fix: issues after rebasing from main

fix: sti
fix: openapi specs
2026-03-20 19:50:26 +00:00 · 2026-03-19 17:12:38 +05:30 · 2026-03-19 16:20:23 +05:30 · 2026-03-19 16:20:23 +05:30 · 2026-03-19 16:20:23 +05:30 · 2026-03-19 16:20:23 +05:30
159 changed files with 6013 additions and 1037 deletions
--- a/.github/workflows/integrationci.yaml
+++ b/.github/workflows/integrationci.yaml
@@ -49,6 +49,7 @@ jobs:
          - ttl
          - alerts
          - ingestionkeys
+          - rootuser
        sqlstore-provider:
          - postgres
          - sqlite
--- a/conf/example.yaml
+++ b/conf/example.yaml
@@ -328,15 +328,18 @@ user:
 ##################### IdentN #####################
 identn:
  tokenizer:
-    # toggle the identN resolver
+    # toggle tokenizer identN
    enabled: true
    # headers to use for tokenizer identN resolver
    headers:
      - Authorization
      - Sec-WebSocket-Protocol
  apikey:
-    # toggle the identN resolver
+    # toggle apikey identN
    enabled: true
    # headers to use for apikey identN resolver
    headers:
      - SIGNOZ-API-KEY
+  impersonation:
+    # toggle impersonation identN, when enabled, all requests will impersonate the root user
+    enabled: false
--- a/docs/api/openapi.yml
+++ b/docs/api/openapi.yml
@@ -598,6 +598,39 @@ components:
      required:
      - config
      type: object
+    GlobaltypesAPIKeyConfig:
+      properties:
+        enabled:
+          type: boolean
+      type: object
+    GlobaltypesConfig:
+      properties:
+        external_url:
+          type: string
+        identN:
+          $ref: '#/components/schemas/GlobaltypesIdentNConfig'
+        ingestion_url:
+          type: string
+      type: object
+    GlobaltypesIdentNConfig:
+      properties:
+        apikey:
+          $ref: '#/components/schemas/GlobaltypesAPIKeyConfig'
+        impersonation:
+          $ref: '#/components/schemas/GlobaltypesImpersonationConfig'
+        tokenizer:
+          $ref: '#/components/schemas/GlobaltypesTokenizerConfig'
+      type: object
+    GlobaltypesImpersonationConfig:
+      properties:
+        enabled:
+          type: boolean
+      type: object
+    GlobaltypesTokenizerConfig:
+      properties:
+        enabled:
+          type: boolean
+      type: object
    MetricsexplorertypesListMetric:
      properties:
        description:
@@ -2030,13 +2063,6 @@ components:
      required:
      - id
      type: object
-    TypesGettableGlobalConfig:
-      properties:
-        external_url:
-          type: string
-        ingestion_url:
-          type: string
-      type: object
    TypesIdentifiable:
      properties:
        id:
@@ -2061,6 +2087,11 @@ components:
          type: string
        role:
          type: string
+        roles:
+          items:
+            type: string
+          nullable: true
+          type: array
        token:
          type: string
        updatedAt:
@@ -2101,6 +2132,17 @@ components:
        role:
          type: string
      type: object
+    TypesPostableAcceptInvite:
+      properties:
+        displayName:
+          type: string
+        password:
+          type: string
+        sourceUrl:
+          type: string
+        token:
+          type: string
+      type: object
    TypesPostableBulkInviteRequest:
      properties:
        invites:
@@ -2132,6 +2174,11 @@ components:
          type: string
        role:
          type: string
+        roles:
+          items:
+            type: string
+          nullable: true
+          type: array
      type: object
    TypesPostableResetPassword:
      properties:
@@ -2198,6 +2245,11 @@ components:
          type: string
        role:
          type: string
+        roles:
+          items:
+            type: string
+          nullable: true
+          type: array
        status:
          type: string
        updatedAt:
@@ -3244,7 +3296,38 @@ paths:
              schema:
                properties:
                  data:
-                    $ref: '#/components/schemas/TypesGettableGlobalConfig'
+                    $ref: '#/components/schemas/GlobaltypesConfig'
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: OK
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      summary: Get global config
+      tags:
+      - global
+  /api/v1/invite:
+    get:
+      deprecated: false
+      description: This endpoint lists all invites
+      operationId: ListInvite
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    items:
+                      $ref: '#/components/schemas/TypesInvite'
+                    type: array
                  status:
                    type: string
                required:
@@ -3272,13 +3355,12 @@ paths:
          description: Internal Server Error
      security:
      - api_key:
-        - EDITOR
+        - ADMIN
      - tokenizer:
-        - EDITOR
-      summary: Get global config
+        - ADMIN
+      summary: List invites
      tags:
-      - global
-  /api/v1/invite:
+      - users
    post:
      deprecated: false
      description: This endpoint creates an invite for a user
@@ -3341,6 +3423,151 @@ paths:
      summary: Create invite
      tags:
      - users
+  /api/v1/invite/{id}:
+    delete:
+      deprecated: false
+      description: This endpoint deletes an invite by id
+      operationId: DeleteInvite
+      parameters:
+      - in: path
+        name: id
+        required: true
+        schema:
+          type: string
+      responses:
+        "204":
+          description: No Content
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
+        "401":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Unauthorized
+        "403":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Forbidden
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      security:
+      - api_key:
+        - ADMIN
+      - tokenizer:
+        - ADMIN
+      summary: Delete invite
+      tags:
+      - users
+  /api/v1/invite/{token}:
+    get:
+      deprecated: false
+      description: This endpoint gets an invite by token
+      operationId: GetInvite
+      parameters:
+      - in: path
+        name: token
+        required: true
+        schema:
+          type: string
+      responses:
+        "200":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    $ref: '#/components/schemas/TypesInvite'
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: OK
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      summary: Get invite
+      tags:
+      - users
+  /api/v1/invite/accept:
+    post:
+      deprecated: false
+      description: This endpoint accepts an invite by token
+      operationId: AcceptInvite
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/TypesPostableAcceptInvite'
+      responses:
+        "201":
+          content:
+            application/json:
+              schema:
+                properties:
+                  data:
+                    $ref: '#/components/schemas/TypesUser'
+                  status:
+                    type: string
+                required:
+                - status
+                - data
+                type: object
+          description: Created
+        "400":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Bad Request
+        "404":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Not Found
+        "500":
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/RenderErrorResponse'
+          description: Internal Server Error
+      summary: Accept invite
+      tags:
+      - users
  /api/v1/invite/bulk:
    post:
      deprecated: false
@@ -5611,9 +5838,9 @@ paths:
          description: Internal Server Error
      security:
      - api_key:
-        - ADMIN
+        - EDITOR
      - tokenizer:
-        - ADMIN
+        - EDITOR
      summary: Get ingestion keys for workspace
      tags:
      - gateway
@@ -5661,9 +5888,9 @@ paths:
          description: Internal Server Error
      security:
      - api_key:
-        - ADMIN
+        - EDITOR
      - tokenizer:
-        - ADMIN
+        - EDITOR
      summary: Create ingestion key for workspace
      tags:
      - gateway
@@ -5701,9 +5928,9 @@ paths:
          description: Internal Server Error
      security:
      - api_key:
-        - ADMIN
+        - EDITOR
      - tokenizer:
-        - ADMIN
+        - EDITOR
      summary: Delete ingestion key for workspace
      tags:
      - gateway
@@ -5745,9 +5972,9 @@ paths:
          description: Internal Server Error
      security:
      - api_key:
-        - ADMIN
+        - EDITOR
      - tokenizer:
-        - ADMIN
+        - EDITOR
      summary: Update ingestion key for workspace
      tags:
      - gateway
@@ -5802,9 +6029,9 @@ paths:
          description: Internal Server Error
      security:
      - api_key:
-        - ADMIN
+        - EDITOR
      - tokenizer:
-        - ADMIN
+        - EDITOR
      summary: Create limit for the ingestion key
      tags:
      - gateway
@@ -5842,9 +6069,9 @@ paths:
          description: Internal Server Error
      security:
      - api_key:
-        - ADMIN
+        - EDITOR
      - tokenizer:
-        - ADMIN
+        - EDITOR
      summary: Delete limit for the ingestion key
      tags:
      - gateway
@@ -5886,9 +6113,9 @@ paths:
          description: Internal Server Error
      security:
      - api_key:
-        - ADMIN
+        - EDITOR
      - tokenizer:
-        - ADMIN
+        - EDITOR
      summary: Update limit for the ingestion key
      tags:
      - gateway
@@ -5946,9 +6173,9 @@ paths:
          description: Internal Server Error
      security:
      - api_key:
-        - ADMIN
+        - EDITOR
      - tokenizer:
-        - ADMIN
+        - EDITOR
      summary: Search ingestion keys for workspace
      tags:
      - gateway
--- a/ee/licensing/httplicensing/provider.go
+++ b/ee/licensing/httplicensing/provider.go
@@ -198,7 +198,10 @@ func (provider *provider) Checkout(ctx context.Context, organizationID valuer.UU

 	response, err := provider.zeus.GetCheckoutURL(ctx, activeLicense.Key, body)
 	if err != nil {
-		return nil, errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to generate checkout session")
+		if errors.Ast(err, errors.TypeAlreadyExists) {
+			return nil, errors.WithAdditionalf(err, "checkout has already been completed for this account. Please click 'Refresh Status' to sync your subscription")
+		}
+		return nil, err
 	}

 	return &licensetypes.GettableSubscription{RedirectURL: gjson.GetBytes(response, "url").String()}, nil
@@ -217,7 +220,7 @@ func (provider *provider) Portal(ctx context.Context, organizationID valuer.UUID

 	response, err := provider.zeus.GetPortalURL(ctx, activeLicense.Key, body)
 	if err != nil {
-		return nil, errors.Wrapf(err, errors.TypeInternal, errors.CodeInternal, "failed to generate portal session")
+		return nil, err
 	}

 	return &licensetypes.GettableSubscription{RedirectURL: gjson.GetBytes(response, "url").String()}, nil
--- a/ee/query-service/app/api/cloudIntegrations.go
+++ b/ee/query-service/app/api/cloudIntegrations.go
@@ -10,6 +10,8 @@ import (
 	"strings"
 	"time"

+	"log/slog"
+
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/http/render"
 	"github.com/SigNoz/signoz/pkg/modules/user"
@@ -18,7 +20,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 	"github.com/gorilla/mux"
-	"log/slog"
 )

 type CloudIntegrationConnectionParamsResponse struct {
@@ -169,7 +170,7 @@ func (ah *APIHandler) getOrCreateCloudIntegrationUser(
 	cloudIntegrationUserName := fmt.Sprintf("%s-integration", cloudProvider)
 	email := valuer.MustNewEmail(fmt.Sprintf("%s@signoz.io", cloudIntegrationUserName))

-	cloudIntegrationUser, err := types.NewUser(cloudIntegrationUserName, email, types.RoleViewer, valuer.MustNewUUID(orgId), types.UserStatusActive)
+	cloudIntegrationUser, err := types.NewUser(cloudIntegrationUserName, email, types.RoleViewer, []string{authtypes.SigNozViewerRoleName}, valuer.MustNewUUID(orgId), types.UserStatusActive)
 	if err != nil {
 		return nil, basemodel.InternalError(fmt.Errorf("couldn't create cloud integration user: %w", err))
 	}
--- a/ee/sqlstore/postgressqlstore/provider.go
+++ b/ee/sqlstore/postgressqlstore/provider.go
@@ -101,7 +101,7 @@ func (provider *provider) WrapNotFoundErrf(err error, code errors.Code, format s

 func (provider *provider) WrapAlreadyExistsErrf(err error, code errors.Code, format string, args ...any) error {
 	var pgErr *pgconn.PgError
-	if errors.As(err, &pgErr) && pgErr.Code == "23505" {
+	if errors.As(err, &pgErr) && (pgErr.Code == "23505" || pgErr.Code == "23503") {
 		return errors.Wrapf(err, errors.TypeAlreadyExists, code, format, args...)
 	}

--- a/frontend/.eslintrc.cjs
+++ b/frontend/.eslintrc.cjs
@@ -193,6 +193,16 @@ module.exports = {
 				],
 			},
 		],
+		'no-restricted-syntax': [
+			'error',
+			{
+				selector:
+					// TODO: Make this generic on removal of redux
+					"CallExpression[callee.property.name='getState'][callee.object.name=/^use/]",
+				message:
+					'Avoid calling .getState() directly. Export a standalone action from the store instead.',
+			},
+		],
 	},
 	overrides: [
 		{
@@ -217,5 +227,13 @@ module.exports = {
 				'@typescript-eslint/no-unused-vars': 'warn',
 			},
 		},
+		{
+			// Store definition files are the only place .getState() is permitted —
+			// they are the canonical source for standalone action exports.
+			files: ['**/*Store.{ts,tsx}'],
+			rules: {
+				'no-restricted-syntax': 'off',
+			},
+		},
 	],
 };
--- a/frontend/src/api/generated/services/sigNoz.schemas.ts
+++ b/frontend/src/api/generated/services/sigNoz.schemas.ts
@@ -776,6 +776,45 @@ export interface GatewaytypesUpdatableIngestionKeyLimitDTO {
 	tags?: string[] | null;
 }

+export interface GlobaltypesAPIKeyConfigDTO {
+	/**
+	 * @type boolean
+	 */
+	enabled?: boolean;
+}
+
+export interface GlobaltypesConfigDTO {
+	/**
+	 * @type string
+	 */
+	external_url?: string;
+	identN?: GlobaltypesIdentNConfigDTO;
+	/**
+	 * @type string
+	 */
+	ingestion_url?: string;
+}
+
+export interface GlobaltypesIdentNConfigDTO {
+	apikey?: GlobaltypesAPIKeyConfigDTO;
+	impersonation?: GlobaltypesImpersonationConfigDTO;
+	tokenizer?: GlobaltypesTokenizerConfigDTO;
+}
+
+export interface GlobaltypesImpersonationConfigDTO {
+	/**
+	 * @type boolean
+	 */
+	enabled?: boolean;
+}
+
+export interface GlobaltypesTokenizerConfigDTO {
+	/**
+	 * @type boolean
+	 */
+	enabled?: boolean;
+}
+
 export interface MetricsexplorertypesListMetricDTO {
 	/**
 	 * @type string
@@ -2402,17 +2441,6 @@ export interface TypesGettableAPIKeyDTO {
 	userId?: string;
 }

-export interface TypesGettableGlobalConfigDTO {
-	/**
-	 * @type string
-	 */
-	external_url?: string;
-	/**
-	 * @type string
-	 */
-	ingestion_url?: string;
-}
-
 export interface TypesIdentifiableDTO {
 	/**
 	 * @type string
@@ -2450,6 +2478,11 @@ export interface TypesInviteDTO {
 	 * @type string
 	 */
 	role?: string;
+	/**
+	 * @type array
+	 * @nullable true
+	 */
+	roles?: string[] | null;
 	/**
 	 * @type string
 	 */
@@ -2511,6 +2544,25 @@ export interface TypesPostableAPIKeyDTO {
 	role?: string;
 }

+export interface TypesPostableAcceptInviteDTO {
+	/**
+	 * @type string
+	 */
+	displayName?: string;
+	/**
+	 * @type string
+	 */
+	password?: string;
+	/**
+	 * @type string
+	 */
+	sourceUrl?: string;
+	/**
+	 * @type string
+	 */
+	token?: string;
+}
+
 export interface TypesPostableBulkInviteRequestDTO {
 	/**
 	 * @type array
@@ -2550,6 +2602,11 @@ export interface TypesPostableInviteDTO {
 	 * @type string
 	 */
 	role?: string;
+	/**
+	 * @type array
+	 * @nullable true
+	 */
+	roles?: string[] | null;
 }

 export interface TypesPostableResetPasswordDTO {
@@ -2658,6 +2715,11 @@ export interface TypesUserDTO {
 	 * @type string
 	 */
 	role?: string;
+	/**
+	 * @type array
+	 * @nullable true
+	 */
+	roles?: string[] | null;
 	/**
 	 * @type string
 	 */
@@ -3007,7 +3069,18 @@ export type GetResetPasswordToken200 = {
 };

 export type GetGlobalConfig200 = {
-	data: TypesGettableGlobalConfigDTO;
+	data: GlobaltypesConfigDTO;
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
+export type ListInvite200 = {
+	/**
+	 * @type array
+	 */
+	data: TypesInviteDTO[];
 	/**
 	 * @type string
 	 */
@@ -3022,6 +3095,28 @@ export type CreateInvite201 = {
 	status: string;
 };

+export type DeleteInvitePathParameters = {
+	id: string;
+};
+export type GetInvitePathParameters = {
+	token: string;
+};
+export type GetInvite200 = {
+	data: TypesInviteDTO;
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
+export type AcceptInvite201 = {
+	data: TypesUserDTO;
+	/**
+	 * @type string
+	 */
+	status: string;
+};
+
 export type ListPromotedAndIndexedPaths200 = {
 	/**
 	 * @type array
--- a/frontend/src/api/generated/services/users/index.ts
+++ b/frontend/src/api/generated/services/users/index.ts
@@ -20,20 +20,26 @@ import { useMutation, useQuery } from 'react-query';
 import type { BodyType, ErrorType } from '../../../generatedAPIInstance';
 import { GeneratedAPIInstance } from '../../../generatedAPIInstance';
 import type {
+	AcceptInvite201,
 	ChangePasswordPathParameters,
 	CreateAPIKey201,
 	CreateInvite201,
+	DeleteInvitePathParameters,
 	DeleteUserPathParameters,
+	GetInvite200,
+	GetInvitePathParameters,
 	GetMyUser200,
 	GetResetPasswordToken200,
 	GetResetPasswordTokenPathParameters,
 	GetUser200,
 	GetUserPathParameters,
 	ListAPIKeys200,
+	ListInvite200,
 	ListUsers200,
 	RenderErrorResponseDTO,
 	RevokeAPIKeyPathParameters,
 	TypesChangePasswordRequestDTO,
+	TypesPostableAcceptInviteDTO,
 	TypesPostableAPIKeyDTO,
 	TypesPostableBulkInviteRequestDTO,
 	TypesPostableForgotPasswordDTO,
@@ -249,6 +255,84 @@ export const invalidateGetResetPasswordToken = async (
 	return queryClient;
 };

