types
-
-If a piece of logic has one input and one output, write a function. Do not create a struct to hold intermediate state that is built in one place and read in one place. A function is easier to test, easier to inline, and does not expand the vocabulary of the codebase.
-
-```go
-// Prefer this:
-func ConvertConfig(src ExternalConfig) (InternalConfig, error)
-
-// Over this:
-type ConfigAdapter struct { ... }
-func NewConfigAdapter(src ExternalConfig) *ConfigAdapter
-func (a *ConfigAdapter) ToInternal() (InternalConfig, error)
-```
-
-The two-step version is only justified when `ConfigAdapter` has multiple distinct consumers that use it in different ways.
-
-### 2. Do not duplicate structures you do not own
-
-When a library or external package produces a structured output, operate on that output directly. Do not create a parallel type that mirrors a subset of its fields.
-
-A partial copy will:
-- **Silently lose data** when the source has fields or variants the copy does not account for.
-- **Drift** when the source evolves and the copy is not updated in lockstep.
-- **Add a conversion step** that doubles the code surface and the opportunity for bugs.
-
-If you need to shield consumers from a dependency, define a narrow interface over the dependency's type rather than copying its shape into a new struct.
-
-### 3. Never silently discard input
-
-If your code receives structured input and cannot handle part of it, return an error. Do not silently return nil, skip the element, or produce a partial result. Silent data loss is the hardest class of bug to detect because the code appears to work, it just produces wrong results.
-
-```go
-// Wrong: silently ignores the unrecognized case.
-default:
-    return nil
-
-// Right: makes the gap visible.
-default:
-    return nil, fmt.Errorf("unsupported %T value: %v", v, v)
-```
-
-This applies broadly: type switches, format conversions, data migrations, enum mappings, configuration parsing. Anywhere a `default` or `else` branch can swallow input, it should surface an error instead.
-
-### 4. Do not expose methods that lose information
-
-A method on a structured type should not strip meaning from the structure it belongs to. If a caller needs to iterate over elements for a specific purpose (validation, aggregation, logging), write that logic as a standalone function that operates on the structure with full context, rather than adding a method that returns a reduced view.
-
-```go
-// Problematic: callers cannot distinguish how items were related.
-func (o *Order) AllLineItems() []LineItem { ... }
-
-// Better: the validation logic operates on the full structure.
-func ValidateOrder(o *Order) error { ... }
-```
-
-Public methods shape how a type is used. Once a lossy accessor exists, callers will depend on it, and the lost information becomes unrecoverable at those call sites.
-
-### 5. Interfaces should be discovered, not predicted
-
-Do not define an interface before you have at least two concrete implementations that need it. An interface with one implementation is not abstraction; it is indirection that makes it harder to navigate from call site to implementation.
-
-The exception is interfaces required for testing (e.g., for mocking an external dependency). In that case, define the interface in the **consuming** package, not the providing package, following the Go convention of [accepting interfaces and returning structs](https://go.dev/wiki/CodeReviewComments#interfaces).
-
-## When a new type IS warranted
-
-See [Types](types.md#when-a-new-type-is-warranted) for the criteria that justify introducing a new type.
-
-## What should I remember?
-
-- A function is almost always simpler than a type. Start with a function; promote to a type only when you have evidence of need.
-- Never silently drop data. If you cannot handle it, error.
-- If your new type mirrors an existing one, you need a strong reason beyond "nicer to work with".
-- If your type has one producer and one consumer, it is indirection, not abstraction.
-- Interfaces come from need (multiple implementations), not from prediction.
-- When in doubt, do not add it. It is easier to add an abstraction later when the need is clear than to remove one after it has spread through the codebase.
-
-## Further reading
-
-These works and our own lessions shaped the above guidelines
-
-- [The Wrong Abstraction](https://sandimetz.com/blog/2016/1/20/the-wrong-abstraction) - Sandi Metz. The wrong abstraction is worse than duplication. If you find yourself passing parameters and adding conditional paths through shared code, inline it back into every caller and let the duplication show you what the right abstraction is.
-- [Write code that is easy to delete, not easy to extend](https://programmingisterrible.com/post/139222674273/write-code-that-is-easy-to-delete-not-easy-to) - tef. Every abstraction is a bet on the future. Optimize for how cheaply you can remove code when the bet is wrong, not for how easily you can extend it when the bet is right.
-- [Goodbye, Clean Code](https://overreacted.io/goodbye-clean-code/) - Dan Abramov. A refactoring that removes duplication can look cleaner while making the code harder to change. Clean-looking and easy-to-change are not the same thing.
-- [A Philosophy of Software Design](https://www.amazon.com/Philosophy-Software-Design-John-Ousterhout/dp/1732102201) - John Ousterhout. Good abstractions are deep: simple interface, complex implementation. A "false abstraction" omits important details while appearing simple, and is worse than no abstraction at all. ([Summary by Pragmatic Engineer](https://blog.pragmaticengineer.com/a-philosophy-of-software-design-review/))
-- [Simplicity is Complicated](https://go.dev/talks/2015/simplicity-is-complicated.slide) - Rob Pike. Go-specific. Fewer orthogonal concepts that compose predictably beat many overlapping ones. Features were left out of Go deliberately; the same discipline applies to your own code.

docs/contributing/go/packages.md

@@ -49,43 +49,6 @@ Follow these rules:
 
 5. **Test files stay alongside source**: Unit tests go in `_test.go` files next to the code they test, in the same package.
 
-## How should I order code within a file?
-
-Within a single `.go` file, declarations should follow this order:
-
-1. Constants
-2. Variables
-3. Types (structs, interfaces)
-4. Constructor functions (`New...`)
-5. Exported methods and functions
-6. Unexported methods and functions
-
-```go
-// 1. Constants
-const defaultTimeout = 30 * time.Second
-
-// 2. Variables
-var ErrNotFound = errors.New(errors.TypeNotFound, errors.CodeNotFound, "resource not found")
-
-// 3. Types
-type Store struct {
-    db *sql.DB
-}
-
-// 4. Constructors
-func NewStore(db *sql.DB) *Store {
-    return &Store{db: db}
-}
-
-// 5. Exported methods
-func (s *Store) Get(ctx context.Context, id string) (*Resource, error) { ... }
-
-// 6. Unexported methods
-func (s *Store) buildQuery(id string) string { ... }
-```
-
-This ordering makes files predictable. A reader scanning from top to bottom sees the contract (constants, types, constructors) before the implementation (methods), and exported behavior before internal helpers.
-
 ## How should I name symbols?
 
 ### Exported symbols
@@ -127,7 +90,9 @@ Never introduce circular imports. If package A needs package B and B needs A, ex
 
 ## Where do shared types go?
 
-See [Types](types.md) for full conventions on type placement, naming variants, composition, and constructors.
+Most types belong in `pkg/types/` under a domain-specific sub-package (e.g., `pkg/types/ruletypes`, `pkg/types/authtypes`).
+
+Do not put domain logic in `pkg/types/`. Only data structures, constants, and simple methods.
 
 ## How do I merge or move packages?
 
@@ -140,10 +105,6 @@ When two packages are tightly coupled (one imports the other's constants, they c
 5. Delete the old packages. Do not leave behind re-export shims.
 6. Verify with `go build ./...`, `go test ./<new-pkg>/...`, and `go vet ./...`.
 
-## When should I use valuer types?
-
-See [Types](types.md#typed-domain-values-pkgvaluer) for valuer types, when to use them, and the enum pattern using `valuer.String`.
-
 ## When should I add documentation?
 
 Add a `doc.go` with a package-level comment for any package that is non-trivial or has multiple consumers. Keep it to 1–3 sentences:
@@ -158,10 +119,6 @@ package cache
 
 - Package names are domain-specific and lowercase. Never generic names like `util` or `common`.
 - The file matching the package name (e.g., `cache.go`) defines the public interface. Implementation details go elsewhere.
-- Within a file, order declarations: constants, variables, types, constructors, exported functions, unexported functions.
-- Segregate types across files by responsibility. A file with 5 unrelated types is harder to navigate than 5 files with one type each.
-- Use valuer types (`valuer.String`, `valuer.Email`, `valuer.UUID`, `valuer.TextDuration`) for domain values that need validation, normalization, or cross-boundary serialization. See [Types](types.md#typed-domain-values-pkgvaluer) for details.
-- Avoid `init()` functions. If you need to initialize a variable, use a package-level `var` with a function call or a `sync.Once`. `init()` hides execution order, makes testing harder, and has caused subtle bugs in large codebases.
 - Never introduce circular imports. Extract shared types into `pkg/types/` when needed.
 - Watch for symbol name collisions when merging packages, prefix to disambiguate.
 - Put test helpers in a `{pkg}test/` sub-package, not in the main package.

docs/contributing/go/readme.md

@@ -8,41 +8,13 @@ We adhere to three primary style guides as our foundation:
 - [Code Review Comments](https://go.dev/wiki/CodeReviewComments) - For understanding common comments in code reviews
 - [Google Style Guide](https://google.github.io/styleguide/go/) - Additional practices from Google
 
-We **recommend** (almost enforce) reviewing these guides before contributing to the codebase. They provide valuable insights into writing idiomatic Go code and will help you understand our approach to backend development.
+We **recommend** (almost enforce) reviewing these guides before contributing to the codebase. They provide valuable insights into writing idiomatic Go code and will help you understand our approach to backend development. In addition, we have a few additional rules that make certain areas stricter than the above which can be found in area-specific files in this package:
 
-**Discover before inventing.** Before writing new code, search the codebase for existing solutions. SigNoz has established patterns for common problems: `pkg/valuer` for typed domain values, `pkg/errors` for structured errors, `pkg/factory` for provider wiring, `{pkg}test/` sub-packages for test helpers, and shared fixtures for integration tests. Duplicating what already exists creates drift and maintenance burden. When you find an existing pattern, use it. When you don't find one, check with the maintainers before building your own.
-
-## How to approach a feature
-
-Building a feature is not one task, it is a sequence of concerns that build on each other. Work through them in this order:
-
-1. **Domain design (types).** Define the types that represent your domain. What are the entities, what are their relationships, what are the constraints? This is where you decide your data model. Get this right first because everything else depends on it. See [Packages](packages.md) and [Abstractions](abstractions.md).
-
-2. **Structure (services / modules / handlers).** Place your code in the right layer given the current infrastructure. If the current structure does not work for your feature, that is the time to open a discussion and write a technical document, not to silently reshape things in the same PR. See [Handler](handler.md) and [Provider](provider.md).
-
-3. **HTTP endpoints (paths, status codes, errors).** Pay close attention to detail here. Paths, methods, request/response shapes, status codes, error codes. These are the contract with consumers and are expensive to change after release. See [Endpoint](endpoint.md) and [Handler](handler.md).
-
-4. **Database constraints (org_id, foreign keys, migrations).** Ensure org scoping, schema consistency, and migration correctness. See [SQL](sql.md).
-
-5. **Business logic (module layer).** With the types, structure, endpoints, and storage in place, the focus narrows to the actual logic. This is where review should concentrate on correctness, edge cases, and error handling.
-
-This ordering also gives you a natural way to split PRs. Each layer affects a different area and requires a different lens for review. A PR that mixes refactoring with new feature logic is hard to review and risky to ship. Separate them.
-
-For large refactors or features that touch multiple subsystems, write a short technical document outlining the design and get relevant stakeholders aligned before starting implementation. This saves significant back-and-forth during review.
-
-## Area-specific guides
-
-In addition, we have a few additional rules that make certain areas stricter than the above which can be found in area-specific files in this package:
-
-- [Abstractions](abstractions.md) - When to introduce new types and intermediate representations
-- [Errors](errors.md) - Structured error handling
-- [Endpoint](endpoint.md) - HTTP endpoint patterns
-- [Flagger](flagger.md) - Feature flag patterns
-- [Handler](handler.md) - HTTP handler patterns
-- [Integration](integration.md) - Integration testing
-- [Provider](provider.md) - Dependency injection and provider patterns
-- [Packages](packages.md) - Naming, layout, and conventions for `pkg/` packages
-- [Service](service.md) - Managed service lifecycle with `factory.Service`
-- [SQL](sql.md) - Database and SQL patterns
-- [Testing](testing.md) - Writing tests that catch bugs without becoming a maintenance burden
-- [Types](types.md) - Type placement, naming variants, composition, and constructors
+- [Packages](packages.md) — Naming, layout, and conventions for `pkg/` packages
+- [Errors](errors.md) — Structured error handling
+- [Handler](handler.md) — Writing HTTP handlers and OpenAPI integration
+- [Endpoint](endpoint.md) — Endpoint conventions
+- [SQL](sql.md) — Database query patterns
+- [Provider](provider.md) — Provider pattern
+- [Integration](integration.md) — Integration conventions
+- [Flagger](flagger.md) — Feature flag conventions

docs/contributing/go/service.md

@@ -1,269 +0,0 @@
-# Service
-
-A service is a component with a managed lifecycle: it starts, runs for the lifetime of the application, and stops gracefully.
-
-Services are distinct from [providers](provider.md). A provider adapts an external dependency behind an interface. A service has a managed lifecycle that is tied to the lifetime of the application.
-
-## When do you need a service?
-
-You need a service when your component needs to do work that outlives a single method call:
-
-- **Periodic work**: polling an external system, garbage-collecting expired data, syncing state on an interval.
-- **Graceful shutdown**: holding resources (connections, caches, buffers) that must be flushed or closed before the process exits.
-- **Blocking on readiness**: waiting for an external dependency to become available before the application can proceed.
-
-If your component only responds to calls and holds no state that requires cleanup, it is a provider, not a service. If it does both (responds to calls *and* needs a lifecycle), embed `factory.Service` in the provider interface; see [How to create a service](#how-to-create-a-service).
-
-## The interface
-
-The `factory.Service` interface in `pkg/factory/service.go` defines two methods:
-
-```go
-type Service interface {
-    // Starts a service. It should block and should not return until the service is stopped or it fails.
-    Start(context.Context) error
-    // Stops a service.
-    Stop(context.Context) error
-}
-```
-
-`Start` **must block**. It should not return until the service is stopped (returning `nil`) or something goes wrong (returning an error). If `Start` returns an error, the entire application shuts down.
-
-`Stop` should cause `Start` to unblock and return. It must be safe to call from a different goroutine than the one running `Start`.
-
-## Shutdown coordination
-
-Every service uses a `stopC chan struct{}` to coordinate shutdown:
-
-- **Constructor**: `stopC: make(chan struct{})`
-- **Start**: blocks on `<-stopC` (or uses it in a `select` loop)
-- **Stop**: `close(stopC)` to unblock `Start`
-
-This is the standard pattern. Do not use `context.WithCancel` or other mechanisms for service-level shutdown coordination. See the examples in the next section.
-
-## Service shapes
-
-Two shapes recur across the codebase (these are not exhaustive, if a new shape is needed, bring it up for discussion before going ahead with the implementation), implemented by convention rather than base classes.
-
-### Idle service
-
-The service does work during startup or shutdown but has nothing to do while running. `Start` blocks on `<-stopC`. `Stop` closes `stopC` and optionally does cleanup.
-
-The JWT tokenizer (`pkg/tokenizer/jwttokenizer/provider.go`) is a good example. It validates and creates tokens on demand via method calls, but has no periodic work to do. It still needs the service lifecycle so the registry can manage its lifetime:
-
-```go
-// pkg/tokenizer/jwttokenizer/provider.go
-
-func (provider *provider) Start(ctx context.Context) error {
-    <-provider.stopC
-    return nil
-}
-
-func (provider *provider) Stop(ctx context.Context) error {
-    close(provider.stopC)
-    return nil
-}
-```
-
-The instrumentation SDK (`pkg/instrumentation/sdk.go`) is idle while running but does real cleanup in `Stop` shutting down its OpenTelemetry tracer and meter providers:
-
-```go
-// pkg/instrumentation/sdk.go
-
-func (i *SDK) Start(ctx context.Context) error {
-    <-i.startCh
-    return nil
-}
-
-func (i *SDK) Stop(ctx context.Context) error {
-    close(i.startCh)
-    return errors.Join(
-        i.sdk.Shutdown(ctx),
-        i.meterProviderShutdownFunc(ctx),
-    )
-}
-```
-
-### Scheduled service
-
-The service runs an operation repeatedly on a fixed interval. `Start` runs a ticker loop with a `select` on `stopC` and the ticker channel.
-
-The opaque tokenizer (`pkg/tokenizer/opaquetokenizer/provider.go`) garbage-collects expired tokens and flushes cached last-observed-at timestamps to the database on a configurable interval:
-
-```go
-// pkg/tokenizer/opaquetokenizer/provider.go
-
-func (provider *provider) Start(ctx context.Context) error {
-    ticker := time.NewTicker(provider.config.Opaque.GC.Interval)
-    defer ticker.Stop()
-
-    for {
-        select {
-        case <-provider.stopC:
-            return nil
-        case <-ticker.C:
-            orgs, err := provider.orgGetter.ListByOwnedKeyRange(ctx)
-            if err != nil {
-                provider.settings.Logger().ErrorContext(ctx, "failed to get orgs data", "error", err)
-                continue
-            }
-
-            for _, org := range orgs {
-                if err := provider.gc(ctx, org); err != nil {
-                    provider.settings.Logger().ErrorContext(ctx, "failed to garbage collect tokens", "error", err, "org_id", org.ID)
-                }
-
-                if err := provider.flushLastObservedAt(ctx, org); err != nil {
-                    provider.settings.Logger().ErrorContext(ctx, "failed to flush tokens", "error", err, "org_id", org.ID)
-                }
-            }
-        }
-    }
-}
-```
-
-Its `Stop` does a final gc and flush before returning, so no data is lost on shutdown:
-
-```go
-// pkg/tokenizer/opaquetokenizer/provider.go
-
-func (provider *provider) Stop(ctx context.Context) error {
-    close(provider.stopC)
-
-    orgs, err := provider.orgGetter.ListByOwnedKeyRange(ctx)
-    if err != nil {
-        return err
-    }
-
-    for _, org := range orgs {
-        if err := provider.gc(ctx, org); err != nil {
-            provider.settings.Logger().ErrorContext(ctx, "failed to garbage collect tokens", "error", err, "org_id", org.ID)
-        }
-
-        if err := provider.flushLastObservedAt(ctx, org); err != nil {
-            provider.settings.Logger().ErrorContext(ctx, "failed to flush tokens", "error", err, "org_id", org.ID)
-        }
-    }
-
-    return nil
-}
-```
-
-The key points:
-
-- In the loop, `select` on `stopC` and the ticker. Errors in iterations are logged but do not cause the service to return (which would shut down the application).
-- Only return an error from `Start` if the failure is unrecoverable.
-- Use `Stop` to flush or drain any in-memory state before the process exits.
-
-## How to create a service
-
-There are two cases: a standalone service and a provider that is also a service.
-
-### Standalone service
-
-A standalone service only has the `factory.Service` lifecycle i.e it does not serve as a dependency for other packages. The user reconciliation service is an example.
-
-1. Define the service interface in your package. Embed `factory.Service`:
-
-    ```go
-    // pkg/modules/user/service.go
-    package user
-
-    type Service interface {
-        factory.Service
-    }
-    ```
-
-2. Create the implementation in an `impl` sub-package. Use an unexported struct with an exported constructor that returns the interface:
-
-    ```go
-    // pkg/modules/user/impluser/service.go
-    package impluser
-
-    type service struct {
-        settings factory.ScopedProviderSettings
-        // ... dependencies ...
-        stopC    chan struct{}
-    }
-
-    func NewService(
-        providerSettings factory.ProviderSettings,
-        // ... dependencies ...
-    ) user.Service {
-        return &service{
-            settings: factory.NewScopedProviderSettings(providerSettings, "go.signoz.io/pkg/modules/user"),
-            // ... dependencies ...
-            stopC:    make(chan struct{}),
-        }
-    }
-
-    func (s *service) Start(ctx context.Context) error { ... }
-    func (s *service) Stop(ctx context.Context) error { ... }
-    ```
-
-### Provider that is also a service
-
-Many providers need a managed lifecycle: they poll, sync, or garbage-collect in the background. In this case, embed `factory.Service` in the provider interface. The implementation satisfies both the provider methods and `Start`/`Stop`.
-
-```go
-// pkg/tokenizer/tokenizer.go
-package tokenizer
-
-type Tokenizer interface {
-    factory.Service
-    CreateToken(context.Context, *authtypes.Identity, map[string]string) (*authtypes.Token, error)
-    GetIdentity(context.Context, string) (*authtypes.Identity, error)
-    // ... other methods ...
-}
-```
-
-The implementation (e.g. `pkg/tokenizer/opaquetokenizer/provider.go`) implements `Start`, `Stop`, and all the provider methods on the same struct. See the [provider guide](provider.md) for how to set up the factory, config, and constructor. The `stopC` channel and `Start`/`Stop` methods follow the same patterns described above.
-
-## How to wire it up
-
-Wiring happens in `pkg/signoz/signoz.go`.
-
-### 1. Instantiate the service
-
-For a standalone service, call the constructor directly:
-
-```go
-userService := impluser.NewService(providerSettings, store, module, orgGetter, authz, config.User.Root)
-```
-
-For a provider that is also a service, use `factory.NewProviderFromNamedMap` as described in the [provider guide](provider.md). The returned value already implements `factory.Service`.
-
-### 2. Register in the registry
-
-Wrap the service with `factory.NewNamedService` and pass it to `factory.NewRegistry`:
-
-```go
-registry, err := factory.NewRegistry(
-    instrumentation.Logger(),
-    // ... other services ...
-    factory.NewNamedService(factory.MustNewName("user"), userService),
-)
-```
-
-The name must be unique across all services. The registry handles the rest:
-
-- **Start**: launches all services concurrently in goroutines.
-- **Wait**: blocks until a service returns an error, the context is cancelled, or a SIGINT/SIGTERM is received. Any service error triggers application shutdown.
-- **Stop**: stops all services concurrently, collects errors via `errors.Join`.
-
-You do not call `Start` or `Stop` on individual services. The registry does it.
-
-## What should I remember?
-
-- A service has a managed lifecycle: `Start` blocks, `Stop` unblocks it.
-- Use `stopC chan struct{}` for shutdown coordination. `close(stopC)` in `Stop`, `<-stopC` in `Start`.
-- Service shapes: idle (block on `stopC`) and scheduled (ticker loop with `select`).
-- Unexported struct, exported `NewService` constructor returning the interface.
-- First constructor parameter is `factory.ProviderSettings`. Create scoped settings with `factory.NewScopedProviderSettings`.
-- Register in `factory.Registry` with `factory.NewNamedService`. The registry starts and stops everything.
-- Only return an error from `Start` if the failure is unrecoverable. Log and continue for transient errors in polling loops.
-
-## Further reading
-
-- [Google Guava - ServiceExplained](https://github.com/google/guava/wiki/ServiceExplained) - the service lifecycle pattern takes inspiration from this
-- [OpenTelemetry Collector](https://github.com/open-telemetry/opentelemetry-collector) - Worth studying for its approach to building composable components

docs/contributing/go/testing.md

@@ -1,260 +0,0 @@
-# Testing
-
-This document provides rules for writing tests that catch real bugs and do not become a maintenance burden. It covers both how to write good tests and how to recognize bad ones.
-
-## Why we write tests
-
-Tests exist to give confidence that the system behaves correctly. A good test suite lets you change code and know immediately (or in a reasonable time) whether you broke something. A bad test suite lets you change code (and then spend hours figuring out whether the failures are real) and still lets the bugs slip in.
-
-Every test should be written to answer one question: **if this test fails, does that mean a user-visible behavior is broken?** If the answer is no, reconsider whether the test should exist.
-
-Not all tests are equal. Different scopes serve different purposes, and the balance matters.
-
-- **Unit tests**: Fast, focused, test a single function or type in isolation. These form the foundation. They should run in milliseconds, have no I/O, and be fully deterministic.
-- **Integration tests**: Verify that components work together against real dependencies (ClickHouse, PostgreSQL, etc.). Slower, but catch problems that unit tests cannot: real query behavior, configuration issues, serialization mismatches.
-- **End-to-end tests**: Validate full system behavior from the outside. Expensive to write and maintain, but necessary for critical user flows.
-
-When a test can be written at a smaller scope, prefer the smaller scope. But do not force a unit test where an integration test is the natural fit.
-
-## What to test
-
-### Test behaviors, not implementations
-
-A test should verify what the code does, not how it does it (unless the goal of the test is specifically how something happen). If you can refactor the internals of a function e.g, change a query, rename a variable, restructure the logic and no user-visible behavior changes, no test should break.
-
-```go
-// Good: tests the behavior "given this input, expect this output."
-func TestDiscountApplied(t *testing.T) {
-    order := NewOrder(item("widget", 100))
-    order.ApplyDiscount(10)
-    assert.Equal(t, 90, order.Total())
-}
-
-// Bad: tests the implementation "did it call the right internal method?"
-func TestDiscountApplied(t *testing.T) {
-    mockPricer := new(MockPricer)
-    mockPricer.On("CalculateDiscount", 100, 10).Return(90)
-    order := NewOrder(item("widget", 100), WithPricer(mockPricer))
-    order.ApplyDiscount(10)
-    mockPricer.AssertCalled(t, "CalculateDiscount", 100, 10)
-}
-```
-
-The first test survives a refactoring of how discounts are calculated. The second test breaks the moment you rename the method, change its signature, or inline the logic.
-
-**The refactoring test**: before committing a test, ask if someone refactors the internals tomorrow without changing any behavior, will this test break? If yes, consider updating the test.
-
-### Output format as behavior
-
-Some functions exist specifically to produce a formatted output: a query builder generates SQL, a serializer generates JSON, a code generator produces source code. In these cases, the output string *is* the behavior and asserting on it is valid and necessary. The function's contract is the exact output it produces.
-
-This is different from testing a function that *uses* a query internally. If a function's job is to fetch data from a database, the query it sends is an implementation detail and the returned data is the behavior. If its job is to *build* a query for someone else to execute, the query string is the behavior.
-
-The distinction: **is the formatted output the function's product, or the function's mechanism?** Test the product, not the mechanism.
-
-### Test at the public API boundary
-
-Write tests against the exported functions and methods that consumers actually call. Do not test unexported helpers directly. If an unexported function has complex logic worth testing, that is a signal it should be extracted into its own package with its own public API.
-
-### Test edge cases and error paths
-
-The most valuable tests cover the cases that are easy to get wrong:
-
-- Empty inputs, nil inputs, zero values.
-- Boundary conditions (off-by-one, first element, last element).
-- Error conditions (what happens when the dependency fails?).
-- Concurrent access, if the code is designed for it.
-
-A test for the happy path of a trivial function adds little value. A test for the error path of a complex function prevents real bugs.
-
-### The Beyonce Rule
-
-"If you liked it, then you should have put a test on it." Any behavior you want to preserve such as correctness, performance characteristics, security constraints, error handling should be covered by a test. If it breaks and there is no test, that is not a regression; it is an untested assumption.
-
-## How to write a test
-
-### Structure: arrange, act, assert
-
-Every test should have three clearly separated sections:
-
-```go
-func TestTransferInsufficientFunds(t *testing.T) {
-    // Arrange: set up the preconditions.
-    from := NewAccount(50)
-    to := NewAccount(0)
-
-    // Act: perform the operation being tested.
-    err := Transfer(from, to, 100)
-
-    // Assert: verify the outcome.
-    require.Error(t, err)
-    assert.Equal(t, 50, from.Balance())
-    assert.Equal(t, 0, to.Balance())
-}
-```
-
-Do not interleave setup and assertions. Do not put assertions in helper functions that also perform setup. Keep the three sections visually distinct.
-
-### One behavior per test
-
-Each test function should verify one behavior. If a test name needs "and" in it, split it into two tests.
-
-```go
-// Good: one behavior per test.
-func TestParseValidInput(t *testing.T) { ... }
-func TestParseEmptyInput(t *testing.T) { ... }
-func TestParseMalformedInput(t *testing.T) { ... }
-
-// Bad: multiple behaviors in one test.
-func TestParse(t *testing.T) {
-    // test valid input
-    // test empty input
-    // test malformed input
-}
-```
-
-Table-driven tests are fine when the behavior is the same and only the inputs/outputs vary.
-
-### Name tests after behaviors
-
-Test names should describe the scenario and the expected outcome, not the function being tested.
-
-```go
-// Good: describes the behavior.
-func TestWithdrawal_InsufficientFunds_ReturnsError(t *testing.T)
-func TestWithdrawal_ZeroBalance_ReturnsError(t *testing.T)
-
-// Bad: describes the function.
-func TestWithdraw(t *testing.T)
-func TestWithdrawError(t *testing.T)
-```
-
-### Eliminate logic in tests
-
-Tests should be straight-line code. No `if`, no `for`, no `switch`. If you feel the need to add control flow to a test, either split it into multiple tests or restructure the test data.
-
-A test with logic in it needs its own tests. That is a sign something has gone wrong.
-
-### Write clear failure messages
-
-When a test fails, the failure message should tell you what went wrong without reading the test source.
-
-```go
-// Good: failure message explains the context.
-assert.Equal(t, expected, actual, "discount should be applied to order total")
-
-// Bad: failure message is just the default.
-assert.Equal(t, expected, actual)
-```
-
-Use `require` for preconditions that must hold for the rest of the test to make sense. Use `assert` for the actual verifications. This avoids cascading failures from a single root cause.
-
-## How to recognize a bad test
-
-A bad test costs more to maintain than the bugs it prevents. Learning to identify bad tests is as important as learning to write good ones. Always evaluate a test critically before commiting it.
-
-### Tests that duplicate the implementation
-
-If a test contains the same logic as the code it tests, it verifies nothing. It will pass when the code is wrong in the same way the test is wrong, and it will break whenever the code changes even if the change is correct.
-
-A common form: mocking a database, setting up canned rows, calling a function that queries and scans those rows, then asserting that the function returned exactly those rows. The test encodes the query, the row structure, and the scan logic. The same things the production code does. If the function has no branching logic beyond "query and scan," this test is a mirror of the implementation, not a check on it. An integration test against a real database verifies the actual behavior; the mock-based test verifies that the code matches the test author's expectations of the code.
-
-### Tests for functions with no interesting logic
-
-Not every function needs a test. A function that prepares a query, sends it, and scans the result has no branching, no edge cases, and no logic that could be wrong independently of the query being correct. Unit-testing it means mocking the database, which means the test does not verify the query works. It only verifies the function calls the mock in the expected way.
-
-Ask: **what bug would this test catch that would not be caught by the integration test or by the tests of the calling code?** If the answer is nothing, skip the unit test. A missing test is better than a test that provides false confidence.
-
-### Tests that rebuild the dependency boundary
-
-When a test creates an in-package mock of an external interface (database driver, HTTP client, file system) and that mock contains non-trivial logic (reflection-based scanning, response simulation, state machines), the test is now testing its own mock as much as the production code. Bugs in the mock produce false passes or false failures, and the mock must be maintained alongside the real dependency.
-
-If the mock is complex enough to have its own bugs, you have rebuilt the dependency boundary rather than testing against it. Use the real dependency (via integration test) or use a well-maintained fake provided by the dependency's authors.
-
-### Tests that exist for coverage
-
-A test that exercises a function without meaningfully verifying its output adds coverage without adding confidence. Calling a type-conversion function with every numeric type and asserting it does not panic covers lines but does not catch regressions. The function would need to be rewritten to fail, and any such rewrite would be caught by the callers' tests.
-
-Before writing a test, identify the specific failure mode it guards against. If you cannot name one, the test is not worth writing.
-
-### Tests that test the language
-
-Do not test that language type system, standard library, or well-known third-party libraries work correctly. Testing that `reflect.Kind` returns the right value for each type, that pointer dereferencing works, or that a type switch dispatches correctly adds maintenance burden without catching any plausible bug in your code.
-
-## Brittle tests
-
-A brittle test is one that fails when production code changes without an actual bug being introduced. Brittle tests are expensive: they slow down development, train people to ignore failures, and provide no real safety net. Common sources of brittleness:
-
-- **Asserting on implementation details**: Verifying which internal methods were called, in what order, or with what intermediate values. If the method is renamed or the order changes but the output is the same, the test breaks for no reason.
-- **Asserting on serialized representations when the format is not the contract**: Matching exact SQL strings, JSON output, or log messages produced by a function whose job is not to produce that format.
-- **Over-constrained mocks**: Setting up a mock that expects specific arguments in a specific sequence. Any refactoring of the call pattern breaks the mock setup even if behavior is preserved.
-- **Shared mutable state**: Tests that depend on data left behind by other tests. A change in execution order or a new test case causes unrelated failures.
-- **Time-dependence**: Tests that use `time.Now()`, `time.Sleep()`, or real timers. These produce flaky results and break under load.
-
-When you encounter a brittle test, fix or delete it. Do not work around it.
-
-## DAMP
-
-Test code should prioritize clarity (DAMP: Descriptive And Meaningful Phrases).
-
-```go
-// DAMP: each test is self-contained and readable.
-func TestCreateUser(t *testing.T) {
-    user := User{Name: "Alice", Email: "alice@example.com"}
-    err := store.Create(ctx, user)
-    require.NoError(t, err)
-}
-
-func TestCreateDuplicateUser(t *testing.T) {
-    user := User{Name: "Alice", Email: "alice@example.com"}
-    _ = store.Create(ctx, user)
-    err := store.Create(ctx, user)
-    assert.ErrorIs(t, err, ErrAlreadyExists)
-}
-```
-
-Shared setup helpers are fine for constructing objects with sensible defaults. But each test should explicitly set the values it depends on rather than relying on hidden defaults in a shared fixture.
-
-## Flaky tests
-
-A flaky test is one that sometimes passes and sometimes fails without any code change. Flaky tests erode trust in the entire suite. Once people learn to re-run and ignore failures, real bugs slip through.
-
-Common causes and fixes:
-
-- **Timing and sleeps**: Replace `time.Sleep` with channels, condition variables, or polling with a timeout.
-- **Uncontrolled concurrency**: Use deterministic synchronization rather than relying on goroutine scheduling.
-- **Shared state between tests**: Each test should set up and tear down its own state.
-
-If a test is flaky and you cannot fix the root cause quickly, skip or delete it. A skipped test with an explanation is better than a flaky test that trains everyone to ignore red builds.
-
-## Code coverage
-
-Code coverage measures which lines were executed, not whether the code is correct. A function that is called but whose output is never checked has 100% coverage and 0% verification.
-
-Do not use coverage as a target to hit. Use it as a tool to find gaps such as untested error paths, unreachable branches, dead code. A codebase with 60% meaningful coverage is better than one with 95% coverage achieved by testing trivial getters.
-
-## Tests are code
-
-Tests must be maintained and they are not second-class citizen. You should apply the same standards for readability, naming, and structure that you apply to production code. We do not tolerate complexity in tests just because they are tests.
-
-However, tests should be simpler than production code. If a test requires its own helper library, complex setup, or nested control flow, step back and ask whether you are testing the right thing at the right level. This is not a blanket rule but a prompt to pause, assess the situation, and check whether the complexity is justified.
-
-## What should I remember?
-
-- If refactoring internals breaks your test but no behavior changed, the test is likely bad. Delete it or consider updating it.
-- Test what the code does, not how it does it. Verify outputs and state, not method calls.
-- Output format is behavior when the function's job is to produce that format. It is not behavior when the function uses it internally.
-- Ask what specific bug this test catches. If you cannot name one, do not write it.
-- Always evaluate whether the test adds confidence, not just lines.
-- One behavior per test. Name it after the scenario, not the function.
-- No logic in tests. Straight-line code only.
-- Flaky tests are not acceptable. Fix the root cause or nuke the test code.
-- Coverage measures execution, not correctness.
-
-## Mandatory reading
-
-- What to look for in a code review: Tests - https://google.github.io/eng-practices/review/reviewer/looking-for.html#tests
-- Testing Overview - https://abseil.io/resources/swe-book/html/ch11.html
-- Unit Testing - https://abseil.io/resources/swe-book/html/ch12.html
-- Test Doubles - https://abseil.io/resources/swe-book/html/ch13.html
-- Larger Testing - https://abseil.io/resources/swe-book/html/ch14.html

docs/contributing/go/types.md

@@ -1,272 +0,0 @@
-# Types
-
-This guide covers how types are organised, named, constructed, and composed so you can add new ones consistently.
-
-## Where do types live?
-
-Types live in `pkg/types/` and its sub-packages:
-
-```
-pkg/types/
-├── auditable.go          # TimeAuditable, UserAuditable
-├── identity.go           # Identifiable (UUID primary key)
-├── user.go               # User, PostableRegisterOrgAndAdmin, UserStore
-├── alertmanagertypes/    # Alert manager domain types
-│   ├── channel.go
-│   ├── receiver.go
-│   └── config.go
-├── authtypes/            # Auth domain types
-└── ruletypes/            # Rule domain types
-    └── maintenance.go
-```
-
-Follow these rules:
-
-1. **Embeddable building blocks** go in `pkg/types/` directly `Identifiable`, `TimeAuditable`, `UserAuditable`.
-2. **Domain-specific types** go in a sub-package named `pkg/types/<domain>types/` (e.g., `alertmanagertypes`, `ruletypes`, `authtypes`).
-3. **No domain logic** in type packages. Only data structures, constants, and simple methods. Domain services import from type packages, not the other way around.
-4. **Domain services import types, not vice versa.** If a type needs a service, the design is likely wrong and you should restructure so the service operates on the type.
-
-## Type variants
-
-A domain entity often has multiple representations depending on where it appears in the system. We use naming prefixes to distinguish them:
-
-| Prefix | Purpose | Example |
-|---|---|---|
-| `Postable<Type>` | API request input | `PostableRegisterOrgAndAdmin` |
-| `Gettable<Type>` | API response output | `GettablePlannedMaintenance` |
-| `Storable<Type>` | Database model (embeds `bun.BaseModel`) | `StorablePlannedMaintenance` |
-| Plain `<Type>` | Domain logic type | `User` |
-
-Not every entity needs all four variants. Start with the plain type and add variants only when the API or database representation genuinely differs.
-
-Here is a concrete example from `pkg/types/ruletypes/maintenance.go`:
-
-```go
-// Database model embeds bun.BaseModel and composition types
-type StorablePlannedMaintenance struct {
-    bun.BaseModel `bun:"table:planned_maintenance"`
-    types.Identifiable
-    types.TimeAuditable
-    types.UserAuditable
-    Name        string    `bun:"name,type:text,notnull"`
-    Description string    `bun:"description,type:text"`
-    Schedule    *Schedule `bun:"schedule,type:text,notnull"`
-    OrgID       string    `bun:"org_id,type:text"`
-}
-
-// API response: flat struct with JSON tags, computed fields like Status
-type GettablePlannedMaintenance struct {
-    Id          string    `json:"id"`
-    Name        string    `json:"name"`
-    Description string    `json:"description"`
-    Schedule    *Schedule `json:"schedule"`
-    RuleIDs     []string  `json:"alertIds"`
-    CreatedAt   time.Time `json:"createdAt"`
-    CreatedBy   string    `json:"createdBy"`
-    UpdatedAt   time.Time `json:"updatedAt"`
-    UpdatedBy   string    `json:"updatedBy"`
-    Status      string    `json:"status"`
-    Kind        string    `json:"kind"`
-}
-```
-
-When the API shape exactly matches the domain type, use a type alias instead of duplicating fields:
-
-```go
-// From pkg/types/user.go
-type GettableUser = User
-```
-
-## Composition via embedding
-
-`pkg/types/` provides small, reusable structs that you embed into your domain types:
-
-```go
-// pkg/types/identity.go
-type Identifiable struct {
-    ID valuer.UUID `json:"id" bun:"id,pk,type:text"`
-}
-
-// pkg/types/auditable.go
-type TimeAuditable struct {
-    CreatedAt time.Time `bun:"created_at" json:"createdAt"`
-    UpdatedAt time.Time `bun:"updated_at" json:"updatedAt"`
-}
-
-type UserAuditable struct {
-    CreatedBy string `bun:"created_by,type:text" json:"createdBy"`
-    UpdatedBy string `bun:"updated_by,type:text" json:"updatedBy"`
-}
-```
-
-Compose them in a database model:
-
-```go
-type StorablePlannedMaintenance struct {
-    bun.BaseModel `bun:"table:planned_maintenance"`
-    types.Identifiable    // adds ID (UUID primary key)
-    types.TimeAuditable   // adds CreatedAt, UpdatedAt
-    types.UserAuditable   // adds CreatedBy, UpdatedBy
-    Name        string    `bun:"name,type:text,notnull"`
-    Description string    `bun:"description,type:text"`
-}
-```
-
-See [SQL](sql.md) for full database patterns including migrations and queries.
-
-## Constructors
-
-Constructors validate inputs and return a ready-to-use value:
-
-```go
-// New<Type> validates and returns a pointer + error
-func NewUser(displayName string, email valuer.Email, role Role, orgID valuer.UUID) (*User, error) {
-    if email.IsZero() {
-        return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "email is required")
-    }
-    if role == "" {
-        return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "role is required")
-    }
-    if orgID.IsZero() {
-        return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "orgID is required")
-    }
-
-    return &User{
-        Identifiable:  Identifiable{ID: valuer.GenerateUUID()},
-        DisplayName:   displayName,
-        Email:         email,
-        Role:          role,
-        OrgID:         orgID,
-        TimeAuditable: TimeAuditable{CreatedAt: time.Now(), UpdatedAt: time.Now()},
-    }, nil
-}
-```
-
-Follow these conventions:
-
-- **`New<Type>(args) (*Type, error)`**: validates inputs, returns an error on failure. Use this in production code.
-- **Validation at construction**: check required fields, format constraints, and invariants in the constructor. Callers should not need to validate after construction.
-- **Generate IDs internally**: constructors call `valuer.GenerateUUID()` callers do not pass IDs in.
-- **Set timestamps internally**: constructors set `CreatedAt` and `UpdatedAt` to `time.Now()`.
-
-## Typed domain values (`pkg/valuer/`)
-
-The `pkg/valuer` package provides typed wrappers for common domain values. These types carry validation, normalization, and consistent serialization (JSON, SQL, text) that raw Go primitives do not.
-
-| Type | Wraps | Invariant |
-|---|---|---|
-| `valuer.UUID` | `google/uuid.UUID` | Valid UUIDv7, generated via `GenerateUUID()` |
-| `valuer.Email` | `string` | Valid email format, lowercased and trimmed |
-| `valuer.String` | `string` | Lowercased and trimmed |
-| `valuer.TextDuration` | `time.Duration` | Valid duration, text-serializable |
-
-### When to use a valuer type
-
-Use a valuer type instead of a raw primitive when the value represents a domain concept with any of:
-
-- **Enums**: All enums in the codebase must be backed by `valuer.String`. Do not use raw `string` constants or `iota`-based `int` enums. A struct embedding `valuer.String` with predefined variables gives you normalization, serialization, and an `Enum()` method for OpenAPI schema generation in one place.
-- **Validation**: emails must match a format, UUIDs must be parseable, durations must be valid.
-- **Normalization**: `valuer.String` lowercases and trims input, so comparisons are consistent throughout the system.
-- **Serialization boundary**: the value is stored in a database, sent over the wire, or bound from an HTTP parameter. Valuer types implement `Scan`, `Value`, `MarshalJSON`, `UnmarshalJSON`, and `UnmarshalParam` consistently.
-
-```go
-// Wrong: raw string constant with no validation or normalization.
-const SignalTraces = "traces"
-
-// Right: valuer-backed type that normalizes and serializes consistently.
-type Signal struct {
-    valuer.String
-}
-
-var SignalTraces = Signal{valuer.NewString("traces")}
-```
-
-Only primitive domain types that serve as shared infrastructure belong in `pkg/valuer`. If you need a new base type (like `Email` or `TextDuration`) that multiple packages will embed for validation and serialization, add it there. Domain-specific types that build on top of a valuer (like `Signal` embedding `valuer.String`) belong in their own domain package, not in `pkg/valuer`.
-
-### The `Valuer` interface
-
-Every valuer type implements the `Valuer` interface, which gives you serialization for free:
-
-```go
-type Valuer interface {
-    IsZero() bool                        // check for zero value
-    StringValue() string                 // raw string representation
-    fmt.Stringer                         // String() for printing
-    json.Marshaler / json.Unmarshaler    // JSON
-    sql.Scanner / driver.Valuer          // database
-    encoding.TextMarshaler / TextUnmarshaler  // text
-    ginbinding.BindUnmarshaler           // HTTP query/path params
-}
-```
-
-Use them in struct fields:
-
-```go
-type User struct {
-    Identifiable
-    Email valuer.Email `bun:"email" json:"email"`
-    OrgID valuer.UUID  `bun:"org_id" json:"orgId"`
-}
-```
-
-## Wrappers must add semantics, not just rename
-
-A wrapper type is justified when it adds meaning, validation, or invariants that the underlying type does not carry. It is not justified when it merely renames fields or reorganizes the same data into a different shape.
-
-```go
-// Justified: adds validation that the underlying string does not carry.
-type OrgID struct{ value string }
-func NewOrgID(s string) (OrgID, error) { /* validates format */ }
-
-// Not justified: renames fields with no new invariant or behavior.
-type UserInfo struct {
-    Name  string // same as source.Name
-    Email string // same as source.Email
-}
-```
-
-Ask: what does the wrapper guarantee that the underlying type does not? If the answer is nothing, use the underlying type directly.
-
-## When a new type IS warranted
-
-A new type earns its place when it meets **at least one** of these criteria:
-
-- **Serialization boundary**: It must be persisted, sent over the wire, or written to config. The source type is unsuitable (unexported fields, function pointers, cycles).
-- **Invariant enforcement**: The constructor or methods enforce constraints that raw data does not carry (e.g., non-empty, validated format, bounded range).
-- **Multiple distinct consumers**: Three or more call sites use the type in meaningfully different ways. The type is the shared vocabulary between them.
-- **Dependency firewall**: The type lives in a lightweight package so that consumers avoid importing a heavy dependency.
-
-See [Abstractions](abstractions.md) for the full set of rules on when abstractions are and aren't justified.
-
-## Store interfaces
-
-Each domain type package defines a store interface for persistence. The store interface lives alongside the types it operates on:
-
-```go
-// From pkg/types/ruletypes/maintenance.go
-type MaintenanceStore interface {
-    CreatePlannedMaintenance(context.Context, GettablePlannedMaintenance) (valuer.UUID, error)
-    DeletePlannedMaintenance(context.Context, valuer.UUID) error
-    GetPlannedMaintenanceByID(context.Context, valuer.UUID) (*GettablePlannedMaintenance, error)
-    EditPlannedMaintenance(context.Context, GettablePlannedMaintenance, valuer.UUID) error
-    GetAllPlannedMaintenance(context.Context, string) ([]*GettablePlannedMaintenance, error)
-}
-```
-
-Conventions:
-
-- Name the interface `<Domain>Store` (e.g., `UserStore`, `MaintenanceStore`).
-- Accept `context.Context` as the first parameter.
-- Use typed values (`valuer.UUID`, `valuer.Email`) instead of raw strings for identifiers.
-- Implementations go in separate packages (e.g., `sqlstore/`), see [SQL](sql.md) for details.
-
-## What should I remember?
-
-- Shared types live in `pkg/types/`, domain types in `pkg/types/<domain>types/`.
-- No domain logic in type packages only data structures, constants, and simple methods.
-- Use `Storable`, `Gettable`, `Postable` prefixes when API or database representation differs from the domain type.
-- Embed `Identifiable`, `TimeAuditable`, and `UserAuditable` for standard fields instead of repeating them.
-- Constructors (`New<Type>`) validate, generate IDs, and set timestamps.
-- Use `pkg/valuer/` types instead of raw strings for domain identifiers like UUIDs and emails.
-- Store interfaces live alongside the types they persist and use `context.Context` as the first parameter.

ee/authz/openfgaauthz/provider.go

@@ -98,16 +98,20 @@ func (provider *provider) ListByOrgIDAndNames(ctx context.Context, orgID valuer.
 	return provider.pkgAuthzService.ListByOrgIDAndNames(ctx, orgID, names)
 }
 
-func (provider *provider) Grant(ctx context.Context, orgID valuer.UUID, name string, subject string) error {
-	return provider.pkgAuthzService.Grant(ctx, orgID, name, subject)
+func (provider *provider) ListByOrgIDAndIDs(ctx context.Context, orgID valuer.UUID, ids []valuer.UUID) ([]*roletypes.Role, error) {
+	return provider.pkgAuthzService.ListByOrgIDAndIDs(ctx, orgID, ids)
 }
 
-func (provider *provider) ModifyGrant(ctx context.Context, orgID valuer.UUID, existingRoleName string, updatedRoleName string, subject string) error {
-	return provider.pkgAuthzService.ModifyGrant(ctx, orgID, existingRoleName, updatedRoleName, subject)
+func (provider *provider) Grant(ctx context.Context, orgID valuer.UUID, names []string, subject string) error {
+	return provider.pkgAuthzService.Grant(ctx, orgID, names, subject)
 }
 
-func (provider *provider) Revoke(ctx context.Context, orgID valuer.UUID, name string, subject string) error {
-	return provider.pkgAuthzService.Revoke(ctx, orgID, name, subject)
+func (provider *provider) ModifyGrant(ctx context.Context, orgID valuer.UUID, existingRoleNames []string, updatedRoleNames []string, subject string) error {
+	return provider.pkgAuthzService.ModifyGrant(ctx, orgID, existingRoleNames, updatedRoleNames, subject)
+}
+
+func (provider *provider) Revoke(ctx context.Context, orgID valuer.UUID, names []string, subject string) error {
+	return provider.pkgAuthzService.Revoke(ctx, orgID, names, subject)
 }
 
 func (provider *provider) CreateManagedRoles(ctx context.Context, orgID valuer.UUID, managedRoles []*roletypes.Role) error {

ee/authz/openfgaschema/base.fga

@@ -2,39 +2,45 @@ module base
 
 type organisation 
   relations
-    define read: [user, role#assignee]
-    define update: [user, role#assignee]
+    define read: [user, serviceaccount, role#assignee]
+    define update: [user, serviceaccount, role#assignee]
 
 type user
   relations
-    define read: [user, role#assignee]
-    define update: [user, role#assignee]
-    define delete: [user, role#assignee]
+    define read: [user, serviceaccount, role#assignee]
+    define update: [user, serviceaccount, role#assignee]
+    define delete: [user, serviceaccount, role#assignee]
+
+type serviceaccount 
+  relations
+    define read: [user, serviceaccount, role#assignee]
+    define update: [user, serviceaccount, role#assignee]
+    define delete: [user, serviceaccount, role#assignee]  
 
 type anonymous
 
 type role 
   relations
-    define assignee: [user, anonymous]
+    define assignee: [user, serviceaccount, anonymous]
 
-    define read: [user, role#assignee]
-    define update: [user, role#assignee]
-    define delete: [user, role#assignee]
+    define read: [user, serviceaccount, role#assignee]
+    define update: [user, serviceaccount, role#assignee]
+    define delete: [user, serviceaccount, role#assignee]
 
 type metaresources
   relations
-    define create: [user, role#assignee]
-    define list: [user, role#assignee]
+    define create: [user, serviceaccount, role#assignee]
+    define list: [user, serviceaccount, role#assignee]
 
 type metaresource
   relations
-      define read: [user, anonymous, role#assignee]
-      define update: [user, role#assignee]
-      define delete: [user, role#assignee]
+      define read: [user, aserviceaccount, anonymous, role#assignee]
+      define update: [user, serviceaccount, role#assignee]
+      define delete: [user, serviceaccount, role#assignee]
 
-      define block: [user, role#assignee]
+      define block: [user, serviceaccount, role#assignee]
 
 
 type telemetryresource
   relations
-      define read: [user, role#assignee]
+      define read: [user, serviceaccount, role#assignee]

ee/authz/openfgaserver/server.go

@@ -31,9 +31,23 @@ func (server *Server) Stop(ctx context.Context) error {
 }
 
 func (server *Server) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, relation authtypes.Relation, typeable authtypes.Typeable, selectors []authtypes.Selector, _ []authtypes.Selector) error {
-	subject, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
-	if err != nil {
-		return err
+	subject := ""
+
+	switch claims.Principal {
+	case authtypes.PrincipalUser.String():
+		user, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
+		if err != nil {
+			return err
+		}
+
+		subject = user
+	case authtypes.PrincipalServiceAccount.String():
+		serviceAccount, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
+		if err != nil {
+			return err
+		}
+
+		subject = serviceAccount
 	}
 
 	tupleSlice, err := typeable.Tuples(subject, relation, selectors, orgID)

ee/query-service/app/server.go

@@ -217,7 +217,7 @@ func (s *Server) createPublicServer(apiHandler *api.APIHandler, web web.Web) (*h
 		otelmux.WithPublicEndpoint(),
 	))
 	r.Use(middleware.NewAuthN([]string{"Authorization", "Sec-WebSocket-Protocol"}, s.signoz.Sharder, s.signoz.Tokenizer, s.signoz.Instrumentation.Logger()).Wrap)
-	r.Use(middleware.NewAPIKey(s.signoz.SQLStore, []string{"SIGNOZ-API-KEY"}, s.signoz.Instrumentation.Logger(), s.signoz.Sharder).Wrap)
+	r.Use(middleware.NewServiceAccount(s.signoz.SQLStore, []string{"SIGNOZ-API-KEY"}, s.signoz.Instrumentation.Logger(), s.signoz.Sharder).Wrap)
 	r.Use(middleware.NewTimeout(s.signoz.Instrumentation.Logger(),
 		s.config.APIServer.Timeout.ExcludedRoutes,
 		s.config.APIServer.Timeout.Default,

frontend/jest.config.ts

@@ -19,8 +19,6 @@ const config: Config.InitialOptions = {
 		'^.*/useSafeNavigate$': USE_SAFE_NAVIGATE_MOCK_PATH,
 		'^@signozhq/icons$':
 			'<rootDir>/node_modules/@signozhq/icons/dist/index.esm.js',
-		'^react-syntax-highlighter/dist/esm/(.*)$':
-			'<rootDir>/node_modules/react-syntax-highlighter/dist/cjs/$1',
 	},
 	globals: {
 		extensionsToTreatAsEsm: ['.ts'],

frontend/package.json

@@ -214,7 +214,7 @@
 		"@types/react-redux": "^7.1.11",
 		"@types/react-resizable": "3.0.3",
 		"@types/react-router-dom": "^5.1.6",
-		"@types/react-syntax-highlighter": "15.5.13",
+		"@types/react-syntax-highlighter": "15.5.7",
 		"@types/redux-mock-store": "1.0.4",
 		"@types/styled-components": "^5.1.4",
 		"@types/uuid": "^8.3.1",

frontend/scripts/extract-md-languages.sh

@@ -1,13 +0,0 @@
-#!/usr/bin/env bash
-# Extracts unique fenced code block language identifiers from all .md files under frontend/src/
-# Usage: bash frontend/scripts/extract-md-languages.sh
-
-set -euo pipefail
-
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-SRC_DIR="$SCRIPT_DIR/../src"
-
-grep -roh '```[a-zA-Z0-9_+-]*' "$SRC_DIR" --include='*.md' \
-  | sed 's/^```//' \
-  | grep -v '^$' \
-  | sort -u

frontend/scripts/validate-md-languages.sh

@@ -1,35 +0,0 @@
-#!/usr/bin/env bash
-# Validates that all fenced code block languages used in .md files are registered
-# in the syntax highlighter.
-# Usage: bash frontend/scripts/validate-md-languages.sh
-
-set -euo pipefail
-
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-SYNTAX_HIGHLIGHTER="$SCRIPT_DIR/../src/components/MarkdownRenderer/syntaxHighlighter.ts"
-
-# Get all languages used in .md files
-md_languages=$("$SCRIPT_DIR/extract-md-languages.sh")
-
-# Get all registered languages from syntaxHighlighter.ts
-registered_languages=$(grep -oP "registerLanguage\('\K[^']+" "$SYNTAX_HIGHLIGHTER" | sort -u)
-
-missing_languages=()
-
-for lang in $md_languages; do
-  if ! echo "$registered_languages" | grep -qx "$lang"; then
-    missing_languages+=("$lang")
-  fi
-done
-
-if [ ${#missing_languages[@]} -gt 0 ]; then
-  echo "Error: The following languages are used in .md files but not registered in syntaxHighlighter.ts:"
-  for lang in "${missing_languages[@]}"; do
-    echo "  - $lang"
-  done
-  echo ""
-  echo "Please add them to: frontend/src/components/MarkdownRenderer/syntaxHighlighter.ts"
-  exit 1
-fi
-
-echo "All markdown code block languages are registered in syntaxHighlighter.ts"