+/**
+ * This endpoint lists all invites
+ * @summary List invites
+ */
+export const listInvite = (signal?: AbortSignal) => {
+	return GeneratedAPIInstance<ListInvite200>({
+		url: `/api/v1/invite`,
+		method: 'GET',
+		signal,
+	});
+};
+
+export const getListInviteQueryKey = () => {
+	return [`/api/v1/invite`] as const;
+};
+
+export const getListInviteQueryOptions = <
+	TData = Awaited<ReturnType<typeof listInvite>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(options?: {
+	query?: UseQueryOptions<Awaited<ReturnType<typeof listInvite>>, TError, TData>;
+}) => {
+	const { query: queryOptions } = options ?? {};
+
+	const queryKey = queryOptions?.queryKey ?? getListInviteQueryKey();
+
+	const queryFn: QueryFunction<Awaited<ReturnType<typeof listInvite>>> = ({
+		signal,
+	}) => listInvite(signal);
+
+	return { queryKey, queryFn, ...queryOptions } as UseQueryOptions<
+		Awaited<ReturnType<typeof listInvite>>,
+		TError,
+		TData
+	> & { queryKey: QueryKey };
+};
+
+export type ListInviteQueryResult = NonNullable<
+	Awaited<ReturnType<typeof listInvite>>
+>;
+export type ListInviteQueryError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary List invites
+ */
+
+export function useListInvite<
+	TData = Awaited<ReturnType<typeof listInvite>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(options?: {
+	query?: UseQueryOptions<Awaited<ReturnType<typeof listInvite>>, TError, TData>;
+}): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
+	const queryOptions = getListInviteQueryOptions(options);
+
+	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
+		queryKey: QueryKey;
+	};
+
+	query.queryKey = queryOptions.queryKey;
+
+	return query;
+}
+
+/**
+ * @summary List invites
+ */
+export const invalidateListInvite = async (
+	queryClient: QueryClient,
+	options?: InvalidateOptions,
+): Promise<QueryClient> => {
+	await queryClient.invalidateQueries(
+		{ queryKey: getListInviteQueryKey() },
+		options,
+	);
+
+	return queryClient;
+};
+
 /**
 * This endpoint creates an invite for a user
 * @summary Create invite
@@ -332,6 +416,257 @@ export const useCreateInvite = <

 	return useMutation(mutationOptions);
 };
+/**
+ * This endpoint deletes an invite by id
+ * @summary Delete invite
+ */
+export const deleteInvite = ({ id }: DeleteInvitePathParameters) => {
+	return GeneratedAPIInstance<void>({
+		url: `/api/v1/invite/${id}`,
+		method: 'DELETE',
+	});
+};
+
+export const getDeleteInviteMutationOptions = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof deleteInvite>>,
+		TError,
+		{ pathParams: DeleteInvitePathParameters },
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof deleteInvite>>,
+	TError,
+	{ pathParams: DeleteInvitePathParameters },
+	TContext
+> => {
+	const mutationKey = ['deleteInvite'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+		  'mutationKey' in options.mutation &&
+		  options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof deleteInvite>>,
+		{ pathParams: DeleteInvitePathParameters }
+	> = (props) => {
+		const { pathParams } = props ?? {};
+
+		return deleteInvite(pathParams);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type DeleteInviteMutationResult = NonNullable<
+	Awaited<ReturnType<typeof deleteInvite>>
+>;
+
+export type DeleteInviteMutationError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Delete invite
+ */
+export const useDeleteInvite = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof deleteInvite>>,
+		TError,
+		{ pathParams: DeleteInvitePathParameters },
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof deleteInvite>>,
+	TError,
+	{ pathParams: DeleteInvitePathParameters },
+	TContext
+> => {
+	const mutationOptions = getDeleteInviteMutationOptions(options);
+
+	return useMutation(mutationOptions);
+};
+/**
+ * This endpoint gets an invite by token
+ * @summary Get invite
+ */
+export const getInvite = (
+	{ token }: GetInvitePathParameters,
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<GetInvite200>({
+		url: `/api/v1/invite/${token}`,
+		method: 'GET',
+		signal,
+	});
+};
+
+export const getGetInviteQueryKey = ({ token }: GetInvitePathParameters) => {
+	return [`/api/v1/invite/${token}`] as const;
+};
+
+export const getGetInviteQueryOptions = <
+	TData = Awaited<ReturnType<typeof getInvite>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(
+	{ token }: GetInvitePathParameters,
+	options?: {
+		query?: UseQueryOptions<Awaited<ReturnType<typeof getInvite>>, TError, TData>;
+	},
+) => {
+	const { query: queryOptions } = options ?? {};
+
+	const queryKey = queryOptions?.queryKey ?? getGetInviteQueryKey({ token });
+
+	const queryFn: QueryFunction<Awaited<ReturnType<typeof getInvite>>> = ({
+		signal,
+	}) => getInvite({ token }, signal);
+
+	return {
+		queryKey,
+		queryFn,
+		enabled: !!token,
+		...queryOptions,
+	} as UseQueryOptions<Awaited<ReturnType<typeof getInvite>>, TError, TData> & {
+		queryKey: QueryKey;
+	};
+};
+
+export type GetInviteQueryResult = NonNullable<
+	Awaited<ReturnType<typeof getInvite>>
+>;
+export type GetInviteQueryError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Get invite
+ */
+
+export function useGetInvite<
+	TData = Awaited<ReturnType<typeof getInvite>>,
+	TError = ErrorType<RenderErrorResponseDTO>
+>(
+	{ token }: GetInvitePathParameters,
+	options?: {
+		query?: UseQueryOptions<Awaited<ReturnType<typeof getInvite>>, TError, TData>;
+	},
+): UseQueryResult<TData, TError> & { queryKey: QueryKey } {
+	const queryOptions = getGetInviteQueryOptions({ token }, options);
+
+	const query = useQuery(queryOptions) as UseQueryResult<TData, TError> & {
+		queryKey: QueryKey;
+	};
+
+	query.queryKey = queryOptions.queryKey;
+
+	return query;
+}
+
+/**
+ * @summary Get invite
+ */
+export const invalidateGetInvite = async (
+	queryClient: QueryClient,
+	{ token }: GetInvitePathParameters,
+	options?: InvalidateOptions,
+): Promise<QueryClient> => {
+	await queryClient.invalidateQueries(
+		{ queryKey: getGetInviteQueryKey({ token }) },
+		options,
+	);
+
+	return queryClient;
+};
+
+/**
+ * This endpoint accepts an invite by token
+ * @summary Accept invite
+ */
+export const acceptInvite = (
+	typesPostableAcceptInviteDTO: BodyType<TypesPostableAcceptInviteDTO>,
+	signal?: AbortSignal,
+) => {
+	return GeneratedAPIInstance<AcceptInvite201>({
+		url: `/api/v1/invite/accept`,
+		method: 'POST',
+		headers: { 'Content-Type': 'application/json' },
+		data: typesPostableAcceptInviteDTO,
+		signal,
+	});
+};
+
+export const getAcceptInviteMutationOptions = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof acceptInvite>>,
+		TError,
+		{ data: BodyType<TypesPostableAcceptInviteDTO> },
+		TContext
+	>;
+}): UseMutationOptions<
+	Awaited<ReturnType<typeof acceptInvite>>,
+	TError,
+	{ data: BodyType<TypesPostableAcceptInviteDTO> },
+	TContext
+> => {
+	const mutationKey = ['acceptInvite'];
+	const { mutation: mutationOptions } = options
+		? options.mutation &&
+		  'mutationKey' in options.mutation &&
+		  options.mutation.mutationKey
+			? options
+			: { ...options, mutation: { ...options.mutation, mutationKey } }
+		: { mutation: { mutationKey } };
+
+	const mutationFn: MutationFunction<
+		Awaited<ReturnType<typeof acceptInvite>>,
+		{ data: BodyType<TypesPostableAcceptInviteDTO> }
+	> = (props) => {
+		const { data } = props ?? {};
+
+		return acceptInvite(data);
+	};
+
+	return { mutationFn, ...mutationOptions };
+};
+
+export type AcceptInviteMutationResult = NonNullable<
+	Awaited<ReturnType<typeof acceptInvite>>
+>;
+export type AcceptInviteMutationBody = BodyType<TypesPostableAcceptInviteDTO>;
+export type AcceptInviteMutationError = ErrorType<RenderErrorResponseDTO>;
+
+/**
+ * @summary Accept invite
+ */
+export const useAcceptInvite = <
+	TError = ErrorType<RenderErrorResponseDTO>,
+	TContext = unknown
+>(options?: {
+	mutation?: UseMutationOptions<
+		Awaited<ReturnType<typeof acceptInvite>>,
+		TError,
+		{ data: BodyType<TypesPostableAcceptInviteDTO> },
+		TContext
+	>;
+}): UseMutationResult<
+	Awaited<ReturnType<typeof acceptInvite>>,
+	TError,
+	{ data: BodyType<TypesPostableAcceptInviteDTO> },
+	TContext
+> => {
+	const mutationOptions = getAcceptInviteMutationOptions(options);
+
+	return useMutation(mutationOptions);
+};
 /**
 * This endpoint creates a bulk invite for a user
 * @summary Create bulk invite
--- a/frontend/src/api/index.ts
+++ b/frontend/src/api/index.ts
@@ -81,7 +81,8 @@ export const interceptorRejected = async (
 				response.config.url !== '/sessions/email_password' &&
 				!(
 					response.config.url === '/sessions' && response.config.method === 'delete'
-				)
+				) &&
+				response.config.url !== '/authz/check'
 			) {
 				try {
 					const accessToken = getLocalStorageApi(LOCALSTORAGE.AUTH_TOKEN);
--- a/frontend/src/api/interceptors.test.ts
+++ b/frontend/src/api/interceptors.test.ts
@@ -0,0 +1,152 @@
+import axios, { AxiosHeaders, AxiosResponse } from 'axios';
+
+import { interceptorRejected } from './index';
+
+jest.mock('api/browser/localstorage/get', () => ({
+	__esModule: true,
+	default: jest.fn(() => 'mock-token'),
+}));
+
+jest.mock('api/v2/sessions/rotate/post', () => ({
+	__esModule: true,
+	default: jest.fn(() =>
+		Promise.resolve({
+			data: { accessToken: 'new-token', refreshToken: 'new-refresh' },
+		}),
+	),
+}));
+
+jest.mock('AppRoutes/utils', () => ({
+	__esModule: true,
+	default: jest.fn(),
+}));
+
+jest.mock('axios', () => {
+	const actualAxios = jest.requireActual('axios');
+	const mockAxios = jest.fn().mockResolvedValue({ data: 'success' });
+
+	return {
+		...actualAxios,
+		default: Object.assign(mockAxios, {
+			...actualAxios.default,
+			isAxiosError: jest.fn().mockReturnValue(true),
+			create: actualAxios.create,
+		}),
+		__esModule: true,
+	};
+});
+
+describe('interceptorRejected', () => {
+	beforeEach(() => {
+		jest.clearAllMocks();
+		((axios as unknown) as jest.Mock).mockResolvedValue({ data: 'success' });
+		((axios.isAxiosError as unknown) as jest.Mock).mockReturnValue(true);
+	});
+
+	it('should preserve array payload structure when retrying a 401 request', async () => {
+		const arrayPayload = [
+			{ relation: 'assignee', object: { resource: { name: 'role' } } },
+			{ relation: 'assignee', object: { resource: { name: 'editor' } } },
+		];
+
+		const error = ({
+			response: {
+				status: 401,
+				config: {
+					url: '/some-endpoint',
+					method: 'POST',
+					baseURL: 'http://localhost/',
+					headers: new AxiosHeaders(),
+					data: JSON.stringify(arrayPayload),
+				},
+			},
+			config: {
+				url: '/some-endpoint',
+				method: 'POST',
+				baseURL: 'http://localhost/',
+				headers: new AxiosHeaders(),
+				data: JSON.stringify(arrayPayload),
+			},
+		} as unknown) as AxiosResponse;
+
+		try {
+			await interceptorRejected(error);
+		} catch {
+			// Expected to reject after retry
+		}
+
+		const mockAxiosFn = (axios as unknown) as jest.Mock;
+		expect(mockAxiosFn.mock.calls.length).toBe(1);
+		const retryCallConfig = mockAxiosFn.mock.calls[0][0];
+		expect(Array.isArray(JSON.parse(retryCallConfig.data))).toBe(true);
+		expect(JSON.parse(retryCallConfig.data)).toEqual(arrayPayload);
+	});
+
+	it('should preserve object payload structure when retrying a 401 request', async () => {
+		const objectPayload = { key: 'value', nested: { data: 123 } };
+
+		const error = ({
+			response: {
+				status: 401,
+				config: {
+					url: '/some-endpoint',
+					method: 'POST',
+					baseURL: 'http://localhost/',
+					headers: new AxiosHeaders(),
+					data: JSON.stringify(objectPayload),
+				},
+			},
+			config: {
+				url: '/some-endpoint',
+				method: 'POST',
+				baseURL: 'http://localhost/',
+				headers: new AxiosHeaders(),
+				data: JSON.stringify(objectPayload),
+			},
+		} as unknown) as AxiosResponse;
+
+		try {
+			await interceptorRejected(error);
+		} catch {
+			// Expected to reject after retry
+		}
+
+		const mockAxiosFn = (axios as unknown) as jest.Mock;
+		expect(mockAxiosFn.mock.calls.length).toBe(1);
+		const retryCallConfig = mockAxiosFn.mock.calls[0][0];
+		expect(JSON.parse(retryCallConfig.data)).toEqual(objectPayload);
+	});
+
+	it('should handle undefined data gracefully when retrying', async () => {
+		const error = ({
+			response: {
+				status: 401,
+				config: {
+					url: '/some-endpoint',
+					method: 'GET',
+					baseURL: 'http://localhost/',
+					headers: new AxiosHeaders(),
+					data: undefined,
+				},
+			},
+			config: {
+				url: '/some-endpoint',
+				method: 'GET',
+				baseURL: 'http://localhost/',
+				headers: new AxiosHeaders(),
+				data: undefined,
+			},
+		} as unknown) as AxiosResponse;
+
+		try {
+			await interceptorRejected(error);
+		} catch {
+			// Expected to reject after retry
+		}
+
+		const mockAxiosFn = (axios as unknown) as jest.Mock;
+		expect(mockAxiosFn.mock.calls.length).toBe(1);
+		const retryCallConfig = mockAxiosFn.mock.calls[0][0];
+		expect(retryCallConfig.data).toBeUndefined();
+	});
+});
--- a/frontend/src/api/v1/invite/get.ts
+++ b/frontend/src/api/v1/invite/get.ts
@@ -0,0 +1,19 @@
+import axios from 'api';
+import { ErrorResponseHandlerV2 } from 'api/ErrorResponseHandlerV2';
+import { AxiosError } from 'axios';
+import { ErrorV2Resp, SuccessResponseV2 } from 'types/api';
+import { PayloadProps, PendingInvite } from 'types/api/user/getPendingInvites';
+
+const get = async (): Promise<SuccessResponseV2<PendingInvite[]>> => {
+	try {
+		const response = await axios.get<PayloadProps>(`/invite`);
+		return {
+			httpStatusCode: response.status,
+			data: response.data.data,
+		};
+	} catch (error) {
+		ErrorResponseHandlerV2(error as AxiosError<ErrorV2Resp>);
+	}
+};
+
+export default get;
--- a/frontend/src/api/v1/invite/id/accept.ts
+++ b/frontend/src/api/v1/invite/id/accept.ts
@@ -0,0 +1,22 @@
+import axios from 'api';
+import { ErrorResponseHandlerV2 } from 'api/ErrorResponseHandlerV2';
+import { AxiosError } from 'axios';
+import { ErrorV2Resp, SuccessResponseV2 } from 'types/api';
+import { PayloadProps, Props } from 'types/api/user/accept';
+import { UserResponse } from 'types/api/user/getUser';
+
+const accept = async (
+	props: Props,
+): Promise<SuccessResponseV2<UserResponse>> => {
+	try {
+		const response = await axios.post<PayloadProps>(`/invite/accept`, props);
+		return {
+			httpStatusCode: response.status,
+			data: response.data.data,
+		};
+	} catch (error) {
+		ErrorResponseHandlerV2(error as AxiosError<ErrorV2Resp>);
+	}
+};
+
+export default accept;
--- a/frontend/src/api/v1/invite/id/delete.ts
+++ b/frontend/src/api/v1/invite/id/delete.ts
@@ -0,0 +1,20 @@
+import axios from 'api';
+import { ErrorResponseHandlerV2 } from 'api/ErrorResponseHandlerV2';
+import { AxiosError } from 'axios';
+import { ErrorV2Resp, SuccessResponseV2 } from 'types/api';
+import { Props } from 'types/api/user/deleteInvite';
+
+const del = async (props: Props): Promise<SuccessResponseV2<null>> => {
+	try {
+		const response = await axios.delete(`/invite/${props.id}`);
+
+		return {
+			httpStatusCode: response.status,
+			data: null,
+		};
+	} catch (error) {
+		ErrorResponseHandlerV2(error as AxiosError<ErrorV2Resp>);
+	}
+};
+
+export default del;
--- a/frontend/src/api/v1/invite/id/get.ts
+++ b/frontend/src/api/v1/invite/id/get.ts
@@ -0,0 +1,28 @@
+import axios from 'api';
+import { ErrorResponseHandlerV2 } from 'api/ErrorResponseHandlerV2';
+import { AxiosError } from 'axios';
+import { ErrorV2Resp, SuccessResponseV2 } from 'types/api';
+import {
+	InviteDetails,
+	PayloadProps,
+	Props,
+} from 'types/api/user/getInviteDetails';
+
+const getInviteDetails = async (
+	props: Props,
+): Promise<SuccessResponseV2<InviteDetails>> => {
+	try {
+		const response = await axios.get<PayloadProps>(
+			`/invite/${props.inviteId}?ref=${window.location.href}`,
+		);
+
+		return {
+			httpStatusCode: response.status,
+			data: response.data.data,
+		};
+	} catch (error) {
+		ErrorResponseHandlerV2(error as AxiosError<ErrorV2Resp>);
+	}
+};
+
+export default getInviteDetails;
--- a/frontend/src/assets/UnAuthorized.tsx
+++ b/frontend/src/assets/UnAuthorized.tsx
@@ -1,8 +1,14 @@
-function UnAuthorized(): JSX.Element {
+function UnAuthorized({
+	width = 137,
+	height = 137,
+}: {
+	height?: number;
+	width?: number;
+}): JSX.Element {
 	return (
 		<svg
-			width="137"
-			height="137"
+			width={width}
+			height={height}
 			viewBox="0 0 137 137"
 			fill="none"
 			xmlns="http://www.w3.org/2000/svg"
--- a/frontend/src/components/EditMemberDrawer/EditMemberDrawer.tsx
+++ b/frontend/src/components/EditMemberDrawer/EditMemberDrawer.tsx
@@ -7,6 +7,7 @@ import {
 	Check,
 	ChevronDown,
 	Copy,
+	Link,
 	LockKeyhole,
 	RefreshCw,
 	Trash2,
@@ -16,11 +17,14 @@ import { Input } from '@signozhq/input';
 import { toast } from '@signozhq/sonner';
 import { Select } from 'antd';
 import getResetPasswordToken from 'api/v1/factor_password/getResetPasswordToken';
+import sendInvite from 'api/v1/invite/create';
+import cancelInvite from 'api/v1/invite/id/delete';
 import deleteUser from 'api/v1/user/id/delete';
 import update from 'api/v1/user/id/update';
 import { MemberRow } from 'components/MembersTable/MembersTable';
 import { DATE_TIME_FORMATS } from 'constants/dateTimeFormats';
-import { MemberStatus } from 'container/MembersSettings/utils';
+import ROUTES from 'constants/routes';
+import { INVITE_PREFIX, MemberStatus } from 'container/MembersSettings/utils';
 import { capitalize } from 'lodash-es';
 import { useTimezone } from 'providers/Timezone';
 import { ROLES } from 'types/roles';
@@ -32,6 +36,7 @@ export interface EditMemberDrawerProps {
 	open: boolean;
 	onClose: () => void;
 	onComplete: () => void;
+	onRefetch?: () => void;
 }

 // eslint-disable-next-line sonarjs/cognitive-complexity
@@ -40,6 +45,7 @@ function EditMemberDrawer({
 	open,
 	onClose,
 	onComplete,
+	onRefetch,
 }: EditMemberDrawerProps): JSX.Element {
 	const { formatTimezoneAdjustedTimestamp } = useTimezone();

@@ -52,9 +58,11 @@ function EditMemberDrawer({
 	const [resetLink, setResetLink] = useState<string | null>(null);
 	const [showResetLinkDialog, setShowResetLinkDialog] = useState(false);
 	const [hasCopiedResetLink, setHasCopiedResetLink] = useState(false);
-	const [linkType, setLinkType] = useState<'invite' | 'reset' | null>(null);

 	const isInvited = member?.status === MemberStatus.Invited;
+	// Invited member IDs are prefixed with 'invite-'; strip it to get the real invite ID
+	const inviteId =
+		isInvited && member ? member.id.slice(INVITE_PREFIX.length) : null;

 	useEffect(() => {
 		if (member) {
@@ -65,7 +73,7 @@ function EditMemberDrawer({

 	const isDirty =
 		member !== null &&
-		(displayName !== (member.name ?? '') || selectedRole !== member.role);
+		(displayName !== member.name || selectedRole !== member.role);

 	const formatTimestamp = useCallback(
 		(ts: string | null | undefined): string => {
@@ -81,22 +89,80 @@ function EditMemberDrawer({
 		[formatTimezoneAdjustedTimestamp],
 	);