frontend/src/api/generated/services/serviceaccount/index.ts

@@ -0,0 +1,973 @@
+/**
+ * ! Do not edit manually
+ * * The file has been auto-generated using Orval for SigNoz
+ * * regenerate with 'yarn generate:api'
+ * SigNoz
+ */
+import type {
+	InvalidateOptions,
+	MutationFunction,
+	QueryClient,
+	QueryFunction,
+	QueryKey,
+	UseMutationOptions,
+	UseMutationResult,
+	UseQueryOptions,
+	UseQueryResult,
+} from 'react-query';
+import { useMutation, useQuery } from 'react-query';
+
+import type { BodyType, ErrorType } from '../../../generatedAPIInstance';
+import { GeneratedAPIInstance } from '../../../generatedAPIInstance';
+import type {
+	CreateServiceAccount201,
+	CreateServiceAccountKey201,
+	CreateServiceAccountKeyPathParameters,
+	DeleteServiceAccountPathParameters,
+	GetServiceAccount200,
+	GetServiceAccountPathParameters,
+	ListServiceAccountKeys200,
+	ListServiceAccountKeysPathParameters,
+	ListServiceAccounts200,
+	RenderErrorResponseDTO,
+	RevokeServiceAccountKeyPathParameters,
+	ServiceaccounttypesPostableFactorAPIKeyDTO,
+	ServiceaccounttypesPostableServiceAccountDTO,
+	ServiceaccounttypesUpdatableFactorAPIKeyDTO,
+	ServiceaccounttypesUpdatableServiceAccountDTO,
+	ServiceaccounttypesUpdatableServiceAccountStatusDTO,
+	UpdateServiceAccountKeyPathParameters,
+	UpdateServiceAccountPathParameters,
+	UpdateServiceAccountStatusPathParameters,
+} from '../sigNoz.schemas';
+
+type AwaitedInput<T> = PromiseLike<T> | T;
+
+type Awaited<O> = O extends AwaitedInput<infer T> ? T : never;
+
+/**
+ * This endpoint lists the service accounts for an organisation
+ * @summary List service accounts
+ */
+export const listServiceAccounts = (signal?: AbortSignal) => {
+	return GeneratedAPIInstance<ListServiceAccounts200>({
+		url: `/api/v1/service_accounts`,
+		method: 'GET',
+		signal,
+	});
+};
+
+export const getListServiceAccountsQueryKey = () => {
+	return [`/api/v1/service_accounts`] as const;
+};
+
+export const getListServiceAccountsQueryOptions = <
+	TData = Awaited<ReturnType<typeof listServiceAccounts>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(options?: {
+	query?: UseQueryOptions<
+		Awaited<ReturnType<typeof listServiceAccounts>>,
+		TError,
+		TData
+	>;
+}) => {
+	const { query: queryOptions } = options ?? {};
+
+	const queryKey = queryOptions?.queryKey ?? getListServiceAccountsQueryKey();
+
+	const queryFn: QueryFunction<
+		Awaited<ReturnType<typeof listServiceAccounts>>
+	> = ({ signal }) => listServiceAccounts(signal);
+
+	return { queryKey, queryFn, ...queryOptions } as UseQueryOptions<
+		Awaited<ReturnType<typeof listServiceAccounts>>,
+		TError,
+		TData
+	> & { queryKey: QueryKey };
+};
+
+export type ListServiceAccountsQueryResult = NonNullable<
+	Awaited<ReturnType<typeof listServiceAccounts>>
+>;
+export type ListServiceAccountsQueryError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary List service accounts
+ */
+
+export function useListServiceAccounts<
+	TData = Awaited<ReturnType<typeof listServiceAccounts>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(options?: {
+	query?: UseQueryOptions<
+		Awaited<ReturnType<typeof listServiceAccounts>>,
+		TError,
+		TData
+	>;
+}): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
+	const queryOptions = getListServiceAccountsQueryOptions(options);
+
+	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
+		queryKey: QueryKey;
+	};
+
+	query.queryKey = queryOptions.queryKey;
+
+	return query;
+}
+
+/**
+ * @summary List service accounts
+ */
+export const invalidateListServiceAccounts = async (
+	queryClient: QueryClient,
+	options?: InvalidateOptions,
+): Promise<QueryClient> => {
+	await queryClient.invalidateQueries(
+		{ queryKey: getListServiceAccountsQueryKey() },
+		options,
+	);
+
+	return queryClient;
+};
+
+/**
+ * This endpoint creates a service account
+ * @summary Create service account
+ */
+export const createServiceAccount = (
+	serviceaccounttypesPostableServiceAccountDTO: BodyType<ServiceaccounttypesPostableServiceAccountDTO>,
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<CreateServiceAccount201>({
+		url: `/api/v1/service_accounts`,
+		method: 'POST',
+		headers: { 'Content-Type': 'application/json' },
+		data: serviceaccounttypesPostableServiceAccountDTO,
+		signal,
+	});
+};
+
+export const getCreateServiceAccountMutationOptions = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof createServiceAccount>>,
+		TError,
+		{ data: BodyType<ServiceaccounttypesPostableServiceAccountDTO> },
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof createServiceAccount>>,
+	TError,
+	{ data: BodyType<ServiceaccounttypesPostableServiceAccountDTO> },
+	TContext
+> => {
+	const mutationKey = ['createServiceAccount'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+		  'mutationKey' in options.mutation &&
+		  options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof createServiceAccount>>,
+		{ data: BodyType<ServiceaccounttypesPostableServiceAccountDTO> }
+	> = (props) => {
+		const { data } = props ?? {};
+
+		return createServiceAccount(data);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type CreateServiceAccountMutationResult = NonNullable<
+	Awaited<ReturnType<typeof createServiceAccount>>
+>;
+export type CreateServiceAccountMutationBody = BodyType<ServiceaccounttypesPostableServiceAccountDTO>;
+export type CreateServiceAccountMutationError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Create service account
+ */
+export const useCreateServiceAccount = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof createServiceAccount>>,
+		TError,
+		{ data: BodyType<ServiceaccounttypesPostableServiceAccountDTO> },
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof createServiceAccount>>,
+	TError,
+	{ data: BodyType<ServiceaccounttypesPostableServiceAccountDTO> },
+	TContext
+> => {
+	const mutationOptions = getCreateServiceAccountMutationOptions(options);
+
+	return useMutation(mutationOptions);
+};
+/**
+ * This endpoint deletes an existing service account
+ * @summary Deletes a service account
+ */
+export const deleteServiceAccount = ({
+	id,
+}: DeleteServiceAccountPathParameters) => {
+	return GeneratedAPIInstance<string>({
+		url: `/api/v1/service_accounts/${id}`,
+		method: 'DELETE',
+	});
+};
+
+export const getDeleteServiceAccountMutationOptions = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof deleteServiceAccount>>,
+		TError,
+		{ pathParams: DeleteServiceAccountPathParameters },
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof deleteServiceAccount>>,
+	TError,
+	{ pathParams: DeleteServiceAccountPathParameters },
+	TContext
+> => {
+	const mutationKey = ['deleteServiceAccount'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+		  'mutationKey' in options.mutation &&
+		  options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof deleteServiceAccount>>,
+		{ pathParams: DeleteServiceAccountPathParameters }
+	> = (props) => {
+		const { pathParams } = props ?? {};
+
+		return deleteServiceAccount(pathParams);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type DeleteServiceAccountMutationResult = NonNullable<
+	Awaited<ReturnType<typeof deleteServiceAccount>>
+>;
+
+export type DeleteServiceAccountMutationError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Deletes a service account
+ */
+export const useDeleteServiceAccount = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof deleteServiceAccount>>,
+		TError,
+		{ pathParams: DeleteServiceAccountPathParameters },
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof deleteServiceAccount>>,
+	TError,
+	{ pathParams: DeleteServiceAccountPathParameters },
+	TContext
+> => {
+	const mutationOptions = getDeleteServiceAccountMutationOptions(options);
+
+	return useMutation(mutationOptions);
+};
+/**
+ * This endpoint gets an existing service account
+ * @summary Gets a service account
+ */
+export const getServiceAccount = (
+	{ id }: GetServiceAccountPathParameters,
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<GetServiceAccount200>({
+		url: `/api/v1/service_accounts/${id}`,
+		method: 'GET',
+		signal,
+	});
+};
+
+export const getGetServiceAccountQueryKey = ({
+	id,
+}: GetServiceAccountPathParameters) => {
+	return [`/api/v1/service_accounts/${id}`] as const;
+};
+
+export const getGetServiceAccountQueryOptions = <
+	TData = Awaited<ReturnType<typeof getServiceAccount>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(
+	{ id }: GetServiceAccountPathParameters,
+	options?: {
+		query?: UseQueryOptions<
+			Awaited<ReturnType<typeof getServiceAccount>>,
+			TError,
+			TData
+		>;
+	},
+) => {
+	const { query: queryOptions } = options ?? {};
+
+	const queryKey =
+		queryOptions?.queryKey ?? getGetServiceAccountQueryKey({ id });
+
+	const queryFn: QueryFunction<
+		Awaited<ReturnType<typeof getServiceAccount>>
+	> = ({ signal }) => getServiceAccount({ id }, signal);
+
+	return {
+		queryKey,
+		queryFn,
+		enabled: !!id,
+		...queryOptions,
+	} as UseQueryOptions<
+		Awaited<ReturnType<typeof getServiceAccount>>,
+		TError,
+		TData
+	> & { queryKey: QueryKey };
+};
+
+export type GetServiceAccountQueryResult = NonNullable<
+	Awaited<ReturnType<typeof getServiceAccount>>
+>;
+export type GetServiceAccountQueryError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Gets a service account
+ */
+
+export function useGetServiceAccount<
+	TData = Awaited<ReturnType<typeof getServiceAccount>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(
+	{ id }: GetServiceAccountPathParameters,
+	options?: {
+		query?: UseQueryOptions<
+			Awaited<ReturnType<typeof getServiceAccount>>,
+			TError,
+			TData
+		>;
+	},
+): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
+	const queryOptions = getGetServiceAccountQueryOptions({ id }, options);
+
+	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
+		queryKey: QueryKey;
+	};
+
+	query.queryKey = queryOptions.queryKey;
+
+	return query;
+}
+
+/**
+ * @summary Gets a service account
+ */
+export const invalidateGetServiceAccount = async (
+	queryClient: QueryClient,
+	{ id }: GetServiceAccountPathParameters,
+	options?: InvalidateOptions,
+): Promise<QueryClient> => {
+	await queryClient.invalidateQueries(
+		{ queryKey: getGetServiceAccountQueryKey({ id }) },
+		options,
+	);
+
+	return queryClient;
+};
+
+/**
+ * This endpoint updates an existing service account
+ * @summary Updates a service account
+ */
+export const updateServiceAccount = (
+	{ id }: UpdateServiceAccountPathParameters,
+	serviceaccounttypesUpdatableServiceAccountDTO: BodyType<ServiceaccounttypesUpdatableServiceAccountDTO>,
+) => {
+	return GeneratedAPIInstance<string>({
+		url: `/api/v1/service_accounts/${id}`,
+		method: 'PUT',
+		headers: { 'Content-Type': 'application/json' },
+		data: serviceaccounttypesUpdatableServiceAccountDTO,
+	});
+};
+
+export const getUpdateServiceAccountMutationOptions = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof updateServiceAccount>>,
+		TError,
+		{
+			pathParams: UpdateServiceAccountPathParameters;
+			data: BodyType<ServiceaccounttypesUpdatableServiceAccountDTO>;
+		},
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof updateServiceAccount>>,
+	TError,
+	{
+		pathParams: UpdateServiceAccountPathParameters;
+		data: BodyType<ServiceaccounttypesUpdatableServiceAccountDTO>;
+	},
+	TContext
+> => {
+	const mutationKey = ['updateServiceAccount'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+		  'mutationKey' in options.mutation &&
+		  options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof updateServiceAccount>>,
+		{
+			pathParams: UpdateServiceAccountPathParameters;
+			data: BodyType<ServiceaccounttypesUpdatableServiceAccountDTO>;
+		}
+	> = (props) => {
+		const { pathParams, data } = props ?? {};
+
+		return updateServiceAccount(pathParams, data);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type UpdateServiceAccountMutationResult = NonNullable<
+	Awaited<ReturnType<typeof updateServiceAccount>>
+>;
+export type UpdateServiceAccountMutationBody = BodyType<ServiceaccounttypesUpdatableServiceAccountDTO>;
+export type UpdateServiceAccountMutationError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Updates a service account
+ */
+export const useUpdateServiceAccount = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof updateServiceAccount>>,
+		TError,
+		{
+			pathParams: UpdateServiceAccountPathParameters;
+			data: BodyType<ServiceaccounttypesUpdatableServiceAccountDTO>;
+		},
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof updateServiceAccount>>,
+	TError,
+	{
+		pathParams: UpdateServiceAccountPathParameters;
+		data: BodyType<ServiceaccounttypesUpdatableServiceAccountDTO>;
+	},
+	TContext
+> => {
+	const mutationOptions = getUpdateServiceAccountMutationOptions(options);
+
+	return useMutation(mutationOptions);
+};
+/**
+ * This endpoint lists the service account keys
+ * @summary List service account keys
+ */
+export const listServiceAccountKeys = (
+	{ id }: ListServiceAccountKeysPathParameters,
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<ListServiceAccountKeys200>({
+		url: `/api/v1/service_accounts/${id}/keys`,
+		method: 'GET',
+		signal,
+	});
+};
+
+export const getListServiceAccountKeysQueryKey = ({
+	id,
+}: ListServiceAccountKeysPathParameters) => {
+	return [`/api/v1/service_accounts/${id}/keys`] as const;
+};
+
+export const getListServiceAccountKeysQueryOptions = <
+	TData = Awaited<ReturnType<typeof listServiceAccountKeys>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(
+	{ id }: ListServiceAccountKeysPathParameters,
+	options?: {
+		query?: UseQueryOptions<
+			Awaited<ReturnType<typeof listServiceAccountKeys>>,
+			TError,
+			TData
+		>;
+	},
+) => {
+	const { query: queryOptions } = options ?? {};
+
+	const queryKey =
+		queryOptions?.queryKey ?? getListServiceAccountKeysQueryKey({ id });
+
+	const queryFn: QueryFunction<
+		Awaited<ReturnType<typeof listServiceAccountKeys>>
+	> = ({ signal }) => listServiceAccountKeys({ id }, signal);
+
+	return {
+		queryKey,
+		queryFn,
+		enabled: !!id,
+		...queryOptions,
+	} as UseQueryOptions<
+		Awaited<ReturnType<typeof listServiceAccountKeys>>,
+		TError,
+		TData
+	> & { queryKey: QueryKey };
+};
+
+export type ListServiceAccountKeysQueryResult = NonNullable<
+	Awaited<ReturnType<typeof listServiceAccountKeys>>
+>;
+export type ListServiceAccountKeysQueryError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary List service account keys
+ */
+
+export function useListServiceAccountKeys<
+	TData = Awaited<ReturnType<typeof listServiceAccountKeys>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(
+	{ id }: ListServiceAccountKeysPathParameters,
+	options?: {
+		query?: UseQueryOptions<
+			Awaited<ReturnType<typeof listServiceAccountKeys>>,
+			TError,
+			TData
+		>;
+	},
+): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
+	const queryOptions = getListServiceAccountKeysQueryOptions({ id }, options);
+
+	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
+		queryKey: QueryKey;
+	};
+
+	query.queryKey = queryOptions.queryKey;
+
+	return query;
+}
+
+/**
+ * @summary List service account keys
+ */
+export const invalidateListServiceAccountKeys = async (
+	queryClient: QueryClient,
+	{ id }: ListServiceAccountKeysPathParameters,
+	options?: InvalidateOptions,
+): Promise<QueryClient> => {
+	await queryClient.invalidateQueries(
+		{ queryKey: getListServiceAccountKeysQueryKey({ id }) },
+		options,
+	);
+
+	return queryClient;
+};
+
+/**
+ * This endpoint creates a service account key
+ * @summary Create a service account key
+ */
+export const createServiceAccountKey = (
+	{ id }: CreateServiceAccountKeyPathParameters,
+	serviceaccounttypesPostableFactorAPIKeyDTO: BodyType<ServiceaccounttypesPostableFactorAPIKeyDTO>,
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<CreateServiceAccountKey201>({
+		url: `/api/v1/service_accounts/${id}/keys`,
+		method: 'POST',
+		headers: { 'Content-Type': 'application/json' },
+		data: serviceaccounttypesPostableFactorAPIKeyDTO,
+		signal,
+	});
+};
+
+export const getCreateServiceAccountKeyMutationOptions = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof createServiceAccountKey>>,
+		TError,
+		{
+			pathParams: CreateServiceAccountKeyPathParameters;
+			data: BodyType<ServiceaccounttypesPostableFactorAPIKeyDTO>;
+		},
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof createServiceAccountKey>>,
+	TError,
+	{
+		pathParams: CreateServiceAccountKeyPathParameters;
+		data: BodyType<ServiceaccounttypesPostableFactorAPIKeyDTO>;
+	},
+	TContext
+> => {
+	const mutationKey = ['createServiceAccountKey'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+		  'mutationKey' in options.mutation &&
+		  options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof createServiceAccountKey>>,
+		{
+			pathParams: CreateServiceAccountKeyPathParameters;
+			data: BodyType<ServiceaccounttypesPostableFactorAPIKeyDTO>;
+		}
+	> = (props) => {
+		const { pathParams, data } = props ?? {};
+
+		return createServiceAccountKey(pathParams, data);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type CreateServiceAccountKeyMutationResult = NonNullable<
+	Awaited<ReturnType<typeof createServiceAccountKey>>
+>;
+export type CreateServiceAccountKeyMutationBody = BodyType<ServiceaccounttypesPostableFactorAPIKeyDTO>;
+export type CreateServiceAccountKeyMutationError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Create a service account key
+ */
+export const useCreateServiceAccountKey = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof createServiceAccountKey>>,
+		TError,
+		{
+			pathParams: CreateServiceAccountKeyPathParameters;
+			data: BodyType<ServiceaccounttypesPostableFactorAPIKeyDTO>;
+		},
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof createServiceAccountKey>>,
+	TError,
+	{
+		pathParams: CreateServiceAccountKeyPathParameters;
+		data: BodyType<ServiceaccounttypesPostableFactorAPIKeyDTO>;
+	},
+	TContext
+> => {
+	const mutationOptions = getCreateServiceAccountKeyMutationOptions(options);
+
+	return useMutation(mutationOptions);
+};
+/**
+ * This endpoint revokes an existing service account key
+ * @summary Revoke a service account key
+ */
+export const revokeServiceAccountKey = ({
+	id,
+	fid,
+}: RevokeServiceAccountKeyPathParameters) => {
+	return GeneratedAPIInstance<string>({
+		url: `/api/v1/service_accounts/${id}/keys/${fid}`,
+		method: 'DELETE',
+	});
+};
+
+export const getRevokeServiceAccountKeyMutationOptions = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof revokeServiceAccountKey>>,
+		TError,
+		{ pathParams: RevokeServiceAccountKeyPathParameters },
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof revokeServiceAccountKey>>,
+	TError,
+	{ pathParams: RevokeServiceAccountKeyPathParameters },
+	TContext
+> => {
+	const mutationKey = ['revokeServiceAccountKey'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+		  'mutationKey' in options.mutation &&
+		  options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof revokeServiceAccountKey>>,
+		{ pathParams: RevokeServiceAccountKeyPathParameters }
+	> = (props) => {
+		const { pathParams } = props ?? {};
+
+		return revokeServiceAccountKey(pathParams);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type RevokeServiceAccountKeyMutationResult = NonNullable<
+	Awaited<ReturnType<typeof revokeServiceAccountKey>>
+>;
+
+export type RevokeServiceAccountKeyMutationError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Revoke a service account key
+ */
+export const useRevokeServiceAccountKey = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof revokeServiceAccountKey>>,
+		TError,
+		{ pathParams: RevokeServiceAccountKeyPathParameters },
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof revokeServiceAccountKey>>,
+	TError,
+	{ pathParams: RevokeServiceAccountKeyPathParameters },
+	TContext
+> => {
+	const mutationOptions = getRevokeServiceAccountKeyMutationOptions(options);
+
+	return useMutation(mutationOptions);
+};
+/**
+ * This endpoint updates an existing service account key
+ * @summary Updates a service account key
+ */
+export const updateServiceAccountKey = (
+	{ id, fid }: UpdateServiceAccountKeyPathParameters,
+	serviceaccounttypesUpdatableFactorAPIKeyDTO: BodyType<ServiceaccounttypesUpdatableFactorAPIKeyDTO>,
+) => {
+	return GeneratedAPIInstance<string>({
+		url: `/api/v1/service_accounts/${id}/keys/${fid}`,
+		method: 'PUT',
+		headers: { 'Content-Type': 'application/json' },
+		data: serviceaccounttypesUpdatableFactorAPIKeyDTO,
+	});
+};
+
+export const getUpdateServiceAccountKeyMutationOptions = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof updateServiceAccountKey>>,
+		TError,
+		{
+			pathParams: UpdateServiceAccountKeyPathParameters;
+			data: BodyType<ServiceaccounttypesUpdatableFactorAPIKeyDTO>;
+		},
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof updateServiceAccountKey>>,
+	TError,
+	{
+		pathParams: UpdateServiceAccountKeyPathParameters;
+		data: BodyType<ServiceaccounttypesUpdatableFactorAPIKeyDTO>;
+	},
+	TContext
+> => {
+	const mutationKey = ['updateServiceAccountKey'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+		  'mutationKey' in options.mutation &&
+		  options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof updateServiceAccountKey>>,
+		{
+			pathParams: UpdateServiceAccountKeyPathParameters;
+			data: BodyType<ServiceaccounttypesUpdatableFactorAPIKeyDTO>;
+		}
+	> = (props) => {
+		const { pathParams, data } = props ?? {};
+
+		return updateServiceAccountKey(pathParams, data);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type UpdateServiceAccountKeyMutationResult = NonNullable<
+	Awaited<ReturnType<typeof updateServiceAccountKey>>
+>;
+export type UpdateServiceAccountKeyMutationBody = BodyType<ServiceaccounttypesUpdatableFactorAPIKeyDTO>;
+export type UpdateServiceAccountKeyMutationError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Updates a service account key
+ */
+export const useUpdateServiceAccountKey = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof updateServiceAccountKey>>,
+		TError,
+		{
+			pathParams: UpdateServiceAccountKeyPathParameters;
+			data: BodyType<ServiceaccounttypesUpdatableFactorAPIKeyDTO>;
+		},
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof updateServiceAccountKey>>,
+	TError,
+	{
+		pathParams: UpdateServiceAccountKeyPathParameters;
+		data: BodyType<ServiceaccounttypesUpdatableFactorAPIKeyDTO>;
+	},
+	TContext
+> => {
+	const mutationOptions = getUpdateServiceAccountKeyMutationOptions(options);
+
+	return useMutation(mutationOptions);
+};
+/**
+ * This endpoint updates an existing service account status
+ * @summary Updates a service account status
+ */
+export const updateServiceAccountStatus = (
+	{ id }: UpdateServiceAccountStatusPathParameters,
+	serviceaccounttypesUpdatableServiceAccountStatusDTO: BodyType<ServiceaccounttypesUpdatableServiceAccountStatusDTO>,
+) => {
+	return GeneratedAPIInstance<string>({
+		url: `/api/v1/service_accounts/${id}/status`,
+		method: 'PUT',
+		headers: { 'Content-Type': 'application/json' },
+		data: serviceaccounttypesUpdatableServiceAccountStatusDTO,
+	});
+};
+
+export const getUpdateServiceAccountStatusMutationOptions = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof updateServiceAccountStatus>>,
+		TError,
+		{
+			pathParams: UpdateServiceAccountStatusPathParameters;
+			data: BodyType<ServiceaccounttypesUpdatableServiceAccountStatusDTO>;
+		},
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof updateServiceAccountStatus>>,
+	TError,
+	{
+		pathParams: UpdateServiceAccountStatusPathParameters;
+		data: BodyType<ServiceaccounttypesUpdatableServiceAccountStatusDTO>;
+	},
+	TContext
+> => {
+	const mutationKey = ['updateServiceAccountStatus'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+		  'mutationKey' in options.mutation &&
+		  options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof updateServiceAccountStatus>>,
+		{
+			pathParams: UpdateServiceAccountStatusPathParameters;
+			data: BodyType<ServiceaccounttypesUpdatableServiceAccountStatusDTO>;
+		}
+	> = (props) => {
+		const { pathParams, data } = props ?? {};
+
+		return updateServiceAccountStatus(pathParams, data);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type UpdateServiceAccountStatusMutationResult = NonNullable<
+	Awaited<ReturnType<typeof updateServiceAccountStatus>>
+>;
+export type UpdateServiceAccountStatusMutationBody = BodyType<ServiceaccounttypesUpdatableServiceAccountStatusDTO>;
+export type UpdateServiceAccountStatusMutationError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Updates a service account status
+ */
+export const useUpdateServiceAccountStatus = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof updateServiceAccountStatus>>,
+		TError,
+		{
+			pathParams: UpdateServiceAccountStatusPathParameters;
+			data: BodyType<ServiceaccounttypesUpdatableServiceAccountStatusDTO>;
+		},
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof updateServiceAccountStatus>>,
+	TError,
+	{
+		pathParams: UpdateServiceAccountStatusPathParameters;
+		data: BodyType<ServiceaccounttypesUpdatableServiceAccountStatusDTO>;
+	},
+	TContext
+> => {
+	const mutationOptions = getUpdateServiceAccountStatusMutationOptions(options);
+
+	return useMutation(mutationOptions);
+};

frontend/src/api/generated/services/sigNoz.schemas.ts

@@ -2090,6 +2090,143 @@ export interface RoletypesRoleDTO {
 	updatedAt?: Date;
 }
 
+export interface ServiceaccounttypesFactorAPIKeyDTO {
+	/**
+	 * @type string
+	 * @format date-time
+	 */
+	createdAt?: Date;
+	/**
+	 * @type integer
+	 * @minimum 0
+	 */
+	expires_at: number;
+	/**
+	 * @type string
+	 */
+	id: string;
+	/**
+	 * @type string
+	 */
+	key: string;
+	/**
+	 * @type string
+	 * @format date-time
+	 */
+	last_used: Date;
+	/**
+	 * @type string
+	 */
+	name?: string;
+	/**
+	 * @type string
+	 */
+	service_account_id: string;
+	/**
+	 * @type string
+	 * @format date-time
+	 */
+	updatedAt?: Date;
+}
+
+export interface ServiceaccounttypesPostableFactorAPIKeyDTO {
+	/**
+	 * @type integer
+	 * @minimum 0
+	 */
+	expires_at: number;
+	/**
+	 * @type string
+	 */
+	name: string;
+}
+
+export interface ServiceaccounttypesPostableServiceAccountDTO {
+	/**
+	 * @type string
+	 */
+	email: string;
+	/**
+	 * @type string
+	 */
+	name: string;
+	/**
+	 * @type array
+	 */
+	roles: string[];
+}
+
+export interface ServiceaccounttypesServiceAccountDTO {
+	/**
+	 * @type string
+	 * @format date-time
+	 */
+	createdAt?: Date;
+	/**
+	 * @type string
+	 */
+	email: string;
+	/**
+	 * @type string
+	 */
+	id: string;
+	/**
+	 * @type string
+	 */
+	name: string;
+	/**
+	 * @type string
+	 */
+	orgID: string;
+	/**
+	 * @type array
+	 */
+	roles: string[];
+	/**
+	 * @type string
+	 */
+	status: string;
+	/**
+	 * @type string
+	 * @format date-time
+	 */
+	updatedAt?: Date;
+}
+
+export interface ServiceaccounttypesUpdatableFactorAPIKeyDTO {
+	/**
+	 * @type integer
+	 * @minimum 0
+	 */
+	expires_at: number;
+	/**
+	 * @type string
+	 */
+	name: string;
+}
+
+export interface ServiceaccounttypesUpdatableServiceAccountDTO {
+	/**
+	 * @type string
+	 */
+	email: string;
+	/**
+	 * @type string
+	 */
+	name: string;
+	/**
+	 * @type array
+	 */
+	roles: string[];
+}
+
+export interface ServiceaccounttypesUpdatableServiceAccountStatusDTO {
+	/**
+	 * @type string
+	 */
+	status: string;
+}
+
 export enum TelemetrytypesFieldContextDTO {
 	metric = 'metric',
 	log = 'log',
@@ -3050,6 +3187,78 @@ export type PatchObjectsPathParameters = {
 	id: string;
 	relation: string;
 };
+export type ListServiceAccounts200 = {
+	/**
+	 * @type array
+	 */
+	data: ServiceaccounttypesServiceAccountDTO[];
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
+export type CreateServiceAccount201 = {
+	data: TypesIdentifiableDTO;
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
+export type DeleteServiceAccountPathParameters = {
+	id: string;
+};
+export type GetServiceAccountPathParameters = {
+	id: string;
+};
+export type GetServiceAccount200 = {
+	data: ServiceaccounttypesServiceAccountDTO;
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
+export type UpdateServiceAccountPathParameters = {
+	id: string;
+};
+export type ListServiceAccountKeysPathParameters = {
+	id: string;
+};
+export type ListServiceAccountKeys200 = {
+	/**
+	 * @type array
+	 */
+	data: ServiceaccounttypesFactorAPIKeyDTO[];
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
+export type CreateServiceAccountKeyPathParameters = {
+	id: string;
+};
+export type CreateServiceAccountKey201 = {
+	data: TypesIdentifiableDTO;
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
+export type RevokeServiceAccountKeyPathParameters = {
+	id: string;
+	fid: string;
+};
+export type UpdateServiceAccountKeyPathParameters = {
+	id: string;
+	fid: string;
+};
+export type UpdateServiceAccountStatusPathParameters = {
+	id: string;
+};
 export type ListUsers200 = {
 	/**
 	 * @type array

frontend/src/components/MarkdownRenderer/MarkdownRenderer.tsx

@@ -2,12 +2,13 @@
 
 import ReactMarkdown from 'react-markdown';
 import { CodeProps } from 'react-markdown/lib/ast-to-react';
+import { Prism as SyntaxHighlighter } from 'react-syntax-highlighter';
+import { a11yDark } from 'react-syntax-highlighter/dist/cjs/styles/prism';
 import logEvent from 'api/common/logEvent';
 import { isEmpty } from 'lodash-es';
 import rehypeRaw from 'rehype-raw';
 
 import CodeCopyBtn from './CodeCopyBtn/CodeCopyBtn';
-import SyntaxHighlighter, { a11yDark } from './syntaxHighlighter';
 
 interface LinkProps {
 	href: string;

frontend/src/components/MarkdownRenderer/syntaxHighlighter.ts

@@ -1,34 +0,0 @@
-import { PrismLight as SyntaxHighlighter } from 'react-syntax-highlighter';
-import bash from 'react-syntax-highlighter/dist/esm/languages/prism/bash';
-import docker from 'react-syntax-highlighter/dist/esm/languages/prism/docker';
-import elixir from 'react-syntax-highlighter/dist/esm/languages/prism/elixir';
-import go from 'react-syntax-highlighter/dist/esm/languages/prism/go';
-import javascript from 'react-syntax-highlighter/dist/esm/languages/prism/javascript';
-import json from 'react-syntax-highlighter/dist/esm/languages/prism/json';
-import jsx from 'react-syntax-highlighter/dist/esm/languages/prism/jsx';
-import rust from 'react-syntax-highlighter/dist/esm/languages/prism/rust';
-import swift from 'react-syntax-highlighter/dist/esm/languages/prism/swift';
-import tsx from 'react-syntax-highlighter/dist/esm/languages/prism/tsx';
-import typescript from 'react-syntax-highlighter/dist/esm/languages/prism/typescript';
-import yaml from 'react-syntax-highlighter/dist/esm/languages/prism/yaml';
-import a11yDark from 'react-syntax-highlighter/dist/esm/styles/prism/a11y-dark';
-
-SyntaxHighlighter.registerLanguage('bash', bash);
-SyntaxHighlighter.registerLanguage('docker', docker);
-SyntaxHighlighter.registerLanguage('dockerfile', docker);
-SyntaxHighlighter.registerLanguage('elixir', elixir);
-SyntaxHighlighter.registerLanguage('go', go);
-SyntaxHighlighter.registerLanguage('javascript', javascript);
-SyntaxHighlighter.registerLanguage('js', javascript);
-SyntaxHighlighter.registerLanguage('json', json);
-SyntaxHighlighter.registerLanguage('jsx', jsx);
-SyntaxHighlighter.registerLanguage('rust', rust);
-SyntaxHighlighter.registerLanguage('swift', swift);
-SyntaxHighlighter.registerLanguage('ts', typescript);
-SyntaxHighlighter.registerLanguage('tsx', tsx);
-SyntaxHighlighter.registerLanguage('typescript', typescript);
-SyntaxHighlighter.registerLanguage('yaml', yaml);
-SyntaxHighlighter.registerLanguage('yml', yaml);
-
-export default SyntaxHighlighter;
-export { a11yDark };

frontend/src/container/Download/Download.tsx

@@ -1,6 +1,6 @@
-import { useState } from 'react';
 import { CloudDownloadOutlined } from '@ant-design/icons';
 import { Button, Dropdown, MenuProps } from 'antd';
+import { Excel } from 'antd-table-saveas-excel';
 import { unparse } from 'papaparse';
 
 import { DownloadProps } from './Download.types';
@@ -8,36 +8,25 @@ import { DownloadProps } from './Download.types';
 import './Download.styles.scss';
 
 function Download({ data, isLoading, fileName }: DownloadProps): JSX.Element {
-	const [isDownloading, setIsDownloading] = useState(false);
-
-	const downloadExcelFile = async (): Promise<void> => {
-		setIsDownloading(true);
-
-		try {
-			const headers = Object.keys(Object.assign({}, ...data)).map((item) => {
-				const updatedTitle = item
-					.split('_')
-					.map((word) => word.charAt(0).toUpperCase() + word.slice(1))
-					.join(' ');
-				return {
-					title: updatedTitle,
-					dataIndex: item,
-				};
-			});
-
-			const excelLib = await import('antd-table-saveas-excel');
-
-			const excel = new excelLib.Excel();
-			excel
-				.addSheet(fileName)
-				.addColumns(headers)
-				.addDataSource(data, {
-					str2Percent: true,
-				})
-				.saveAs(`${fileName}.xlsx`);
-		} finally {
-			setIsDownloading(false);
-		}
+	const downloadExcelFile = (): void => {
+		const headers = Object.keys(Object.assign({}, ...data)).map((item) => {
+			const updatedTitle = item
+				.split('_')
+				.map((word) => word.charAt(0).toUpperCase() + word.slice(1))
+				.join(' ');
+			return {
+				title: updatedTitle,
+				dataIndex: item,
+			};
+		});
+		const excel = new Excel();
+		excel
+			.addSheet(fileName)
+			.addColumns(headers)
+			.addDataSource(data, {
+				str2Percent: true,
+			})
+			.saveAs(`${fileName}.xlsx`);
 	};
 
 	const downloadCsvFile = (): void => {
@@ -70,7 +59,7 @@ function Download({ data, isLoading, fileName }: DownloadProps): JSX.Element {
 		<Dropdown menu={menu} trigger={['click']}>
 			<Button
 				className="download-button"
-				loading={isLoading || isDownloading}
+				loading={isLoading}
 				size="small"
 				type="link"
 			>

frontend/src/container/DownloadV2/DownloadV2.tsx

@@ -1,5 +1,5 @@
-import { useState } from 'react';
 import { Button, Popover, Typography } from 'antd';
+import { Excel } from 'antd-table-saveas-excel';
 import { FileDigit, FileDown, Sheet } from 'lucide-react';
 import { unparse } from 'papaparse';
 
@@ -8,34 +8,25 @@ import { DownloadProps } from './DownloadV2.types';
 import './DownloadV2.styles.scss';
 
 function Download({ data, isLoading, fileName }: DownloadProps): JSX.Element {
-	const [isDownloading, setIsDownloading] = useState(false);
-
-	const downloadExcelFile = async (): Promise<void> => {
-		setIsDownloading(true);
-
-		try {
-			const headers = Object.keys(Object.assign({}, ...data)).map((item) => {
-				const updatedTitle = item
-					.split('_')
-					.map((word) => word.charAt(0).toUpperCase() + word.slice(1))
-					.join(' ');
-				return {
-					title: updatedTitle,
-					dataIndex: item,
-				};
-			});
-			const excelLib = await import('antd-table-saveas-excel');
-			const excel = new excelLib.Excel();
-			excel
-				.addSheet(fileName)
-				.addColumns(headers)
-				.addDataSource(data, {
-					str2Percent: true,
-				})
-				.saveAs(`${fileName}.xlsx`);
-		} finally {
-			setIsDownloading(false);
-		}
+	const downloadExcelFile = (): void => {
+		const headers = Object.keys(Object.assign({}, ...data)).map((item) => {
+			const updatedTitle = item
+				.split('_')
+				.map((word) => word.charAt(0).toUpperCase() + word.slice(1))
+				.join(' ');
+			return {
+				title: updatedTitle,
+				dataIndex: item,
+			};
+		});
+		const excel = new Excel();
+		excel
+			.addSheet(fileName)
+			.addColumns(headers)
+			.addDataSource(data, {
+				str2Percent: true,
+			})
+			.saveAs(`${fileName}.xlsx`);
 	};
 
 	const downloadCsvFile = (): void => {
@@ -63,7 +54,6 @@ function Download({ data, isLoading, fileName }: DownloadProps): JSX.Element {
 						type="text"
 						onClick={downloadExcelFile}
 						className="action-btns"
-						loading={isDownloading}
 					>
 						Excel (.xlsx)
 					</Button>

frontend/yarn.lock

@@ -6205,10 +6205,10 @@
     "@types/history" "^4.7.11"
     "@types/react" "*"
 
-"@types/react-syntax-highlighter@15.5.13":
-  version "15.5.13"
-  resolved "https://registry.yarnpkg.com/@types/react-syntax-highlighter/-/react-syntax-highlighter-15.5.13.tgz#c5baf62a3219b3bf28d39cfea55d0a49a263d1f2"
-  integrity sha512-uLGJ87j6Sz8UaBAooU0T6lWJ0dBmjZgN1PZTrj05TNql2/XpC6+4HhMT5syIdFUUt+FASfCeLLv4kBygNU+8qA==
+"@types/react-syntax-highlighter@15.5.7":
+  version "15.5.7"
+  resolved "https://registry.yarnpkg.com/@types/react-syntax-highlighter/-/react-syntax-highlighter-15.5.7.tgz#bd29020ccb118543d88779848f99059b64b02d0f"
+  integrity sha512-bo5fEO5toQeyCp0zVHBeggclqf5SQ/Z5blfFmjwO5dkMVGPgmiwZsJh9nu/Bo5L7IHTuGWrja6LxJVE2uB5ZrQ==
   dependencies:
     "@types/react" "*"
 

pkg/apiserver/signozapiserver/provider.go

@@ -18,6 +18,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/organization"
 	"github.com/SigNoz/signoz/pkg/modules/preference"
 	"github.com/SigNoz/signoz/pkg/modules/promote"
+	"github.com/SigNoz/signoz/pkg/modules/serviceaccount"
 	"github.com/SigNoz/signoz/pkg/modules/session"
 	"github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/querier"
@@ -48,6 +49,7 @@ type provider struct {
 	authzHandler           authz.Handler
 	zeusHandler            zeus.Handler
 	querierHandler         querier.Handler
+	serviceAccountHandler  serviceaccount.Handler
 }
 
 func NewFactory(
@@ -69,6 +71,7 @@ func NewFactory(
 	authzHandler authz.Handler,
 	zeusHandler zeus.Handler,
 	querierHandler querier.Handler,
+	serviceAccountHandler serviceaccount.Handler,
 ) factory.ProviderFactory[apiserver.APIServer, apiserver.Config] {
 	return factory.NewProviderFactory(factory.MustNewName("signoz"), func(ctx context.Context, providerSettings factory.ProviderSettings, config apiserver.Config) (apiserver.APIServer, error) {
 		return newProvider(
@@ -93,6 +96,7 @@ func NewFactory(
 			authzHandler,
 			zeusHandler,
 			querierHandler,
+			serviceAccountHandler,
 		)
 	})
 }
@@ -119,6 +123,7 @@ func newProvider(
 	authzHandler authz.Handler,
 	zeusHandler zeus.Handler,
 	querierHandler querier.Handler,
+	serviceAccountHandler serviceaccount.Handler,
 ) (apiserver.APIServer, error) {
 	settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/apiserver/signozapiserver")
 	router := mux.NewRouter().UseEncodedPath()
@@ -143,6 +148,7 @@ func newProvider(
 		authzHandler:           authzHandler,
 		zeusHandler:            zeusHandler,
 		querierHandler:         querierHandler,
+		serviceAccountHandler:  serviceAccountHandler,
 	}
 
 	provider.authZ = middleware.NewAuthZ(settings.Logger(), orgGetter, authz)
@@ -223,6 +229,10 @@ func (provider *provider) AddToRouter(router *mux.Router) error {
 		return err
 	}
 
+	if err := provider.addServiceAccountRoutes(router); err != nil {
+		return err
+	}
+
 	return nil
 }
 

pkg/apiserver/signozapiserver/serviceaccount.go

@@ -0,0 +1,184 @@
+package signozapiserver
+
+import (
+	"net/http"
+
+	"github.com/SigNoz/signoz/pkg/http/handler"
+	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"
+	"github.com/gorilla/mux"
+)
+
+func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {
+	if err := router.Handle("/api/v1/service_accounts", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.Create), handler.OpenAPIDef{
+		ID:                  "CreateServiceAccount",
+		Tags:                []string{"serviceaccount"},
+		Summary:             "Create service account",
+		Description:         "This endpoint creates a service account",
+		Request:             new(serviceaccounttypes.PostableServiceAccount),
+		RequestContentType:  "",
+		Response:            new(types.Identifiable),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusCreated,
+		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodPost).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/service_accounts", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.List), handler.OpenAPIDef{
+		ID:                  "ListServiceAccounts",
+		Tags:                []string{"serviceaccount"},
+		Summary:             "List service accounts",
+		Description:         "This endpoint lists the service accounts for an organisation",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            make([]*serviceaccounttypes.ServiceAccount, 0),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.Get), handler.OpenAPIDef{
+		ID:                  "GetServiceAccount",
+		Tags:                []string{"serviceaccount"},
+		Summary:             "Gets a service account",
+		Description:         "This endpoint gets an existing service account",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            new(serviceaccounttypes.ServiceAccount),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{http.StatusNotFound},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.Update), handler.OpenAPIDef{
+		ID:                  "UpdateServiceAccount",
+		Tags:                []string{"serviceaccount"},
+		Summary:             "Updates a service account",
+		Description:         "This endpoint updates an existing service account",
+		Request:             new(serviceaccounttypes.UpdatableServiceAccount),
+		RequestContentType:  "",
+		Response:            nil,
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusNoContent,
+		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusBadRequest},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodPut).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/service_accounts/{id}/status", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.UpdateStatus), handler.OpenAPIDef{
+		ID:                  "UpdateServiceAccountStatus",
+		Tags:                []string{"serviceaccount"},
+		Summary:             "Updates a service account status",
+		Description:         "This endpoint updates an existing service account status",
+		Request:             new(serviceaccounttypes.UpdatableServiceAccountStatus),
+		RequestContentType:  "",
+		Response:            nil,
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusNoContent,
+		ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusBadRequest},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodPut).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.Delete), handler.OpenAPIDef{
+		ID:                  "DeleteServiceAccount",
+		Tags:                []string{"serviceaccount"},
+		Summary:             "Deletes a service account",
+		Description:         "This endpoint deletes an existing service account",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            nil,
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusNoContent,
+		ErrorStatusCodes:    []int{http.StatusNotFound},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodDelete).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/service_accounts/{id}/keys", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.CreateFactorAPIKey), handler.OpenAPIDef{
+		ID:                  "CreateServiceAccountKey",
+		Tags:                []string{"serviceaccount"},
+		Summary:             "Create a service account key",
+		Description:         "This endpoint creates a service account key",
+		Request:             new(serviceaccounttypes.PostableFactorAPIKey),
+		RequestContentType:  "",
+		Response:            new(types.Identifiable),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusCreated,
+		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodPost).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/service_accounts/{id}/keys", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.ListFactorAPIKey), handler.OpenAPIDef{
+		ID:                  "ListServiceAccountKeys",
+		Tags:                []string{"serviceaccount"},
+		Summary:             "List service account keys",
+		Description:         "This endpoint lists the service account keys",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            make([]*serviceaccounttypes.FactorAPIKey, 0),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/service_accounts/{id}/keys/{fid}", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.UpdateFactorAPIKey), handler.OpenAPIDef{
+		ID:                  "UpdateServiceAccountKey",
+		Tags:                []string{"serviceaccount"},
+		Summary:             "Updates a service account key",
+		Description:         "This endpoint updates an existing service account key",
+		Request:             new(serviceaccounttypes.UpdatableFactorAPIKey),
+		RequestContentType:  "",
+		Response:            nil,
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusNoContent,
+		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodPut).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/service_accounts/{id}/keys/{fid}", handler.New(provider.authZ.AdminAccess(provider.serviceAccountHandler.RevokeFactorAPIKey), handler.OpenAPIDef{
+		ID:                  "RevokeServiceAccountKey",
+		Tags:                []string{"serviceaccount"},
+		Summary:             "Revoke a service account key",
+		Description:         "This endpoint revokes an existing service account key",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            nil,
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusNoContent,
+		ErrorStatusCodes:    []int{http.StatusNotFound},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodDelete).GetError(); err != nil {
+		return err
+	}
+
+	return nil
+}

pkg/authz/authz.go

@@ -62,14 +62,17 @@ type AuthZ interface {
 	//  Lists all the roles for the organization filtered by name
 	ListByOrgIDAndNames(context.Context, valuer.UUID, []string) ([]*roletypes.Role, error)
 
+	//  Lists all the roles for the organization filtered by ids
+	ListByOrgIDAndIDs(context.Context, valuer.UUID, []valuer.UUID) ([]*roletypes.Role, error)
+
 	// Grants a role to the subject based on role name.
-	Grant(context.Context, valuer.UUID, string, string) error
+	Grant(context.Context, valuer.UUID, []string, string) error
 
 	// Revokes a granted role from the subject based on role name.
-	Revoke(context.Context, valuer.UUID, string, string) error
+	Revoke(context.Context, valuer.UUID, []string, string) error
 
 	// Changes the granted role for the subject based on role name.
-	ModifyGrant(context.Context, valuer.UUID, string, string, string) error
+	ModifyGrant(context.Context, valuer.UUID, []string, []string, string) error
 
 	// Bootstrap the managed roles.
 	CreateManagedRoles(context.Context, valuer.UUID, []*roletypes.Role) error

pkg/authz/authzstore/sqlauthzstore/store.go

@@ -96,6 +96,39 @@ func (store *store) ListByOrgIDAndNames(ctx context.Context, orgID valuer.UUID,
 		return nil, err
 	}
 
+	if len(roles) != len(names) {
+		return nil, store.sqlstore.WrapNotFoundErrf(
+			nil,
+			roletypes.ErrCodeRoleNotFound,
+			"not all roles found for the provided names: %v", names,
+		)
+	}
+
+	return roles, nil
+}
+
+func (store *store) ListByOrgIDAndIDs(ctx context.Context, orgID valuer.UUID, ids []valuer.UUID) ([]*roletypes.StorableRole, error) {
+	roles := make([]*roletypes.StorableRole, 0)
+	err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(&roles).
+		Where("org_id = ?", orgID).
+		Where("id IN (?)", bun.In(ids)).
+		Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(roles) != len(ids) {
+		return nil, store.sqlstore.WrapNotFoundErrf(
+			nil,
+			roletypes.ErrCodeRoleNotFound,
+			"not all roles found for the provided ids: %v", ids,
+		)
+	}
+
 	return roles, nil
 }
 

pkg/authz/openfgaauthz/provider.go

@@ -114,28 +114,46 @@ func (provider *provider) ListByOrgIDAndNames(ctx context.Context, orgID valuer.
 	return roles, nil
 }
 
-func (provider *provider) Grant(ctx context.Context, orgID valuer.UUID, name string, subject string) error {
+func (provider *provider) ListByOrgIDAndIDs(ctx context.Context, orgID valuer.UUID, ids []valuer.UUID) ([]*roletypes.Role, error) {
+	storableRoles, err := provider.store.ListByOrgIDAndIDs(ctx, orgID, ids)
+	if err != nil {
+		return nil, err
+	}
+
+	roles := make([]*roletypes.Role, len(storableRoles))
+	for idx, storable := range storableRoles {
+		roles[idx] = roletypes.NewRoleFromStorableRole(storable)
+	}
+
+	return roles, nil
+}
+
+func (provider *provider) Grant(ctx context.Context, orgID valuer.UUID, names []string, subject string) error {
+	selectors := make([]authtypes.Selector, len(names))
+	for idx, name := range names {
+		selectors[idx] = authtypes.MustNewSelector(authtypes.TypeRole, name)
+	}
+
 	tuples, err := authtypes.TypeableRole.Tuples(
 		subject,
 		authtypes.RelationAssignee,
-		[]authtypes.Selector{
-			authtypes.MustNewSelector(authtypes.TypeRole, name),
-		},
+		selectors,
 		orgID,
 	)
 	if err != nil {
 		return err
 	}
+
 	return provider.Write(ctx, tuples, nil)
 }
 
-func (provider *provider) ModifyGrant(ctx context.Context, orgID valuer.UUID, existingRoleName string, updatedRoleName string, subject string) error {
-	err := provider.Revoke(ctx, orgID, existingRoleName, subject)
+func (provider *provider) ModifyGrant(ctx context.Context, orgID valuer.UUID, existingRoleNames []string, updatedRoleNames []string, subject string) error {
+	err := provider.Revoke(ctx, orgID, existingRoleNames, subject)
 	if err != nil {
 		return err
 	}
 
-	err = provider.Grant(ctx, orgID, updatedRoleName, subject)
+	err = provider.Grant(ctx, orgID, updatedRoleNames, subject)
 	if err != nil {
 		return err
 	}
@@ -143,13 +161,16 @@ func (provider *provider) ModifyGrant(ctx context.Context, orgID valuer.UUID, ex
 	return nil
 }
 
-func (provider *provider) Revoke(ctx context.Context, orgID valuer.UUID, name string, subject string) error {
+func (provider *provider) Revoke(ctx context.Context, orgID valuer.UUID, names []string, subject string) error {
+	selectors := make([]authtypes.Selector, len(names))
+	for idx, name := range names {
+		selectors[idx] = authtypes.MustNewSelector(authtypes.TypeRole, name)
+	}
+
 	tuples, err := authtypes.TypeableRole.Tuples(
 		subject,
 		authtypes.RelationAssignee,
-		[]authtypes.Selector{
-			authtypes.MustNewSelector(authtypes.TypeRole, name),
-		},
+		selectors,
 		orgID,
 	)
 	if err != nil {
@@ -178,7 +199,7 @@ func (provider *provider) CreateManagedRoles(ctx context.Context, _ valuer.UUID,
 }
 
 func (provider *provider) CreateManagedUserRoleTransactions(ctx context.Context, orgID valuer.UUID, userID valuer.UUID) error {
-	return provider.Grant(ctx, orgID, roletypes.SigNozAdminRoleName, authtypes.MustNewSubject(authtypes.TypeableUser, userID.String(), orgID, nil))
+	return provider.Grant(ctx, orgID, []string{roletypes.SigNozAdminRoleName}, authtypes.MustNewSubject(authtypes.TypeableUser, userID.String(), orgID, nil))
 }
 
 func (setter *provider) Create(_ context.Context, _ valuer.UUID, _ *roletypes.Role) error {

pkg/authz/openfgaschema/base.fga

@@ -2,9 +2,11 @@ module base
 
 type user
 
+type serviceaccount 
+
 type role 
   relations
-    define assignee: [user]
+    define assignee: [user, serviceaccount]
 
 type organisation 
   relations

pkg/authz/openfgaserver/server.go

@@ -128,9 +128,23 @@ func (server *Server) BatchCheck(ctx context.Context, tupleReq map[string]*openf
 }
 
 func (server *Server) CheckWithTupleCreation(ctx context.Context, claims authtypes.Claims, orgID valuer.UUID, _ authtypes.Relation, _ authtypes.Typeable, _ []authtypes.Selector, roleSelectors []authtypes.Selector) error {
-	subject, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
-	if err != nil {
-		return err
+	subject := ""
+
+	switch claims.Principal {
+	case authtypes.PrincipalUser.String():
+		user, err := authtypes.NewSubject(authtypes.TypeableUser, claims.UserID, orgID, nil)
+		if err != nil {
+			return err
+		}
+
+		subject = user
+	case authtypes.PrincipalServiceAccount.String():
+		serviceAccount, err := authtypes.NewSubject(authtypes.TypeableServiceAccount, claims.UserID, orgID, nil)
+		if err != nil {
+			return err
+		}
+
+		subject = serviceAccount
 	}
 
 	tupleSlice, err := authtypes.TypeableRole.Tuples(subject, authtypes.RelationAssignee, roleSelectors, orgID)

pkg/http/middleware/api_key.go

@@ -1,143 +0,0 @@
-package middleware
-
-import (
-	"context"
-	"log/slog"
-	"net/http"
-	"time"
-
-	"github.com/SigNoz/signoz/pkg/sharder"
-	"github.com/SigNoz/signoz/pkg/sqlstore"
-	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/ctxtypes"
-	"github.com/SigNoz/signoz/pkg/valuer"
-	"golang.org/x/sync/singleflight"
-)
-
-const (
-	apiKeyCrossOrgMessage string = "::API-KEY-CROSS-ORG::"
-)
-
-type APIKey struct {
-	store   sqlstore.SQLStore
-	uuid    *authtypes.UUID
-	headers []string
-	logger  *slog.Logger
-	sharder sharder.Sharder
-	sfGroup *singleflight.Group
-}
-
-func NewAPIKey(store sqlstore.SQLStore, headers []string, logger *slog.Logger, sharder sharder.Sharder) *APIKey {
-	return &APIKey{
-		store:   store,
-		uuid:    authtypes.NewUUID(),
-		headers: headers,
-		logger:  logger,
-		sharder: sharder,
-		sfGroup: &singleflight.Group{},
-	}
-}
-
-func (a *APIKey) Wrap(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		var values []string
-		var apiKeyToken string
-		var apiKey types.StorableAPIKey
-
-		for _, header := range a.headers {
-			values = append(values, r.Header.Get(header))
-		}
-
-		ctx, err := a.uuid.ContextFromRequest(r.Context(), values...)
-		if err != nil {
-			next.ServeHTTP(w, r)
-			return
-		}
-
-		apiKeyToken, ok := authtypes.UUIDFromContext(ctx)
-		if !ok {
-			next.ServeHTTP(w, r)
-			return
-		}
-
-		err = a.
-			store.
-			BunDB().
-			NewSelect().
-			Model(&apiKey).
-			Where("token = ?", apiKeyToken).
-			Scan(r.Context())
-		if err != nil {
-			next.ServeHTTP(w, r)
-			return
-		}
-
-		// allow the APIKey if expires_at is not set
-		if apiKey.ExpiresAt.Before(time.Now()) && !apiKey.ExpiresAt.Equal(types.NEVER_EXPIRES) {
-			next.ServeHTTP(w, r)
-			return
-		}
-
-		// get user from db
-		user := types.User{}
-		err = a.store.BunDB().NewSelect().Model(&user).Where("id = ?", apiKey.UserID).Scan(r.Context())
-		if err != nil {
-			next.ServeHTTP(w, r)
-			return
-		}
-
-		jwt := authtypes.Claims{
-			UserID: user.ID.String(),
-			Role:   apiKey.Role,
-			Email:  user.Email.String(),
-			OrgID:  user.OrgID.String(),
-		}
-
-		ctx = authtypes.NewContextWithClaims(ctx, jwt)
-
-		claims, err := authtypes.ClaimsFromContext(ctx)
-		if err != nil {
-			next.ServeHTTP(w, r)
-			return
-		}
-
-		if err := a.sharder.IsMyOwnedKey(r.Context(), types.NewOrganizationKey(valuer.MustNewUUID(claims.OrgID))); err != nil {
-			a.logger.ErrorContext(r.Context(), apiKeyCrossOrgMessage, "claims", claims, "error", err)
-			next.ServeHTTP(w, r)
-			return
-		}
-
-		ctx = ctxtypes.SetAuthType(ctx, ctxtypes.AuthTypeAPIKey)
-
-		comment := ctxtypes.CommentFromContext(ctx)
-		comment.Set("auth_type", ctxtypes.AuthTypeAPIKey.StringValue())
-		comment.Set("user_id", claims.UserID)
-		comment.Set("org_id", claims.OrgID)
-
-		r = r.WithContext(ctxtypes.NewContextWithComment(ctx, comment))
-
-		next.ServeHTTP(w, r)
-
-		lastUsedCtx := context.WithoutCancel(r.Context())
-		_, _, _ = a.sfGroup.Do(apiKey.ID.StringValue(), func() (any, error) {
-			apiKey.LastUsed = time.Now()
-			_, err = a.
-				store.
-				BunDB().
-				NewUpdate().
-				Model(&apiKey).
-				Column("last_used").
-				Where("token = ?", apiKeyToken).
-				Where("revoked = false").
-				Exec(lastUsedCtx)
-			if err != nil {
-				a.logger.ErrorContext(lastUsedCtx, "failed to update last used of api key", "error", err)
-			}
-
-			return true, nil
-		})
-
-	})
-
-}

pkg/http/middleware/service_account.go

@@ -0,0 +1,141 @@
+package middleware
+
+import (
+	"context"
+	"log/slog"
+	"net/http"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/modules/serviceaccount"
+	"github.com/SigNoz/signoz/pkg/sharder"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/SigNoz/signoz/pkg/types/ctxtypes"
+	"github.com/SigNoz/signoz/pkg/valuer"
+	"golang.org/x/sync/singleflight"
+)
+
+const (
+	serviceAccountCrossOrgMessage string = "::SERVICE-ACCOUNT-CROSS-ORG::"
+)
+
+type ServiceAccount struct {
+	store          sqlstore.SQLStore
+	headers        []string
+	logger         *slog.Logger
+	sharder        sharder.Sharder
+	serviceAccount serviceaccount.Module
+	sfGroup        *singleflight.Group
+}
+
+func NewServiceAccount(store sqlstore.SQLStore, headers []string, logger *slog.Logger, sharder sharder.Sharder) *ServiceAccount {
+	return &ServiceAccount{
+		store:   store,
+		headers: headers,
+		logger:  logger,
+		sharder: sharder,
+		sfGroup: &singleflight.Group{},
+	}
+}
+
+func (a *ServiceAccount) Wrap(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		var values []string
+
+		for _, header := range a.headers {
+			values = append(values, r.Header.Get(header))
+		}
+
+		ctx, err := a.contextFromRequest(r.Context(), values...)
+		if err != nil {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		r = r.WithContext(ctx)
+
+		claims, err := authtypes.ClaimsFromContext(ctx)
+		if err != nil {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		if err := a.sharder.IsMyOwnedKey(r.Context(), types.NewOrganizationKey(valuer.MustNewUUID(claims.OrgID))); err != nil {
+			a.logger.ErrorContext(r.Context(), serviceAccountCrossOrgMessage, "claims", claims, "error", err)
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		ctx = ctxtypes.SetAuthType(ctx, ctxtypes.AuthTypeAPIKey)
+
+		comment := ctxtypes.CommentFromContext(ctx)
+		comment.Set("auth_type", ctxtypes.AuthTypeAPIKey.StringValue())
+		comment.Set("user_id", claims.UserID)
+		comment.Set("org_id", claims.OrgID)
+
+		r = r.WithContext(ctxtypes.NewContextWithComment(ctx, comment))
+
+		next.ServeHTTP(w, r)
+
+		key, err := authtypes.ServiceAccountKeyFromContext(r.Context())
+		if err != nil {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		lastObservedAtCtx := context.WithoutCancel(r.Context())
+		_, _, _ = a.sfGroup.Do(key, func() (any, error) {
+			if err := a.serviceAccount.SetLastObservedAt(lastObservedAtCtx, key, time.Now()); err != nil {
+				a.logger.ErrorContext(lastObservedAtCtx, "failed to set last observed at", "error", err)
+				return false, err
+			}
+
+			return true, nil
+		})
+
+	})
+
+}
+
+func (a *ServiceAccount) contextFromRequest(ctx context.Context, values ...string) (context.Context, error) {
+	ctx, err := a.contextFromServiceAccountKey(ctx, values...)
+	if err != nil {
+		return ctx, err
+	}
+
+	key, err := authtypes.ServiceAccountKeyFromContext(ctx)
+	if err != nil {
+		return ctx, err
+	}
+
+	serviceAccount, err := a.serviceAccount.GetByKey(ctx, key)
+	if err != nil {
+		return ctx, err
+	}
+
+	if serviceAccount.ExpiresAt != 0 {
+		if time.Since(time.Now().AddDate(0, 0, int(serviceAccount.ExpiresAt))) < 0 {
+			return nil, errors.New(errors.TypeUnauthenticated, errors.CodeUnauthenticated, "the token has been expired!")
+		}
+	}
+
+	return authtypes.NewContextWithClaims(ctx, serviceAccount.ToClaims()), nil
+}
+
+func (a *ServiceAccount) contextFromServiceAccountKey(ctx context.Context, values ...string) (context.Context, error) {
+	var value string
+	for _, v := range values {
+		if v != "" {
+			value = v
+			break
+		}
+	}
+
+	if value == "" {
+		return ctx, errors.New(errors.TypeUnauthenticated, errors.CodeUnauthenticated, "missing authorization header")
+	}
+
+	return authtypes.NewContextWithServiceAccountKey(ctx, value), nil
+}

pkg/modules/savedview/implsavedview/module.go

@@ -12,7 +12,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/savedviewtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 )
 