+	const saveInvitedMember = useCallback(async (): Promise<void> => {
+		if (!member || !inviteId) {
+			return;
+		}
+		await cancelInvite({ id: inviteId });
+		try {
+			await sendInvite({
+				email: member.email,
+				name: displayName,
+				role: selectedRole,
+				frontendBaseUrl: window.location.origin,
+			});
+			toast.success('Invite updated successfully', { richColors: true });
+			onComplete();
+			onClose();
+		} catch {
+			onRefetch?.();
+			onClose();
+			toast.error(
+				'Failed to send the updated invite. Please re-invite this member.',
+				{ richColors: true },
+			);
+		}
+	}, [
+		member,
+		inviteId,
+		displayName,
+		selectedRole,
+		onComplete,
+		onClose,
+		onRefetch,
+	]);
+
+	const saveActiveMember = useCallback(async (): Promise<void> => {
+		if (!member) {
+			return;
+		}
+		await update({
+			userId: member.id,
+			displayName,
+			role: selectedRole,
+		});
+		toast.success('Member details updated successfully', { richColors: true });
+		onComplete();
+		onClose();
+	}, [member, displayName, selectedRole, onComplete, onClose]);
+
 	const handleSave = useCallback(async (): Promise<void> => {
 		if (!member || !isDirty) {
 			return;
 		}
 		setIsSaving(true);
 		try {
-			await update({ userId: member.id, displayName, role: selectedRole });
-			toast.success('Member details updated successfully', { richColors: true });
-			onComplete();
-			onClose();
+			if (isInvited && inviteId) {
+				await saveInvitedMember();
+			} else {
+				await saveActiveMember();
+			}
 		} catch {
-			toast.error('Failed to update member details', { richColors: true });
+			toast.error(
+				isInvited ? 'Failed to update invite' : 'Failed to update member details',
+				{ richColors: true },
+			);
 		} finally {
 			setIsSaving(false);
 		}
-	}, [member, isDirty, displayName, selectedRole, onComplete, onClose]);
+	}, [
+		member,
+		isDirty,
+		isInvited,
+		inviteId,
+		saveInvitedMember,
+		saveActiveMember,
+	]);

 	const handleDelete = useCallback(async (): Promise<void> => {
 		if (!member) {
@@ -104,23 +170,25 @@ function EditMemberDrawer({
 		}
 		setIsDeleting(true);
 		try {
-			await deleteUser({ userId: member.id });
-			toast.success(
-				isInvited ? 'Invite revoked successfully' : 'Member deleted successfully',
-				{ richColors: true },
-			);
+			if (isInvited && inviteId) {
+				await cancelInvite({ id: inviteId });
+				toast.success('Invitation cancelled successfully', { richColors: true });
+			} else {
+				await deleteUser({ userId: member.id });
+				toast.success('Member deleted successfully', { richColors: true });
+			}
 			setShowDeleteConfirm(false);
 			onComplete();
 			onClose();
 		} catch {
 			toast.error(
-				isInvited ? 'Failed to revoke invite' : 'Failed to delete member',
+				isInvited ? 'Failed to cancel invitation' : 'Failed to delete member',
 				{ richColors: true },
 			);
 		} finally {
 			setIsDeleting(false);
 		}
-	}, [member, isInvited, onComplete, onClose]);
+	}, [member, isInvited, inviteId, onComplete, onClose]);

 	const handleGenerateResetLink = useCallback(async (): Promise<void> => {
 		if (!member) {
@@ -133,7 +201,6 @@ function EditMemberDrawer({
 				const link = `${window.location.origin}/password-reset?token=${response.data.token}`;
 				setResetLink(link);
 				setHasCopiedResetLink(false);
-				setLinkType(isInvited ? 'invite' : 'reset');
 				setShowResetLinkDialog(true);
 				onClose();
 			} else {
@@ -150,7 +217,7 @@ function EditMemberDrawer({
 		} finally {
 			setIsGeneratingLink(false);
 		}
-	}, [member, isInvited, setLinkType, onClose]);
+	}, [member, onClose]);

 	const handleCopyResetLink = useCallback(async (): Promise<void> => {
 		if (!resetLink) {
@@ -160,18 +227,36 @@ function EditMemberDrawer({
 			await navigator.clipboard.writeText(resetLink);
 			setHasCopiedResetLink(true);
 			setTimeout(() => setHasCopiedResetLink(false), 2000);
-			toast.success(
-				linkType === 'invite'
-					? 'Invite link copied to clipboard'
-					: 'Reset link copied to clipboard',
-				{ richColors: true },
-			);
+			toast.success('Reset link copied to clipboard', { richColors: true });
 		} catch {
 			toast.error('Failed to copy link', {
 				richColors: true,
 			});
 		}
-	}, [resetLink, linkType]);
+	}, [resetLink]);
+
+	const handleCopyInviteLink = useCallback(async (): Promise<void> => {
+		if (!member?.token) {
+			toast.error('Invite link is not available', {
+				richColors: true,
+				position: 'top-right',
+			});
+			return;
+		}
+		const inviteLink = `${window.location.origin}${ROUTES.SIGN_UP}?token=${member.token}`;
+		try {
+			await navigator.clipboard.writeText(inviteLink);
+			toast.success('Invite link copied to clipboard', {
+				richColors: true,
+				position: 'top-right',
+			});
+		} catch {
+			toast.error('Failed to copy invite link', {
+				richColors: true,
+				position: 'top-right',
+			});
+		}
+	}, [member]);

 	const handleClose = useCallback((): void => {
 		setShowDeleteConfirm(false);
@@ -263,22 +348,30 @@ function EditMemberDrawer({
 						onClick={(): void => setShowDeleteConfirm(true)}
 					>
 						<Trash2 size={12} />
-						{isInvited ? 'Revoke Invite' : 'Delete Member'}
+						{isInvited ? 'Cancel Invite' : 'Delete Member'}
 					</Button>

 					<div className="edit-member-drawer__footer-divider" />
-					<Button
-						className="edit-member-drawer__footer-btn edit-member-drawer__footer-btn--warning"
-						onClick={handleGenerateResetLink}
-						disabled={isGeneratingLink}
-					>
-						<RefreshCw size={12} />
-						{isGeneratingLink
-							? 'Generating...'
-							: isInvited
-							? 'Copy Invite Link'
-							: 'Generate Password Reset Link'}
-					</Button>
+
+					{isInvited ? (
+						<Button
+							className="edit-member-drawer__footer-btn edit-member-drawer__footer-btn--warning"
+							onClick={handleCopyInviteLink}
+							disabled={!member?.token}
+						>
+							<Link size={12} />
+							Copy Invite Link
+						</Button>
+					) : (
+						<Button
+							className="edit-member-drawer__footer-btn edit-member-drawer__footer-btn--warning"
+							onClick={handleGenerateResetLink}
+							disabled={isGeneratingLink}
+						>
+							<RefreshCw size={12} />
+							{isGeneratingLink ? 'Generating...' : 'Generate Password Reset Link'}
+						</Button>
+					)}
 				</div>

 				<div className="edit-member-drawer__footer-right">
@@ -301,21 +394,21 @@ function EditMemberDrawer({
 		</div>
 	);

-	const deleteDialogTitle = isInvited ? 'Revoke Invite' : 'Delete Member';
+	const deleteDialogTitle = isInvited ? 'Cancel Invitation' : 'Delete Member';
 	const deleteDialogBody = isInvited ? (
 		<>
-			Are you sure you want to revoke the invite for{' '}
+			Are you sure you want to cancel the invitation for{' '}
 			<strong>{member?.email}</strong>? They will no longer be able to join the
 			workspace using this invite.
 		</>
 	) : (
 		<>
 			Are you sure you want to delete{' '}
-			<strong>{member?.name || member?.email}</strong>? This will remove their
-			access to the workspace.
+			<strong>{member?.name || member?.email}</strong>? This will permanently
+			remove their access to the workspace.
 		</>
 	);
-	const deleteConfirmLabel = isInvited ? 'Revoke Invite' : 'Delete Member';
+	const deleteConfirmLabel = isInvited ? 'Cancel Invite' : 'Delete Member';

 	return (
 		<>
@@ -341,19 +434,17 @@ function EditMemberDrawer({
 				onOpenChange={(isOpen): void => {
 					if (!isOpen) {
 						setShowResetLinkDialog(false);
-						setLinkType(null);
 					}
 				}}
-				title={linkType === 'invite' ? 'Invite Link' : 'Password Reset Link'}
+				title="Password Reset Link"
 				showCloseButton
 				width="base"
 				className="reset-link-dialog"
 			>
 				<div className="reset-link-dialog__content">
 					<p className="reset-link-dialog__description">
-						{linkType === 'invite'
-							? 'Share this one-time link with the team member to complete their account setup.'
-							: 'This creates a one-time link the team member can use to set a new password for their SigNoz account.'}
+						This creates a one-time link the team member can use to set a new password
+						for their SigNoz account.
 					</p>
 					<div className="reset-link-dialog__link-row">
 						<div className="reset-link-dialog__link-text-wrap">
--- a/frontend/src/components/EditMemberDrawer/tests/EditMemberDrawer.test.tsx
+++ b/frontend/src/components/EditMemberDrawer/tests/EditMemberDrawer.test.tsx
@@ -1,6 +1,7 @@
 import type { ReactNode } from 'react';
 import { toast } from '@signozhq/sonner';
 import getResetPasswordToken from 'api/v1/factor_password/getResetPasswordToken';
+import cancelInvite from 'api/v1/invite/id/delete';
 import deleteUser from 'api/v1/user/id/delete';
 import update from 'api/v1/user/id/update';
 import { MemberStatus } from 'container/MembersSettings/utils';
@@ -47,6 +48,8 @@ jest.mock('@signozhq/dialog', () => ({

 jest.mock('api/v1/user/id/update');
 jest.mock('api/v1/user/id/delete');
+jest.mock('api/v1/invite/id/delete');
+jest.mock('api/v1/invite/create');
 jest.mock('api/v1/factor_password/getResetPasswordToken');
 jest.mock('@signozhq/sonner', () => ({
 	toast: {
@@ -57,6 +60,7 @@ jest.mock('@signozhq/sonner', () => ({

 const mockUpdate = jest.mocked(update);
 const mockDeleteUser = jest.mocked(deleteUser);
+const mockCancelInvite = jest.mocked(cancelInvite);
 const mockGetResetPasswordToken = jest.mocked(getResetPasswordToken);

 const activeMember = {
@@ -70,12 +74,13 @@ const activeMember = {
 };

 const invitedMember = {
-	id: 'abc123',
+	id: 'invite-abc123',
 	name: '',
 	email: 'bob@signoz.io',
 	role: 'VIEWER' as ROLES,
 	status: MemberStatus.Invited,
 	joinedOn: '1700000000000',
+	token: 'tok-xyz',
 };

 function renderDrawer(
@@ -97,6 +102,7 @@ describe('EditMemberDrawer', () => {
 		jest.clearAllMocks();
 		mockUpdate.mockResolvedValue({ httpStatusCode: 200, data: null });
 		mockDeleteUser.mockResolvedValue({ httpStatusCode: 200, data: null });
+		mockCancelInvite.mockResolvedValue({ httpStatusCode: 200, data: null });
 	});

 	it('renders active member details and disables Save when form is not dirty', () => {
@@ -157,61 +163,36 @@ describe('EditMemberDrawer', () => {
 		});
 	});

-	it('shows revoke invite and copy invite link for invited members; hides Last Modified', () => {
+	it('shows Cancel Invite and Copy Invite Link for invited members; hides Last Modified', () => {
 		renderDrawer({ member: invitedMember });

 		expect(
-			screen.getByRole('button', { name: /revoke invite/i }),
+			screen.getByRole('button', { name: /cancel invite/i }),
 		).toBeInTheDocument();
 		expect(
 			screen.getByRole('button', { name: /copy invite link/i }),
 		).toBeInTheDocument();
-		expect(
-			screen.queryByRole('button', { name: /generate password reset link/i }),
-		).not.toBeInTheDocument();
 		expect(screen.getByText('Invited On')).toBeInTheDocument();
 		expect(screen.queryByText('Last Modified')).not.toBeInTheDocument();
 	});

-	it('calls deleteUser after confirming revoke invite for invited members', async () => {
+	it('calls cancelInvite after confirming Cancel Invite for invited members', async () => {
 		const onComplete = jest.fn();
 		const user = userEvent.setup({ pointerEventsCheck: 0 });

 		renderDrawer({ member: invitedMember, onComplete });

-		await user.click(screen.getByRole('button', { name: /revoke invite/i }));
+		await user.click(screen.getByRole('button', { name: /cancel invite/i }));

 		expect(
-			await screen.findByText(/Are you sure you want to revoke the invite/i),
+			await screen.findByText(/are you sure you want to cancel the invitation/i),
 		).toBeInTheDocument();

-		const confirmBtns = screen.getAllByRole('button', { name: /revoke invite/i });
+		const confirmBtns = screen.getAllByRole('button', { name: /cancel invite/i });
 		await user.click(confirmBtns[confirmBtns.length - 1]);

 		await waitFor(() => {
-			expect(mockDeleteUser).toHaveBeenCalledWith({ userId: 'abc123' });
-			expect(onComplete).toHaveBeenCalled();
-		});
-	});
-
-	it('calls update API when saving changes for an invited member', async () => {
-		const onComplete = jest.fn();
-		const user = userEvent.setup({ pointerEventsCheck: 0 });
-
-		renderDrawer({ member: { ...invitedMember, name: 'Bob' }, onComplete });
-
-		const nameInput = screen.getByDisplayValue('Bob');
-		await user.clear(nameInput);
-		await user.type(nameInput, 'Bob Updated');
-
-		const saveBtn = screen.getByRole('button', { name: /save member details/i });
-		await waitFor(() => expect(saveBtn).not.toBeDisabled());
-		await user.click(saveBtn);
-
-		await waitFor(() => {
-			expect(mockUpdate).toHaveBeenCalledWith(
-				expect.objectContaining({ userId: 'abc123', displayName: 'Bob Updated' }),
-			);
+			expect(mockCancelInvite).toHaveBeenCalledWith({ id: 'abc123' });
 			expect(onComplete).toHaveBeenCalled();
 		});
 	});
@@ -279,6 +260,7 @@ describe('EditMemberDrawer', () => {

 			fireEvent.click(screen.getByRole('button', { name: /^copy$/i }));

+			// Verify success path: writeText called with the correct link
 			await waitFor(() => {
 				expect(mockToast.success).toHaveBeenCalledWith(
 					'Reset link copied to clipboard',
--- a/frontend/src/components/MembersTable/MembersTable.tsx
+++ b/frontend/src/components/MembersTable/MembersTable.tsx
@@ -1,6 +1,6 @@
 import type React from 'react';
 import { Badge } from '@signozhq/badge';
-import { Table, Tooltip } from 'antd';
+import { Pagination, Table, Tooltip } from 'antd';
 import type { ColumnsType, SorterResult } from 'antd/es/table/interface';
 import { DATE_TIME_FORMATS } from 'constants/dateTimeFormats';
 import { MemberStatus } from 'container/MembersSettings/utils';
@@ -18,6 +18,7 @@ export interface MemberRow {
 	status: MemberStatus;
 	joinedOn: string | null;
 	updatedAt?: string | null;
+	token?: string | null;
 }

 interface MembersTableProps {
@@ -63,23 +64,11 @@ function StatusBadge({ status }: { status: MemberRow['status'] }): JSX.Element {
 			</Badge>
 		);
 	}
-	if (status === MemberStatus.Deleted) {
-		return (
-			<Badge color="cherry" variant="outline">
-				DELETED
-			</Badge>
-		);
-	}
-
-	if (status === MemberStatus.Invited) {
-		return (
-			<Badge color="amber" variant="outline">
-				INVITED
-			</Badge>
-		);
-	}
-
-	return <Badge color="vanilla">⎯</Badge>;
+	return (
+		<Badge color="amber" variant="outline">
+			INVITED
+		</Badge>
+	);
 }

 function MembersEmptyState({
@@ -210,30 +199,14 @@ function MembersTable({
 				dataSource={data}
 				rowKey="id"
 				loading={loading}
-				pagination={{
-					current: currentPage,
-					pageSize,
-					total,
-					showTotal: showPaginationTotal,
-					showSizeChanger: false,
-					onChange: onPageChange,
-					className: 'members-table-pagination',
-					hideOnSinglePage: true,
-				}}
+				pagination={false}
 				rowClassName={(_, index): string =>
 					index % 2 === 0 ? 'members-table-row--tinted' : ''
 				}
-				onRow={(record): React.HTMLAttributes<HTMLElement> => {
-					const isClickable = onRowClick && record.status !== MemberStatus.Deleted;
-					return {
-						onClick: (): void => {
-							if (isClickable) {
-								onRowClick(record);
-							}
-						},
-						style: isClickable ? { cursor: 'pointer' } : undefined,
-					};
-				}}
+				onRow={(record): React.HTMLAttributes<HTMLElement> => ({
+					onClick: (): void => onRowClick?.(record),
+					style: onRowClick ? { cursor: 'pointer' } : undefined,
+				})}
 				onChange={(_, __, sorter): void => {
 					if (onSortChange) {
 						onSortChange(
@@ -247,6 +220,17 @@ function MembersTable({
 				}}
 				className="members-table"
 			/>
+			{total > pageSize && (
+				<Pagination
+					current={currentPage}
+					pageSize={pageSize}
+					total={total}
+					showTotal={showPaginationTotal}
+					showSizeChanger={false}
+					onChange={onPageChange}
+					className="members-table-pagination"
+				/>
+			)}
 		</div>
 	);
 }
--- a/frontend/src/components/MembersTable/tests/MembersTable.test.tsx
+++ b/frontend/src/components/MembersTable/tests/MembersTable.test.tsx
@@ -24,12 +24,13 @@ const mockActiveMembers: MemberRow[] = [
 ];

 const mockInvitedMember: MemberRow = {
-	id: 'inv-abc',
+	id: 'invite-abc',
 	name: '',
 	email: 'charlie@signoz.io',
 	role: 'EDITOR' as ROLES,
 	status: MemberStatus.Invited,
 	joinedOn: null,
+	token: 'tok-123',
 };

 const defaultProps = {
@@ -92,34 +93,6 @@ describe('MembersTable', () => {
 		);
 	});

-	it('renders DELETED badge and does not call onRowClick when a deleted member row is clicked', async () => {
-		const onRowClick = jest.fn();
-		const user = userEvent.setup({ pointerEventsCheck: 0 });
-		const deletedMember: MemberRow = {
-			id: 'user-del',
-			name: 'Dave Deleted',
-			email: 'dave@signoz.io',
-			role: 'VIEWER' as ROLES,
-			status: MemberStatus.Deleted,
-			joinedOn: null,
-		};
-
-		render(
-			<MembersTable
-				{...defaultProps}
-				data={[...mockActiveMembers, deletedMember]}
-				total={3}
-				onRowClick={onRowClick}
-			/>,
-		);
-
-		expect(screen.getByText('DELETED')).toBeInTheDocument();
-		await user.click(screen.getByText('Dave Deleted'));
-		expect(onRowClick).not.toHaveBeenCalledWith(
-			expect.objectContaining({ id: 'user-del' }),
-		);
-	});
-
 	it('shows "No members found" empty state when no data and no search query', () => {
 		render(<MembersTable {...defaultProps} data={[]} total={0} searchQuery="" />);

--- a/frontend/src/components/ShiftOverlay/ShiftHoldOverlayController.tsx
+++ b/frontend/src/components/ShiftOverlay/ShiftHoldOverlayController.tsx
@@ -1,13 +1,13 @@
 import { createShortcutActions } from '../../constants/shortcutActions';
 import { useCmdK } from '../../providers/cmdKProvider';
+import { ROLES } from '../../types/roles';
 import { ShiftOverlay } from './ShiftOverlay';
 import { useShiftHoldOverlay } from './useShiftHoldOverlay';

-type UserRole = 'ADMIN' | 'EDITOR' | 'AUTHOR' | 'VIEWER';
 export function ShiftHoldOverlayController({
 	userRole,
 }: {
-	userRole: UserRole;
+	userRole: ROLES;
 }): JSX.Element | null {
 	const { open: isCmdKOpen } = useCmdK();
 	const noop = (): void => undefined;
--- a/frontend/src/components/ShiftOverlay/ShiftOverlay.tsx
+++ b/frontend/src/components/ShiftOverlay/ShiftOverlay.tsx
@@ -1,18 +1,18 @@
 import { useMemo } from 'react';
 import ReactDOM from 'react-dom';
+import { ROLES } from 'types/roles';

 import { formatShortcut } from './formatShortcut';

 import './shiftOverlay.scss';

-export type UserRole = 'ADMIN' | 'EDITOR' | 'AUTHOR' | 'VIEWER';
 export type CmdAction = {
 	id: string;
 	name: string;
 	shortcut?: string[];
 	keywords?: string;
 	section?: string;
-	roles?: UserRole[];
+	roles?: ROLES[];
 	perform: () => void;
 };

@@ -33,7 +33,7 @@ function Shortcut({ label, keyHint }: ShortcutProps): JSX.Element {
 interface ShiftOverlayProps {
 	visible: boolean;
 	actions: CmdAction[];
-	userRole: UserRole;
+	userRole: ROLES;
 }

 export function ShiftOverlay({
--- a/frontend/src/components/cmdKPalette/cmdKPalette.tsx
+++ b/frontend/src/components/cmdKPalette/cmdKPalette.tsx
@@ -11,6 +11,7 @@ import {
 import logEvent from 'api/common/logEvent';
 import { useThemeMode } from 'hooks/useDarkMode';
 import history from 'lib/history';
+import { ROLES as UserRole } from 'types/roles';

 import { createShortcutActions } from '../../constants/shortcutActions';
 import { useCmdK } from '../../providers/cmdKProvider';
@@ -28,7 +29,6 @@ type CmdAction = {
 	perform: () => void;
 };

-type UserRole = 'ADMIN' | 'EDITOR' | 'AUTHOR' | 'VIEWER';
 export function CmdKPalette({
 	userRole,
 }: {
--- a/frontend/src/constants/shortcutActions.tsx
+++ b/frontend/src/constants/shortcutActions.tsx
@@ -18,8 +18,7 @@ import {
 	TowerControl,
 	Workflow,
 } from 'lucide-react';
-
-export type UserRole = 'ADMIN' | 'EDITOR' | 'AUTHOR' | 'VIEWER';
+import { ROLES } from 'types/roles';

 export type CmdAction = {
 	id: string;
@@ -28,7 +27,7 @@ export type CmdAction = {
 	keywords?: string;
 	section?: string;
 	icon?: React.ReactNode;
-	roles?: UserRole[];
+	roles?: ROLES[];
 	perform: () => void;
 };