@@ -25,7 +24,7 @@ func NewModule(sqlstore sqlstore.SQLStore) savedview.Module {
 }
 
 func (module *module) GetViewsForFilters(ctx context.Context, orgID string, sourcePage string, name string, category string) ([]*v3.SavedView, error) {
-	var views []savedviewtypes.SavedView
+	var views []types.SavedView
 	var err error
 	if len(category) == 0 {
 		err = module.sqlstore.BunDB().NewSelect().Model(&views).Where("org_id = ? AND source_page = ? AND name LIKE ?", orgID, sourcePage, "%"+name+"%").Scan(ctx)
@@ -77,7 +76,7 @@ func (module *module) CreateView(ctx context.Context, orgID string, view v3.Save
 	createBy := claims.Email
 	updatedBy := claims.Email
 
-	dbView := savedviewtypes.SavedView{
+	dbView := types.SavedView{
 		TimeAuditable: types.TimeAuditable{
 			CreatedAt: createdAt,
 			UpdatedAt: updatedAt,
@@ -106,7 +105,7 @@ func (module *module) CreateView(ctx context.Context, orgID string, view v3.Save
 }
 
 func (module *module) GetView(ctx context.Context, orgID string, uuid valuer.UUID) (*v3.SavedView, error) {
-	var view savedviewtypes.SavedView
+	var view types.SavedView
 	err := module.sqlstore.BunDB().NewSelect().Model(&view).Where("org_id = ? AND id = ?", orgID, uuid.StringValue()).Scan(ctx)
 	if err != nil {
 		return nil, errors.WrapInternalf(err, errors.CodeInternal, "error in getting saved view")
@@ -147,7 +146,7 @@ func (module *module) UpdateView(ctx context.Context, orgID string, uuid valuer.
 	updatedBy := claims.Email
 
 	_, err = module.sqlstore.BunDB().NewUpdate().
-		Model(&savedviewtypes.SavedView{}).
+		Model(&types.SavedView{}).
 		Set("updated_at = ?, updated_by = ?, name = ?, category = ?, source_page = ?, tags = ?, data = ?, extra_data = ?",
 			updatedAt, updatedBy, view.Name, view.Category, view.SourcePage, strings.Join(view.Tags, ","), data, view.ExtraData).
 		Where("id = ?", uuid.StringValue()).
@@ -161,7 +160,7 @@ func (module *module) UpdateView(ctx context.Context, orgID string, uuid valuer.
 
 func (module *module) DeleteView(ctx context.Context, orgID string, uuid valuer.UUID) error {
 	_, err := module.sqlstore.BunDB().NewDelete().
-		Model(&savedviewtypes.SavedView{}).
+		Model(&types.SavedView{}).
 		Where("id = ?", uuid.StringValue()).
 		Where("org_id = ?", orgID).
 		Exec(ctx)
@@ -172,7 +171,7 @@ func (module *module) DeleteView(ctx context.Context, orgID string, uuid valuer.
 }
 
 func (module *module) Collect(ctx context.Context, orgID valuer.UUID) (map[string]any, error) {
-	savedViews := []*savedviewtypes.SavedView{}
+	savedViews := []*types.SavedView{}
 
 	err := module.
 		sqlstore.
@@ -185,5 +184,5 @@ func (module *module) Collect(ctx context.Context, orgID valuer.UUID) (map[strin
 		return nil, err
 	}
 
-	return savedviewtypes.NewStatsFromSavedViews(savedViews), nil
+	return types.NewStatsFromSavedViews(savedViews), nil
 }

pkg/modules/serviceaccount/implserviceaccount/handler.go

@@ -0,0 +1,335 @@
+package implserviceaccount
+
+import (
+	"net/http"
+
+	"github.com/SigNoz/signoz/pkg/http/binding"
+	"github.com/SigNoz/signoz/pkg/http/render"
+	"github.com/SigNoz/signoz/pkg/modules/serviceaccount"
+	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"
+	"github.com/SigNoz/signoz/pkg/valuer"
+	"github.com/gorilla/mux"
+)
+
+type handler struct {
+	module serviceaccount.Module
+}
+
+func NewHandler(module serviceaccount.Module) serviceaccount.Handler {
+	return &handler{module: module}
+}
+
+func (handler *handler) Create(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	req := new(serviceaccounttypes.PostableServiceAccount)
+	if err := binding.JSON.BindBody(r.Body, req); err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	serviceAccount := serviceaccounttypes.NewServiceAccount(req.Name, req.Email, req.Roles, serviceaccounttypes.StatusActive, valuer.MustNewUUID(claims.OrgID))
+	err = handler.module.Create(ctx, valuer.MustNewUUID(claims.OrgID), serviceAccount)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	render.Success(rw, http.StatusCreated, types.Identifiable{ID: serviceAccount.ID})
+}
+
+func (handler *handler) Get(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	id, err := valuer.NewUUID(mux.Vars(r)["id"])
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	serviceAccount, err := handler.module.Get(ctx, valuer.MustNewUUID(claims.OrgID), id)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	render.Success(rw, http.StatusOK, serviceAccount)
+}
+
+func (handler *handler) List(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	serviceAccounts, err := handler.module.List(ctx, valuer.MustNewUUID(claims.OrgID))
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	render.Success(rw, http.StatusOK, serviceAccounts)
+}
+
+func (handler *handler) Update(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	id, err := valuer.NewUUID(mux.Vars(r)["id"])
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	req := new(serviceaccounttypes.UpdatableServiceAccount)
+	if err := binding.JSON.BindBody(r.Body, req); err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	serviceAccount, err := handler.module.Get(ctx, valuer.MustNewUUID(claims.OrgID), id)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	serviceAccount.Update(req.Name, req.Email, req.Roles)
+	err = handler.module.Update(ctx, valuer.MustNewUUID(claims.OrgID), serviceAccount)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	render.Success(rw, http.StatusNoContent, nil)
+}
+
+func (handler *handler) UpdateStatus(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	id, err := valuer.NewUUID(mux.Vars(r)["id"])
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	req := new(serviceaccounttypes.UpdatableServiceAccountStatus)
+	if err := binding.JSON.BindBody(r.Body, req); err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	serviceAccount, err := handler.module.Get(ctx, valuer.MustNewUUID(claims.OrgID), id)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	serviceAccount.UpdateStatus(req.Status)
+	err = handler.module.UpdateStatus(ctx, valuer.MustNewUUID(claims.OrgID), serviceAccount)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	render.Success(rw, http.StatusNoContent, nil)
+}
+
+func (handler *handler) Delete(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	id, err := valuer.NewUUID(mux.Vars(r)["id"])
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	err = handler.module.Delete(ctx, valuer.MustNewUUID(claims.OrgID), id)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	render.Success(rw, http.StatusNoContent, nil)
+}
+
+func (handler *handler) CreateFactorAPIKey(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	id, err := valuer.NewUUID(mux.Vars(r)["id"])
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	req := new(serviceaccounttypes.PostableFactorAPIKey)
+	if err := binding.JSON.BindBody(r.Body, req); err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	// this takes care of checking the existence of service account and the org constraint.
+	serviceAccount, err := handler.module.GetWithoutRoles(ctx, valuer.MustNewUUID(claims.OrgID), id)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	factorAPIKey, err := serviceAccount.NewFactorAPIKey(req.Name, req.ExpiresAt)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	err = handler.module.CreateFactorAPIKey(ctx, factorAPIKey)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	render.Success(rw, http.StatusCreated, types.Identifiable{ID: factorAPIKey.ID})
+}
+
+func (handler *handler) ListFactorAPIKey(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	id, err := valuer.NewUUID(mux.Vars(r)["id"])
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	serviceAccount, err := handler.module.GetWithoutRoles(ctx, valuer.MustNewUUID(claims.OrgID), id)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	factorAPIKeys, err := handler.module.ListFactorAPIKey(ctx, serviceAccount.ID)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	render.Success(rw, http.StatusOK, serviceaccounttypes.NewGettableFactorAPIKeys(factorAPIKeys))
+}
+
+func (handler *handler) UpdateFactorAPIKey(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	id, err := valuer.NewUUID(mux.Vars(r)["id"])
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	factorAPIKeyID, err := valuer.NewUUID(mux.Vars(r)["fid"])
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	req := new(serviceaccounttypes.UpdatableFactorAPIKey)
+	if err := binding.JSON.BindBody(r.Body, req); err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	serviceAccount, err := handler.module.GetWithoutRoles(ctx, valuer.MustNewUUID(claims.OrgID), id)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	factorAPIKey, err := handler.module.GetFactorAPIKey(ctx, serviceAccount.ID, factorAPIKeyID)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	factorAPIKey.Update(req.Name, req.ExpiresAt)
+	err = handler.module.UpdateFactorAPIKey(ctx, serviceAccount.ID, factorAPIKey)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	render.Success(rw, http.StatusNoContent, nil)
+}
+
+func (handler *handler) RevokeFactorAPIKey(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	id, err := valuer.NewUUID(mux.Vars(r)["id"])
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	factorAPIKeyID, err := valuer.NewUUID(mux.Vars(r)["fid"])
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	serviceAccount, err := handler.module.GetWithoutRoles(ctx, valuer.MustNewUUID(claims.OrgID), id)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	err = handler.module.RevokeFactorAPIKey(ctx, serviceAccount.ID, factorAPIKeyID)
+	if err != nil {
+		render.Error(rw, err)
+		return
+	}
+
+	render.Success(rw, http.StatusNoContent, nil)
+}

pkg/modules/serviceaccount/implserviceaccount/module.go

@@ -0,0 +1,383 @@
+package implserviceaccount
+
+import (
+	"context"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/authz"
+	"github.com/SigNoz/signoz/pkg/emailing"
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/modules/serviceaccount"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/SigNoz/signoz/pkg/types/emailtypes"
+	"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"
+	"github.com/SigNoz/signoz/pkg/valuer"
+)
+
+type module struct {
+	store    serviceaccounttypes.Store
+	authz    authz.AuthZ
+	emailing emailing.Emailing
+	settings factory.ScopedProviderSettings
+}
+
+func NewModule(store serviceaccounttypes.Store, authz authz.AuthZ, emailing emailing.Emailing, providerSettings factory.ProviderSettings) serviceaccount.Module {
+	settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/modules/serviceaccount/implserviceaccount")
+	return &module{store: store, authz: authz, emailing: emailing, settings: settings}
+}
+
+func (module *module) Create(ctx context.Context, orgID valuer.UUID, serviceAccount *serviceaccounttypes.ServiceAccount) error {
+	// validates the presence of all roles passed in the create request
+	roles, err := module.authz.ListByOrgIDAndNames(ctx, orgID, serviceAccount.Roles)
+	if err != nil {
+		return err
+	}
+
+	// authz actions cannot run in sql transactions
+	err = module.authz.Grant(ctx, orgID, serviceAccount.Roles, authtypes.MustNewSubject(authtypes.TypeableServiceAccount, serviceAccount.ID.String(), orgID, nil))
+	if err != nil {
+		return err
+	}
+
+	storableServiceAccount := serviceaccounttypes.NewStorableServiceAccount(serviceAccount)
+	storableServiceAccountRoles := serviceaccounttypes.NewStorableServiceAccountRoles(serviceAccount.ID, roles)
+	err = module.store.RunInTx(ctx, func(ctx context.Context) error {
+		err := module.store.Create(ctx, storableServiceAccount)
+		if err != nil {
+			return err
+		}
+
+		err = module.store.CreateServiceAccountRoles(ctx, storableServiceAccountRoles)
+		if err != nil {
+			return err
+		}
+
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (module *module) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*serviceaccounttypes.ServiceAccount, error) {
+	storableServiceAccount, err := module.store.Get(ctx, orgID, id)
+	if err != nil {
+		return nil, err
+	}
+
+	// did the orchestration on application layer instead of DB as the ORM also does it anyways for many to many tables.
+	storableServiceAccountRoles, err := module.store.GetServiceAccountRoles(ctx, id)
+	if err != nil {
+		return nil, err
+	}
+
+	roleIDs := make([]valuer.UUID, len(storableServiceAccountRoles))
+	for idx, sar := range storableServiceAccountRoles {
+		roleIDs[idx] = valuer.MustNewUUID(sar.RoleID)
+	}
+
+	roles, err := module.authz.ListByOrgIDAndIDs(ctx, orgID, roleIDs)
+	if err != nil {
+		return nil, err
+	}
+
+	rolesNames, err := serviceaccounttypes.NewRolesFromStorableServiceAccountRoles(storableServiceAccountRoles, roles)
+	if err != nil {
+		return nil, err
+	}
+
+	serviceAccount := serviceaccounttypes.NewServiceAccountFromStorables(storableServiceAccount, rolesNames)
+	return serviceAccount, nil
+}
+
+func (module *module) GetWithoutRoles(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*serviceaccounttypes.ServiceAccount, error) {
+	storableServiceAccount, err := module.store.Get(ctx, orgID, id)
+	if err != nil {
+		return nil, err
+	}
+
+	// passing []string{} (not nil to prevent panics) roles as the function isn't supposed to put roles.
+	serviceAccount := serviceaccounttypes.NewServiceAccountFromStorables(storableServiceAccount, []string{})
+	return serviceAccount, nil
+}
+
+func (module *module) List(ctx context.Context, orgID valuer.UUID) ([]*serviceaccounttypes.ServiceAccount, error) {
+	storableServiceAccounts, err := module.store.List(ctx, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	storableServiceAccountRoles, err := module.store.ListServiceAccountRolesByOrgID(ctx, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	// convert the service account roles to structured data
+	saIDToRoleIDs, roleIDs := serviceaccounttypes.GetUniqueRolesAndServiceAccountMapping(storableServiceAccountRoles)
+	roles, err := module.authz.ListByOrgIDAndIDs(ctx, orgID, roleIDs)
+	if err != nil {
+		return nil, err
+	}
+
+	// fill in the role fetched data back to service account
+	serviceAccounts := serviceaccounttypes.NewServiceAccountsFromRoles(storableServiceAccounts, roles, saIDToRoleIDs)
+	return serviceAccounts, nil
+}
+
+func (module *module) GetByKey(ctx context.Context, key string) (*serviceaccounttypes.ServiceAccountWithKey, error) {
+	storableFactorAPIKey, err := module.store.GetFactorAPIKeyByKey(ctx, key)
+	if err != nil {
+		return nil, err
+	}
+
+	storableServiceAccount, err := module.store.GetByID(ctx, valuer.MustNewUUID(storableFactorAPIKey.ServiceAccountID))
+	if err != nil {
+		return nil, err
+	}
+
+	return serviceaccounttypes.NewServiceAccountWithKey(storableServiceAccount, storableFactorAPIKey), nil
+}
+
+func (module *module) Update(ctx context.Context, orgID valuer.UUID, input *serviceaccounttypes.ServiceAccount) error {
+	serviceAccount, err := module.Get(ctx, orgID, input.ID)
+	if err != nil {
+		return err
+	}
+
+	roles, err := module.authz.ListByOrgIDAndNames(ctx, orgID, input.Roles)
+	if err != nil {
+		return err
+	}
+
+	// gets the role diff if any to modify grants.
+	grants, revokes := serviceAccount.PatchRoles(input)
+	err = module.authz.ModifyGrant(ctx, orgID, revokes, grants, authtypes.MustNewSubject(authtypes.TypeableServiceAccount, serviceAccount.ID.String(), orgID, nil))
+	if err != nil {
+		return err
+	}
+
+	storableServiceAccountRoles := serviceaccounttypes.NewStorableServiceAccountRoles(serviceAccount.ID, roles)
+	err = module.store.RunInTx(ctx, func(ctx context.Context) error {
+		err := module.store.Update(ctx, orgID, serviceaccounttypes.NewStorableServiceAccount(input))
+		if err != nil {
+			return err
+		}
+
+		// delete all the service account roles and create new rather than diff here.
+		err = module.store.DeleteServiceAccountRoles(ctx, input.ID)
+		if err != nil {
+			return err
+		}
+
+		err = module.store.CreateServiceAccountRoles(ctx, storableServiceAccountRoles)
+		if err != nil {
+			return err
+		}
+
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (module *module) UpdateStatus(ctx context.Context, orgID valuer.UUID, input *serviceaccounttypes.ServiceAccount) error {
+	serviceAccount, err := module.Get(ctx, orgID, input.ID)
+	if err != nil {
+		return err
+	}
+
+	if input.Status == serviceAccount.Status {
+		return nil
+	}
+
+	switch input.Status {
+	case serviceaccounttypes.StatusActive:
+		err := module.activateServiceAccount(ctx, orgID, input)
+		if err != nil {
+			return err
+		}
+	case serviceaccounttypes.StatusDisabled:
+		err := module.disableServiceAccount(ctx, orgID, input)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (module *module) Delete(ctx context.Context, orgID valuer.UUID, id valuer.UUID) error {
+	serviceAccount, err := module.Get(ctx, orgID, id)
+	if err != nil {
+		return err
+	}
+
+	// revoke from authz first as this cannot run in sql transaction
+	err = module.authz.Revoke(ctx, orgID, serviceAccount.Roles, authtypes.MustNewSubject(authtypes.TypeableServiceAccount, serviceAccount.ID.String(), orgID, nil))
+	if err != nil {
+		return err
+	}
+
+	err = module.store.RunInTx(ctx, func(ctx context.Context) error {
+		err := module.store.DeleteServiceAccountRoles(ctx, serviceAccount.ID)
+		if err != nil {
+			return err
+		}
+
+		err = module.store.RevokeAllFactorAPIKeys(ctx, serviceAccount.ID)
+		if err != nil {
+			return err
+		}
+
+		err = module.store.Delete(ctx, serviceAccount.OrgID, serviceAccount.ID)
+		if err != nil {
+			return err
+		}
+
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (module *module) CreateFactorAPIKey(ctx context.Context, factorAPIKey *serviceaccounttypes.FactorAPIKey) error {
+	storableFactorAPIKey := serviceaccounttypes.NewStorableFactorAPIKey(factorAPIKey)
+
+	err := module.store.CreateFactorAPIKey(ctx, storableFactorAPIKey)
+	if err != nil {
+		return err
+	}
+
+	serviceAccount, err := module.store.GetByID(ctx, factorAPIKey.ServiceAccountID)
+	if err != nil {
+		return err
+	}
+
+	if err := module.emailing.SendHTML(ctx, serviceAccount.Email, "New API Key created for your SigNoz account", emailtypes.TemplateNameAPIKeyEvent, map[string]any{
+		"Name":         serviceAccount.Name,
+		"KeyName":      factorAPIKey.Name,
+		"KeyID":        factorAPIKey.ID.String(),
+		"KeyCreatedAt": factorAPIKey.CreatedAt.String(),
+	}); err != nil {
+		module.settings.Logger().ErrorContext(ctx, "failed to send email", "error", err)
+	}
+
+	return nil
+}
+
+func (module *module) GetFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID, id valuer.UUID) (*serviceaccounttypes.FactorAPIKey, error) {
+	storableFactorAPIKey, err := module.store.GetFactorAPIKey(ctx, serviceAccountID, id)
+	if err != nil {
+		return nil, err
+	}
+
+	return serviceaccounttypes.NewFactorAPIKeyFromStorable(storableFactorAPIKey), nil
+}
+
+func (module *module) ListFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID) ([]*serviceaccounttypes.FactorAPIKey, error) {
+	storables, err := module.store.ListFactorAPIKey(ctx, serviceAccountID)
+	if err != nil {
+		return nil, err
+	}
+
+	return serviceaccounttypes.NewFactorAPIKeyFromStorables(storables), nil
+}
+
+func (module *module) UpdateFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID, factorAPIKey *serviceaccounttypes.FactorAPIKey) error {
+	return module.store.UpdateFactorAPIKey(ctx, serviceAccountID, serviceaccounttypes.NewStorableFactorAPIKey(factorAPIKey))
+}
+
+func (module *module) SetLastObservedAt(ctx context.Context, key string, time time.Time) error {
+	storable, err := module.store.GetFactorAPIKeyByKey(ctx, key)
+	if err != nil {
+		return err
+	}
+
+	factorAPIKey := serviceaccounttypes.NewFactorAPIKeyFromStorable(storable)
+	factorAPIKey.SetLastObservedAt(time)
+
+	err = module.store.UpdateFactorAPIKey(ctx, factorAPIKey.ServiceAccountID, serviceaccounttypes.NewStorableFactorAPIKey(factorAPIKey))
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (module *module) RevokeFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID, id valuer.UUID) error {
+	factorAPIKey, err := module.GetFactorAPIKey(ctx, serviceAccountID, id)
+	if err != nil {
+		return err
+	}
+
+	err = module.store.RevokeFactorAPIKey(ctx, serviceAccountID, id)
+	if err != nil {
+		return err
+	}
+
+	serviceAccount, err := module.store.GetByID(ctx, serviceAccountID)
+	if err != nil {
+		return err
+	}
+
+	if err := module.emailing.SendHTML(ctx, serviceAccount.Email, "API Key revoked for your SigNoz account", emailtypes.TemplateNameAPIKeyEvent, map[string]any{
+		"Name":         serviceAccount.Name,
+		"KeyName":      factorAPIKey.Name,
+		"KeyID":        factorAPIKey.ID.String(),
+		"KeyCreatedAt": factorAPIKey.CreatedAt.String(),
+	}); err != nil {
+		module.settings.Logger().ErrorContext(ctx, "failed to send email", "error", err)
+	}
+
+	return nil
+}
+
+func (module *module) disableServiceAccount(ctx context.Context, orgID valuer.UUID, input *serviceaccounttypes.ServiceAccount) error {
+	err := module.authz.Revoke(ctx, orgID, input.Roles, authtypes.MustNewSubject(authtypes.TypeableServiceAccount, input.ID.String(), orgID, nil))
+	if err != nil {
+		return err
+	}
+
+	err = module.store.RunInTx(ctx, func(ctx context.Context) error {
+		// revoke all the API keys on disable
+		err := module.store.RevokeAllFactorAPIKeys(ctx, input.ID)
+		if err != nil {
+			return err
+		}
+
+		// update the status but do not delete the role mappings as we will reuse them on activation.
+		err = module.Update(ctx, orgID, input)
+		if err != nil {
+			return err
+		}
+
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (module *module) activateServiceAccount(ctx context.Context, orgID valuer.UUID, input *serviceaccounttypes.ServiceAccount) error {
+	err := module.authz.Grant(ctx, orgID, input.Roles, authtypes.MustNewSubject(authtypes.TypeableServiceAccount, input.ID.String(), orgID, nil))
+	if err != nil {
+		return err
+	}
+
+	err = module.Update(ctx, orgID, input)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

pkg/modules/serviceaccount/implserviceaccount/store.go

@@ -0,0 +1,299 @@
+package implserviceaccount
+
+import (
+	"context"
+
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"
+	"github.com/SigNoz/signoz/pkg/valuer"
+)
+
+type store struct {
+	sqlstore sqlstore.SQLStore
+}
+
+func NewStore(sqlstore sqlstore.SQLStore) serviceaccounttypes.Store {
+	return &store{sqlstore: sqlstore}
+}
+
+func (store *store) Create(ctx context.Context, storable *serviceaccounttypes.StorableServiceAccount) error {
+	_, err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewInsert().
+		Model(storable).
+		Exec(ctx)
+	if err != nil {
+		return store.sqlstore.WrapAlreadyExistsErrf(err, serviceaccounttypes.ErrCodeServiceAccountAlreadyExists, "service account with id: %s already exists", storable.ID)
+	}
+
+	return nil
+}
+
+func (store *store) Get(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*serviceaccounttypes.StorableServiceAccount, error) {
+	storable := new(serviceaccounttypes.StorableServiceAccount)
+
+	err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(storable).
+		Where("id = ?", id).
+		Where("org_id = ?", orgID).
+		Scan(ctx)
+	if err != nil {
+		return nil, store.sqlstore.WrapNotFoundErrf(err, serviceaccounttypes.ErrCodeServiceAccountNotFound, "service account with id: %s doesn't exist in org: %s", id, orgID)
+	}
+
+	return storable, nil
+}
+
+func (store *store) GetByID(ctx context.Context, id valuer.UUID) (*serviceaccounttypes.StorableServiceAccount, error) {
+	storable := new(serviceaccounttypes.StorableServiceAccount)
+
+	err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(storable).
+		Where("id = ?", id).
+		Scan(ctx)
+	if err != nil {
+		return nil, store.sqlstore.WrapNotFoundErrf(err, serviceaccounttypes.ErrCodeServiceAccountNotFound, "service account with id: %s doesn't exist", id)
+	}
+
+	return storable, nil
+}
+
+func (store *store) List(ctx context.Context, orgID valuer.UUID) ([]*serviceaccounttypes.StorableServiceAccount, error) {
+	storables := make([]*serviceaccounttypes.StorableServiceAccount, 0)
+
+	err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(&storables).
+		Where("org_id = ?", orgID).
+		Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return storables, nil
+}
+
+func (store *store) Update(ctx context.Context, orgID valuer.UUID, storable *serviceaccounttypes.StorableServiceAccount) error {
+	_, err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewUpdate().
+		Model(storable).
+		WherePK().
+		Where("org_id = ?", orgID).
+		Exec(ctx)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (store *store) Delete(ctx context.Context, orgID valuer.UUID, id valuer.UUID) error {
+	_, err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewDelete().
+		Model(new(serviceaccounttypes.StorableServiceAccount)).
+		Where("id = ?", id).
+		Where("org_id = ?", orgID).
+		Exec(ctx)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (store *store) CreateServiceAccountRoles(ctx context.Context, storables []*serviceaccounttypes.StorableServiceAccountRole) error {
+	_, err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewInsert().
+		Model(&storables).
+		Exec(ctx)
+	if err != nil {
+		return store.sqlstore.WrapAlreadyExistsErrf(err, serviceaccounttypes.ErrCodeServiceAccountRoleAlreadyExists, "duplicate role assignments for service account")
+	}
+
+	return nil
+}
+
+func (store *store) GetServiceAccountRoles(ctx context.Context, id valuer.UUID) ([]*serviceaccounttypes.StorableServiceAccountRole, error) {
+	storables := make([]*serviceaccounttypes.StorableServiceAccountRole, 0)
+
+	err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(&storables).
+		Where("service_account_id = ?", id).
+		Scan(ctx)
+	if err != nil {
+		// no need to wrap not found here as this is many to many table
+		return nil, err
+	}
+
+	return storables, nil
+}
+
+func (store *store) ListServiceAccountRolesByOrgID(ctx context.Context, orgID valuer.UUID) ([]*serviceaccounttypes.StorableServiceAccountRole, error) {
+	storables := make([]*serviceaccounttypes.StorableServiceAccountRole, 0)
+
+	err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(&storables).
+		Join("JOIN service_account").
+		JoinOn("service_account.id = service_account_role.service_account_id").
+		Where("service_account.org_id = ?", orgID).
+		Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return storables, nil
+}
+
+func (store *store) DeleteServiceAccountRoles(ctx context.Context, id valuer.UUID) error {
+	_, err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewDelete().
+		Model(new(serviceaccounttypes.StorableServiceAccountRole)).
+		Where("service_account_id = ?", id).
+		Exec(ctx)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (store *store) CreateFactorAPIKey(ctx context.Context, storable *serviceaccounttypes.StorableFactorAPIKey) error {
+	_, err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewInsert().
+		Model(storable).
+		Exec(ctx)
+	if err != nil {
+		return store.sqlstore.WrapAlreadyExistsErrf(err, serviceaccounttypes.ErrCodeServiceAccountFactorAPIKeyAlreadyExists, "api key with name: %s already exists for service account: %s", storable.Name, storable.ServiceAccountID)
+	}
+
+	return nil
+}
+
+func (store *store) GetFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID, id valuer.UUID) (*serviceaccounttypes.StorableFactorAPIKey, error) {
+	storable := new(serviceaccounttypes.StorableFactorAPIKey)
+
+	err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(storable).
+		Where("id = ?", id).
+		Where("service_account_id = ?", serviceAccountID).
+		Scan(ctx)
+	if err != nil {
+		return nil, store.sqlstore.WrapNotFoundErrf(err, serviceaccounttypes.ErrCodeServiceAccounFactorAPIKeytNotFound, "api key with id: %s doesn't exist for service account: %s", id, serviceAccountID)
+	}
+
+	return storable, nil
+}
+
+func (store *store) GetFactorAPIKeyByKey(ctx context.Context, key string) (*serviceaccounttypes.StorableFactorAPIKey, error) {
+	storable := new(serviceaccounttypes.StorableFactorAPIKey)
+
+	err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(storable).
+		Where("key = ?", key).
+		Scan(ctx)
+	if err != nil {
+		return nil, store.sqlstore.WrapNotFoundErrf(err, serviceaccounttypes.ErrCodeServiceAccounFactorAPIKeytNotFound, "api key with key: %s doesn't exist", key)
+	}
+
+	return storable, nil
+}
+
+func (store *store) ListFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID) ([]*serviceaccounttypes.StorableFactorAPIKey, error) {
+	storables := make([]*serviceaccounttypes.StorableFactorAPIKey, 0)
+
+	err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewSelect().
+		Model(&storables).
+		Where("service_account_id = ?", serviceAccountID).
+		Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return storables, nil
+}
+
+func (store *store) UpdateFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID, storable *serviceaccounttypes.StorableFactorAPIKey) error {
+	_, err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewUpdate().
+		Model(storable).
+		Where("service_account_id = ?", serviceAccountID).
+		Exec(ctx)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (store *store) RevokeFactorAPIKey(ctx context.Context, serviceAccountID valuer.UUID, id valuer.UUID) error {
+	_, err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewDelete().
+		Model(new(serviceaccounttypes.StorableFactorAPIKey)).
+		Where("service_account_id = ?", serviceAccountID).
+		Where("id = ?", id).
+		Exec(ctx)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (store *store) RevokeAllFactorAPIKeys(ctx context.Context, serviceAccountID valuer.UUID) error {
+	_, err := store.
+		sqlstore.
+		BunDBCtx(ctx).
+		NewDelete().
+		Model(new(serviceaccounttypes.StorableFactorAPIKey)).
+		Where("service_account_id = ?", serviceAccountID).
+		Exec(ctx)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (store *store) RunInTx(ctx context.Context, cb func(context.Context) error) error {
+	return store.sqlstore.RunInTxCtx(ctx, nil, func(ctx context.Context) error {
+		return cb(ctx)
+	})
+}

pkg/modules/serviceaccount/serviceaccount.go

@@ -0,0 +1,76 @@
+package serviceaccount
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"
+	"github.com/SigNoz/signoz/pkg/valuer"
+)
+
+type Module interface {
+	// Creates a new service account for an organization.
+	Create(context.Context, valuer.UUID, *serviceaccounttypes.ServiceAccount) error
+
+	// Gets a service account by id.
+	Get(context.Context, valuer.UUID, valuer.UUID) (*serviceaccounttypes.ServiceAccount, error)
+
+	// Gets a service account by id without fetching roles.
+	GetWithoutRoles(context.Context, valuer.UUID, valuer.UUID) (*serviceaccounttypes.ServiceAccount, error)
+
+	// Gets a service account by factor API key
+	GetByKey(context.Context, string) (*serviceaccounttypes.ServiceAccountWithKey, error)
+
+	// List all service accounts for an organization.
+	List(context.Context, valuer.UUID) ([]*serviceaccounttypes.ServiceAccount, error)
+
+	// Updates an existing service account
+	Update(context.Context, valuer.UUID, *serviceaccounttypes.ServiceAccount) error
+
+	// Updates an existing service account status
+	UpdateStatus(context.Context, valuer.UUID, *serviceaccounttypes.ServiceAccount) error
+
+	// Deletes an existing service account by id
+	Delete(context.Context, valuer.UUID, valuer.UUID) error
+
+	// Creates a new API key for a service account
+	CreateFactorAPIKey(context.Context, *serviceaccounttypes.FactorAPIKey) error
+
+	// Gets a factor API key by service account id and key id
+	GetFactorAPIKey(context.Context, valuer.UUID, valuer.UUID) (*serviceaccounttypes.FactorAPIKey, error)
+
+	// Lists all the API keys for a service account
+	ListFactorAPIKey(context.Context, valuer.UUID) ([]*serviceaccounttypes.FactorAPIKey, error)
+
+	// Sets the last observed at for the key
+	SetLastObservedAt(context.Context, string, time.Time) error
+
+	// Updates an existing API key for a service account
+	UpdateFactorAPIKey(context.Context, valuer.UUID, *serviceaccounttypes.FactorAPIKey) error
+
+	// Revokes an existing API key for a service account
+	RevokeFactorAPIKey(context.Context, valuer.UUID, valuer.UUID) error
+}
+
+type Handler interface {
+	Create(http.ResponseWriter, *http.Request)
+
+	Get(http.ResponseWriter, *http.Request)
+
+	List(http.ResponseWriter, *http.Request)
+
+	Update(http.ResponseWriter, *http.Request)
+
+	UpdateStatus(http.ResponseWriter, *http.Request)
+
+	Delete(http.ResponseWriter, *http.Request)
+
+	CreateFactorAPIKey(http.ResponseWriter, *http.Request)
+
+	ListFactorAPIKey(http.ResponseWriter, *http.Request)
+
+	UpdateFactorAPIKey(http.ResponseWriter, *http.Request)
+
+	RevokeFactorAPIKey(http.ResponseWriter, *http.Request)
+}

pkg/modules/user/impluser/handler.go

@@ -13,7 +13,6 @@ import (
 	root "github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
-	"github.com/SigNoz/signoz/pkg/types/integrationtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/gorilla/mux"
 )
@@ -463,7 +462,7 @@ func (h *handler) UpdateAPIKey(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if slices.Contains(integrationtypes.AllIntegrationUserEmails, integrationtypes.IntegrationUserEmail(createdByUser.Email.String())) {
+	if slices.Contains(types.AllIntegrationUserEmails, types.IntegrationUserEmail(createdByUser.Email.String())) {
 		render.Error(w, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "API Keys for integration users cannot be revoked"))
 		return
 	}
@@ -508,7 +507,7 @@ func (h *handler) RevokeAPIKey(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if slices.Contains(integrationtypes.AllIntegrationUserEmails, integrationtypes.IntegrationUserEmail(createdByUser.Email.String())) {
+	if slices.Contains(types.AllIntegrationUserEmails, types.IntegrationUserEmail(createdByUser.Email.String())) {
 		render.Error(w, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "API Keys for integration users cannot be revoked"))
 		return
 	}

pkg/modules/user/impluser/module.go

@@ -19,7 +19,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/emailtypes"
-	"github.com/SigNoz/signoz/pkg/types/integrationtypes"
 	"github.com/SigNoz/signoz/pkg/types/roletypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/dustin/go-humanize"
@@ -175,7 +174,7 @@ func (module *Module) CreateUser(ctx context.Context, input *types.User, opts ..
 	createUserOpts := root.NewCreateUserOptions(opts...)
 
 	// since assign is idempotant multiple calls to assign won't cause issues in case of retries.
-	err := module.authz.Grant(ctx, input.OrgID, roletypes.MustGetSigNozManagedRoleFromExistingRole(input.Role), authtypes.MustNewSubject(authtypes.TypeableUser, input.ID.StringValue(), input.OrgID, nil))
+	err := module.authz.Grant(ctx, input.OrgID, []string{roletypes.MustGetSigNozManagedRoleFromExistingRole(input.Role)}, authtypes.MustNewSubject(authtypes.TypeableUser, input.ID.StringValue(), input.OrgID, nil))
 	if err != nil {
 		return err
 	}
@@ -237,8 +236,8 @@ func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, u
 	if user.Role != "" && user.Role != existingUser.Role {
 		err = m.authz.ModifyGrant(ctx,
 			orgID,
-			roletypes.MustGetSigNozManagedRoleFromExistingRole(existingUser.Role),
-			roletypes.MustGetSigNozManagedRoleFromExistingRole(user.Role),
+			[]string{roletypes.MustGetSigNozManagedRoleFromExistingRole(existingUser.Role)},
+			[]string{roletypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)},
 			authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil),
 		)
 		if err != nil {
@@ -280,7 +279,7 @@ func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id stri
 		return errors.WithAdditionalf(err, "cannot delete root user")
 	}
 
-	if slices.Contains(integrationtypes.AllIntegrationUserEmails, integrationtypes.IntegrationUserEmail(user.Email.String())) {
+	if slices.Contains(types.AllIntegrationUserEmails, types.IntegrationUserEmail(user.Email.String())) {
 		return errors.New(errors.TypeForbidden, errors.CodeForbidden, "integration user cannot be deleted")
 	}
 
@@ -295,7 +294,7 @@ func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id stri
 	}
 
 	// since revoke is idempotant multiple calls to revoke won't cause issues in case of retries
-	err = module.authz.Revoke(ctx, orgID, roletypes.MustGetSigNozManagedRoleFromExistingRole(user.Role), authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil))
+	err = module.authz.Revoke(ctx, orgID, []string{roletypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)}, authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil))
 	if err != nil {
 		return err
 	}

pkg/modules/user/impluser/service.go

@@ -159,8 +159,8 @@ func (s *service) createOrPromoteRootUser(ctx context.Context, orgID valuer.UUID
 		if oldRole != types.RoleAdmin {
 			if err := s.authz.ModifyGrant(ctx,
 				orgID,
-				roletypes.MustGetSigNozManagedRoleFromExistingRole(oldRole),
-				roletypes.MustGetSigNozManagedRoleFromExistingRole(types.RoleAdmin),
+				[]string{roletypes.MustGetSigNozManagedRoleFromExistingRole(oldRole)},
+				[]string{roletypes.MustGetSigNozManagedRoleFromExistingRole(types.RoleAdmin)},
 				authtypes.MustNewSubject(authtypes.TypeableUser, existingUser.ID.StringValue(), orgID, nil),
 			); err != nil {
 				return err

pkg/query-service/app/cloudintegrations/accountsRepo.go

@@ -10,16 +10,15 @@ import (
 	"github.com/SigNoz/signoz/pkg/query-service/model"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/types/integrationtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 )
 
 type cloudProviderAccountsRepository interface {
-	listConnected(ctx context.Context, orgId string, provider string) ([]integrationtypes.CloudIntegration, *model.ApiError)
+	listConnected(ctx context.Context, orgId string, provider string) ([]types.CloudIntegration, *model.ApiError)
 
-	get(ctx context.Context, orgId string, provider string, id string) (*integrationtypes.CloudIntegration, *model.ApiError)
+	get(ctx context.Context, orgId string, provider string, id string) (*types.CloudIntegration, *model.ApiError)
 
-	getConnectedCloudAccount(ctx context.Context, orgId string, provider string, accountID string) (*integrationtypes.CloudIntegration, *model.ApiError)
+	getConnectedCloudAccount(ctx context.Context, orgId string, provider string, accountID string) (*types.CloudIntegration, *model.ApiError)
 
 	// Insert an account or update it by (cloudProvider, id)
 	// for specified non-empty fields
@@ -28,11 +27,11 @@ type cloudProviderAccountsRepository interface {
 		orgId string,
 		provider string,
 		id *string,
-		config *integrationtypes.AccountConfig,
+		config *types.AccountConfig,
 		accountId *string,
-		agentReport *integrationtypes.AgentReport,
+		agentReport *types.AgentReport,
 		removedAt *time.Time,
-	) (*integrationtypes.CloudIntegration, *model.ApiError)
+	) (*types.CloudIntegration, *model.ApiError)
 }
 
 func newCloudProviderAccountsRepository(store sqlstore.SQLStore) (
@@ -49,8 +48,8 @@ type cloudProviderAccountsSQLRepository struct {
 
 func (r *cloudProviderAccountsSQLRepository) listConnected(
 	ctx context.Context, orgId string, cloudProvider string,
-) ([]integrationtypes.CloudIntegration, *model.ApiError) {
-	accounts := []integrationtypes.CloudIntegration{}
+) ([]types.CloudIntegration, *model.ApiError) {
+	accounts := []types.CloudIntegration{}
 
 	err := r.store.BunDB().NewSelect().
 		Model(&accounts).
@@ -73,8 +72,8 @@ func (r *cloudProviderAccountsSQLRepository) listConnected(
 
 func (r *cloudProviderAccountsSQLRepository) get(
 	ctx context.Context, orgId string, provider string, id string,
-) (*integrationtypes.CloudIntegration, *model.ApiError) {
-	var result integrationtypes.CloudIntegration
+) (*types.CloudIntegration, *model.ApiError) {
+	var result types.CloudIntegration
 
 	err := r.store.BunDB().NewSelect().
 		Model(&result).
@@ -98,8 +97,8 @@ func (r *cloudProviderAccountsSQLRepository) get(
 
 func (r *cloudProviderAccountsSQLRepository) getConnectedCloudAccount(
 	ctx context.Context, orgId string, provider string, accountId string,
-) (*integrationtypes.CloudIntegration, *model.ApiError) {
-	var result integrationtypes.CloudIntegration
+) (*types.CloudIntegration, *model.ApiError) {
+	var result types.CloudIntegration
 
 	err := r.store.BunDB().NewSelect().
 		Model(&result).
@@ -128,11 +127,11 @@ func (r *cloudProviderAccountsSQLRepository) upsert(
 	orgId string,
 	provider string,
 	id *string,
-	config *integrationtypes.AccountConfig,
+	config *types.AccountConfig,
 	accountId *string,
-	agentReport *integrationtypes.AgentReport,
+	agentReport *types.AgentReport,
 	removedAt *time.Time,
-) (*integrationtypes.CloudIntegration, *model.ApiError) {
+) (*types.CloudIntegration, *model.ApiError) {
 	// Insert
 	if id == nil {
 		temp := valuer.GenerateUUID().StringValue()
@@ -182,7 +181,7 @@ func (r *cloudProviderAccountsSQLRepository) upsert(
 		)
 	}
 
-	integration := integrationtypes.CloudIntegration{
+	integration := types.CloudIntegration{
 		OrgID:        orgId,
 		Provider:     provider,
 		Identifiable: types.Identifiable{ID: valuer.MustNewUUID(*id)},

pkg/query-service/app/cloudintegrations/controller.go

@@ -14,7 +14,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/dashboardtypes"
-	"github.com/SigNoz/signoz/pkg/types/integrationtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"golang.org/x/exp/maps"
 )
@@ -53,7 +52,7 @@ func NewController(sqlStore sqlstore.SQLStore) (*Controller, error) {
 }
 
 type ConnectedAccountsListResponse struct {
-	Accounts []integrationtypes.Account `json:"accounts"`
+	Accounts []types.Account `json:"accounts"`
 }
 
 func (c *Controller) ListConnectedAccounts(ctx context.Context, orgId string, cloudProvider string) (
@@ -68,7 +67,7 @@ func (c *Controller) ListConnectedAccounts(ctx context.Context, orgId string, cl
 		return nil, model.WrapApiError(apiErr, "couldn't list cloud accounts")
 	}
 
-	connectedAccounts := []integrationtypes.Account{}
+	connectedAccounts := []types.Account{}
 	for _, a := range accountRecords {
 		connectedAccounts = append(connectedAccounts, a.Account())
 	}
@@ -82,7 +81,7 @@ type GenerateConnectionUrlRequest struct {
 	// Optional. To be specified for updates.
 	AccountId *string `json:"account_id,omitempty"`
 
-	AccountConfig integrationtypes.AccountConfig `json:"account_config"`
+	AccountConfig types.AccountConfig `json:"account_config"`
 
 	AgentConfig SigNozAgentConfig `json:"agent_config"`
 }
@@ -150,9 +149,9 @@ func (c *Controller) GenerateConnectionUrl(ctx context.Context, orgId string, cl
 }
 
 type AccountStatusResponse struct {
-	Id             string                         `json:"id"`
-	CloudAccountId *string                        `json:"cloud_account_id,omitempty"`
-	Status         integrationtypes.AccountStatus `json:"status"`
+	Id             string              `json:"id"`
+	CloudAccountId *string             `json:"cloud_account_id,omitempty"`
+	Status         types.AccountStatus `json:"status"`
 }
 
 func (c *Controller) GetAccountStatus(ctx context.Context, orgId string, cloudProvider string, accountId string) (
@@ -218,7 +217,7 @@ func (c *Controller) CheckInAsAgent(ctx context.Context, orgId string, cloudProv
 		))
 	}
 
-	agentReport := integrationtypes.AgentReport{
+	agentReport := types.AgentReport{
 		TimestampMillis: time.Now().UnixMilli(),
 		Data:            req.Data,
 	}
@@ -287,10 +286,10 @@ func (c *Controller) CheckInAsAgent(ctx context.Context, orgId string, cloudProv
 }
 
 type UpdateAccountConfigRequest struct {
-	Config integrationtypes.AccountConfig `json:"config"`
+	Config types.AccountConfig `json:"config"`
 }
 
-func (c *Controller) UpdateAccountConfig(ctx context.Context, orgId string, cloudProvider string, accountId string, req UpdateAccountConfigRequest) (*integrationtypes.Account, *model.ApiError) {
+func (c *Controller) UpdateAccountConfig(ctx context.Context, orgId string, cloudProvider string, accountId string, req UpdateAccountConfigRequest) (*types.Account, *model.ApiError) {
 	if apiErr := validateCloudProviderName(cloudProvider); apiErr != nil {
 		return nil, apiErr
 	}
@@ -307,7 +306,7 @@ func (c *Controller) UpdateAccountConfig(ctx context.Context, orgId string, clou
 	return &account, nil
 }
 
-func (c *Controller) DisconnectAccount(ctx context.Context, orgId string, cloudProvider string, accountId string) (*integrationtypes.CloudIntegration, *model.ApiError) {
+func (c *Controller) DisconnectAccount(ctx context.Context, orgId string, cloudProvider string, accountId string) (*types.CloudIntegration, *model.ApiError) {
 	if apiErr := validateCloudProviderName(cloudProvider); apiErr != nil {
 		return nil, apiErr
 	}
@@ -347,7 +346,7 @@ func (c *Controller) ListServices(
 		return nil, model.WrapApiError(apiErr, "couldn't list cloud services")
 	}
 
-	svcConfigs := map[string]*integrationtypes.CloudServiceConfig{}
+	svcConfigs := map[string]*types.CloudServiceConfig{}
 	if cloudAccountId != nil {
 		activeAccount, apiErr := c.accountsRepo.getConnectedCloudAccount(
 			ctx, orgID, cloudProvider, *cloudAccountId,
@@ -442,8 +441,8 @@ func (c *Controller) GetServiceDetails(
 }
 
 type UpdateServiceConfigRequest struct {
-	CloudAccountId string                              `json:"cloud_account_id"`
-	Config         integrationtypes.CloudServiceConfig `json:"config"`
+	CloudAccountId string                   `json:"cloud_account_id"`
+	Config         types.CloudServiceConfig `json:"config"`
 }
 
 func (u *UpdateServiceConfigRequest) Validate(def *services.Definition) error {
@@ -461,8 +460,8 @@ func (u *UpdateServiceConfigRequest) Validate(def *services.Definition) error {
 }
 
 type UpdateServiceConfigResponse struct {
-	Id     string                              `json:"id"`
-	Config integrationtypes.CloudServiceConfig `json:"config"`
+	Id     string                   `json:"id"`
+	Config types.CloudServiceConfig `json:"config"`
 }
 
 func (c *Controller) UpdateServiceConfig(

pkg/query-service/app/cloudintegrations/models.go

@@ -3,20 +3,20 @@ package cloudintegrations
 import (
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/query-service/app/cloudintegrations/services"
-	"github.com/SigNoz/signoz/pkg/types/integrationtypes"
+	"github.com/SigNoz/signoz/pkg/types"
 )
 
 type ServiceSummary struct {
 	services.Metadata
 
-	Config *integrationtypes.CloudServiceConfig `json:"config"`
+	Config *types.CloudServiceConfig `json:"config"`
 }
 
 type ServiceDetails struct {
 	services.Definition
 
-	Config           *integrationtypes.CloudServiceConfig `json:"config"`
-	ConnectionStatus *ServiceConnectionStatus             `json:"status,omitempty"`
+	Config           *types.CloudServiceConfig `json:"config"`
+	ConnectionStatus *ServiceConnectionStatus  `json:"status,omitempty"`
 }
 
 type AccountStatus struct {
@@ -61,7 +61,7 @@ func NewCompiledCollectionStrategy(provider string) (*CompiledCollectionStrategy
 
 // Helper for accumulating strategies for enabled services.
 func AddServiceStrategy(serviceType string, cs *CompiledCollectionStrategy,
-	definitionStrat *services.CollectionStrategy, config *integrationtypes.CloudServiceConfig) error {
+	definitionStrat *services.CollectionStrategy, config *types.CloudServiceConfig) error {
 	if definitionStrat.Provider != cs.Provider {
 		return errors.NewInternalf(CodeMismatchCloudProvider, "can't add %s service strategy to compiled strategy for %s",
 			definitionStrat.Provider, cs.Provider)

pkg/query-service/app/cloudintegrations/serviceconfig_db.go

@@ -9,7 +9,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/query-service/model"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/types/integrationtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 )
 
@@ -19,7 +18,7 @@ type ServiceConfigDatabase interface {
 		orgID string,
 		cloudAccountId string,
 		serviceType string,
-	) (*integrationtypes.CloudServiceConfig, *model.ApiError)
+	) (*types.CloudServiceConfig, *model.ApiError)
 
 	upsert(
 		ctx context.Context,
@@ -27,15 +26,15 @@ type ServiceConfigDatabase interface {
 		cloudProvider string,
 		cloudAccountId string,
 		serviceId string,
-		config integrationtypes.CloudServiceConfig,
-	) (*integrationtypes.CloudServiceConfig, *model.ApiError)
+		config types.CloudServiceConfig,
+	) (*types.CloudServiceConfig, *model.ApiError)
 
 	getAllForAccount(
 		ctx context.Context,
 		orgID string,
 		cloudAccountId string,
 	) (
-		configsBySvcId map[string]*integrationtypes.CloudServiceConfig,
+		configsBySvcId map[string]*types.CloudServiceConfig,
 		apiErr *model.ApiError,
 	)
 }
@@ -57,9 +56,9 @@ func (r *serviceConfigSQLRepository) get(
 	orgID string,
 	cloudAccountId string,
 	serviceType string,
-) (*integrationtypes.CloudServiceConfig, *model.ApiError) {
+) (*types.CloudServiceConfig, *model.ApiError) {
 
-	var result integrationtypes.CloudIntegrationService
+	var result types.CloudIntegrationService
 
 	err := r.store.BunDB().NewSelect().
 		Model(&result).
@@ -90,14 +89,14 @@ func (r *serviceConfigSQLRepository) upsert(
 	cloudProvider string,
 	cloudAccountId string,
 	serviceId string,
-	config integrationtypes.CloudServiceConfig,
-) (*integrationtypes.CloudServiceConfig, *model.ApiError) {
+	config types.CloudServiceConfig,
+) (*types.CloudServiceConfig, *model.ApiError) {
 
 	// get cloud integration id from account id
 	// if the account is not connected, we don't need to upsert the config
 	var cloudIntegrationId string
 	err := r.store.BunDB().NewSelect().
-		Model((*integrationtypes.CloudIntegration)(nil)).
+		Model((*types.CloudIntegration)(nil)).
 		Column("id").
 		Where("provider = ?", cloudProvider).
 		Where("account_id = ?", cloudAccountId).
@@ -112,7 +111,7 @@ func (r *serviceConfigSQLRepository) upsert(
 		))
 	}
 
-	serviceConfig := integrationtypes.CloudIntegrationService{
+	serviceConfig := types.CloudIntegrationService{
 		Identifiable: types.Identifiable{ID: valuer.GenerateUUID()},
 		TimeAuditable: types.TimeAuditable{
 			CreatedAt: time.Now(),
@@ -140,8 +139,8 @@ func (r *serviceConfigSQLRepository) getAllForAccount(
 	ctx context.Context,
 	orgID string,
 	cloudAccountId string,
-) (map[string]*integrationtypes.CloudServiceConfig, *model.ApiError) {
-	serviceConfigs := []integrationtypes.CloudIntegrationService{}
+) (map[string]*types.CloudServiceConfig, *model.ApiError) {
+	serviceConfigs := []types.CloudIntegrationService{}
 
 	err := r.store.BunDB().NewSelect().
 		Model(&serviceConfigs).
@@ -155,7 +154,7 @@ func (r *serviceConfigSQLRepository) getAllForAccount(
 		))
 	}
 
-	result := map[string]*integrationtypes.CloudServiceConfig{}
+	result := map[string]*types.CloudServiceConfig{}
 
 	for _, r := range serviceConfigs {
 		result[r.Type] = &r.Config

pkg/query-service/app/integrations/manager.go

@@ -11,7 +11,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/SigNoz/signoz/pkg/types/dashboardtypes"
-	"github.com/SigNoz/signoz/pkg/types/integrationtypes"
 	"github.com/SigNoz/signoz/pkg/types/pipelinetypes"
 	ruletypes "github.com/SigNoz/signoz/pkg/types/ruletypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
@@ -108,7 +107,7 @@ type IntegrationsListItem struct {
 
 type Integration struct {
 	IntegrationDetails
-	Installation *integrationtypes.InstalledIntegration `json:"installation"`
+	Installation *types.InstalledIntegration `json:"installation"`
 }
 
 type Manager struct {
@@ -224,7 +223,7 @@ func (m *Manager) InstallIntegration(
 	ctx context.Context,
 	orgId string,
 	integrationId string,
-	config integrationtypes.InstalledIntegrationConfig,
+	config types.InstalledIntegrationConfig,
 ) (*IntegrationsListItem, *model.ApiError) {
 	integrationDetails, apiErr := m.getIntegrationDetails(ctx, integrationId)
 	if apiErr != nil {
@@ -430,7 +429,7 @@ func (m *Manager) getInstalledIntegration(
 	ctx context.Context,
 	orgId string,
 	integrationId string,
-) (*integrationtypes.InstalledIntegration, *model.ApiError) {
+) (*types.InstalledIntegration, *model.ApiError) {
 	iis, apiErr := m.installedIntegrationsRepo.get(
 		ctx, orgId, []string{integrationId},
 	)
@@ -458,7 +457,7 @@ func (m *Manager) getInstalledIntegrations(
 		return nil, apiErr
 	}
 
-	installedTypes := utils.MapSlice(installations, func(i integrationtypes.InstalledIntegration) string {
+	installedTypes := utils.MapSlice(installations, func(i types.InstalledIntegration) string {
 		return i.Type
 	})
 	integrationDetails, apiErr := m.availableIntegrationsRepo.get(ctx, installedTypes)

pkg/query-service/app/integrations/repo.go

@@ -4,22 +4,22 @@ import (
 	"context"
 
 	"github.com/SigNoz/signoz/pkg/query-service/model"
-	"github.com/SigNoz/signoz/pkg/types/integrationtypes"
+	"github.com/SigNoz/signoz/pkg/types"
 )
 
 type InstalledIntegrationsRepo interface {
-	list(ctx context.Context, orgId string) ([]integrationtypes.InstalledIntegration, *model.ApiError)
+	list(ctx context.Context, orgId string) ([]types.InstalledIntegration, *model.ApiError)
 
 	get(
 		ctx context.Context, orgId string, integrationTypes []string,
-	) (map[string]integrationtypes.InstalledIntegration, *model.ApiError)
+	) (map[string]types.InstalledIntegration, *model.ApiError)
 
 	upsert(
 		ctx context.Context,
 		orgId string,
 		integrationType string,
-		config integrationtypes.InstalledIntegrationConfig,
-	) (*integrationtypes.InstalledIntegration, *model.ApiError)
+		config types.InstalledIntegrationConfig,
+	) (*types.InstalledIntegration, *model.ApiError)
 
 	delete(ctx context.Context, orgId string, integrationType string) *model.ApiError
 }

pkg/query-service/app/integrations/sqlite_repo.go

@@ -7,7 +7,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/query-service/model"
 	"github.com/SigNoz/signoz/pkg/sqlstore"
 	"github.com/SigNoz/signoz/pkg/types"
-	"github.com/SigNoz/signoz/pkg/types/integrationtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/uptrace/bun"
 )
@@ -27,8 +26,8 @@ func NewInstalledIntegrationsSqliteRepo(store sqlstore.SQLStore) (
 func (r *InstalledIntegrationsSqliteRepo) list(
 	ctx context.Context,
 	orgId string,
-) ([]integrationtypes.InstalledIntegration, *model.ApiError) {
-	integrations := []integrationtypes.InstalledIntegration{}
+) ([]types.InstalledIntegration, *model.ApiError) {
+	integrations := []types.InstalledIntegration{}
 
 	err := r.store.BunDB().NewSelect().
 		Model(&integrations).
@@ -45,8 +44,8 @@ func (r *InstalledIntegrationsSqliteRepo) list(
 
 func (r *InstalledIntegrationsSqliteRepo) get(
 	ctx context.Context, orgId string, integrationTypes []string,
-) (map[string]integrationtypes.InstalledIntegration, *model.ApiError) {
-	integrations := []integrationtypes.InstalledIntegration{}
+) (map[string]types.InstalledIntegration, *model.ApiError) {
+	integrations := []types.InstalledIntegration{}
 
 	typeValues := []interface{}{}
 	for _, integrationType := range integrationTypes {
@@ -63,7 +62,7 @@ func (r *InstalledIntegrationsSqliteRepo) get(
 		))
 	}
 
-	result := map[string]integrationtypes.InstalledIntegration{}
+	result := map[string]types.InstalledIntegration{}
 	for _, ii := range integrations {
 		result[ii.Type] = ii
 	}
@@ -75,10 +74,10 @@ func (r *InstalledIntegrationsSqliteRepo) upsert(
 	ctx context.Context,
 	orgId string,
 	integrationType string,
-	config integrationtypes.InstalledIntegrationConfig,
-) (*integrationtypes.InstalledIntegration, *model.ApiError) {
+	config types.InstalledIntegrationConfig,
+) (*types.InstalledIntegration, *model.ApiError) {
 