--- a/frontend/src/container/DashboardContainer/visualization/charts/ChartWrapper/ChartWrapper.tsx
+++ b/frontend/src/container/DashboardContainer/visualization/charts/ChartWrapper/ChartWrapper.tsx
@@ -5,7 +5,7 @@ import {
 	LegendPosition,
 	TooltipRenderArgs,
 } from 'lib/uPlotV2/components/types';
-import UPlotChart from 'lib/uPlotV2/components/UPlotChart';
+import UPlotChart from 'lib/uPlotV2/components/UPlotChart/UPlotChart';
 import { PlotContextProvider } from 'lib/uPlotV2/context/PlotContext';
 import TooltipPlugin from 'lib/uPlotV2/plugins/TooltipPlugin/TooltipPlugin';
 import noop from 'lodash-es/noop';
--- a/frontend/src/container/DashboardContainer/visualization/panels/TimeSeriesPanel/utils.ts
+++ b/frontend/src/container/DashboardContainer/visualization/panels/TimeSeriesPanel/utils.ts
@@ -123,7 +123,7 @@ export const prepareUPlotConfig = ({
 			drawStyle: hasSingleValidPoint ? DrawStyle.Points : DrawStyle.Line,
 			label: label,
 			colorMapping: widget.customLegendColors ?? {},
-			spanGaps: true,
+			spanGaps: widget.spanGaps ?? true,
 			lineStyle: widget.lineStyle || LineStyle.Solid,
 			lineInterpolation: widget.lineInterpolation || LineInterpolation.Spline,
 			showPoints:
--- a/frontend/src/container/MembersSettings/MembersSettings.tsx
+++ b/frontend/src/container/MembersSettings/MembersSettings.tsx
@@ -6,6 +6,7 @@ import { Check, ChevronDown, Plus } from '@signozhq/icons';
 import { Input } from '@signozhq/input';
 import type { MenuProps } from 'antd';
 import { Dropdown } from 'antd';
+import getPendingInvites from 'api/v1/invite/get';
 import getAll from 'api/v1/user/get';
 import EditMemberDrawer from 'components/EditMemberDrawer/EditMemberDrawer';
 import InviteMembersModal from 'components/InviteMembersModal/InviteMembersModal';
@@ -13,7 +14,7 @@ import MembersTable, { MemberRow } from 'components/MembersTable/MembersTable';
 import useUrlQuery from 'hooks/useUrlQuery';
 import { useAppContext } from 'providers/App/App';

-import { FilterMode, MemberStatus, toMemberStatus } from './utils';
+import { FilterMode, INVITE_PREFIX, MemberStatus } from './utils';

 import './MembersSettings.styles.scss';

@@ -33,24 +34,51 @@ function MembersSettings(): JSX.Element {
 	const [isInviteModalOpen, setIsInviteModalOpen] = useState(false);
 	const [selectedMember, setSelectedMember] = useState<MemberRow | null>(null);

-	const { data: usersData, isLoading, refetch: refetchUsers } = useQuery({
+	const {
+		data: usersData,
+		isLoading: isUsersLoading,
+		refetch: refetchUsers,
+	} = useQuery({
 		queryFn: getAll,
 		queryKey: ['getOrgUser', org?.[0]?.id],
 	});

-	const allMembers = useMemo(
-		(): MemberRow[] =>
-			(usersData?.data ?? []).map((user) => ({
-				id: user.id,
-				name: user.displayName,
-				email: user.email,
-				role: user.role,
-				status: toMemberStatus(user.status ?? ''),
-				joinedOn: user.createdAt ? String(user.createdAt) : null,
-				updatedAt: user.updatedAt ? String(user.updatedAt) : null,
-			})),
-		[usersData],
-	);
+	const {
+		data: invitesData,
+		isLoading: isInvitesLoading,
+		refetch: refetchInvites,
+	} = useQuery({
+		queryFn: getPendingInvites,
+		queryKey: ['getPendingInvites'],
+	});
+
+	const isLoading = isUsersLoading || isInvitesLoading;
+
+	const allMembers = useMemo((): MemberRow[] => {
+		const activeMembers: MemberRow[] = (usersData?.data ?? []).map((user) => ({
+			id: user.id,
+			name: user.displayName,
+			email: user.email,
+			role: user.role,
+			status: MemberStatus.Active,
+			joinedOn: user.createdAt ? String(user.createdAt) : null,
+			updatedAt: user?.updatedAt ? String(user.updatedAt) : null,
+		}));
+
+		const pendingInvites: MemberRow[] = (invitesData?.data ?? []).map(
+			(invite) => ({
+				id: `${INVITE_PREFIX}${invite.id}`,
+				name: invite.name ?? '',
+				email: invite.email,
+				role: invite.role,
+				status: MemberStatus.Invited,
+				joinedOn: invite.createdAt ? String(invite.createdAt) : null,
+				token: invite.token ?? null,
+			}),
+		);
+
+		return [...activeMembers, ...pendingInvites];
+	}, [usersData, invitesData]);

 	const filteredMembers = useMemo((): MemberRow[] => {
 		let result = allMembers;
@@ -72,6 +100,11 @@ function MembersSettings(): JSX.Element {
 		return result;
 	}, [allMembers, filterMode, searchQuery]);

+	const paginatedMembers = useMemo((): MemberRow[] => {
+		const start = (currentPage - 1) * PAGE_SIZE;
+		return filteredMembers.slice(start, start + PAGE_SIZE);
+	}, [filteredMembers, currentPage]);
+
 	// TODO(nuqs): Replace with nuqs once the nuqs setup and integration is done
 	const setPage = useCallback(
 		(page: number): void => {
@@ -91,9 +124,7 @@ function MembersSettings(): JSX.Element {
 		}
 	}, [filteredMembers.length, currentPage, setPage]);

-	const pendingCount = allMembers.filter(
-		(m) => m.status === MemberStatus.Invited,
-	).length;
+	const pendingCount = invitesData?.data?.length ?? 0;
 	const totalCount = allMembers.length;

 	const filterMenuItems: MenuProps['items'] = [
@@ -132,7 +163,8 @@ function MembersSettings(): JSX.Element {

 	const handleInviteComplete = useCallback((): void => {
 		refetchUsers();
-	}, [refetchUsers]);
+		refetchInvites();
+	}, [refetchUsers, refetchInvites]);

 	const handleRowClick = useCallback((member: MemberRow): void => {
 		setSelectedMember(member);
@@ -144,8 +176,9 @@ function MembersSettings(): JSX.Element {

 	const handleMemberEditComplete = useCallback((): void => {
 		refetchUsers();
+		refetchInvites();
 		setSelectedMember(null);
-	}, [refetchUsers]);
+	}, [refetchUsers, refetchInvites]);

 	return (
 		<>
@@ -199,7 +232,7 @@ function MembersSettings(): JSX.Element {
 				</div>
 			</div>
 			<MembersTable
-				data={filteredMembers}
+				data={paginatedMembers}
 				loading={isLoading}
 				total={filteredMembers.length}
 				currentPage={currentPage}
@@ -220,6 +253,7 @@ function MembersSettings(): JSX.Element {
 				open={selectedMember !== null}
 				onClose={handleDrawerClose}
 				onComplete={handleMemberEditComplete}
+				onRefetch={handleInviteComplete}
 			/>
 		</>
 	);
--- a/frontend/src/container/MembersSettings/tests/MembersSettings.integration.test.tsx
+++ b/frontend/src/container/MembersSettings/tests/MembersSettings.integration.test.tsx
@@ -1,5 +1,6 @@
 import { rest, server } from 'mocks-server/server';
 import { render, screen, userEvent } from 'tests/test-utils';
+import { PendingInvite } from 'types/api/user/getPendingInvites';
 import { UserResponse } from 'types/api/user/getUser';

 import MembersSettings from '../MembersSettings';
@@ -12,6 +13,7 @@ jest.mock('@signozhq/sonner', () => ({
 }));

 const USERS_ENDPOINT = '*/api/v1/user';
+const INVITES_ENDPOINT = '*/api/v1/invite';

 const mockUsers: UserResponse[] = [
 	{
@@ -19,8 +21,7 @@ const mockUsers: UserResponse[] = [
 		displayName: 'Alice Smith',
 		email: 'alice@signoz.io',
 		role: 'ADMIN',
-		status: 'active',
-		createdAt: '2024-01-01T00:00:00.000Z',
+		createdAt: 1700000000,
 		organization: 'TestOrg',
 		orgId: 'org-1',
 	},
@@ -29,30 +30,20 @@ const mockUsers: UserResponse[] = [
 		displayName: 'Bob Jones',
 		email: 'bob@signoz.io',
 		role: 'VIEWER',
-		status: 'active',
-		createdAt: '2024-01-02T00:00:00.000Z',
+		createdAt: 1700000001,
 		organization: 'TestOrg',
 		orgId: 'org-1',
 	},
+];
+
+const mockInvites: PendingInvite[] = [
 	{
 		id: 'inv-1',
-		displayName: '',
 		email: 'charlie@signoz.io',
+		name: 'Charlie',
 		role: 'EDITOR',
-		status: 'pending_invite',
-		createdAt: '2024-01-03T00:00:00.000Z',
-		organization: 'TestOrg',
-		orgId: 'org-1',
-	},
-	{
-		id: 'user-3',
-		displayName: 'Dave Deleted',
-		email: 'dave@signoz.io',
-		role: 'VIEWER',
-		status: 'deleted',
-		createdAt: '2024-01-04T00:00:00.000Z',
-		organization: 'TestOrg',
-		orgId: 'org-1',
+		createdAt: 1700000002,
+		token: 'tok-abc',
 	},
 ];

@@ -63,6 +54,9 @@ describe('MembersSettings (integration)', () => {
 			rest.get(USERS_ENDPOINT, (_, res, ctx) =>
 				res(ctx.status(200), ctx.json({ data: mockUsers })),
 			),
+			rest.get(INVITES_ENDPOINT, (_, res, ctx) =>
+				res(ctx.status(200), ctx.json({ data: mockInvites })),
+			),
 		);
 	});

@@ -70,16 +64,14 @@ describe('MembersSettings (integration)', () => {
 		server.resetHandlers();
 	});

-	it('loads and displays active users, pending invites, and deleted members', async () => {
+	it('loads and displays active users and pending invites', async () => {
 		render(<MembersSettings />);

 		await screen.findByText('Alice Smith');
 		expect(screen.getByText('Bob Jones')).toBeInTheDocument();
 		expect(screen.getByText('charlie@signoz.io')).toBeInTheDocument();
-		expect(screen.getByText('Dave Deleted')).toBeInTheDocument();
 		expect(screen.getAllByText('ACTIVE')).toHaveLength(2);
 		expect(screen.getByText('INVITED')).toBeInTheDocument();
-		expect(screen.getByText('DELETED')).toBeInTheDocument();
 	});

 	it('filters to pending invites via the filter dropdown', async () => {
@@ -115,7 +107,7 @@ describe('MembersSettings (integration)', () => {
 		expect(screen.queryByText('charlie@signoz.io')).not.toBeInTheDocument();
 	});

-	it('opens EditMemberDrawer when an active member row is clicked', async () => {
+	it('opens EditMemberDrawer when a member row is clicked', async () => {
 		const user = userEvent.setup({ pointerEventsCheck: 0 });

 		render(<MembersSettings />);
@@ -125,16 +117,6 @@ describe('MembersSettings (integration)', () => {
 		await screen.findByText('Member Details');
 	});

-	it('does not open EditMemberDrawer when a deleted member row is clicked', async () => {
-		const user = userEvent.setup({ pointerEventsCheck: 0 });
-
-		render(<MembersSettings />);
-
-		await user.click(await screen.findByText('Dave Deleted'));
-
-		expect(screen.queryByText('Member Details')).not.toBeInTheDocument();
-	});
-
 	it('opens InviteMembersModal when "Invite member" button is clicked', async () => {
 		const user = userEvent.setup({ pointerEventsCheck: 0 });

--- a/frontend/src/container/MembersSettings/utils.ts
+++ b/frontend/src/container/MembersSettings/utils.ts
@@ -1,3 +1,5 @@
+export const INVITE_PREFIX = 'invite-';
+
 export enum FilterMode {
 	All = 'all',
 	Invited = 'invited',
@@ -6,25 +8,4 @@ export enum FilterMode {
 export enum MemberStatus {
 	Active = 'Active',
 	Invited = 'Invited',
-	Deleted = 'Deleted',
-	Anonymous = 'Anonymous',
-}
-
-export enum UserApiStatus {
-	Active = 'active',
-	PendingInvite = 'pending_invite',
-	Deleted = 'deleted',
-}
-
-export function toMemberStatus(apiStatus: string): MemberStatus {
-	switch (apiStatus) {
-		case UserApiStatus.PendingInvite:
-			return MemberStatus.Invited;
-		case UserApiStatus.Deleted:
-			return MemberStatus.Deleted;
-		case UserApiStatus.Active:
-			return MemberStatus.Active;
-		default:
-			return MemberStatus.Anonymous;
-	}
 }
--- a/frontend/src/container/NewWidget/RightContainer/RightContainer.styles.scss
+++ b/frontend/src/container/NewWidget/RightContainer/RightContainer.styles.scss
@@ -4,6 +4,10 @@
 	font-family: 'Space Mono';
 	padding-bottom: 48px;

+	.panel-type-select {
+		width: 100%;
+	}
+
 	.section-heading {
 		font-family: 'Space Mono';
 		color: var(--bg-vanilla-400);
@@ -26,10 +30,6 @@
 		letter-spacing: 0.48px;
 	}

-	.panel-type-select {
-		width: 100%;
-	}
-
 	.header {
 		display: flex;
 		padding: 14px 14px 14px 12px;
@@ -216,7 +216,8 @@
 .lightMode {
 	.right-container {
 		background-color: var(--bg-vanilla-100);
-		.section-heading {
+		.section-heading,
+		.section-heading-small {
 			color: var(--bg-ink-400);
 		}
 		.header {
--- a/frontend/src/container/NewWidget/RightContainer/SettingSections/ChartAppearanceSection/ChartAppearanceSection.tsx
+++ b/frontend/src/container/NewWidget/RightContainer/SettingSections/ChartAppearanceSection/ChartAppearanceSection.tsx
@@ -7,9 +7,10 @@ import {
 } from 'lib/uPlotV2/config/types';
 import { Paintbrush } from 'lucide-react';

-import { FillModeSelector } from '../../components/FillModeSelector/FillModeSelector';
-import { LineInterpolationSelector } from '../../components/LineInterpolationSelector/LineInterpolationSelector';
-import { LineStyleSelector } from '../../components/LineStyleSelector/LineStyleSelector';
+import DisconnectValuesSelector from '../../components/DisconnectValuesSelector/DisconnectValuesSelector';
+import FillModeSelector from '../../components/FillModeSelector/FillModeSelector';
+import LineInterpolationSelector from '../../components/LineInterpolationSelector/LineInterpolationSelector';
+import LineStyleSelector from '../../components/LineStyleSelector/LineStyleSelector';
 import SettingsSection from '../../components/SettingsSection/SettingsSection';

 interface ChartAppearanceSectionProps {
@@ -21,10 +22,14 @@ interface ChartAppearanceSectionProps {
 	setLineInterpolation: Dispatch<SetStateAction<LineInterpolation>>;
 	showPoints: boolean;
 	setShowPoints: Dispatch<SetStateAction<boolean>>;
+	spanGaps: boolean | number;
+	setSpanGaps: Dispatch<SetStateAction<boolean | number>>;
 	allowFillMode: boolean;
 	allowLineStyle: boolean;
 	allowLineInterpolation: boolean;
 	allowShowPoints: boolean;
+	allowSpanGaps: boolean;
+	stepInterval: number;
 }

 export default function ChartAppearanceSection({
@@ -36,10 +41,14 @@ export default function ChartAppearanceSection({
 	setLineInterpolation,
 	showPoints,
 	setShowPoints,
+	spanGaps,
+	setSpanGaps,
 	allowFillMode,
 	allowLineStyle,
 	allowLineInterpolation,
 	allowShowPoints,
+	allowSpanGaps,
+	stepInterval,
 }: ChartAppearanceSectionProps): JSX.Element {
 	return (
 		<SettingsSection title="Chart Appearance" icon={<Paintbrush size={14} />}>
@@ -66,6 +75,13 @@ export default function ChartAppearanceSection({
 					<Switch size="small" checked={showPoints} onChange={setShowPoints} />
 				</section>
 			)}
+			{allowSpanGaps && (
+				<DisconnectValuesSelector
+					value={spanGaps}
+					minValue={stepInterval}
+					onChange={setSpanGaps}
+				/>
+			)}
 		</SettingsSection>
 	);
 }
--- a/frontend/src/container/NewWidget/RightContainer/tests/RightContainer.test.tsx
+++ b/frontend/src/container/NewWidget/RightContainer/tests/RightContainer.test.tsx
@@ -178,6 +178,8 @@ describe('RightContainer - Alerts Section', () => {
 		setLineStyle: jest.fn(),
 		showPoints: false,
 		setShowPoints: jest.fn(),
+		spanGaps: false,
+		setSpanGaps: jest.fn(),
 	};

 	beforeEach(() => {
--- a/frontend/src/container/NewWidget/RightContainer/components/DisconnectValuesSelector/DisconnectValuesModeToggle.tsx
+++ b/frontend/src/container/NewWidget/RightContainer/components/DisconnectValuesSelector/DisconnectValuesModeToggle.tsx
@@ -0,0 +1,38 @@
+import { ToggleGroup, ToggleGroupItem } from '@signozhq/toggle-group';
+import { Typography } from 'antd';
+import { DisconnectedValuesMode } from 'lib/uPlotV2/config/types';
+
+interface DisconnectValuesModeToggleProps {
+	value: DisconnectedValuesMode;
+	onChange: (value: DisconnectedValuesMode) => void;
+}
+
+export default function DisconnectValuesModeToggle({
+	value,
+	onChange,
+}: DisconnectValuesModeToggleProps): JSX.Element {
+	return (
+		<ToggleGroup
+			type="single"
+			value={value}
+			size="lg"
+			onValueChange={(newValue): void => {
+				if (newValue) {
+					onChange(newValue as DisconnectedValuesMode);
+				}
+			}}
+		>
+			<ToggleGroupItem value={DisconnectedValuesMode.Never} aria-label="Never">
+				<Typography.Text className="section-heading-small">Never</Typography.Text>
+			</ToggleGroupItem>
+			<ToggleGroupItem
+				value={DisconnectedValuesMode.Threshold}
+				aria-label="Threshold"
+			>
+				<Typography.Text className="section-heading-small">
+					Threshold
+				</Typography.Text>
+			</ToggleGroupItem>
+		</ToggleGroup>
+	);
+}
--- a/frontend/src/container/NewWidget/RightContainer/components/DisconnectValuesSelector/DisconnectValuesSelector.styles.scss
+++ b/frontend/src/container/NewWidget/RightContainer/components/DisconnectValuesSelector/DisconnectValuesSelector.styles.scss
@@ -0,0 +1,21 @@
+.disconnect-values-selector {
+	.disconnect-values-input-wrapper {
+		display: flex;
+		flex-direction: column;
+		gap: 16px;
+
+		.disconnect-values-threshold-wrapper {
+			display: flex;
+			flex-direction: column;
+			gap: 8px;
+			.disconnect-values-threshold-input {
+				max-width: 160px;
+				height: auto;
+				.disconnect-values-threshold-prefix {
+					padding: 0 8px;
+					font-size: 20px;
+				}
+			}
+		}
+	}
+}
--- a/frontend/src/container/NewWidget/RightContainer/components/DisconnectValuesSelector/DisconnectValuesSelector.tsx
+++ b/frontend/src/container/NewWidget/RightContainer/components/DisconnectValuesSelector/DisconnectValuesSelector.tsx
@@ -0,0 +1,91 @@
+import { useEffect, useState } from 'react';
+import { Typography } from 'antd';
+import { DisconnectedValuesMode } from 'lib/uPlotV2/config/types';
+
+import DisconnectValuesModeToggle from './DisconnectValuesModeToggle';
+import DisconnectValuesThresholdInput from './DisconnectValuesThresholdInput';
+
+import './DisconnectValuesSelector.styles.scss';
+
+const DEFAULT_THRESHOLD_SECONDS = 60;
+
+interface DisconnectValuesSelectorProps {
+	value: boolean | number;
+	minValue: number;
+	onChange: (value: boolean | number) => void;
+}
+
+export default function DisconnectValuesSelector({
+	value,
+	minValue,
+	onChange,
+}: DisconnectValuesSelectorProps): JSX.Element {
+	const [mode, setMode] = useState<DisconnectedValuesMode>(() => {
+		if (typeof value === 'number') {
+			return DisconnectedValuesMode.Threshold;
+		}
+		return DisconnectedValuesMode.Never;
+	});
+	const [thresholdSeconds, setThresholdSeconds] = useState<number>(
+		typeof value === 'number' ? value : minValue ?? DEFAULT_THRESHOLD_SECONDS,
+	);
+
+	useEffect(() => {
+		if (typeof value === 'boolean') {
+			setMode(DisconnectedValuesMode.Never);
+		} else if (typeof value === 'number') {
+			setMode(DisconnectedValuesMode.Threshold);
+			setThresholdSeconds(value);
+		}
+	}, [value]);
+
+	useEffect(() => {
+		if (minValue !== undefined) {
+			setThresholdSeconds(minValue);
+			if (mode === DisconnectedValuesMode.Threshold) {
+				onChange(minValue);
+			}
+		}
+		// eslint-disable-next-line react-hooks/exhaustive-deps
+	}, [minValue]);
+
+	const handleModeChange = (newMode: DisconnectedValuesMode): void => {
+		setMode(newMode);
+		switch (newMode) {
+			case DisconnectedValuesMode.Never:
+				onChange(true);
+				break;
+			case DisconnectedValuesMode.Threshold:
+				onChange(thresholdSeconds);
+				break;
+		}
+	};
+
+	const handleThresholdChange = (seconds: number): void => {
+		setThresholdSeconds(seconds);
+		onChange(seconds);
+	};
+
+	return (
+		<section className="disconnect-values-selector control-container">
+			<Typography.Text className="section-heading">
+				Disconnect values
+			</Typography.Text>
+			<div className="disconnect-values-input-wrapper">
+				<DisconnectValuesModeToggle value={mode} onChange={handleModeChange} />
+				{mode === DisconnectedValuesMode.Threshold && (
+					<section className="control-container">
+						<Typography.Text className="section-heading">
+							Threshold Value
+						</Typography.Text>
+						<DisconnectValuesThresholdInput
+							value={thresholdSeconds}
+							minValue={minValue}
+							onChange={handleThresholdChange}
+						/>
+					</section>
+				)}
+			</div>
+		</section>
+	);
+}
--- a/frontend/src/container/NewWidget/RightContainer/components/DisconnectValuesSelector/DisconnectValuesThresholdInput.tsx
+++ b/frontend/src/container/NewWidget/RightContainer/components/DisconnectValuesSelector/DisconnectValuesThresholdInput.tsx
@@ -0,0 +1,92 @@
+import { ChangeEvent, useEffect, useState } from 'react';
+import { rangeUtil } from '@grafana/data';
+import { Callout, Input } from '@signozhq/ui';
+interface DisconnectValuesThresholdInputProps {
+	value: number;
+	onChange: (seconds: number) => void;
+	minValue: number;
+}
+
+export default function DisconnectValuesThresholdInput({
+	value,
+	onChange,
+	minValue,
+}: DisconnectValuesThresholdInputProps): JSX.Element {
+	const [inputValue, setInputValue] = useState<string>(
+		rangeUtil.secondsToHms(value),
+	);
+	const [error, setError] = useState<string | null>(null);
+
+	useEffect(() => {
+		setInputValue(rangeUtil.secondsToHms(value));
+		setError(null);
+	}, [value]);
+
+	const updateValue = (txt: string): void => {
+		if (!txt) {
+			return;
+		}
+		try {
+			let seconds: number;
+			if (rangeUtil.isValidTimeSpan(txt)) {
+				seconds = rangeUtil.intervalToSeconds(txt);
+			} else {
+				const parsed = Number(txt);
+				if (Number.isNaN(parsed) || parsed <= 0) {
+					setError('Enter a valid duration (e.g. 1h, 10m, 1d)');
+					return;
+				}
+				seconds = parsed;
+			}
+			if (minValue !== undefined && seconds < minValue) {
+				setError(`Threshold should be > ${rangeUtil.secondsToHms(minValue)}`);
+				return;
+			}
+			setError(null);
+			setInputValue(txt);
+			onChange(seconds);
+		} catch {
+			setError('Invalid threshold value');
+		}
+	};
+
+	const handleKeyDown = (e: React.KeyboardEvent<HTMLInputElement>): void => {
+		if (e.key === 'Enter') {
+			updateValue(e.currentTarget.value);
+		}
+	};
+
+	const handleBlur = (e: React.FocusEvent<HTMLInputElement>): void => {
+		updateValue(e.currentTarget.value);
+	};
+
+	const handleChange = (e: ChangeEvent<HTMLInputElement>): void => {
+		setInputValue(e.currentTarget.value);
+		if (error) {
+			setError(null);
+		}
+	};
+
+	return (
+		<div className="disconnect-values-threshold-wrapper">
+			<Input
+				name="disconnect-values-threshold"
+				type="text"
+				className="disconnect-values-threshold-input"
+				prefix={<span className="disconnect-values-threshold-prefix">&gt;</span>}
+				value={inputValue}
+				onChange={handleChange}
+				onKeyDown={handleKeyDown}
+				onBlur={handleBlur}
+				autoFocus={true}
+				aria-invalid={!!error}
+				aria-describedby={error ? 'threshold-error' : undefined}
+			/>
+			{error && (
+				<Callout type="error" size="small" showIcon>
+					{error}
+				</Callout>
+			)}
+		</div>
+	);
+}
--- a/frontend/src/container/NewWidget/RightContainer/components/FillModeSelector/FillModeSelector.tsx
+++ b/frontend/src/container/NewWidget/RightContainer/components/FillModeSelector/FillModeSelector.tsx
@@ -9,7 +9,7 @@ interface FillModeSelectorProps {
 	onChange: (value: FillMode) => void;
 }