-	integration := integrationtypes.InstalledIntegration{
+	integration := types.InstalledIntegration{
 		Identifiable: types.Identifiable{
 			ID: valuer.GenerateUUID(),
 		},
@@ -115,7 +114,7 @@ func (r *InstalledIntegrationsSqliteRepo) delete(
 	ctx context.Context, orgId string, integrationType string,
 ) *model.ApiError {
 	_, dbErr := r.store.BunDB().NewDelete().
-		Model(&integrationtypes.InstalledIntegration{}).
+		Model(&types.InstalledIntegration{}).
 		Where("type = ?", integrationType).
 		Where("org_id = ?", orgId).
 		Exec(ctx)

pkg/query-service/app/server.go

@@ -201,7 +201,7 @@ func (s *Server) createPublicServer(api *APIHandler, web web.Web) (*http.Server,
 		s.config.APIServer.Timeout.Default,
 		s.config.APIServer.Timeout.Max,
 	).Wrap)
-	r.Use(middleware.NewAPIKey(s.signoz.SQLStore, []string{"SIGNOZ-API-KEY"}, s.signoz.Instrumentation.Logger(), s.signoz.Sharder).Wrap)
+	r.Use(middleware.NewServiceAccount(s.signoz.SQLStore, []string{"SIGNOZ-API-KEY"}, s.signoz.Instrumentation.Logger(), s.signoz.Sharder).Wrap)
 	r.Use(middleware.NewLogging(s.signoz.Instrumentation.Logger(), s.config.APIServer.Logging.ExcludedRoutes).Wrap)
 	r.Use(middleware.NewComment().Wrap)
 

pkg/signoz/handler.go

@@ -24,6 +24,8 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/rawdataexport/implrawdataexport"
 	"github.com/SigNoz/signoz/pkg/modules/savedview"
 	"github.com/SigNoz/signoz/pkg/modules/savedview/implsavedview"
+	"github.com/SigNoz/signoz/pkg/modules/serviceaccount"
+	"github.com/SigNoz/signoz/pkg/modules/serviceaccount/implserviceaccount"
 	"github.com/SigNoz/signoz/pkg/modules/services"
 	"github.com/SigNoz/signoz/pkg/modules/services/implservices"
 	"github.com/SigNoz/signoz/pkg/modules/spanpercentile"
@@ -36,22 +38,23 @@ import (
 )
 
 type Handlers struct {
-	SavedView       savedview.Handler
-	Apdex           apdex.Handler
-	Dashboard       dashboard.Handler
-	QuickFilter     quickfilter.Handler
-	TraceFunnel     tracefunnel.Handler
-	RawDataExport   rawdataexport.Handler
-	SpanPercentile  spanpercentile.Handler
-	Services        services.Handler
-	MetricsExplorer metricsexplorer.Handler
-	Global          global.Handler
-	FlaggerHandler  flagger.Handler
-	GatewayHandler  gateway.Handler
-	Fields          fields.Handler
-	AuthzHandler    authz.Handler
-	ZeusHandler     zeus.Handler
-	QuerierHandler  querier.Handler
+	SavedView             savedview.Handler
+	Apdex                 apdex.Handler
+	Dashboard             dashboard.Handler
+	QuickFilter           quickfilter.Handler
+	TraceFunnel           tracefunnel.Handler
+	RawDataExport         rawdataexport.Handler
+	SpanPercentile        spanpercentile.Handler
+	Services              services.Handler
+	MetricsExplorer       metricsexplorer.Handler
+	Global                global.Handler
+	FlaggerHandler        flagger.Handler
+	GatewayHandler        gateway.Handler
+	Fields                fields.Handler
+	AuthzHandler          authz.Handler
+	ZeusHandler           zeus.Handler
+	QuerierHandler        querier.Handler
+	ServiceAccountHandler serviceaccount.Handler
 }
 
 func NewHandlers(
@@ -68,21 +71,22 @@ func NewHandlers(
 	zeusService zeus.Zeus,
 ) Handlers {
 	return Handlers{
-		SavedView:       implsavedview.NewHandler(modules.SavedView),
-		Apdex:           implapdex.NewHandler(modules.Apdex),
-		Dashboard:       impldashboard.NewHandler(modules.Dashboard, providerSettings),
-		QuickFilter:     implquickfilter.NewHandler(modules.QuickFilter),
-		TraceFunnel:     impltracefunnel.NewHandler(modules.TraceFunnel),
-		RawDataExport:   implrawdataexport.NewHandler(modules.RawDataExport),
-		Services:        implservices.NewHandler(modules.Services),
-		MetricsExplorer: implmetricsexplorer.NewHandler(modules.MetricsExplorer),
-		SpanPercentile:  implspanpercentile.NewHandler(modules.SpanPercentile),
-		Global:          signozglobal.NewHandler(global),
-		FlaggerHandler:  flagger.NewHandler(flaggerService),
-		GatewayHandler:  gateway.NewHandler(gatewayService),
-		Fields:          implfields.NewHandler(providerSettings, telemetryMetadataStore),
-		AuthzHandler:    signozauthzapi.NewHandler(authz),
-		ZeusHandler:     zeus.NewHandler(zeusService, licensing),
-		QuerierHandler:  querierHandler,
+		SavedView:             implsavedview.NewHandler(modules.SavedView),
+		Apdex:                 implapdex.NewHandler(modules.Apdex),
+		Dashboard:             impldashboard.NewHandler(modules.Dashboard, providerSettings),
+		QuickFilter:           implquickfilter.NewHandler(modules.QuickFilter),
+		TraceFunnel:           impltracefunnel.NewHandler(modules.TraceFunnel),
+		RawDataExport:         implrawdataexport.NewHandler(modules.RawDataExport),
+		Services:              implservices.NewHandler(modules.Services),
+		MetricsExplorer:       implmetricsexplorer.NewHandler(modules.MetricsExplorer),
+		SpanPercentile:        implspanpercentile.NewHandler(modules.SpanPercentile),
+		Global:                signozglobal.NewHandler(global),
+		FlaggerHandler:        flagger.NewHandler(flaggerService),
+		GatewayHandler:        gateway.NewHandler(gatewayService),
+		Fields:                implfields.NewHandler(providerSettings, telemetryMetadataStore),
+		AuthzHandler:          signozauthzapi.NewHandler(authz),
+		ZeusHandler:           zeus.NewHandler(zeusService, licensing),
+		QuerierHandler:        querierHandler,
+		ServiceAccountHandler: implserviceaccount.NewHandler(modules.ServiceAccount),
 	}
 }

pkg/signoz/module.go

@@ -27,6 +27,8 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/rawdataexport/implrawdataexport"
 	"github.com/SigNoz/signoz/pkg/modules/savedview"
 	"github.com/SigNoz/signoz/pkg/modules/savedview/implsavedview"
+	"github.com/SigNoz/signoz/pkg/modules/serviceaccount"
+	"github.com/SigNoz/signoz/pkg/modules/serviceaccount/implserviceaccount"
 	"github.com/SigNoz/signoz/pkg/modules/services"
 	"github.com/SigNoz/signoz/pkg/modules/services/implservices"
 	"github.com/SigNoz/signoz/pkg/modules/session"
@@ -66,6 +68,7 @@ type Modules struct {
 	SpanPercentile  spanpercentile.Module
 	MetricsExplorer metricsexplorer.Module
 	Promote         promote.Module
+	ServiceAccount  serviceaccount.Module
 }
 
 func NewModules(
@@ -110,5 +113,6 @@ func NewModules(
 		Services:        implservices.NewModule(querier, telemetryStore),
 		MetricsExplorer: implmetricsexplorer.NewModule(telemetryStore, telemetryMetadataStore, cache, ruleStore, dashboard, providerSettings, config.MetricsExplorer),
 		Promote:         implpromote.NewModule(telemetryMetadataStore, telemetryStore),
+		ServiceAccount:  implserviceaccount.NewModule(implserviceaccount.NewStore(sqlstore), authz, emailing, providerSettings),
 	}
 }

pkg/signoz/openapi.go

@@ -22,6 +22,7 @@ import (
 	"github.com/SigNoz/signoz/pkg/modules/organization"
 	"github.com/SigNoz/signoz/pkg/modules/preference"
 	"github.com/SigNoz/signoz/pkg/modules/promote"
+	"github.com/SigNoz/signoz/pkg/modules/serviceaccount"
 	"github.com/SigNoz/signoz/pkg/modules/session"
 	"github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/querier"
@@ -59,6 +60,7 @@ func NewOpenAPI(ctx context.Context, instrumentation instrumentation.Instrumenta
 		struct{ authz.Handler }{},
 		struct{ zeus.Handler }{},
 		struct{ querier.Handler }{},
+		struct{ serviceaccount.Handler }{},
 	).New(ctx, instrumentation.ToProviderSettings(), apiserver.Config{})
 	if err != nil {
 		return nil, err

pkg/signoz/provider.go

@@ -170,6 +170,8 @@ func NewSQLMigrationProviderFactories(
 		sqlmigration.NewAddRootUserFactory(sqlstore, sqlschema),
 		sqlmigration.NewAddUserEmailOrgIDIndexFactory(sqlstore, sqlschema),
 		sqlmigration.NewMigrateRulesV4ToV5Factory(sqlstore, telemetryStore),
+		sqlmigration.NewAddServiceAccountFactory(sqlstore, sqlschema),
+		sqlmigration.NewDeprecateAPIKeyFactory(sqlstore, sqlschema),
 	)
 }
 
@@ -255,6 +257,7 @@ func NewAPIServerProviderFactories(orgGetter organization.Getter, authz authz.Au
 			handlers.AuthzHandler,
 			handlers.ZeusHandler,
 			handlers.QuerierHandler,
+			handlers.ServiceAccountHandler,
 		),
 	)
 }

pkg/sqlmigration/067_add_service_account.go

@@ -0,0 +1,117 @@
+package sqlmigration
+
+import (
+	"context"
+
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/sqlschema"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/uptrace/bun"
+	"github.com/uptrace/bun/migrate"
+)
+
+type addServiceAccount struct {
+	sqlschema sqlschema.SQLSchema
+	sqlstore  sqlstore.SQLStore
+}
+
+func NewAddServiceAccountFactory(sqlstore sqlstore.SQLStore, sqlschema sqlschema.SQLSchema) factory.ProviderFactory[SQLMigration, Config] {
+	return factory.NewProviderFactory(factory.MustNewName("add_service_account"), func(_ context.Context, _ factory.ProviderSettings, _ Config) (SQLMigration, error) {
+		return &addServiceAccount{
+			sqlschema: sqlschema,
+			sqlstore:  sqlstore,
+		}, nil
+	})
+}
+
+func (migration *addServiceAccount) Register(migrations *migrate.Migrations) error {
+	err := migrations.Register(migration.Up, migration.Down)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *addServiceAccount) Up(ctx context.Context, db *bun.DB) error {
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		_ = tx.Rollback()
+	}()
+
+	sqls := [][]byte{}
+
+	tableSQLs := migration.sqlschema.Operator().CreateTable(&sqlschema.Table{
+		Name: "service_account",
+		Columns: []*sqlschema.Column{
+			{Name: "id", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "created_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
+			{Name: "updated_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
+			{Name: "name", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "email", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "status", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "org_id", DataType: sqlschema.DataTypeText, Nullable: false},
+		},
+		PrimaryKeyConstraint: &sqlschema.PrimaryKeyConstraint{
+			ColumnNames: []sqlschema.ColumnName{"id"},
+		},
+		ForeignKeyConstraints: []*sqlschema.ForeignKeyConstraint{
+			{
+				ReferencingColumnName: sqlschema.ColumnName("org_id"),
+				ReferencedTableName:   sqlschema.TableName("organizations"),
+				ReferencedColumnName:  sqlschema.ColumnName("id"),
+			},
+		},
+	})
+	sqls = append(sqls, tableSQLs...)
+
+	tableSQLs = migration.sqlschema.Operator().CreateTable(&sqlschema.Table{
+		Name: "service_account_role",
+		Columns: []*sqlschema.Column{
+			{Name: "id", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "created_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
+			{Name: "updated_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
+			{Name: "service_account_id", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "role_id", DataType: sqlschema.DataTypeText, Nullable: false},
+		},
+		PrimaryKeyConstraint: &sqlschema.PrimaryKeyConstraint{
+			ColumnNames: []sqlschema.ColumnName{"id"},
+		},
+		ForeignKeyConstraints: []*sqlschema.ForeignKeyConstraint{
+			{
+				ReferencingColumnName: sqlschema.ColumnName("service_account_id"),
+				ReferencedTableName:   sqlschema.TableName("service_account"),
+				ReferencedColumnName:  sqlschema.ColumnName("id"),
+			},
+			{
+				ReferencingColumnName: sqlschema.ColumnName("role_id"),
+				ReferencedTableName:   sqlschema.TableName("role"),
+				ReferencedColumnName:  sqlschema.ColumnName("id"),
+			},
+		},
+	})
+	sqls = append(sqls, tableSQLs...)
+
+	indexSQLs := migration.sqlschema.Operator().CreateIndex(&sqlschema.UniqueIndex{TableName: "service_account_role", ColumnNames: []sqlschema.ColumnName{"service_account_id", "role_id"}})
+	sqls = append(sqls, indexSQLs...)
+
+	for _, sql := range sqls {
+		if _, err := tx.ExecContext(ctx, string(sql)); err != nil {
+			return err
+		}
+	}
+
+	if err := tx.Commit(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (a *addServiceAccount) Down(context.Context, *bun.DB) error {
+	return nil
+}

pkg/sqlmigration/068_deprecate_api_key.go

@@ -0,0 +1,103 @@
+package sqlmigration
+
+import (
+	"context"
+
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/sqlschema"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/uptrace/bun"
+	"github.com/uptrace/bun/migrate"
+)
+
+type deprecateAPIKey struct {
+	sqlstore  sqlstore.SQLStore
+	sqlschema sqlschema.SQLSchema
+}
+
+func NewDeprecateAPIKeyFactory(sqlstore sqlstore.SQLStore, sqlschema sqlschema.SQLSchema) factory.ProviderFactory[SQLMigration, Config] {
+	return factory.NewProviderFactory(factory.MustNewName("deprecate_api_key"), func(_ context.Context, _ factory.ProviderSettings, c Config) (SQLMigration, error) {
+		return &deprecateAPIKey{
+			sqlstore:  sqlstore,
+			sqlschema: sqlschema,
+		}, nil
+	})
+}
+
+func (migration *deprecateAPIKey) Register(migrations *migrate.Migrations) error {
+	err := migrations.Register(migration.Up, migration.Down)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *deprecateAPIKey) Up(ctx context.Context, db *bun.DB) error {
+	tx, err := db.BeginTx(ctx, nil)
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		_ = tx.Rollback()
+	}()
+
+	sqls := [][]byte{}
+
+	// TODO[@vikrantgupta25]: migrate the older keys to the new table
+	deprecatedFactorAPIKey, _, err := migration.sqlschema.GetTable(ctx, sqlschema.TableName("factor_api_key"))
+	if err != nil {
+		return err
+	}
+
+	dropTableSQLS := migration.sqlschema.Operator().DropTable(deprecatedFactorAPIKey)
+	sqls = append(sqls, dropTableSQLS...)
+
+	tableSQLs := migration.sqlschema.Operator().CreateTable(&sqlschema.Table{
+		Name: "factor_api_key",
+		Columns: []*sqlschema.Column{
+			{Name: "id", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "name", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "key", DataType: sqlschema.DataTypeText, Nullable: false},
+			{Name: "created_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
+			{Name: "updated_at", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
+			{Name: "expires_at", DataType: sqlschema.DataTypeInteger, Nullable: false},
+			{Name: "last_used", DataType: sqlschema.DataTypeTimestamp, Nullable: false},
+			{Name: "service_account_id", DataType: sqlschema.DataTypeText, Nullable: false},
+		},
+		PrimaryKeyConstraint: &sqlschema.PrimaryKeyConstraint{
+			ColumnNames: []sqlschema.ColumnName{"id"},
+		},
+		ForeignKeyConstraints: []*sqlschema.ForeignKeyConstraint{
+			{
+				ReferencingColumnName: sqlschema.ColumnName("service_account_id"),
+				ReferencedTableName:   sqlschema.TableName("service_account"),
+				ReferencedColumnName:  sqlschema.ColumnName("id"),
+			},
+		},
+	})
+	sqls = append(sqls, tableSQLs...)
+
+	indexSQLs := migration.sqlschema.Operator().CreateIndex(&sqlschema.UniqueIndex{TableName: "factor_api_key", ColumnNames: []sqlschema.ColumnName{"key"}})
+	sqls = append(sqls, indexSQLs...)
+
+	indexSQLs = migration.sqlschema.Operator().CreateIndex(&sqlschema.UniqueIndex{TableName: "factor_api_key", ColumnNames: []sqlschema.ColumnName{"name", "service_account_id"}})
+	sqls = append(sqls, indexSQLs...)
+
+	for _, sql := range sqls {
+		if _, err := tx.ExecContext(ctx, string(sql)); err != nil {
+			return err
+		}
+	}
+
+	if err := tx.Commit(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (migration *deprecateAPIKey) Down(context.Context, *bun.DB) error {
+	return nil
+}

pkg/types/authtypes/authn.go

@@ -116,10 +116,11 @@ func (typ *Identity) UnmarshalBinary(data []byte) error {
 
 func (typ *Identity) ToClaims() Claims {
 	return Claims{
-		UserID: typ.UserID.String(),
-		Email:  typ.Email.String(),
-		Role:   typ.Role,
-		OrgID:  typ.OrgID.String(),
+		UserID:    typ.UserID.String(),
+		Principal: PrincipalUser.String(),
+		Email:     typ.Email.String(),
+		Role:      typ.Role,
+		OrgID:     typ.OrgID.String(),
 	}
 }
 

pkg/types/authtypes/claims.go

@@ -11,12 +11,15 @@ import (
 
 type claimsKey struct{}
 type accessTokenKey struct{}
+type serviceAccountKey struct{}
 
 type Claims struct {
-	UserID string
-	Email  string
-	Role   types.Role
-	OrgID  string
+	UserID           string
+	ServiceAccountID string
+	Principal        string
+	Email            string
+	Role             types.Role
+	OrgID            string
 }
 
 // NewContextWithClaims attaches individual claims to the context.
@@ -47,9 +50,24 @@ func AccessTokenFromContext(ctx context.Context) (string, error) {
 	return accessToken, nil
 }
 
+func NewContextWithServiceAccountKey(ctx context.Context, key string) context.Context {
+	return context.WithValue(ctx, serviceAccountKey{}, key)
+}
+
+func ServiceAccountKeyFromContext(ctx context.Context) (string, error) {
+	key, ok := ctx.Value(serviceAccountKey{}).(string)
+	if !ok {
+		return "", errors.New(errors.TypeUnauthenticated, errors.CodeUnauthenticated, "unauthenticated")
+	}
+
+	return key, nil
+}
+
 func (c *Claims) LogValue() slog.Value {
 	return slog.GroupValue(
 		slog.String("user_id", c.UserID),
+		slog.String("service_account_id", c.ServiceAccountID),
+		slog.String("principal", c.Principal),
 		slog.String("email", c.Email),
 		slog.String("role", c.Role.String()),
 		slog.String("org_id", c.OrgID),

pkg/types/authtypes/principal.go

@@ -0,0 +1,10 @@
+package authtypes
+
+import "github.com/SigNoz/signoz/pkg/valuer"
+
+var (
+	PrincipalUser           = valuer.NewString("user")
+	PrincipalServiceAccount = valuer.NewString("service_account")
+)
+
+type Principal struct{ valuer.String }

pkg/types/authtypes/relation.go

@@ -20,19 +20,20 @@ var (
 )
 
 var TypeableRelations = map[Type][]Relation{
-	TypeUser:          {RelationRead, RelationUpdate, RelationDelete},
-	TypeRole:          {RelationAssignee, RelationRead, RelationUpdate, RelationDelete},
-	TypeOrganization:  {RelationRead, RelationUpdate, RelationDelete},
-	TypeMetaResource:  {RelationRead, RelationUpdate, RelationDelete},
-	TypeMetaResources: {RelationCreate, RelationList},
+	TypeUser:           {RelationRead, RelationUpdate, RelationDelete},
+	TypeServiceAccount: {RelationRead, RelationUpdate, RelationDelete},
+	TypeRole:           {RelationAssignee, RelationRead, RelationUpdate, RelationDelete},
+	TypeOrganization:   {RelationRead, RelationUpdate, RelationDelete},
+	TypeMetaResource:   {RelationRead, RelationUpdate, RelationDelete},
+	TypeMetaResources:  {RelationCreate, RelationList},
 }
 
 var RelationsTypeable = map[Relation][]Type{
 	RelationCreate: {TypeMetaResources},
-	RelationRead:   {TypeUser, TypeRole, TypeOrganization, TypeMetaResource},
+	RelationRead:   {TypeUser, TypeServiceAccount, TypeRole, TypeOrganization, TypeMetaResource},
 	RelationList:   {TypeMetaResources},
-	RelationUpdate: {TypeUser, TypeRole, TypeOrganization, TypeMetaResource},
-	RelationDelete: {TypeUser, TypeRole, TypeOrganization, TypeMetaResource},
+	RelationUpdate: {TypeUser, TypeServiceAccount, TypeRole, TypeOrganization, TypeMetaResource},
+	RelationDelete: {TypeUser, TypeServiceAccount, TypeRole, TypeOrganization, TypeMetaResource},
 }
 
 type Relation struct{ valuer.String }

pkg/types/authtypes/selector.go

@@ -23,11 +23,12 @@ var (
 )
 
 var (
-	typeUserSelectorRegex         = regexp.MustCompile(`^(^[0-9a-f]{8}(?:\-[0-9a-f]{4}){3}-[0-9a-f]{12}$|\*)$`)
-	typeRoleSelectorRegex         = regexp.MustCompile(`^([a-z-]{1,50}|\*)$`)
-	typeAnonymousSelectorRegex    = regexp.MustCompile(`^\*$`)
-	typeOrganizationSelectorRegex = regexp.MustCompile(`^(^[0-9a-f]{8}(?:\-[0-9a-f]{4}){3}-[0-9a-f]{12}$|\*)$`)
-	typeMetaResourceSelectorRegex = regexp.MustCompile(`^(^[0-9a-f]{8}(?:\-[0-9a-f]{4}){3}-[0-9a-f]{12}$|\*)$`)
+	typeUserSelectorRegex           = regexp.MustCompile(`^(^[0-9a-f]{8}(?:\-[0-9a-f]{4}){3}-[0-9a-f]{12}$|\*)$`)
+	typeServiceAccountSelectorRegex = regexp.MustCompile(`^(^[0-9a-f]{8}(?:\-[0-9a-f]{4}){3}-[0-9a-f]{12}$|\*)$`)
+	typeRoleSelectorRegex           = regexp.MustCompile(`^([a-z-]{1,50}|\*)$`)
+	typeAnonymousSelectorRegex      = regexp.MustCompile(`^\*$`)
+	typeOrganizationSelectorRegex   = regexp.MustCompile(`^(^[0-9a-f]{8}(?:\-[0-9a-f]{4}){3}-[0-9a-f]{12}$|\*)$`)
+	typeMetaResourceSelectorRegex   = regexp.MustCompile(`^(^[0-9a-f]{8}(?:\-[0-9a-f]{4}){3}-[0-9a-f]{12}$|\*)$`)
 	// metaresources selectors are used to select either all or none until we introduce some hierarchy here.
 	typeMetaResourcesSelectorRegex = regexp.MustCompile(`^\*$`)
 )
@@ -98,6 +99,11 @@ func IsValidSelector(typed Type, selector string) error {
 			return errors.Newf(errors.TypeInvalidInput, ErrCodeAuthZInvalidSelector, "selector must conform to regex %s", typeUserSelectorRegex.String())
 		}
 		return nil
+	case TypeServiceAccount:
+		if !typeServiceAccountSelectorRegex.MatchString(selector) {
+			return errors.Newf(errors.TypeInvalidInput, ErrCodeAuthZInvalidSelector, "selector must conform to regex %s", typeServiceAccountSelectorRegex.String())
+		}
+		return nil
 	case TypeRole:
 		if !typeRoleSelectorRegex.MatchString(selector) {
 			return errors.Newf(errors.TypeInvalidInput, ErrCodeAuthZInvalidSelector, "selector must conform to regex %s", typeRoleSelectorRegex.String())

pkg/types/authtypes/typeable.go

@@ -15,19 +15,21 @@ var (
 )
 
 var (
-	TypeUser          = Type{valuer.NewString("user")}
-	TypeAnonymous     = Type{valuer.NewString("anonymous")}
-	TypeRole          = Type{valuer.NewString("role")}
-	TypeOrganization  = Type{valuer.NewString("organization")}
-	TypeMetaResource  = Type{valuer.NewString("metaresource")}
-	TypeMetaResources = Type{valuer.NewString("metaresources")}
+	TypeUser           = Type{valuer.NewString("user")}
+	TypeServiceAccount = Type{valuer.NewString("serviceaccount")}
+	TypeAnonymous      = Type{valuer.NewString("anonymous")}
+	TypeRole           = Type{valuer.NewString("role")}
+	TypeOrganization   = Type{valuer.NewString("organization")}
+	TypeMetaResource   = Type{valuer.NewString("metaresource")}
+	TypeMetaResources  = Type{valuer.NewString("metaresources")}
 )
 
 var (
-	TypeableUser         = &typeableUser{}
-	TypeableAnonymous    = &typeableAnonymous{}
-	TypeableRole         = &typeableRole{}
-	TypeableOrganization = &typeableOrganization{}
+	TypeableUser           = &typeableUser{}
+	TypeableServiceAccount = &typeableServiceAccount{}
+	TypeableAnonymous      = &typeableAnonymous{}
+	TypeableRole           = &typeableRole{}
+	TypeableOrganization   = &typeableOrganization{}
 )
 
 type Typeable interface {
@@ -53,6 +55,8 @@ func NewType(input string) (Type, error) {
 	switch input {
 	case "user":
 		return TypeUser, nil
+	case "serviceaccount":
+		return TypeServiceAccount, nil
 	case "role":
 		return TypeRole, nil
 	case "organization":
@@ -88,6 +92,8 @@ func NewTypeableFromType(typed Type, name Name) (Typeable, error) {
 		return TypeableRole, nil
 	case TypeUser:
 		return TypeableUser, nil
+	case TypeServiceAccount:
+		return TypeableServiceAccount, nil
 	case TypeOrganization:
 		return TypeableOrganization, nil
 	case TypeMetaResource:

pkg/types/authtypes/typeable_serviceaccount.go

@@ -0,0 +1,38 @@
+package authtypes
+
+import (
+	"github.com/SigNoz/signoz/pkg/valuer"
+	openfgav1 "github.com/openfga/api/proto/openfga/v1"
+)
+
+var _ Typeable = new(typeableServiceAccount)
+
+type typeableServiceAccount struct{}
+
+func (typeableServiceAccount *typeableServiceAccount) Tuples(subject string, relation Relation, selectors []Selector, orgID valuer.UUID) ([]*openfgav1.TupleKey, error) {
+	tuples := make([]*openfgav1.TupleKey, 0)
+
+	for _, selector := range selectors {
+		object := typeableServiceAccount.Prefix(orgID) + "/" + selector.String()
+		tuples = append(tuples, &openfgav1.TupleKey{User: subject, Relation: relation.StringValue(), Object: object})
+	}
+
+	return tuples, nil
+}
+
+func (typeableServiceAccount *typeableServiceAccount) Type() Type {
+	return TypeServiceAccount
+}
+
+func (typeableServiceAccount *typeableServiceAccount) Name() Name {
+	return MustNewName("serviceaccount")
+}
+
+// example: serviceaccount:organization/0199c47d-f61b-7833-bc5f-c0730f12f046/serviceaccount
+func (typeableServiceAccount *typeableServiceAccount) Prefix(orgID valuer.UUID) string {
+	return typeableServiceAccount.Type().StringValue() + ":" + "organization" + "/" + orgID.StringValue() + "/" + typeableServiceAccount.Name().String()
+}
+
+func (typeableServiceAccount *typeableServiceAccount) Scope(relation Relation) string {
+	return typeableServiceAccount.Name().String() + ":" + relation.StringValue()
+}

pkg/types/authtypes/uuid.go

@@ -1,41 +0,0 @@
-package authtypes
-
-import (
-	"context"
-
-	"github.com/SigNoz/signoz/pkg/errors"
-)
-
-type uuidKey struct{}
-
-type UUID struct {
-}
-
-func NewUUID() *UUID {
-	return &UUID{}
-}
-
-func (u *UUID) ContextFromRequest(ctx context.Context, values ...string) (context.Context, error) {
-	var value string
-	for _, v := range values {
-		if v != "" {
-			value = v
-			break
-		}
-	}
-
-	if value == "" {
-		return ctx, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "missing Authorization header")
-	}
-
-	return NewContextWithUUID(ctx, value), nil
-}
-
-func NewContextWithUUID(ctx context.Context, uuid string) context.Context {
-	return context.WithValue(ctx, uuidKey{}, uuid)
-}
-
-func UUIDFromContext(ctx context.Context) (string, bool) {
-	uuid, ok := ctx.Value(uuidKey{}).(string)
-	return uuid, ok
-}

pkg/types/emailtypes/template.go

@@ -18,6 +18,7 @@ var (
 var (
 	TemplateNameInvitationEmail = TemplateName{valuer.NewString("invitation")}
 	TemplateNameResetPassword   = TemplateName{valuer.NewString("reset_password")}
+	TemplateNameAPIKeyEvent     = TemplateName{valuer.NewString("api_key_event")}
 )
 
 type TemplateName struct{ valuer.String }
@@ -28,6 +29,8 @@ func NewTemplateName(name string) (TemplateName, error) {
 		return TemplateNameInvitationEmail, nil
 	case TemplateNameResetPassword.StringValue():
 		return TemplateNameResetPassword, nil
+	case TemplateNameAPIKeyEvent.StringValue():
+		return TemplateNameAPIKeyEvent, nil
 	default:
 		return TemplateName{}, errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "invalid template name: %s", name)
 	}

pkg/types/integration.go

@@ -1,4 +1,4 @@
-package integrationtypes
+package types
 
 import (
 	"database/sql/driver"
@@ -6,7 +6,6 @@ import (
 	"time"
 
 	"github.com/SigNoz/signoz/pkg/errors"
-	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/uptrace/bun"
 )
 
@@ -27,17 +26,17 @@ var AllIntegrationUserEmails = []IntegrationUserEmail{
 type InstalledIntegration struct {
 	bun.BaseModel `bun:"table:installed_integration"`
 
-	types.Identifiable
+	Identifiable
 	Type        string                     `json:"type" bun:"type,type:text,unique:org_id_type"`
 	Config      InstalledIntegrationConfig `json:"config" bun:"config,type:text"`
 	InstalledAt time.Time                  `json:"installed_at" bun:"installed_at,default:current_timestamp"`
 	OrgID       string                     `json:"org_id" bun:"org_id,type:text,unique:org_id_type,references:organizations(id),on_delete:cascade"`
 }
 
-type InstalledIntegrationConfig map[string]any
+type InstalledIntegrationConfig map[string]interface{}
 
 // For serializing from db
-func (c *InstalledIntegrationConfig) Scan(src any) error {
+func (c *InstalledIntegrationConfig) Scan(src interface{}) error {
 	var data []byte
 	switch v := src.(type) {
 	case []byte:
@@ -68,8 +67,8 @@ func (c *InstalledIntegrationConfig) Value() (driver.Value, error) {
 type CloudIntegration struct {
 	bun.BaseModel `bun:"table:cloud_integration"`
 
-	types.Identifiable
-	types.TimeAuditable
+	Identifiable
+	TimeAuditable
 	Provider        string         `json:"provider" bun:"provider,type:text,unique:provider_id"`
 	Config          *AccountConfig `json:"config" bun:"config,type:text"`
 	AccountID       *string        `json:"account_id" bun:"account_id,type:text"`
@@ -195,8 +194,8 @@ func (r *AgentReport) Value() (driver.Value, error) {
 type CloudIntegrationService struct {
 	bun.BaseModel `bun:"table:cloud_integration_service,alias:cis"`
 
-	types.Identifiable
-	types.TimeAuditable
+	Identifiable
+	TimeAuditable
 	Type               string             `bun:"type,type:text,notnull,unique:cloud_integration_id_type"`
 	Config             CloudServiceConfig `bun:"config,type:text"`
 	CloudIntegrationID string             `bun:"cloud_integration_id,type:text,notnull,unique:cloud_integration_id_type,references:cloud_integrations(id),on_delete:cascade"`

pkg/types/roletypes/store.go

@@ -12,6 +12,7 @@ type Store interface {
 	GetByOrgIDAndName(context.Context, valuer.UUID, string) (*StorableRole, error)
 	List(context.Context, valuer.UUID) ([]*StorableRole, error)
 	ListByOrgIDAndNames(context.Context, valuer.UUID, []string) ([]*StorableRole, error)
+	ListByOrgIDAndIDs(context.Context, valuer.UUID, []valuer.UUID) ([]*StorableRole, error)
 	Update(context.Context, valuer.UUID, *StorableRole) error
 	Delete(context.Context, valuer.UUID, valuer.UUID) error
 	RunInTx(context.Context, func(ctx context.Context) error) error

pkg/types/savedview.go

@@ -1,18 +1,17 @@
-package savedviewtypes
+package types
 
 import (
 	"strings"
 
-	"github.com/SigNoz/signoz/pkg/types"
 	"github.com/uptrace/bun"
 )
 
 type SavedView struct {
 	bun.BaseModel `bun:"table:saved_views"`
 
-	types.Identifiable
-	types.TimeAuditable
-	types.UserAuditable
+	Identifiable
+	TimeAuditable
+	UserAuditable
 	OrgID      string `json:"orgId" bun:"org_id,notnull"`
 	Name       string `json:"name" bun:"name,type:text,notnull"`
 	Category   string `json:"category" bun:"category,type:text,notnull"`

pkg/types/serviceaccounttypes/factor_api_key.go

@@ -0,0 +1,151 @@
+package serviceaccounttypes
+
+import (
+	"encoding/json"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/valuer"
+	"github.com/uptrace/bun"
+)
+
+var (
+	ErrCodeServiceAccountFactorAPIkeyInvalidInput  = errors.MustNewCode("service_account_factor_api_key_invalid_input")
+	ErrCodeServiceAccountFactorAPIKeyAlreadyExists = errors.MustNewCode("service_account_factor_api_key_already_exists")
+	ErrCodeServiceAccounFactorAPIKeytNotFound      = errors.MustNewCode("service_account_factor_api_key_not_found")
+)
+
+type StorableFactorAPIKey struct {
+	bun.BaseModel `bun:"table:factor_api_key"`
+
+	types.Identifiable
+	types.TimeAuditable
+	Name             string    `bun:"name"`
+	Key              string    `bun:"key"`
+	ExpiresAt        uint64    `bun:"expires_at"`
+	LastUsed         time.Time `bun:"last_used"`
+	ServiceAccountID string    `bun:"service_account_id"`
+}
+
+type FactorAPIKey struct {
+	types.Identifiable
+	types.TimeAuditable
+	Name             string      `json:"name" requrired:"true"`
+	Key              string      `json:"key" required:"true"`
+	ExpiresAt        uint64      `json:"expires_at" required:"true"`
+	LastUsed         time.Time   `json:"last_used" required:"true"`
+	ServiceAccountID valuer.UUID `json:"service_account_id" required:"true"`
+}
+
+type GettableFactorAPIKey struct {
+	types.Identifiable
+	types.TimeAuditable
+	Name             string      `json:"name" requrired:"true"`
+	ExpiresAt        uint64      `json:"expires_at" required:"true"`
+	LastUsed         time.Time   `json:"last_used" required:"true"`
+	ServiceAccountID valuer.UUID `json:"service_account_id" required:"true"`
+}
+
+type PostableFactorAPIKey struct {
+	Name      string `json:"name" required:"true"`
+	ExpiresAt uint64 `json:"expires_at" required:"true"`
+}
+
+type UpdatableFactorAPIKey struct {
+	Name      string `json:"name" required:"true"`
+	ExpiresAt uint64 `json:"expires_at" required:"true"`
+}
+
+func NewFactorAPIKeyFromStorable(storable *StorableFactorAPIKey) *FactorAPIKey {
+	return &FactorAPIKey{
+		Identifiable:     storable.Identifiable,
+		TimeAuditable:    storable.TimeAuditable,
+		Name:             storable.Name,
+		Key:              storable.Key,
+		ExpiresAt:        storable.ExpiresAt,
+		LastUsed:         storable.LastUsed,
+		ServiceAccountID: valuer.MustNewUUID(storable.ServiceAccountID),
+	}
+}
+
+func NewFactorAPIKeyFromStorables(storables []*StorableFactorAPIKey) []*FactorAPIKey {
+	factorAPIKeys := make([]*FactorAPIKey, len(storables))
+
+	for idx, storable := range storables {
+		factorAPIKeys[idx] = NewFactorAPIKeyFromStorable(storable)
+	}
+
+	return factorAPIKeys
+}
+
+func NewStorableFactorAPIKey(factorAPIKey *FactorAPIKey) *StorableFactorAPIKey {
+	return &StorableFactorAPIKey{
+		Identifiable:     factorAPIKey.Identifiable,
+		TimeAuditable:    factorAPIKey.TimeAuditable,
+		Name:             factorAPIKey.Name,
+		Key:              factorAPIKey.Key,
+		ExpiresAt:        factorAPIKey.ExpiresAt,
+		LastUsed:         factorAPIKey.LastUsed,
+		ServiceAccountID: factorAPIKey.ServiceAccountID.String(),
+	}
+}
+
+func NewGettableFactorAPIKeys(keys []*FactorAPIKey) []*GettableFactorAPIKey {
+	gettables := make([]*GettableFactorAPIKey, len(keys))
+
+	for idx, key := range keys {
+		gettables[idx] = &GettableFactorAPIKey{
+			Identifiable:     key.Identifiable,
+			TimeAuditable:    key.TimeAuditable,
+			Name:             key.Name,
+			ExpiresAt:        key.ExpiresAt,
+			LastUsed:         key.LastUsed,
+			ServiceAccountID: key.ServiceAccountID,
+		}
+	}
+
+	return gettables
+}
+
+func (apiKey *FactorAPIKey) Update(name string, expiresAt uint64) {
+	apiKey.Name = name
+	apiKey.ExpiresAt = expiresAt
+	apiKey.UpdatedAt = time.Now()
+}
+
+func (apiKey *FactorAPIKey) SetLastObservedAt(time time.Time) {
+	apiKey.LastUsed = time
+}
+
+func (key *PostableFactorAPIKey) UnmarshalJSON(data []byte) error {
+	type Alias PostableFactorAPIKey
+
+	var temp Alias
+	if err := json.Unmarshal(data, &temp); err != nil {
+		return err
+	}
+
+	if temp.Name == "" {
+		return errors.New(errors.TypeInvalidInput, ErrCodeServiceAccountFactorAPIkeyInvalidInput, "name cannot be empty")
+	}
+
+	*key = PostableFactorAPIKey(temp)
+	return nil
+}
+
+func (key *UpdatableFactorAPIKey) UnmarshalJSON(data []byte) error {
+	type Alias UpdatableFactorAPIKey
+
+	var temp Alias
+	if err := json.Unmarshal(data, &temp); err != nil {
+		return err
+	}
+
+	if temp.Name == "" {
+		return errors.New(errors.TypeInvalidInput, ErrCodeServiceAccountFactorAPIkeyInvalidInput, "name cannot be empty")
+	}
+
+	*key = UpdatableFactorAPIKey(temp)
+	return nil
+}

pkg/types/serviceaccounttypes/service_acccount.go

@@ -0,0 +1,290 @@
+package serviceaccounttypes
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"encoding/json"
+	"slices"
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/SigNoz/signoz/pkg/types/roletypes"
+	"github.com/SigNoz/signoz/pkg/valuer"
+	"github.com/uptrace/bun"
+)
+
+var (
+	ErrCodeServiceAccountInvalidInput      = errors.MustNewCode("service_account_invalid_input")
+	ErrCodeServiceAccountAlreadyExists     = errors.MustNewCode("service_account_already_exists")
+	ErrCodeServiceAccountNotFound          = errors.MustNewCode("service_account_not_found")
+	ErrCodeServiceAccountRoleAlreadyExists = errors.MustNewCode("service_account_role_already_exists")
+)
+
+var (
+	StatusActive   = valuer.NewString("active")
+	StatusDisabled = valuer.NewString("disabled")
+	ValidStatus    = []valuer.String{StatusActive, StatusDisabled}
+)
+
+type StorableServiceAccount struct {
+	bun.BaseModel `bun:"table:service_account,alias:service_account"`
+
+	types.Identifiable
+	types.TimeAuditable
+	Name   string        `bun:"name"`
+	Email  string        `bun:"email"`
+	Status valuer.String `bun:"status"`
+	OrgID  string        `bun:"org_id"`
+}
+
+type ServiceAccount struct {
+	types.Identifiable
+	types.TimeAuditable
+	Name   string        `json:"name" required:"true"`
+	Email  valuer.Email  `json:"email" required:"true"`
+	Roles  []string      `json:"roles" required:"true" nullable:"false"`
+	Status valuer.String `json:"status" required:"true"`
+	OrgID  valuer.UUID   `json:"orgID" required:"true"`
+}
+
+type ServiceAccountWithKey struct {
+	*ServiceAccount
+	*FactorAPIKey
+}
+
+type PostableServiceAccount struct {
+	Name  string       `json:"name" required:"true"`
+	Email valuer.Email `json:"email" required:"true"`
+	Roles []string     `json:"roles" required:"true" nullable:"false"`
+}
+
+type UpdatableServiceAccount struct {
+	Name  string       `json:"name" required:"true"`
+	Email valuer.Email `json:"email" required:"true"`
+	Roles []string     `json:"roles" required:"true" nullable:"false"`
+}
+
+type UpdatableServiceAccountStatus struct {
+	Status valuer.String `json:"status" required:"true"`
+}
+
+func NewServiceAccount(name string, email valuer.Email, roles []string, status valuer.String, orgID valuer.UUID) *ServiceAccount {
+	return &ServiceAccount{
+		Identifiable: types.Identifiable{
+			ID: valuer.GenerateUUID(),
+		},
+		TimeAuditable: types.TimeAuditable{
+			CreatedAt: time.Now(),
+			UpdatedAt: time.Now(),
+		},
+		Name:   name,
+		Email:  email,
+		Roles:  roles,
+		Status: status,
+		OrgID:  orgID,
+	}
+}
+
+func NewServiceAccountFromStorables(storableServiceAccount *StorableServiceAccount, roles []string) *ServiceAccount {
+	return &ServiceAccount{
+		Identifiable:  storableServiceAccount.Identifiable,
+		TimeAuditable: storableServiceAccount.TimeAuditable,
+		Name:          storableServiceAccount.Name,
+		Email:         valuer.MustNewEmail(storableServiceAccount.Email),
+		Roles:         roles,
+		Status:        storableServiceAccount.Status,
+		OrgID:         valuer.MustNewUUID(storableServiceAccount.OrgID),
+	}
+}
+
+func NewServiceAccountsFromRoles(storableServiceAccounts []*StorableServiceAccount, roles []*roletypes.Role, serviceAccountIDToRoleIDsMap map[string][]valuer.UUID) []*ServiceAccount {
+	serviceAccounts := make([]*ServiceAccount, 0, len(storableServiceAccounts))
+
+	roleIDToRole := make(map[string]*roletypes.Role, len(roles))
+	for _, role := range roles {
+		roleIDToRole[role.ID.String()] = role
+	}
+
+	for _, sa := range storableServiceAccounts {
+		roleIDs := serviceAccountIDToRoleIDsMap[sa.ID.String()]
+
+		roleNames := make([]string, len(roleIDs))
+		for idx, rid := range roleIDs {
+			if role, ok := roleIDToRole[rid.String()]; ok {
+				roleNames[idx] = role.Name
+			}
+		}
+
+		account := NewServiceAccountFromStorables(sa, roleNames)
+		serviceAccounts = append(serviceAccounts, account)
+	}
+
+	return serviceAccounts
+}
+
+func NewStorableServiceAccount(serviceAccount *ServiceAccount) *StorableServiceAccount {
+	return &StorableServiceAccount{
+		Identifiable:  serviceAccount.Identifiable,
+		TimeAuditable: serviceAccount.TimeAuditable,
+		Name:          serviceAccount.Name,
+		Email:         serviceAccount.Email.String(),
+		Status:        serviceAccount.Status,
+		OrgID:         serviceAccount.OrgID.String(),
+	}
+}
+
+func NewServiceAccountWithKey(storableServiceAccount *StorableServiceAccount, storableFactorAPIKey *StorableFactorAPIKey) *ServiceAccountWithKey {
+	return &ServiceAccountWithKey{
+		&ServiceAccount{
+			Identifiable:  storableFactorAPIKey.Identifiable,
+			TimeAuditable: storableFactorAPIKey.TimeAuditable,
+			Name:          storableFactorAPIKey.Name,
+			Email:         valuer.MustNewEmail(storableServiceAccount.Email),
+			Status:        storableServiceAccount.Status,
+			OrgID:         valuer.MustNewUUID(storableServiceAccount.OrgID),
+		},
+		&FactorAPIKey{
+			Identifiable:     storableFactorAPIKey.Identifiable,
+			TimeAuditable:    storableFactorAPIKey.TimeAuditable,
+			Name:             storableFactorAPIKey.Name,
+			Key:              storableFactorAPIKey.Key,
+			ExpiresAt:        storableFactorAPIKey.ExpiresAt,
+			LastUsed:         storableFactorAPIKey.LastUsed,
+			ServiceAccountID: valuer.MustNewUUID(storableFactorAPIKey.ServiceAccountID),
+		},
+	}
+}
+
+func (sa *ServiceAccount) Update(name string, email valuer.Email, roles []string) {
+	sa.Name = name
+	sa.Email = email
+	sa.Roles = roles
+	sa.UpdatedAt = time.Now()
+}
+
+func (sa *ServiceAccount) UpdateStatus(status valuer.String) {
+	sa.Status = status
+	sa.UpdatedAt = time.Now()
+}
+
+func (sa *ServiceAccount) NewFactorAPIKey(name string, expiresAt uint64) (*FactorAPIKey, error) {
+	key := make([]byte, 32)
+	_, err := rand.Read(key)
+	if err != nil {
+		return nil, errors.New(errors.TypeInternal, errors.CodeInternal, "failed to generate token")
+	}
+	// Encode the token in base64.
+	encodedKey := base64.StdEncoding.EncodeToString(key)
+
+	return &FactorAPIKey{
+		Identifiable: types.Identifiable{
+			ID: valuer.GenerateUUID(),
+		},
+		TimeAuditable: types.TimeAuditable{
+			CreatedAt: time.Now(),
+			UpdatedAt: time.Now(),
+		},
+		Name:             name,
+		Key:              encodedKey,
+		ExpiresAt:        expiresAt,
+		LastUsed:         time.Now(),
+		ServiceAccountID: sa.ID,
+	}, nil
+}
+
+func (sa *ServiceAccount) PatchRoles(input *ServiceAccount) ([]string, []string) {
+	currentRolesSet := make(map[string]struct{}, len(sa.Roles))
+	inputRolesSet := make(map[string]struct{}, len(input.Roles))
+
+	for _, role := range sa.Roles {
+		currentRolesSet[role] = struct{}{}
+	}
+	for _, role := range input.Roles {
+		inputRolesSet[role] = struct{}{}
+	}
+
+	// additions: roles present in input but not in current
+	additions := []string{}
+	for _, role := range input.Roles {
+		if _, exists := currentRolesSet[role]; !exists {
+			additions = append(additions, role)
+		}
+	}
+
+	// deletions: roles present in current but not in input
+	deletions := []string{}
+	for _, role := range sa.Roles {
+		if _, exists := inputRolesSet[role]; !exists {
+			deletions = append(deletions, role)
+		}
+	}
+
+	return additions, deletions
+}
+
+func (sa *PostableServiceAccount) UnmarshalJSON(data []byte) error {
+	type Alias PostableServiceAccount
+
+	var temp Alias
+	if err := json.Unmarshal(data, &temp); err != nil {
+		return err
+	}
+
+	if temp.Name == "" {
+		return errors.New(errors.TypeInvalidInput, ErrCodeServiceAccountInvalidInput, "name cannot be empty")
+	}
+
+	if len(temp.Roles) == 0 {
+		return errors.New(errors.TypeInvalidInput, ErrCodeServiceAccountInvalidInput, "roles cannot be empty")
+	}
+
+	*sa = PostableServiceAccount(temp)
+	return nil
+}
+
+func (sa *UpdatableServiceAccount) UnmarshalJSON(data []byte) error {
+	type Alias UpdatableServiceAccount
+
+	var temp Alias
+	if err := json.Unmarshal(data, &temp); err != nil {
+		return err
+	}
+
+	if temp.Name == "" {
+		return errors.New(errors.TypeInvalidInput, ErrCodeServiceAccountInvalidInput, "name cannot be empty")
+	}
+
+	if len(temp.Roles) == 0 {
+		return errors.New(errors.TypeInvalidInput, ErrCodeServiceAccountInvalidInput, "roles cannot be empty")
+	}
+
+	*sa = UpdatableServiceAccount(temp)
+	return nil
+}
+
+func (sa *UpdatableServiceAccountStatus) UnmarshalJSON(data []byte) error {
+	type Alias UpdatableServiceAccountStatus
+
+	var temp Alias
+	if err := json.Unmarshal(data, &temp); err != nil {
+		return err
+	}
+
+	if !slices.Contains(ValidStatus, temp.Status) {
+		return errors.Newf(errors.TypeInvalidInput, ErrCodeServiceAccountInvalidInput, "invalid status: %s, allowed status are: %v", temp.Status, ValidStatus)
+	}
+
+	*sa = UpdatableServiceAccountStatus(temp)
+	return nil
+}
+
+func (sa *ServiceAccountWithKey) ToClaims() authtypes.Claims {
+	return authtypes.Claims{
+		ServiceAccountID: sa.ServiceAccount.ID.String(),
+		Principal:        authtypes.PrincipalServiceAccount.String(),
+		OrgID:            sa.ServiceAccount.OrgID.String(),
+		Email:            sa.Email.String(),
+	}
+}

pkg/types/serviceaccounttypes/service_account_role.go

@@ -0,0 +1,81 @@
+package serviceaccounttypes
+
+import (
+	"time"
+
+	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/types/roletypes"
+	"github.com/SigNoz/signoz/pkg/valuer"
+	"github.com/uptrace/bun"
+)
+
+type StorableServiceAccountRole struct {
+	bun.BaseModel `bun:"table:service_account_role,alias:service_account_role"`
+
+	types.Identifiable
+	types.TimeAuditable
+	ServiceAccountID string `bun:"service_account_id"`
+	RoleID           string `bun:"role_id"`
+}
+
+func NewStorableServiceAccountRoles(serviceAccountID valuer.UUID, roles []*roletypes.Role) []*StorableServiceAccountRole {
+	storableServiceAccountRoles := make([]*StorableServiceAccountRole, len(roles))
+	for idx, role := range roles {
+		storableServiceAccountRoles[idx] = &StorableServiceAccountRole{
+			Identifiable: types.Identifiable{
+				ID: valuer.GenerateUUID(),
+			},
+			TimeAuditable: types.TimeAuditable{
+				CreatedAt: time.Now(),
+				UpdatedAt: time.Now(),
+			},
+			ServiceAccountID: serviceAccountID.String(),
+			RoleID:           role.ID.String(),
+		}
+	}
+
+	return storableServiceAccountRoles
+}
+
+func NewRolesFromStorableServiceAccountRoles(storable []*StorableServiceAccountRole, roles []*roletypes.Role) ([]string, error) {
+	roleIDToName := make(map[string]string, len(roles))
+	for _, role := range roles {
+		roleIDToName[role.ID.String()] = role.Name
+	}
+
+	names := make([]string, 0, len(storable))
+	for _, sar := range storable {
+		roleName, ok := roleIDToName[sar.RoleID]
+		if !ok {
+			return nil, errors.Newf(errors.TypeInternal, errors.CodeInternal, "role id %s not found in provided roles", sar.RoleID)
+		}
+		names = append(names, roleName)
+	}
+
+	return names, nil
+}
+
+func GetUniqueRolesAndServiceAccountMapping(storableServiceAccountRoles []*StorableServiceAccountRole) (map[string][]valuer.UUID, []valuer.UUID) {
+	serviceAccountIDRoles := make(map[string][]valuer.UUID)
+	uniqueRoleIDSet := make(map[string]struct{})
+
+	for _, sar := range storableServiceAccountRoles {
+		saID := sar.ServiceAccountID
+		roleID := sar.RoleID
+		if _, ok := serviceAccountIDRoles[saID]; !ok {
+			serviceAccountIDRoles[saID] = make([]valuer.UUID, 0)
+		}
+
+		roleUUID := valuer.MustNewUUID(roleID)
+		serviceAccountIDRoles[saID] = append(serviceAccountIDRoles[saID], roleUUID)
+		uniqueRoleIDSet[roleID] = struct{}{}
+	}
+
+	roleIDs := make([]valuer.UUID, 0, len(uniqueRoleIDSet))
+	for rid := range uniqueRoleIDSet {
+		roleIDs = append(roleIDs, valuer.MustNewUUID(rid))
+	}
+
+	return serviceAccountIDRoles, roleIDs
+}

pkg/types/serviceaccounttypes/store.go

@@ -0,0 +1,34 @@
+package serviceaccounttypes
+
+import (
+	"context"
+
+	"github.com/SigNoz/signoz/pkg/valuer"
+)
+
+type Store interface {
+	// Service Account
+	Create(context.Context, *StorableServiceAccount) error
+	Get(context.Context, valuer.UUID, valuer.UUID) (*StorableServiceAccount, error)
+	GetByID(context.Context, valuer.UUID) (*StorableServiceAccount, error)
+	List(context.Context, valuer.UUID) ([]*StorableServiceAccount, error)
+	Update(context.Context, valuer.UUID, *StorableServiceAccount) error
+	Delete(context.Context, valuer.UUID, valuer.UUID) error
+
+	// Service Account Role
+	CreateServiceAccountRoles(context.Context, []*StorableServiceAccountRole) error
+	GetServiceAccountRoles(context.Context, valuer.UUID) ([]*StorableServiceAccountRole, error)
+	ListServiceAccountRolesByOrgID(context.Context, valuer.UUID) ([]*StorableServiceAccountRole, error)
+	DeleteServiceAccountRoles(context.Context, valuer.UUID) error
+
+	// Service Account Factor API Key
+	CreateFactorAPIKey(context.Context, *StorableFactorAPIKey) error
+	GetFactorAPIKey(context.Context, valuer.UUID, valuer.UUID) (*StorableFactorAPIKey, error)
+	GetFactorAPIKeyByKey(context.Context, string) (*StorableFactorAPIKey, error)
+	ListFactorAPIKey(context.Context, valuer.UUID) ([]*StorableFactorAPIKey, error)
+	UpdateFactorAPIKey(context.Context, valuer.UUID, *StorableFactorAPIKey) error
+	RevokeFactorAPIKey(context.Context, valuer.UUID, valuer.UUID) error
+	RevokeAllFactorAPIKeys(context.Context, valuer.UUID) error
+
+	RunInTx(context.Context, func(context.Context) error) error
+}

templates/email/api_key_event.gotmpl

@@ -0,0 +1,88 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <meta http-equiv="X-UA-Compatible" content="IE=edge">
+  <title>{{.subject}}</title>
+</head>
+
+<body style="margin:0;padding:0;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,'Helvetica Neue',Arial,sans-serif;line-height:1.6;color:#333;background:#fff">
+  <table role="presentation" width="100%" cellspacing="0" cellpadding="0" border="0" style="background:#fff">
+    <tr>
+      <td align="center" style="padding:0">
+        <table role="presentation" width="600" cellspacing="0" cellpadding="0" border="0" style="max-width:600px;width:100%">
+          {{ if .format.Header.Enabled }}
+          <tr>
+            <td align="center" style="padding:16px 20px 16px">
+              <img src="{{.format.Header.LogoURL}}" alt="SigNoz" width="160" height="40" style="display:block;border:0;outline:none;max-width:100%;height:auto">
+            </td>
+          </tr>
+          {{ end }}
+          <tr>
+            <td style="padding:16px 20px 16px">
+              <p style="margin:0 0 16px;font-size:16px;color:#333">
+                Hi there,
+              </p>
+              <p style="margin:0 0 16px;font-size:16px;color:#333;line-height:1.6">
+                An API key was {{.Event}} for your service account <strong>{{.Name}}</strong>.
+              </p>
+              <table role="presentation" width="100%" cellspacing="0" cellpadding="0" border="0" style="margin:0 0 16px">
+                <tr>
+                  <td style="padding:20px;background:#f5f5f5;border-radius:6px;border-left:4px solid #4E74F8">
+                    <table role="presentation" width="100%" cellspacing="0" cellpadding="0" border="0">
+                      <tr>
+                        <td style="padding:0 0 8px">
+                          <p style="margin:0;font-size:15px;color:#333;line-height:1.6">
+                            <strong>Key ID:</strong> {{.KeyID}}
+                          </p>
+                        </td>
+                      </tr>
+                      <tr>
+                        <td style="padding:0 0 8px">
+                          <p style="margin:0;font-size:15px;color:#333;line-height:1.6">
+                            <strong>Key Name:</strong> {{.KeyName}}
+                          </p>
+                        </td>
+                      </tr>
+                      <tr>
+                        <td style="padding:0 0 8px">
+                          <p style="margin:0;font-size:15px;color:#333;line-height:1.6">
+                            <strong>Created At:</strong> {{.KeyCreatedAt}}
+                          </p>
+                        </td>
+                      </tr>
+                    </table>
+                  </td>
+                </tr>
+              </table>
+              {{ if .format.Help.Enabled }}
+              <p style="margin:0 0 16px;font-size:16px;color:#333;line-height:1.6">
+                Need help? Chat with our team in the SigNoz application or email us at <a href="mailto:{{.format.Help.Email}}" style="color:#4E74F8;text-decoration:none">{{.format.Help.Email}}</a>.
+              </p>
+              {{ end }}
+              <p style="margin:0;font-size:16px;color:#333;line-height:1.6">
+                Thanks,<br><strong>The SigNoz Team</strong>
+              </p>
+            </td>
+          </tr>
+          {{ if .format.Footer.Enabled }}
+          <tr>
+            <td align="center" style="padding:8px 16px 8px">
+              <p style="margin:0 0 8px;font-size:12px;color:#999;line-height:1.5">
+                <a href="https://signoz.io/terms-of-service/" style="color:#4E74F8;text-decoration:none">Terms of Service</a> - <a href="https://signoz.io/privacy/" style="color:#4E74F8;text-decoration:none">Privacy Policy</a>
+              </p>
+              <p style="margin:0;font-size:12px;color:#999;line-height:1.5">
+                &#169; 2026 SigNoz Inc.
+              </p>
+            </td>
+          </tr>
+          {{ end }}
+        </table>
+      </td>
+    </tr>
+  </table>
+</body>
+
+</html>