-export function FillModeSelector({
+export default function FillModeSelector({
 	value,
 	onChange,
 }: FillModeSelectorProps): JSX.Element {
--- a/frontend/src/container/NewWidget/RightContainer/components/LineInterpolationSelector/LineInterpolationSelector.tsx
+++ b/frontend/src/container/NewWidget/RightContainer/components/LineInterpolationSelector/LineInterpolationSelector.tsx
@@ -9,7 +9,7 @@ interface LineInterpolationSelectorProps {
 	onChange: (value: LineInterpolation) => void;
 }

-export function LineInterpolationSelector({
+export default function LineInterpolationSelector({
 	value,
 	onChange,
 }: LineInterpolationSelectorProps): JSX.Element {
--- a/frontend/src/container/NewWidget/RightContainer/components/LineStyleSelector/LineStyleSelector.tsx
+++ b/frontend/src/container/NewWidget/RightContainer/components/LineStyleSelector/LineStyleSelector.tsx
@@ -9,7 +9,7 @@ interface LineStyleSelectorProps {
 	onChange: (value: LineStyle) => void;
 }

-export function LineStyleSelector({
+export default function LineStyleSelector({
 	value,
 	onChange,
 }: LineStyleSelectorProps): JSX.Element {
--- a/frontend/src/container/NewWidget/RightContainer/constants.ts
+++ b/frontend/src/container/NewWidget/RightContainer/constants.ts
@@ -262,3 +262,17 @@ export const panelTypeVsShowPoints: {
 	[PANEL_TYPES.TRACE]: false,
 	[PANEL_TYPES.EMPTY_WIDGET]: false,
 } as const;
+
+export const panelTypeVsSpanGaps: {
+	[key in PANEL_TYPES]: boolean;
+} = {
+	[PANEL_TYPES.TIME_SERIES]: true,
+	[PANEL_TYPES.VALUE]: false,
+	[PANEL_TYPES.TABLE]: false,
+	[PANEL_TYPES.LIST]: false,
+	[PANEL_TYPES.PIE]: false,
+	[PANEL_TYPES.BAR]: false,
+	[PANEL_TYPES.HISTOGRAM]: false,
+	[PANEL_TYPES.TRACE]: false,
+	[PANEL_TYPES.EMPTY_WIDGET]: false,
+} as const;
--- a/frontend/src/container/NewWidget/RightContainer/index.tsx
+++ b/frontend/src/container/NewWidget/RightContainer/index.tsx
@@ -1,6 +1,7 @@
 import { Dispatch, SetStateAction, useMemo } from 'react';
 import { UseQueryResult } from 'react-query';
 import { Typography } from 'antd';
+import { ExecStats } from 'api/v5/v5';
 import { PrecisionOption, PrecisionOptionsEnum } from 'components/Graph/types';
 import { PANEL_TYPES, PanelDisplay } from 'constants/queryBuilder';
 import { PanelTypesWithData } from 'container/DashboardContainer/PanelTypeSelectionModal/menuItems';
@@ -11,6 +12,7 @@ import {
 	LineInterpolation,
 	LineStyle,
 } from 'lib/uPlotV2/config/types';
+import get from 'lodash-es/get';
 import { SuccessResponse } from 'types/api';
 import {
 	ColumnUnit,
@@ -36,6 +38,7 @@ import {
 	panelTypeVsPanelTimePreferences,
 	panelTypeVsShowPoints,
 	panelTypeVsSoftMinMax,
+	panelTypeVsSpanGaps,
 	panelTypeVsStackingChartPreferences,
 	panelTypeVsThreshold,
 	panelTypeVsYAxisUnit,
@@ -68,6 +71,8 @@ function RightContainer({
 	setLineStyle,
 	showPoints,
 	setShowPoints,
+	spanGaps,
+	setSpanGaps,
 	bucketCount,
 	bucketWidth,
 	stackedBarChart,
@@ -138,6 +143,7 @@ function RightContainer({
 	const allowLineStyle = panelTypeVsLineStyle[selectedGraph];
 	const allowFillMode = panelTypeVsFillMode[selectedGraph];
 	const allowShowPoints = panelTypeVsShowPoints[selectedGraph];
+	const allowSpanGaps = panelTypeVsSpanGaps[selectedGraph];

 	const decimapPrecisionOptions = useMemo(
 		() => [
@@ -176,10 +182,26 @@ function RightContainer({
 			(allowFillMode ||
 				allowLineStyle ||
 				allowLineInterpolation ||
-				allowShowPoints),
-		[allowFillMode, allowLineStyle, allowLineInterpolation, allowShowPoints],
+				allowShowPoints ||
+				allowSpanGaps),
+		[
+			allowFillMode,
+			allowLineStyle,
+			allowLineInterpolation,
+			allowShowPoints,
+			allowSpanGaps,
+		],
 	);

+	const stepInterval = useMemo(() => {
+		const stepIntervals: ExecStats['stepIntervals'] = get(
+			queryResponse,
+			'data.payload.data.newResult.meta.stepIntervals',
+			{},
+		);
+		return Math.min(...Object.values(stepIntervals));
+	}, [queryResponse]);
+
 	return (
 		<div className="right-container">
 			<section className="header">
@@ -237,10 +259,14 @@ function RightContainer({
 						setLineInterpolation={setLineInterpolation}
 						showPoints={showPoints}
 						setShowPoints={setShowPoints}
+						spanGaps={spanGaps}
+						setSpanGaps={setSpanGaps}
 						allowFillMode={allowFillMode}
 						allowLineStyle={allowLineStyle}
 						allowLineInterpolation={allowLineInterpolation}
 						allowShowPoints={allowShowPoints}
+						allowSpanGaps={allowSpanGaps}
+						stepInterval={stepInterval}
 					/>
 				)}

@@ -364,6 +390,8 @@ export interface RightContainerProps {
 	setLineStyle: Dispatch<SetStateAction<LineStyle>>;
 	showPoints: boolean;
 	setShowPoints: Dispatch<SetStateAction<boolean>>;
+	spanGaps: boolean | number;
+	setSpanGaps: Dispatch<SetStateAction<boolean | number>>;
 }

 RightContainer.defaultProps = {
--- a/frontend/src/container/NewWidget/test/NewWidget.test.tsx
+++ b/frontend/src/container/NewWidget/test/NewWidget.test.tsx
@@ -14,7 +14,6 @@ import { DashboardProvider } from 'providers/Dashboard/Dashboard';
 import { PreferenceContextProvider } from 'providers/preferences/context/PreferenceContextProvider';
 import i18n from 'ReactI18';
 import {
-	fireEvent,
 	getByText as getByTextUtil,
 	render,
 	userEvent,
@@ -342,9 +341,8 @@ describe('Stacking bar in new panel', () => {
 const STACKING_STATE_ATTR = 'data-stacking-state';

 describe('when switching to BAR panel type', () => {
-	jest.setTimeout(10000);
-
 	beforeEach(() => {
+		jest.useFakeTimers();
 		jest.clearAllMocks();

 		// Mock useSearchParams to return the expected values
@@ -354,7 +352,15 @@ describe('when switching to BAR panel type', () => {
 		]);
 	});

+	afterEach(() => {
+		jest.useRealTimers();
+	});
+
 	it('should preserve saved stacking value of true', async () => {
+		const user = userEvent.setup({
+			advanceTimers: jest.advanceTimersByTime.bind(jest),
+		});
+
 		const { getByTestId, getByText, container } = render(
 			<DashboardProvider dashboardId="">
 				<NewWidget
@@ -370,7 +376,7 @@ describe('when switching to BAR panel type', () => {
 			'true',
 		);

-		await userEvent.click(getByText('Bar')); // Panel Type Selected
+		await user.click(getByText('Bar')); // Panel Type Selected

 		// find dropdown with - .ant-select-dropdown
 		const panelDropdown = document.querySelector(
@@ -380,7 +386,7 @@ describe('when switching to BAR panel type', () => {

 		// Select TimeSeries from dropdown
 		const option = within(panelDropdown).getByText('Time Series');
-		fireEvent.click(option);
+		await user.click(option);

 		expect(getByTestId('panel-change-select')).toHaveAttribute(
 			STACKING_STATE_ATTR,
@@ -395,7 +401,7 @@ describe('when switching to BAR panel type', () => {
 		expect(panelTypeDropdown2).toBeInTheDocument();

 		expect(getByTextUtil(panelTypeDropdown2, 'Time Series')).toBeInTheDocument();
-		fireEvent.click(getByTextUtil(panelTypeDropdown2, 'Time Series'));
+		await user.click(getByTextUtil(panelTypeDropdown2, 'Time Series'));

 		// find dropdown with - .ant-select-dropdown
 		const panelDropdown2 = document.querySelector(
@@ -403,7 +409,7 @@ describe('when switching to BAR panel type', () => {
 		) as HTMLElement;
 		// // Select BAR from dropdown
 		const BarOption = within(panelDropdown2).getByText('Bar');
-		fireEvent.click(BarOption);
+		await user.click(BarOption);

 		// Stack series should be true
 		checkStackSeriesState(container, true);
--- a/frontend/src/container/NewWidget/index.tsx
+++ b/frontend/src/container/NewWidget/index.tsx
@@ -220,6 +220,9 @@ function NewWidget({
 	const [showPoints, setShowPoints] = useState<boolean>(
 		selectedWidget?.showPoints ?? false,
 	);
+	const [spanGaps, setSpanGaps] = useState<boolean | number>(
+		selectedWidget?.spanGaps ?? true,
+	);
 	const [customLegendColors, setCustomLegendColors] = useState<
 		Record<string, string>
 	>(selectedWidget?.customLegendColors || {});
@@ -289,6 +292,7 @@ function NewWidget({
 				fillMode,
 				lineStyle,
 				showPoints,
+				spanGaps,
 				columnUnits,
 				bucketCount,
 				stackedBarChart,
@@ -328,6 +332,7 @@ function NewWidget({
 		fillMode,
 		lineStyle,
 		showPoints,
+		spanGaps,
 		customLegendColors,
 		contextLinks,
 		selectedWidget.columnWidths,
@@ -541,6 +546,7 @@ function NewWidget({
 								softMin: selectedWidget?.softMin || 0,
 								softMax: selectedWidget?.softMax || 0,
 								fillSpans: selectedWidget?.fillSpans,
+								spanGaps: selectedWidget?.spanGaps ?? true,
 								isLogScale: selectedWidget?.isLogScale || false,
 								bucketWidth: selectedWidget?.bucketWidth || 0,
 								bucketCount: selectedWidget?.bucketCount || 0,
@@ -572,6 +578,7 @@ function NewWidget({
 								softMin: selectedWidget?.softMin || 0,
 								softMax: selectedWidget?.softMax || 0,
 								fillSpans: selectedWidget?.fillSpans,
+								spanGaps: selectedWidget?.spanGaps ?? true,
 								isLogScale: selectedWidget?.isLogScale || false,
 								bucketWidth: selectedWidget?.bucketWidth || 0,
 								bucketCount: selectedWidget?.bucketCount || 0,
@@ -889,6 +896,8 @@ function NewWidget({
 							setLineStyle={setLineStyle}
 							showPoints={showPoints}
 							setShowPoints={setShowPoints}
+							spanGaps={spanGaps}
+							setSpanGaps={setSpanGaps}
 							opacity={opacity}
 							yAxisUnit={yAxisUnit}
 							columnUnits={columnUnits}
--- a/frontend/src/hooks/useAuthZ/constants.ts
+++ b/frontend/src/hooks/useAuthZ/constants.ts
@@ -0,0 +1,2 @@
+export const SINGLE_FLIGHT_WAIT_TIME_MS = 50;
+export const AUTHZ_CACHE_TIME = 20_000;
--- a/frontend/src/hooks/useAuthZ/legacy.ts
+++ b/frontend/src/hooks/useAuthZ/legacy.ts
@@ -0,0 +1,18 @@
+import { buildPermission } from './utils';
+
+export const IsAdminPermission = buildPermission(
+	'assignee',
+	'role:signoz-admin',
+);
+export const IsEditorPermission = buildPermission(
+	'assignee',
+	'role:signoz-editor',
+);
+export const IsViewerPermission = buildPermission(
+	'assignee',
+	'role:signoz-viewer',
+);
+export const IsAnonymousPermission = buildPermission(
+	'assignee',
+	'role:signoz-anonymous',
+);
--- a/frontend/src/hooks/useAuthZ/types.ts
+++ b/frontend/src/hooks/useAuthZ/types.ts
@@ -14,7 +14,7 @@ type ResourceTypeMap = {

 type RelationName = keyof RelationsByType;

-type ResourcesForRelation<R extends RelationName> = Extract<
+export type ResourcesForRelation<R extends RelationName> = Extract<
 	Resource,
 	{ type: RelationsByType[R][number] }
 >['name'];
@@ -50,8 +50,26 @@ export type AuthZCheckResponse = Record<
 	}
 >;

+export type UseAuthZOptions = {
+	/**
+	 * If false, the query/permissions will not be fetched.
+	 * Useful when you want to disable the query/permissions for a specific use case, like logout.
+	 *
+	 * @default true
+	 */
+	enabled?: boolean;
+};
+
 export type UseAuthZResult = {
+	/**
+	 * If query is cached, and refetch happens in background, this is false.
+	 */
 	isLoading: boolean;
+	/**
+	 * If query is fetching, even if happens in background, this is true.
+	 */
+	isFetching: boolean;
 	error: Error | null;
 	permissions: AuthZCheckResponse | null;
+	refetchPermissions: () => void;
 };
--- a/frontend/src/hooks/useAuthZ/useAuthZ.tsx
+++ b/frontend/src/hooks/useAuthZ/useAuthZ.tsx
@@ -1,4 +1,4 @@
-import { useMemo } from 'react';
+import { useCallback, useMemo } from 'react';
 import { useQueries } from 'react-query';
 import { authzCheck } from 'api/generated/services/authz';
 import type {
@@ -6,7 +6,13 @@ import type {
 	AuthtypesTransactionDTO,
 } from 'api/generated/services/sigNoz.schemas';

-import { AuthZCheckResponse, BrandedPermission, UseAuthZResult } from './types';
+import { AUTHZ_CACHE_TIME, SINGLE_FLIGHT_WAIT_TIME_MS } from './constants';
+import {
+	AuthZCheckResponse,
+	BrandedPermission,
+	UseAuthZOptions,
+	UseAuthZResult,
+} from './types';
 import {
 	gettableTransactionToPermission,
 	permissionToTransactionDto,
@@ -14,8 +20,6 @@ import {

 let ctx: Promise<AuthZCheckResponse> | null;
 let pendingPermissions: BrandedPermission[] = [];
-const SINGLE_FLIGHT_WAIT_TIME_MS = 50;
-const AUTHZ_CACHE_TIME = 20_000;

 function dispatchPermission(
 	permission: BrandedPermission,
@@ -70,7 +74,12 @@ async function fetchManyPermissions(
 	}, {} as AuthZCheckResponse);
 }

-export function useAuthZ(permissions: BrandedPermission[]): UseAuthZResult {
+export function useAuthZ(
+	permissions: BrandedPermission[],
+	options?: UseAuthZOptions,
+): UseAuthZResult {
+	const { enabled } = options ?? { enabled: true };
+
 	const queryResults = useQueries(
 		permissions.map((permission) => {
 			return {
@@ -80,6 +89,7 @@ export function useAuthZ(permissions: BrandedPermission[]): UseAuthZResult {
 				refetchIntervalInBackground: false,
 				refetchOnWindowFocus: false,
 				refetchOnReconnect: true,
+				enabled,
 				queryFn: async (): Promise<AuthZCheckResponse> => {
 					const response = await dispatchPermission(permission);

@@ -96,6 +106,10 @@ export function useAuthZ(permissions: BrandedPermission[]): UseAuthZResult {
 	const isLoading = useMemo(() => queryResults.some((q) => q.isLoading), [
 		queryResults,
 	]);
+	const isFetching = useMemo(() => queryResults.some((q) => q.isFetching), [
+		queryResults,
+	]);
+
 	const error = useMemo(
 		() =>
 			!isLoading
@@ -121,9 +135,17 @@ export function useAuthZ(permissions: BrandedPermission[]): UseAuthZResult {
 		}, {} as AuthZCheckResponse);
 	}, [isLoading, error, queryResults]);

+	const refetchPermissions = useCallback(() => {
+		for (const query of queryResults) {
+			query.refetch();
+		}
+	}, [queryResults]);
+
 	return {
 		isLoading,
+		isFetching,
 		error,
 		permissions: data ?? null,
+		refetchPermissions,
 	};
 }
--- a/frontend/src/hooks/useAuthZ/utils.ts
+++ b/frontend/src/hooks/useAuthZ/utils.ts
@@ -3,9 +3,9 @@ import permissionsType from './permissions.type';
 import {
 	AuthZObject,
 	AuthZRelation,
-	AuthZResource,
 	BrandedPermission,
 	ResourceName,
+	ResourcesForRelation,
 	ResourceType,
 } from './types';

@@ -19,11 +19,10 @@ export function buildPermission<R extends AuthZRelation>(
 	return `${relation}${PermissionSeparator}${object}` as BrandedPermission;
 }

-export function buildObjectString(
-	resource: AuthZResource,
-	objectId: string,
-): `${AuthZResource}${typeof ObjectSeparator}${string}` {
-	return `${resource}${ObjectSeparator}${objectId}` as const;
+export function buildObjectString<
+	R extends 'delete' | 'read' | 'update' | 'assignee'
+>(resource: ResourcesForRelation<R>, objectId: string): AuthZObject<R> {
+	return `${resource}${ObjectSeparator}${objectId}` as AuthZObject<R>;
 }

 export function parsePermission(
--- a/frontend/src/lib/uPlotV2/components/UPlotChart/UPlotChart.tsx
+++ b/frontend/src/lib/uPlotV2/components/UPlotChart/UPlotChart.tsx
@@ -6,8 +6,9 @@ import { LineChart } from 'lucide-react';
 import ErrorBoundaryFallback from 'pages/ErrorBoundaryFallback/ErrorBoundaryFallback';
 import uPlot, { AlignedData, Options } from 'uplot';

-import { usePlotContext } from '../context/PlotContext';
-import { UPlotChartProps } from './types';
+import { usePlotContext } from '../../context/PlotContext';
+import { UPlotChartProps } from '../types';
+import { prepareAlignedData } from './utils';

 /**
 * Check if dimensions have changed
@@ -83,8 +84,11 @@ export default function UPlotChart({
 			...configOptions,
 		} as Options;

+		// prepare final AlignedData
+		const preparedData = prepareAlignedData({ data, config });
+
 		// Create new plot instance
-		const plot = new uPlot(plotConfig, data as AlignedData, containerRef.current);
+		const plot = new uPlot(plotConfig, preparedData, containerRef.current);

 		if (plotRef) {
 			plotRef(plot);
@@ -162,7 +166,8 @@ export default function UPlotChart({
 		}
 		// Update data if only data changed
 		else if (!sameData(prevProps, currentProps) && plotInstanceRef.current) {
-			plotInstanceRef.current.setData(data as AlignedData);
+			const preparedData = prepareAlignedData({ data, config });
+			plotInstanceRef.current.setData(preparedData as AlignedData);
 		}

 		prevPropsRef.current = currentProps;
--- a/frontend/src/lib/uPlotV2/components/UPlotChart/utils.ts
+++ b/frontend/src/lib/uPlotV2/components/UPlotChart/utils.ts
@@ -0,0 +1,16 @@
+import { UPlotConfigBuilder } from 'lib/uPlotV2/config/UPlotConfigBuilder';
+import { applySpanGapsToAlignedData } from 'lib/uPlotV2/utils/dataUtils';
+import { AlignedData } from 'uplot';
+
+export function prepareAlignedData({
+	data,
+	config,
+}: {
+	data: AlignedData;
+	config: UPlotConfigBuilder;
+}): AlignedData {
+	const seriesSpanGaps = config.getSeriesSpanGapsOptions();
+	return seriesSpanGaps.length > 0
+		? applySpanGapsToAlignedData(data as AlignedData, seriesSpanGaps)
+		: (data as AlignedData);
+}
--- a/frontend/src/lib/uPlotV2/components/tests/UPlotChart.test.tsx
+++ b/frontend/src/lib/uPlotV2/components/tests/UPlotChart.test.tsx
@@ -4,7 +4,7 @@ import { UPlotConfigBuilder } from 'lib/uPlotV2/config/UPlotConfigBuilder';
 import type { AlignedData } from 'uplot';

 import { PlotContextProvider } from '../../context/PlotContext';
-import UPlotChart from '../UPlotChart';
+import UPlotChart from '../UPlotChart/UPlotChart';

 // ---------------------------------------------------------------------------
 // Mocks
@@ -86,6 +86,7 @@ const createMockConfig = (): UPlotConfigBuilder => {
 		}),
 		getId: jest.fn().mockReturnValue(undefined),
 		getShouldSaveSelectionPreference: jest.fn().mockReturnValue(false),
+		getSeriesSpanGapsOptions: jest.fn().mockReturnValue([]),
 	} as unknown) as UPlotConfigBuilder;
 };

@@ -328,6 +329,78 @@ describe('UPlotChart', () => {
 		});
 	});

+	describe('spanGaps data transformation', () => {
+		it('inserts null break points before passing data to uPlot when a gap exceeds the numeric threshold', () => {
+			const config = createMockConfig();
+			// gap 0→100 = 100 > threshold 50 → null inserted at midpoint x=50
+			(config.getSeriesSpanGapsOptions as jest.Mock).mockReturnValue([
+				{ spanGaps: 50 },
+			]);
+			const data: AlignedData = [
+				[0, 100],
+				[1, 2],
+			];
+
+			render(<UPlotChart config={config} data={data} width={600} height={400} />, {
+				wrapper: Wrapper,
+			});
+
+			const [, receivedData] = mockUPlotConstructor.mock.calls[0];
+			expect(receivedData[0]).toEqual([0, 50, 100]);
+			expect(receivedData[1]).toEqual([1, null, 2]);
+		});
+
+		it('passes data through unchanged when no gap exceeds the numeric threshold', () => {
+			const config = createMockConfig();
+			// all gaps = 10, threshold = 50 → no insertions, same reference returned
+			(config.getSeriesSpanGapsOptions as jest.Mock).mockReturnValue([
+				{ spanGaps: 50 },
+			]);
+			const data: AlignedData = [
+				[0, 10, 20],
+				[1, 2, 3],
+			];
+
+			render(<UPlotChart config={config} data={data} width={600} height={400} />, {
+				wrapper: Wrapper,
+			});
+
+			const [, receivedData] = mockUPlotConstructor.mock.calls[0];
+			expect(receivedData).toBe(data);
+		});
+
+		it('transforms data passed to setData when data updates and a new gap exceeds the threshold', () => {
+			const config = createMockConfig();
+			(config.getSeriesSpanGapsOptions as jest.Mock).mockReturnValue([
+				{ spanGaps: 50 },
+			]);
+
+			// initial render: gap 10 < 50, no transformation
+			const initialData: AlignedData = [
+				[0, 10],
+				[1, 2],
+			];
+			// updated data: gap 100 > 50 → null inserted at midpoint x=50
+			const newData: AlignedData = [
+				[0, 100],
+				[3, 4],
+			];
+
+			const { rerender } = render(
+				<UPlotChart config={config} data={initialData} width={600} height={400} />,
+				{ wrapper: Wrapper },
+			);
+
+			rerender(
+				<UPlotChart config={config} data={newData} width={600} height={400} />,
+			);
+
+			const receivedData = instances[0].setData.mock.calls[0][0];
+			expect(receivedData[0]).toEqual([0, 50, 100]);
+			expect(receivedData[1]).toEqual([3, null, 4]);
+		});
+	});
+
 	describe('prop updates', () => {
 		it('calls setData without recreating the plot when only data changes', () => {
 			const config = createMockConfig();
--- a/frontend/src/lib/uPlotV2/config/UPlotConfigBuilder.ts
+++ b/frontend/src/lib/uPlotV2/config/UPlotConfigBuilder.ts
@@ -14,6 +14,7 @@ import {
 	STEP_INTERVAL_MULTIPLIER,
 } from '../constants';
 import { calculateWidthBasedOnStepInterval } from '../utils';
+import { SeriesSpanGapsOption } from '../utils/dataUtils';
 import {
 	ConfigBuilder,
 	ConfigBuilderProps,
@@ -161,6 +162,13 @@ export class UPlotConfigBuilder extends ConfigBuilder<
 		this.series.push(new UPlotSeriesBuilder(props));
 	}

+	getSeriesSpanGapsOptions(): SeriesSpanGapsOption[] {
+		return this.series.map((s) => {
+			const { spanGaps } = s.props;
+			return { spanGaps };
+		});
+	}
+
 	/**
 	 * Add a hook for extensibility
 	 */
--- a/frontend/src/lib/uPlotV2/config/UPlotSeriesBuilder.ts
+++ b/frontend/src/lib/uPlotV2/config/UPlotSeriesBuilder.ts
@@ -212,7 +212,12 @@ export class UPlotSeriesBuilder extends ConfigBuilder<SeriesProps, Series> {
 		return {
 			scale: scaleKey,
 			label,
-			spanGaps: typeof spanGaps === 'boolean' ? spanGaps : false,
+			// When spanGaps is numeric, we always disable uPlot's internal
+			// spanGaps behavior and rely on data-prep to implement the
+			// threshold-based null handling. When spanGaps is boolean we
+			// map it directly. When spanGaps is undefined we fall back to
+			// the default of true.
+			spanGaps: typeof spanGaps === 'number' ? false : spanGaps ?? true,
 			value: (): string => '',
 			pxAlign: true,
 			show,
--- a/frontend/src/lib/uPlotV2/config/tests/UPlotSeriesBuilder.test.ts
+++ b/frontend/src/lib/uPlotV2/config/tests/UPlotSeriesBuilder.test.ts
@@ -40,6 +40,37 @@ describe('UPlotSeriesBuilder', () => {
 		expect(typeof config.value).toBe('function');
 	});

+	it('maps boolean spanGaps directly to uPlot spanGaps', () => {
+		const trueBuilder = new UPlotSeriesBuilder(
+			createBaseProps({
+				spanGaps: true,
+			}),
+		);
+		const falseBuilder = new UPlotSeriesBuilder(
+			createBaseProps({
+				spanGaps: false,
+			}),
+		);
+
+		const trueConfig = trueBuilder.getConfig();
+		const falseConfig = falseBuilder.getConfig();
+
+		expect(trueConfig.spanGaps).toBe(true);
+		expect(falseConfig.spanGaps).toBe(false);
+	});
+
+	it('disables uPlot spanGaps when spanGaps is a number', () => {
+		const builder = new UPlotSeriesBuilder(
+			createBaseProps({
+				spanGaps: 10000,
+			}),
+		);
+
+		const config = builder.getConfig();
+
+		expect(config.spanGaps).toBe(false);
+	});
+
 	it('uses explicit lineColor when provided, regardless of mapping', () => {
 		const builder = new UPlotSeriesBuilder(
 			createBaseProps({
--- a/frontend/src/lib/uPlotV2/config/types.ts
+++ b/frontend/src/lib/uPlotV2/config/types.ts
@@ -99,6 +99,11 @@ export interface ScaleProps {
 	distribution?: DistributionType;
 }

+export enum DisconnectedValuesMode {
+	Never = 'never',
+	Threshold = 'threshold',
+}
+
 /**
 * Props for configuring a series
 */
@@ -175,7 +180,16 @@ export interface SeriesProps extends LineConfig, PointsConfig, BarConfig {
 	pointsFilter?: Series.Points.Filter;
 	pointsBuilder?: Series.Points.Show;
 	show?: boolean;
-	spanGaps?: boolean;
+	/**
+	 * Controls how nulls are treated for this series.
+	 *
+	 * - boolean: mapped directly to uPlot's spanGaps behavior
+	 * - number: interpreted as an X-axis threshold (same unit as ref values),
+	 *           where gaps smaller than this threshold are spanned by
+	 *           converting short null runs to undefined during data prep
+	 *           while uPlot's internal spanGaps is kept disabled.
+	 */
+	spanGaps?: boolean | number;
 	fillColor?: string;
 	fillMode?: FillMode;
 	isDarkMode?: boolean;
--- a/frontend/src/lib/uPlotV2/utils/tests/dataUtils.test.ts
+++ b/frontend/src/lib/uPlotV2/utils/tests/dataUtils.test.ts
@@ -1,4 +1,12 @@
-import { isInvalidPlotValue, normalizePlotValue } from '../dataUtils';
+import uPlot from 'uplot';
+
+import {
+	applySpanGapsToAlignedData,
+	insertLargeGapNullsIntoAlignedData,
+	isInvalidPlotValue,
+	normalizePlotValue,
+	SeriesSpanGapsOption,
+} from '../dataUtils';

 describe('dataUtils', () => {
 	describe('isInvalidPlotValue', () => {
@@ -59,4 +67,217 @@ describe('dataUtils', () => {
 			expect(normalizePlotValue(42.5)).toBe(42.5);
 		});
 	});
+
+	describe('insertLargeGapNullsIntoAlignedData', () => {
+		it('returns original data unchanged when no gap exceeds the threshold', () => {
+			// all gaps = 10, threshold = 25 → no insertions
+			const data: uPlot.AlignedData = [
+				[0, 10, 20, 30],
+				[1, 2, 3, 4],
+			];
+			const options: SeriesSpanGapsOption[] = [{ spanGaps: 25 }];
+
+			const result = insertLargeGapNullsIntoAlignedData(data, options);
+
+			expect(result).toBe(data);
+		});
+
+		it('does not insert when the gap equals the threshold exactly', () => {
+			// gap = 50, threshold = 50 → condition is gap > threshold, not >=
+			const data: uPlot.AlignedData = [
+				[0, 50],
+				[1, 2],
+			];
+			const options: SeriesSpanGapsOption[] = [{ spanGaps: 50 }];
+
+			const result = insertLargeGapNullsIntoAlignedData(data, options);
+
+			expect(result).toBe(data);
+		});
+
+		it('inserts a null at the midpoint when a single gap exceeds the threshold', () => {
+			// gap 0→100 = 100 > 50 → insert null at x=50
+			const data: uPlot.AlignedData = [
+				[0, 100],
+				[1, 2],
+			];
+			const options: SeriesSpanGapsOption[] = [{ spanGaps: 50 }];
+
+			const result = insertLargeGapNullsIntoAlignedData(data, options);
+
+			expect(result[0]).toEqual([0, 50, 100]);
+			expect(result[1]).toEqual([1, null, 2]);
+		});
+
+		it('inserts nulls at every gap that exceeds the threshold', () => {
+			// gaps: 0→100=100, 100→110=10, 110→210=100; threshold=50
+			// → insert at 0→100 and 110→210
+			const data: uPlot.AlignedData = [
+				[0, 100, 110, 210],
+				[1, 2, 3, 4],
+			];
+			const options: SeriesSpanGapsOption[] = [{ spanGaps: 50 }];
+
+			const result = insertLargeGapNullsIntoAlignedData(data, options);
+
+			expect(result[0]).toEqual([0, 50, 100, 110, 160, 210]);
+			expect(result[1]).toEqual([1, null, 2, 3, null, 4]);
+		});
+
+		it('inserts null for all series at a gap triggered by any one series', () => {
+			// series 0: threshold=50, gap=100 → triggers insertion
+			// series 1: threshold=200, gap=100 → would not trigger alone
+			// result: both series get null at the inserted x because the x-axis is shared
+			const data: uPlot.AlignedData = [
+				[0, 100],
+				[1, 2],
+				[3, 4],
+			];
+			const options: SeriesSpanGapsOption[] = [
+				{ spanGaps: 50 },
+				{ spanGaps: 200 },
+			];
+
+			const result = insertLargeGapNullsIntoAlignedData(data, options);
+
+			expect(result[0]).toEqual([0, 50, 100]);
+			expect(result[1]).toEqual([1, null, 2]);
+			expect(result[2]).toEqual([3, null, 4]);
+		});
+
+		it('ignores boolean spanGaps options (only numeric values trigger insertion)', () => {
+			const data: uPlot.AlignedData = [
+				[0, 100],
+				[1, 2],
+			];
+			const options: SeriesSpanGapsOption[] = [{ spanGaps: true }];
+
+			const result = insertLargeGapNullsIntoAlignedData(data, options);
+
+			expect(result).toBe(data);
+		});
+
+		it('returns original data when series options array is empty', () => {
+			const data: uPlot.AlignedData = [
+				[0, 100],
+				[1, 2],
+			];
+
+			const result = insertLargeGapNullsIntoAlignedData(data, []);
+
+			expect(result).toBe(data);
+		});
+
+		it('returns original data when there is only one x point', () => {
+			const data: uPlot.AlignedData = [[0], [1]];
+			const options: SeriesSpanGapsOption[] = [{ spanGaps: 10 }];
+
+			const result = insertLargeGapNullsIntoAlignedData(data, options);
+
+			expect(result).toBe(data);
+		});
+
+		it('preserves existing null values in the series alongside inserted ones', () => {
+			// original series already has a null; gap 0→100 also triggers insertion
+			const data: uPlot.AlignedData = [
+				[0, 100, 110],
+				[1, null, 2],
+			];
+			const options: SeriesSpanGapsOption[] = [{ spanGaps: 50 }];
+
+			const result = insertLargeGapNullsIntoAlignedData(data, options);
+
+			expect(result[0]).toEqual([0, 50, 100, 110]);
+			expect(result[1]).toEqual([1, null, null, 2]);
+		});
+	});
+
+	describe('applySpanGapsToAlignedData', () => {
+		const xs: uPlot.AlignedData[0] = [0, 10, 20, 30];
+
+		it('returns original data when there are no series', () => {
+			const data: uPlot.AlignedData = [xs];
+			const result = applySpanGapsToAlignedData(data, []);
+
+			expect(result).toBe(data);
+		});
+
+		it('leaves data unchanged when spanGaps is undefined', () => {
+			const ys = [1, null, 2, null];
+			const data: uPlot.AlignedData = [xs, ys];
+			const options: SeriesSpanGapsOption[] = [{}];
+
+			const result = applySpanGapsToAlignedData(data, options);
+
+			expect(result[1]).toEqual(ys);
+		});
+
+		it('converts nulls to undefined when spanGaps is true', () => {
+			const ys = [1, null, 2, null];
+			const data: uPlot.AlignedData = [xs, ys];
+			const options: SeriesSpanGapsOption[] = [{ spanGaps: true }];
+
+			const result = applySpanGapsToAlignedData(data, options);
+
+			expect(result[1]).toEqual([1, undefined, 2, undefined]);
+		});
+
+		it('leaves data unchanged when spanGaps is false', () => {
+			const ys = [1, null, 2, null];
+			const data: uPlot.AlignedData = [xs, ys];
+			const options: SeriesSpanGapsOption[] = [{ spanGaps: false }];
+
+			const result = applySpanGapsToAlignedData(data, options);
+
+			expect(result[1]).toEqual(ys);
+		});
+
+		it('inserts a null break point when a gap exceeds the numeric threshold', () => {
+			// gap 0→100 = 100 > 50 → null inserted at midpoint x=50
+			const data: uPlot.AlignedData = [
+				[0, 100, 110],
+				[1, 2, 3],
+			];
+			const options: SeriesSpanGapsOption[] = [{ spanGaps: 50 }];
+
+			const result = applySpanGapsToAlignedData(data, options);
+
+			expect(result[0]).toEqual([0, 50, 100, 110]);
+			expect(result[1]).toEqual([1, null, 2, 3]);
+		});
+
+		it('returns original data when no gap exceeds the numeric threshold', () => {
+			// all gaps = 10, threshold = 25 → no insertions
+			const data: uPlot.AlignedData = [xs, [1, 2, 3, 4]];
+			const options: SeriesSpanGapsOption[] = [{ spanGaps: 25 }];
+
+			const result = applySpanGapsToAlignedData(data, options);
+
+			expect(result).toBe(data);
+		});
+
+		it('applies both numeric gap insertion and boolean null-to-undefined in one pass', () => {
+			// series 0: spanGaps: 50 → gap 0→100 triggers a null break at midpoint x=50
+			// series 1: spanGaps: true → the inserted null at x=50 becomes undefined,
+			//   so the line spans over it rather than breaking
+			const data: uPlot.AlignedData = [
+				[0, 100],
+				[1, 2],
+				[3, 4],
+			];
+			const options: SeriesSpanGapsOption[] = [
+				{ spanGaps: 50 },
+				{ spanGaps: true },
+			];
+
+			const result = applySpanGapsToAlignedData(data, options);
+
+			// x-axis extended with the inserted midpoint
+			expect(result[0]).toEqual([0, 50, 100]);
+			// series 0: null at midpoint breaks the line
+			expect(result[1]).toEqual([1, null, 2]);
+			// series 1: null at midpoint converted to undefined → line spans over it
+			expect(result[2]).toEqual([3, undefined, 4]);
+		});
+	});
 });
--- a/frontend/src/lib/uPlotV2/utils/dataUtils.ts
+++ b/frontend/src/lib/uPlotV2/utils/dataUtils.ts
@@ -24,10 +24,10 @@ export function isInvalidPlotValue(value: unknown): boolean {
 		}

 		// Try to parse the string as a number
-		const numValue = parseFloat(value);
+		const parsedNumber = parseFloat(value);

 		// If parsing failed or resulted in a non-finite number, it's invalid
-		if (Number.isNaN(numValue) || !Number.isFinite(numValue)) {
+		if (Number.isNaN(parsedNumber) || !Number.isFinite(parsedNumber)) {
 			return true;
 		}
 	}
@@ -51,3 +51,178 @@ export function normalizePlotValue(
 	// Already a valid number
 	return value as number;
 }
+
+export interface SeriesSpanGapsOption {
+	spanGaps?: boolean | number;
+}
+
+// Internal type alias: a series value array that may contain nulls/undefineds.
+// uPlot uses null to draw a visible gap and undefined to represent "no sample"
+// (the line continues across undefined points but breaks at null ones).
+type SeriesArray = Array<number | null | undefined>;
+
+/**
+ * Returns true if the given gap size exceeds the numeric spanGaps threshold
+ * of at least one series. Used to decide whether to insert a null break point.
+ */
+function gapExceedsThreshold(
+	gapSize: number,
+	seriesOptions: SeriesSpanGapsOption[],
+): boolean {
+	return seriesOptions.some(
+		({ spanGaps }) =>
+			typeof spanGaps === 'number' && spanGaps > 0 && gapSize > spanGaps,
+	);
+}
+
+/**
+ * For each series with a numeric spanGaps threshold, insert a null data point
+ * between consecutive x timestamps whose gap exceeds the threshold.
+ *
+ * Why: uPlot draws a continuous line between all non-null points. When the
+ * time gap between two consecutive samples is larger than the configured
+ * spanGaps value, we inject a synthetic null at the midpoint so uPlot renders
+ * a visible break instead of a misleading straight line across the gap.
+ *
+ * Because uPlot's AlignedData shares a single x-axis across all series, a null
+ * is inserted for every series at each position where any series needs a break.
+ *
+ * Two-pass approach for performance:
+ *   Pass 1 — count how many nulls will be inserted (no allocations).
+ *   Pass 2 — fill pre-allocated output arrays by index (no push/reallocation).
+ */
+export function insertLargeGapNullsIntoAlignedData(
+	data: uPlot.AlignedData,
+	seriesOptions: SeriesSpanGapsOption[],
+): uPlot.AlignedData {
+	const [xValues, ...seriesValues] = data;
+
+	if (
+		!Array.isArray(xValues) ||
+		xValues.length < 2 ||
+		seriesValues.length === 0
+	) {
+		return data;
+	}
+
+	const timestamps = xValues as number[];
+	const totalPoints = timestamps.length;
+
+	// Pass 1: count insertions needed so we know the exact output length.
+	// This lets us pre-allocate arrays rather than growing them dynamically.
+	let insertionCount = 0;
+	for (let i = 0; i < totalPoints - 1; i += 1) {
+		if (gapExceedsThreshold(timestamps[i + 1] - timestamps[i], seriesOptions)) {
+			insertionCount += 1;
+		}
+	}
+
+	// No gaps exceed any threshold — return the original data unchanged.
+	if (insertionCount === 0) {
+		return data;
+	}
+
+	// Pass 2: build output arrays of exact size and fill them.
+	// `writeIndex` is the write cursor into the output arrays.
+	const outputLen = totalPoints + insertionCount;
+	const newX = new Array<number>(outputLen);
+	const newSeries: SeriesArray[] = seriesValues.map(
+		() => new Array<number | null | undefined>(outputLen),
+	);
+
+	let writeIndex = 0;
+	for (let i = 0; i < totalPoints; i += 1) {
+		// Copy the real data point at position i
+		newX[writeIndex] = timestamps[i];
+		for (
+			let seriesIndex = 0;
+			seriesIndex < seriesValues.length;
+			seriesIndex += 1
+		) {
+			newSeries[seriesIndex][writeIndex] = (seriesValues[
+				seriesIndex
+			] as SeriesArray)[i];
+		}
+		writeIndex += 1;
+
+		// If the gap to the next x timestamp exceeds the threshold, insert a
+		// synthetic null at the midpoint. The midpoint x is placed halfway
+		// between timestamps[i] and timestamps[i+1] (minimum 1 unit past timestamps[i] to stay unique).
+		if (
+			i < totalPoints - 1 &&
+			gapExceedsThreshold(timestamps[i + 1] - timestamps[i], seriesOptions)
+		) {
+			newX[writeIndex] =
+				timestamps[i] +
+				Math.max(1, Math.floor((timestamps[i + 1] - timestamps[i]) / 2));
+			for (
+				let seriesIndex = 0;
+				seriesIndex < seriesValues.length;
+				seriesIndex += 1
+			) {
+				newSeries[seriesIndex][writeIndex] = null; // null tells uPlot to break the line here
+			}
+			writeIndex += 1;
+		}
+	}
+
+	return [newX, ...newSeries] as uPlot.AlignedData;
+}
+
+/**
+ * Apply per-series spanGaps (boolean | number) handling to an aligned dataset.
+ *
+ * spanGaps controls how uPlot handles gaps in a series:
+ *   - boolean true  → convert null → undefined so uPlot spans over every gap
+ *                     (draws a continuous line, skipping missing samples)
+ *   - boolean false → no change; nulls render as visible breaks (default)
+ *   - number        → insert a null break point between any two consecutive
+ *                     timestamps whose difference exceeds the threshold;
+ *                     gaps smaller than the threshold are left as-is
+ *
+ * The input data is expected to be of the form:
+ * [xValues, series1Values, series2Values, ...]
+ */
+export function applySpanGapsToAlignedData(
+	data: uPlot.AlignedData,
+	seriesOptions: SeriesSpanGapsOption[],
+): uPlot.AlignedData {
+	const [xValues, ...seriesValues] = data;
+
+	if (!Array.isArray(xValues) || seriesValues.length === 0) {
+		return data;
+	}
+
+	// Numeric spanGaps: operates on the whole dataset at once because inserting
+	// null break points requires modifying the shared x-axis.
+	const hasNumericSpanGaps = seriesOptions.some(
+		({ spanGaps }) => typeof spanGaps === 'number',
+	);
+	const gapProcessed = hasNumericSpanGaps
+		? insertLargeGapNullsIntoAlignedData(data, seriesOptions)
+		: data;
+
+	// Boolean spanGaps === true: convert null → undefined per series so uPlot
+	// draws a continuous line across missing samples instead of breaking it.
+	// Skip this pass entirely if no series uses spanGaps: true.
+	const hasBooleanTrue = seriesOptions.some(({ spanGaps }) => spanGaps === true);
+	if (!hasBooleanTrue) {
+		return gapProcessed;
+	}
+
+	const [newX, ...newSeries] = gapProcessed;
+	const transformedSeries = newSeries.map((yValues, seriesIndex) => {
+		const { spanGaps } = seriesOptions[seriesIndex] ?? {};
+		if (spanGaps !== true) {
+			// This series doesn't use spanGaps: true — leave it unchanged.
+			return yValues;
+		}
+		// Replace null with undefined: uPlot skips undefined points without
+		// breaking the line, effectively spanning over the gap.
+		return (yValues as SeriesArray).map((pointValue) =>
+			pointValue === null ? undefined : pointValue,
+		) as uPlot.AlignedData[0];
+	});
+
+	return [newX, ...transformedSeries] as uPlot.AlignedData;
+}
--- a/frontend/src/mocks-server/mockdata/invite_user.ts
+++ b/frontend/src/mocks-server/mockdata/invite_user.ts
@@ -0,0 +1,25 @@
+export const inviteUser = {
+	status: 'success',
+	data: {
+		statusCode: 200,
+		error: null,
+		payload: [
+			{
+				email: 'jane@doe.com',
+				name: 'Jane',
+				token: 'testtoken',
+				createdAt: 1715741587,
+				role: 'VIEWER',
+				organization: 'test',
+			},
+			{
+				email: 'test+in@singoz.io',
+				name: '',
+				token: 'testtoken1',
+				createdAt: 1720095913,
+				role: 'VIEWER',
+				organization: 'test',
+			},
+		],
+	},
+};
--- a/frontend/src/mocks-server/handlers.ts
+++ b/frontend/src/mocks-server/handlers.ts
@@ -9,6 +9,7 @@ import {
 	getDashboardById,
 } from './__mockdata__/dashboards';
 import { explorerView } from './__mockdata__/explorer_views';
+import { inviteUser } from './__mockdata__/invite_user';
 import { licensesSuccessResponse } from './__mockdata__/licenses';
 import { membersResponse } from './__mockdata__/members';
 import { queryRangeSuccessResponse } from './__mockdata__/query_range';
@@ -174,14 +175,11 @@ export const handlers = [
 		res(ctx.status(200), ctx.json(getDashboardById)),
 	),

+	rest.get('http://localhost/api/v1/invite', (_, res, ctx) =>
+		res(ctx.status(200), ctx.json(inviteUser)),
+	),
 	rest.post('http://localhost/api/v1/invite', (_, res, ctx) =>
-		res(
-			ctx.status(200),
-			ctx.json({
-				status: 'success',
-				data: 'invite sent successfully',
-			}),
-		),
+		res(ctx.status(200), ctx.json(inviteUser)),
 	),
 	rest.put('http://localhost/api/v1/user/:id', (_, res, ctx) =>
 		res(
--- a/frontend/src/pages/SignUp/SignUp.tsx
+++ b/frontend/src/pages/SignUp/SignUp.tsx
@@ -1,9 +1,13 @@
-import { useMemo, useState } from 'react';
+import { useEffect, useMemo, useState } from 'react';
+import { useQuery } from 'react-query';
+import { useLocation } from 'react-router-dom';
 import { Button } from '@signozhq/button';
 import { Callout } from '@signozhq/callout';
 import { Input } from '@signozhq/input';
 import { Form, Input as AntdInput, Typography } from 'antd';
 import logEvent from 'api/common/logEvent';
+import accept from 'api/v1/invite/id/accept';
+import getInviteDetails from 'api/v1/invite/id/get';
 import signUpApi from 'api/v1/register/post';
 import passwordAuthNContext from 'api/v2/sessions/email_password/post';
 import afterLogin from 'AppRoutes/utils';
@@ -11,7 +15,9 @@ import AuthError from 'components/AuthError/AuthError';
 import AuthPageContainer from 'components/AuthPageContainer';
 import { useNotifications } from 'hooks/useNotifications';
 import { ArrowRight, CircleAlert } from 'lucide-react';
+import { SuccessResponseV2 } from 'types/api';
 import APIError from 'types/api/error';
+import { InviteDetails } from 'types/api/user/getInviteDetails';

 import { FormContainer, Label } from './styles';

@@ -33,6 +39,22 @@ function SignUp(): JSX.Element {
 		false,
 	);
 	const [formError, setFormError] = useState<APIError | null>();
+	const { search } = useLocation();
+	const params = new URLSearchParams(search);
+	const token = params.get('token');
+	const [isDetailsDisable, setIsDetailsDisable] = useState<boolean>(false);
+
+	const getInviteDetailsResponse = useQuery<
+		SuccessResponseV2<InviteDetails>,
+		APIError
+	>({
+		queryFn: () =>
+			getInviteDetails({
+				inviteId: token || '',
+			}),
+		queryKey: ['getInviteDetails', token],
+		enabled: token !== null,
+	});

 	const { notifications } = useNotifications();
 	const [form] = Form.useForm<FormValues>();
@@ -42,6 +64,49 @@ function SignUp(): JSX.Element {
 	const password = Form.useWatch('password', form);
 	const confirmPassword = Form.useWatch('confirmPassword', form);

+	useEffect(() => {
+		if (
+			getInviteDetailsResponse.status === 'success' &&
+			getInviteDetailsResponse.data.data
+		) {
+			const responseDetails = getInviteDetailsResponse.data.data;
+			form.setFieldValue('email', responseDetails.email);
+			form.setFieldValue('organizationName', responseDetails.organization);
+			setIsDetailsDisable(true);
+
+			logEvent('Account Creation Page Visited', {
+				email: responseDetails.email,
+				name: responseDetails.name,
+				company_name: responseDetails.organization,
+				source: 'SigNoz Cloud',
+			});
+		}
+	}, [
+		getInviteDetailsResponse.data?.data,
+		form,
+		getInviteDetailsResponse.status,
+	]);
+
+	useEffect(() => {
+		if (
+			getInviteDetailsResponse.status === 'success' &&
+			getInviteDetailsResponse?.error
+		) {
+			const { error } = getInviteDetailsResponse;
+			notifications.error({
+				message: (error as APIError).getErrorCode(),
+				description: (error as APIError).getErrorMessage(),
+			});
+		}
+	}, [
+		getInviteDetailsResponse,
+		getInviteDetailsResponse.data,
+		getInviteDetailsResponse.status,
+		notifications,
+	]);
+
+	const isSignUp = token === null;
+
 	const signUp = async (values: FormValues): Promise<void> => {
 		try {
 			const { organizationName, password, email } = values;
@@ -49,6 +114,7 @@ function SignUp(): JSX.Element {
 				email,
 				orgDisplayName: organizationName,
 				password,
+				token: params.get('token') || undefined,
 			});

 			const token = await passwordAuthNContext({
@@ -63,6 +129,25 @@ function SignUp(): JSX.Element {
 		}
 	};

+	const acceptInvite = async (values: FormValues): Promise<void> => {
+		try {
+			const { password, email } = values;
+			const user = await accept({
+				password,
+				token: params.get('token') || '',
+			});
+			const token = await passwordAuthNContext({
+				email,
+				password,
+				orgId: user.data.orgId,
+			});
+
+			await afterLogin(token.data.accessToken, token.data.refreshToken);
+		} catch (error) {
+			setFormError(error as APIError);
+		}
+	};
+
 	const handleSubmit = (): void => {
 		(async (): Promise<void> => {
 			try {
@@ -70,10 +155,14 @@ function SignUp(): JSX.Element {
 				setLoading(true);
 				setFormError(null);

-				await signUp(values);
-				logEvent('Account Created Successfully', {
-					email: values.email,
-				});
+				if (isSignUp) {
+					await signUp(values);
+					logEvent('Account Created Successfully', {
+						email: values.email,
+					});
+				} else {
+					await acceptInvite(values);
+				}

 				setLoading(false);
 			} catch (error) {
@@ -158,6 +247,7 @@ function SignUp(): JSX.Element {
 										autoFocus
 										required
 										id="signupEmail"
+										disabled={isDetailsDisable}
 										className="signup-form-input"
 									/>
 								</FormContainer.Item>
@@ -201,13 +291,15 @@ function SignUp(): JSX.Element {
 						</div>
 					</div>

-					<Callout
-						type="info"
-						size="small"
-						showIcon
-						className="signup-info-callout"
-						description="This will create an admin account. If you are not an admin, please ask your admin for an invite link"
-					/>
+					{isSignUp && (
+						<Callout
+							type="info"
+							size="small"
+							showIcon
+							className="signup-info-callout"
+							description="This will create an admin account. If you are not an admin, please ask your admin for an invite link"
+						/>
+					)}

 					{confirmPasswordError && (
 						<Callout
--- a/frontend/src/pages/SignUp/tests/SignUp.test.tsx
+++ b/frontend/src/pages/SignUp/tests/SignUp.test.tsx
@@ -1,6 +1,7 @@
 import afterLogin from 'AppRoutes/utils';
 import { rest, server } from 'mocks-server/server';
 import { render, screen, userEvent, waitFor } from 'tests/test-utils';
+import { InviteDetails } from 'types/api/user/getInviteDetails';
 import { SignupResponse } from 'types/api/v1/register/post';
 import { Token } from 'types/api/v2/sessions/email_password/post';

@@ -31,8 +32,14 @@ jest.mock('lib/history', () => ({

 const REGISTER_ENDPOINT = '*/api/v1/register';
 const EMAIL_PASSWORD_ENDPOINT = '*/api/v2/sessions/email_password';
+const INVITE_DETAILS_ENDPOINT = '*/api/v1/invite/*';
+const ACCEPT_INVITE_ENDPOINT = '*/api/v1/invite/accept';

-const mockSignupResponse: SignupResponse = {
+interface MockSignupResponse extends SignupResponse {
+	orgId: string;
+}
+
+const mockSignupResponse: MockSignupResponse = {
 	orgId: 'test-org-id',
 	createdAt: Date.now(),
 	email: 'test@signoz.io',
@@ -46,6 +53,15 @@ const mockTokenResponse: Token = {
 	refreshToken: 'mock-refresh-token',
 };

+const mockInviteDetails: InviteDetails = {
+	email: 'invited@signoz.io',
+	name: 'Invited User',
+	organization: 'Test Org',
+	createdAt: Date.now(),
+	role: 'ADMIN',
+	token: 'invite-token-123',
+};
+
 describe('SignUp Component - Regular Signup', () => {
 	beforeEach(() => {
 		jest.clearAllMocks();
@@ -272,3 +288,242 @@ describe('SignUp Component - Regular Signup', () => {
 		});
 	});
 });
+
+describe('SignUp Component - Accept Invite', () => {
+	beforeEach(() => {
+		jest.clearAllMocks();
+		window.history.pushState({}, '', '/signup?token=invite-token-123');
+	});
+
+	afterEach(() => {
+		server.resetHandlers();
+	});
+
+	describe('Initial Render with Invite', () => {
+		it('pre-fills form fields from invite details', async () => {
+			server.use(
+				rest.get(INVITE_DETAILS_ENDPOINT, (_req, res, ctx) =>
+					res(
+						ctx.status(200),
+						ctx.json({
+							data: mockInviteDetails,
+							status: 'success',
+						}),
+					),
+				),
+			);
+
+			render(<SignUp />, undefined, {
+				initialRoute: '/signup?token=invite-token-123',
+			});
+
+			const emailInput = await screen.findByLabelText(/email address/i);
+
+			await waitFor(() => {
+				expect(emailInput).toHaveValue('invited@signoz.io');
+			});
+		});
+
+		it('disables email field when invite details are loaded', async () => {
+			server.use(
+				rest.get(INVITE_DETAILS_ENDPOINT, (_req, res, ctx) =>
+					res(
+						ctx.status(200),
+						ctx.json({
+							data: mockInviteDetails,
+							status: 'success',
+						}),
+					),
+				),
+			);
+
+			render(<SignUp />, undefined, {
+				initialRoute: '/signup?token=invite-token-123',
+			});
+
+			const emailInput = await screen.findByLabelText(/email address/i);
+
+			await waitFor(() => {
+				expect(emailInput).toBeDisabled();
+			});
+		});
+
+		it('does not show admin account info callout for invite flow', async () => {
+			server.use(
+				rest.get(INVITE_DETAILS_ENDPOINT, (_req, res, ctx) =>
+					res(
+						ctx.status(200),
+						ctx.json({
+							data: mockInviteDetails,
+							status: 'success',
+						}),
+					),
+				),
+			);
+
+			render(<SignUp />, undefined, {
+				initialRoute: '/signup?token=invite-token-123',
+			});
+
+			await waitFor(() => {
+				expect(
+					screen.queryByText(/this will create an admin account/i),
+				).not.toBeInTheDocument();
+			});
+		});
+	});
+
+	describe('Successful Invite Acceptance', () => {
+		it('successfully accepts invite and logs in user', async () => {
+			const user = userEvent.setup({ pointerEventsCheck: 0 });
+
+			server.use(
+				rest.get(INVITE_DETAILS_ENDPOINT, (_req, res, ctx) =>
+					res(
+						ctx.status(200),
+						ctx.json({
+							data: mockInviteDetails,
+							status: 'success',
+						}),
+					),
+				),
+				rest.post(ACCEPT_INVITE_ENDPOINT, (_req, res, ctx) =>
+					res(
+						ctx.status(200),
+						ctx.json({
+							data: mockSignupResponse,
+							status: 'success',
+						}),
+					),
+				),
+				rest.post(EMAIL_PASSWORD_ENDPOINT, (_req, res, ctx) =>
+					res(
+						ctx.status(200),
+						ctx.json({
+							data: mockTokenResponse,
+							status: 'success',
+						}),
+					),
+				),
+			);
+
+			render(<SignUp />, undefined, {
+				initialRoute: '/signup?token=invite-token-123',
+			});
+
+			const emailInput = await screen.findByLabelText(/email address/i);
+			await waitFor(() => {
+				expect(emailInput).toHaveValue('invited@signoz.io');
+			});
+
+			const passwordInput = screen.getByPlaceholderText(/enter new password/i);
+			const confirmPasswordInput = screen.getByPlaceholderText(
+				/confirm your new password/i,
+			);
+			const submitButton = screen.getByRole('button', {
+				name: /access my workspace/i,
+			});
+
+			await user.type(passwordInput, 'password123');
+			await user.type(confirmPasswordInput, 'password123');
+
+			await waitFor(() => {
+				expect(submitButton).not.toBeDisabled();
+			});
+
+			await user.click(submitButton);
+
+			await waitFor(() => {
+				expect(mockAfterLogin).toHaveBeenCalledWith(
+					'mock-access-token',
+					'mock-refresh-token',
+				);
+			});
+		});
+	});
+
+	describe('Error Handling for Invite', () => {
+		it('displays error when invite details fetch fails', async () => {
+			server.use(
+				rest.get(INVITE_DETAILS_ENDPOINT, (_req, res, ctx) =>
+					res(
+						ctx.status(404),
+						ctx.json({
+							error: {
+								code: 'INVITE_NOT_FOUND',
+								message: 'Invite not found',
+							},
+						}),
+					),
+				),
+			);
+
+			render(<SignUp />, undefined, {
+				initialRoute: '/signup?token=invalid-token',
+			});
+
+			// Verify form is still accessible and fields are enabled
+			const emailInput = await screen.findByLabelText(/email address/i);
+
+			expect(emailInput).toBeInTheDocument();
+			expect(emailInput).not.toBeDisabled();
+		});
+
+		it('displays error when accept invite API fails', async () => {
+			const user = userEvent.setup({ pointerEventsCheck: 0 });
+
+			server.use(
+				rest.get(INVITE_DETAILS_ENDPOINT, (_req, res, ctx) =>
+					res(
+						ctx.status(200),
+						ctx.json({
+							data: mockInviteDetails,
+							status: 'success',
+						}),
+					),
+				),
+				rest.post(ACCEPT_INVITE_ENDPOINT, (_req, res, ctx) =>
+					res(
+						ctx.status(400),
+						ctx.json({
+							error: {
+								code: 'INVALID_TOKEN',
+								message: 'Invalid or expired invite token',
+							},
+						}),
+					),
+				),
+			);
+
+			render(<SignUp />, undefined, {
+				initialRoute: '/signup?token=expired-token',
+			});
+
+			const emailInput = await screen.findByLabelText(/email address/i);
+			await waitFor(() => {
+				expect(emailInput).toHaveValue('invited@signoz.io');
+			});
+
+			const passwordInput = screen.getByPlaceholderText(/enter new password/i);
+			const confirmPasswordInput = screen.getByPlaceholderText(
+				/confirm your new password/i,
+			);
+			const submitButton = screen.getByRole('button', {
+				name: /access my workspace/i,
+			});
+
+			await user.type(passwordInput, 'password123');
+			await user.type(confirmPasswordInput, 'password123');
+
+			await waitFor(() => {
+				expect(submitButton).not.toBeDisabled();
+			});
+
+			await user.click(submitButton);
+
+			expect(
+				await screen.findByText(/invalid or expired invite token/i),
+			).toBeInTheDocument();
+		});
+	});
+});
--- a/frontend/src/pages/UnAuthorized/index.styles.scss
+++ b/frontend/src/pages/UnAuthorized/index.styles.scss
@@ -0,0 +1,5 @@
+.unauthorized-page {
+	&__description {
+		text-align: center;
+	}
+}
--- a/frontend/src/pages/UnAuthorized/index.tsx
+++ b/frontend/src/pages/UnAuthorized/index.tsx
@@ -1,20 +1,51 @@
+import { useCallback } from 'react';
 import { Space, Typography } from 'antd';
 import UnAuthorized from 'assets/UnAuthorized';
-import { Button, Container } from 'components/NotFound/styles';
-import ROUTES from 'constants/routes';
+import { Container } from 'components/NotFound/styles';
+import { useGetTenantLicense } from 'hooks/useGetTenantLicense';
+import { useQueryState } from 'nuqs';
+import { handleContactSupport } from 'pages/Integrations/utils';
+
+import { useAppContext } from '../../providers/App/App';
+import { USER_ROLES } from '../../types/roles';
+
+import './index.styles.scss';

 function UnAuthorizePage(): JSX.Element {
-	return (
-		<Container>
-			<Space align="center" direction="vertical">
-				<UnAuthorized />
-				<Typography.Title level={3}>
-					Oops.. you don&apos;t have permission to view this page
-				</Typography.Title>
+	const [debugCurrentRole] = useQueryState('currentRole');
+	const { user } = useAppContext();
+	const { isCloudUser: isCloudUserVal } = useGetTenantLicense();

-				<Button to={ROUTES.HOME} tabIndex={0} className="periscope-btn primary">
-					Return To Home
-				</Button>
+	const userIsAnonymous =
+		debugCurrentRole === USER_ROLES.ANONYMOUS ||
+		user.role === USER_ROLES.ANONYMOUS;
+	const mistakeMessage = userIsAnonymous
+		? 'If you believe this is a mistake, please contact your administrator or'
+		: 'Please contact your administrator.';
+
+	const handleContactSupportClick = useCallback((): void => {
+		handleContactSupport(isCloudUserVal);
+	}, [isCloudUserVal]);
+
+	return (
+		<Container className="unauthorized-page">
+			<Space align="center" direction="vertical">
+				<UnAuthorized width={64} height={64} />
+				<Typography.Title level={3}>Access Restricted</Typography.Title>
+
+				<p className="unauthorized-page__description">
+					It looks like you don&lsquo;t have permission to view this page. <br />
+					{mistakeMessage}
+					{userIsAnonymous ? (
+						<Typography.Link
+							className="contact-support-link"
+							onClick={handleContactSupportClick}
+						>
+							{' '}
+							reach out to us.
+						</Typography.Link>
+					) : null}
+				</p>
 			</Space>
 		</Container>
 	);
--- a/frontend/src/providers/App/App.tsx
+++ b/frontend/src/providers/App/App.tsx
@@ -19,6 +19,12 @@ import getUserVersion from 'api/v1/version/get';
 import { LOCALSTORAGE } from 'constants/localStorage';
 import dayjs from 'dayjs';
 import useActiveLicenseV3 from 'hooks/useActiveLicenseV3/useActiveLicenseV3';
+import {
+	IsAdminPermission,
+	IsEditorPermission,
+	IsViewerPermission,
+} from 'hooks/useAuthZ/legacy';
+import { useAuthZ } from 'hooks/useAuthZ/useAuthZ';
 import { useGetFeatureFlag } from 'hooks/useGetFeatureFlag';
 import { useGlobalEventListener } from 'hooks/useGlobalEventListener';
 import { ChangelogSchema } from 'types/api/changelog/getChangelogByVersion';
@@ -34,7 +40,7 @@ import {
 	UserPreference,
 } from 'types/api/preferences/preference';
 import { Organization } from 'types/api/user/getOrganization';
-import { USER_ROLES } from 'types/roles';
+import { ROLES, USER_ROLES } from 'types/roles';

 import { IAppContext, IUser } from './types';
 import { getUserDefaults } from './utils';
@@ -43,7 +49,7 @@ export const AppContext = createContext<IAppContext | undefined>(undefined);

 export function AppProvider({ children }: PropsWithChildren): JSX.Element {
 	// on load of the provider set the user defaults with access token , refresh token from local storage
-	const [user, setUser] = useState<IUser>(() => getUserDefaults());
+	const [defaultUser, setDefaultUser] = useState<IUser>(() => getUserDefaults());
 	const [activeLicense, setActiveLicense] = useState<LicenseResModel | null>(
 		null,
 	);
@@ -70,18 +76,51 @@ export function AppProvider({ children }: PropsWithChildren): JSX.Element {
 	// if logged out and trying to hit any route none of these calls will trigger
 	const {
 		data: userData,
-		isFetching: isFetchingUser,
-		error: userFetchError,
+		isFetching: isFetchingUserData,
+		error: userFetchDataError,
 	} = useQuery({
 		queryFn: get,
 		queryKey: ['/api/v1/user/me'],
 		enabled: isLoggedIn,
 	});

+	const {
+		permissions: permissionsResult,
+		isFetching: isFetchingPermissions,
+		error: errorOnPermissions,
+		refetchPermissions,
+	} = useAuthZ([IsAdminPermission, IsEditorPermission, IsViewerPermission], {
+		enabled: isLoggedIn,
+	});
+
+	const isFetchingUser = isFetchingUserData || isFetchingPermissions;
+	const userFetchError = userFetchDataError || errorOnPermissions;
+
+	const userRole = useMemo(() => {
+		if (permissionsResult?.[IsAdminPermission]?.isGranted) {
+			return USER_ROLES.ADMIN;
+		}
+		if (permissionsResult?.[IsEditorPermission]?.isGranted) {
+			return USER_ROLES.EDITOR;
+		}
+		if (permissionsResult?.[IsViewerPermission]?.isGranted) {
+			return USER_ROLES.VIEWER;
+		}
+		// if none of the permissions, so anonymous
+		return USER_ROLES.ANONYMOUS;
+	}, [permissionsResult]);
+
+	const user: IUser = useMemo(() => {
+		return {
+			...defaultUser,
+			role: userRole as ROLES,
+		};
+	}, [defaultUser, userRole]);
+
 	useEffect(() => {
 		if (!isFetchingUser && userData && userData.data) {
 			setLocalStorageApi(LOCALSTORAGE.LOGGED_IN_USER_EMAIL, userData.data.email);
-			setUser((prev) => ({
+			setDefaultUser((prev) => ({
 				...prev,
 				...userData.data,
 			}));
@@ -203,7 +242,7 @@ export function AppProvider({ children }: PropsWithChildren): JSX.Element {
 	}, [userPreferencesData, isFetchingUserPreferences, isLoggedIn]);

 	function updateUser(user: IUser): void {
-		setUser((prev) => ({
+		setDefaultUser((prev) => ({
 			...prev,
 			...user,
 		}));
@@ -244,7 +283,7 @@ export function AppProvider({ children }: PropsWithChildren): JSX.Element {
 					...org.slice(orgIndex + 1, org.length),
 				];
 				setOrg(updatedOrg);
-				setUser((prev) => {
+				setDefaultUser((prev) => {
 					if (prev.orgId === orgId) {
 						return {
 							...prev,
@@ -272,7 +311,7 @@ export function AppProvider({ children }: PropsWithChildren): JSX.Element {
 	// global event listener for AFTER_LOGIN event to start the user fetch post all actions are complete
 	useGlobalEventListener('AFTER_LOGIN', (event) => {
 		if (event.detail) {
-			setUser((prev) => ({
+			setDefaultUser((prev) => ({
 				...prev,
 				accessJwt: event.detail.accessJWT,
 				refreshJwt: event.detail.refreshJWT,
@@ -280,12 +319,14 @@ export function AppProvider({ children }: PropsWithChildren): JSX.Element {
 			}));
 			setIsLoggedIn(true);
 		}
+
+		refetchPermissions();
 	});

 	// global event listener for LOGOUT event to clean the app context state
 	useGlobalEventListener('LOGOUT', () => {
 		setIsLoggedIn(false);
-		setUser(getUserDefaults());
+		setDefaultUser(getUserDefaults());
 		setActiveLicense(null);
 		setTrialInfo(null);
 		setFeatureFlags(null);
--- a/frontend/src/providers/App/tests/App.test.tsx
+++ b/frontend/src/providers/App/tests/App.test.tsx
@@ -0,0 +1,273 @@
+import { ReactElement } from 'react';
+import { QueryClient, QueryClientProvider } from 'react-query';
+import { renderHook, waitFor } from '@testing-library/react';
+import setLocalStorageApi from 'api/browser/localstorage/set';
+import {
+	AuthtypesGettableTransactionDTO,
+	AuthtypesTransactionDTO,
+} from 'api/generated/services/sigNoz.schemas';
+import { LOCALSTORAGE } from 'constants/localStorage';
+import { SINGLE_FLIGHT_WAIT_TIME_MS } from 'hooks/useAuthZ/constants';
+import { server } from 'mocks-server/server';
+import { rest } from 'msw';
+import { USER_ROLES } from 'types/roles';
+
+import { AppProvider, useAppContext } from '../App';
+
+const AUTHZ_CHECK_URL = 'http://localhost/api/v1/authz/check';
+
+jest.mock('constants/env', () => ({
+	ENVIRONMENT: { baseURL: 'http://localhost', wsURL: '' },
+}));
+
+/**
+ * Since we are mocking the check permissions, this is needed
+ */
+const waitForSinglePreflightToFinish = async (): Promise<void> =>
+	await new Promise((r) => setTimeout(r, SINGLE_FLIGHT_WAIT_TIME_MS));
+
+function authzMockResponse(
+	payload: AuthtypesTransactionDTO[],
+	authorizedByIndex: boolean[],
+): { data: AuthtypesGettableTransactionDTO[]; status: string } {
+	return {
+		data: payload.map((txn, i) => ({
+			relation: txn.relation,
+			object: txn.object,
+			authorized: authorizedByIndex[i] ?? false,
+		})),
+		status: 'success',
+	};
+}
+
+const queryClient = new QueryClient({
+	defaultOptions: {
+		queries: {
+			refetchOnWindowFocus: false,
+			retry: false,
+		},
+	},
+});
+
+function createWrapper(): ({
+	children,
+}: {
+	children: ReactElement;
+}) => ReactElement {
+	return function Wrapper({
+		children,
+	}: {
+		children: ReactElement;
+	}): ReactElement {
+		return (
+			<QueryClientProvider client={queryClient}>
+				<AppProvider>{children}</AppProvider>
+			</QueryClientProvider>
+		);
+	};
+}
+
+describe('AppProvider user.role from permissions', () => {
+	beforeEach(() => {
+		queryClient.clear();
+		setLocalStorageApi(LOCALSTORAGE.IS_LOGGED_IN, 'true');
+	});
+
+	it('sets user.role to ADMIN and hasEditPermission to true when admin permission is granted', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				const payload = await req.json();
+				return res(
+					ctx.status(200),
+					ctx.json(authzMockResponse(payload, [true, false, false])),
+				);
+			}),
+		);
+
+		const wrapper = createWrapper();
+		const { result } = renderHook(() => useAppContext(), { wrapper });
+
+		await waitForSinglePreflightToFinish();
+
+		await waitFor(
+			() => {
+				expect(result.current.user.role).toBe(USER_ROLES.ADMIN);
+				expect(result.current.hasEditPermission).toBe(true);
+			},
+			{ timeout: 2000 },
+		);
+	});
+
+	it('sets user.role to EDITOR and hasEditPermission to true when only editor permission is granted', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				const payload = await req.json();
+				return res(
+					ctx.status(200),
+					ctx.json(authzMockResponse(payload, [false, true, false])),
+				);
+			}),
+		);
+
+		const wrapper = createWrapper();
+		const { result } = renderHook(() => useAppContext(), { wrapper });
+
+		await waitForSinglePreflightToFinish();
+
+		await waitFor(
+			() => {
+				expect(result.current.user.role).toBe(USER_ROLES.EDITOR);
+				expect(result.current.hasEditPermission).toBe(true);
+			},
+			{ timeout: 2000 },
+		);
+	});
+
+	it('sets user.role to VIEWER and hasEditPermission to false when only viewer permission is granted', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				const payload = await req.json();
+				return res(
+					ctx.status(200),
+					ctx.json(authzMockResponse(payload, [false, false, true])),
+				);
+			}),
+		);
+
+		const wrapper = createWrapper();
+		const { result } = renderHook(() => useAppContext(), { wrapper });
+
+		await waitForSinglePreflightToFinish();
+
+		await waitFor(
+			() => {
+				expect(result.current.user.role).toBe(USER_ROLES.VIEWER);
+				expect(result.current.hasEditPermission).toBe(false);
+			},
+			{ timeout: 2000 },
+		);
+	});
+
+	it('sets user.role to ANONYMOUS and hasEditPermission to false when no role permission is granted', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+				const payload = await req.json();
+				return res(
+					ctx.status(200),
+					ctx.json(authzMockResponse(payload, [false, false, false])),
+				);
+			}),
+		);
+
+		const wrapper = createWrapper();
+		const { result } = renderHook(() => useAppContext(), { wrapper });
+
+		await waitForSinglePreflightToFinish();
+
+		await waitFor(
+			() => {
+				expect(result.current.user.role).toBe(USER_ROLES.ANONYMOUS);
+				expect(result.current.hasEditPermission).toBe(false);
+			},
+			{ timeout: 2000 },
+		);
+	});
+
+	/**
+	 * This is expected to not happen, but we'll test it just in case.
+	 */
+	describe('when multiple role permissions are granted', () => {
+		it('prefers ADMIN over EDITOR and VIEWER when multiple role permissions are granted', async () => {
+			server.use(
+				rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+					const payload = await req.json();
+					return res(
+						ctx.status(200),
+						ctx.json(authzMockResponse(payload, [true, true, true])),
+					);
+				}),
+			);
+
+			const wrapper = createWrapper();
+			const { result } = renderHook(() => useAppContext(), { wrapper });
+
+			await waitFor(
+				() => {
+					expect(result.current.user.role).toBe(USER_ROLES.ADMIN);
+					expect(result.current.hasEditPermission).toBe(true);
+				},
+				{ timeout: 300 },
+			);
+		});
+
+		it('prefers EDITOR over VIEWER when editor and viewer permissions are granted', async () => {
+			server.use(
+				rest.post(AUTHZ_CHECK_URL, async (req, res, ctx) => {
+					const payload = await req.json();
+					return res(
+						ctx.status(200),
+						ctx.json(authzMockResponse(payload, [false, true, true])),
+					);
+				}),
+			);
+
+			const wrapper = createWrapper();
+			const { result } = renderHook(() => useAppContext(), { wrapper });
+
+			await waitForSinglePreflightToFinish();
+
+			await waitFor(
+				() => {
+					expect(result.current.user.role).toBe(USER_ROLES.EDITOR);
+					expect(result.current.hasEditPermission).toBe(true);
+				},
+				{ timeout: 2000 },
+			);
+		});
+	});
+});
+
+describe('AppProvider when authz/check fails', () => {
+	beforeEach(() => {
+		queryClient.clear();
+		setLocalStorageApi(LOCALSTORAGE.IS_LOGGED_IN, 'true');
+	});
+
+	it('sets userFetchError when authz/check returns 500 (same as user fetch error)', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, (_, res, ctx) =>
+				res(ctx.status(500), ctx.json({ error: 'Internal Server Error' })),
+			),
+		);
+
+		const wrapper = createWrapper();
+		const { result } = renderHook(() => useAppContext(), { wrapper });
+
+		await waitForSinglePreflightToFinish();
+
+		await waitFor(
+			() => {
+				expect(result.current.userFetchError).toBeTruthy();
+			},
+			{ timeout: 2000 },
+		);
+	});
+
+	it('sets userFetchError when authz/check fails with network error (same as user fetch error)', async () => {
+		server.use(
+			rest.post(AUTHZ_CHECK_URL, (_, res) => res.networkError('Network error')),
+		);
+
+		const wrapper = createWrapper();
+		const { result } = renderHook(() => useAppContext(), { wrapper });
+
+		await waitForSinglePreflightToFinish();
+
+		await waitFor(
+			() => {
+				expect(result.current.userFetchError).toBeTruthy();
+			},
+			{ timeout: 2000 },
+		);
+	});
+});
--- a/frontend/src/types/api/dashboard/getAll.ts
+++ b/frontend/src/types/api/dashboard/getAll.ts
@@ -141,6 +141,7 @@ export interface IBaseWidget {
 	showPoints?: boolean;
 	lineStyle?: LineStyle;
 	fillMode?: FillMode;
+	spanGaps?: boolean | number;
 }
 export interface Widgets extends IBaseWidget {
 	query: Query;
--- a/frontend/src/types/api/user/accept.ts
+++ b/frontend/src/types/api/user/accept.ts
@@ -0,0 +1,20 @@
+import { UserResponse } from './getUser';
+
+export interface Props {
+	token: string;
+	password: string;
+	displayName?: string;
+	sourceUrl?: string;
+}
+
+export interface LoginPrecheckResponse {
+	sso: boolean;
+	ssoUrl?: string;
+	canSelfRegister?: boolean;
+	isUser: boolean;
+}
+
+export interface PayloadProps {
+	data: UserResponse;
+	status: string;
+}
--- a/frontend/src/types/api/user/deleteInvite.ts
+++ b/frontend/src/types/api/user/deleteInvite.ts
@@ -0,0 +1,7 @@
+export interface Props {
+	id: string;
+}
+
+export interface PayloadProps {
+	data: string;
+}
--- a/frontend/src/types/api/user/getInviteDetails.ts
+++ b/frontend/src/types/api/user/getInviteDetails.ts
@@ -0,0 +1,22 @@
+import { User } from 'types/reducer/app';
+import { ROLES } from 'types/roles';
+
+import { Organization } from './getOrganization';
+
+export interface Props {
+	inviteId: string;
+}
+
+export interface PayloadProps {
+	data: InviteDetails;
+	status: string;
+}
+
+export interface InviteDetails {
+	createdAt: number;
+	email: User['email'];
+	name: User['displayName'];
+	role: ROLES;
+	token: string;
+	organization: Organization['displayName'];
+}
--- a/frontend/src/types/api/user/getPendingInvites.ts
+++ b/frontend/src/types/api/user/getPendingInvites.ts
@@ -0,0 +1,16 @@
+import { User } from 'types/reducer/app';
+import { ROLES } from 'types/roles';
+
+export interface PendingInvite {
+	createdAt: number;
+	email: User['email'];
+	name: User['displayName'];
+	role: ROLES;
+	id: string;
+	token: string;
+}
+
+export type PayloadProps = {
+	data: PendingInvite[];
+	status: string;
+};
--- a/frontend/src/types/api/user/getUser.ts
+++ b/frontend/src/types/api/user/getUser.ts
@@ -7,16 +7,17 @@ export interface Props {
 }

 export interface UserResponse {
-	createdAt: number | string;
+	createdAt: number;
 	email: string;
 	id: string;
 	displayName: string;
 	orgId: string;
 	organization: string;
+	/**
+	 * @deprecated This will be removed in the future releases in favor of new AuthZ framework
+	 */
 	role: ROLES;
-	updatedAt?: number | string;
-	isRoot?: boolean;
-	status?: 'active' | 'pending_invite' | 'deleted';
+	updatedAt?: number;
 }
 export interface PayloadProps {
 	data: UserResponse;
--- a/frontend/src/types/roles.ts
+++ b/frontend/src/types/roles.ts
@@ -2,14 +2,16 @@ export type ADMIN = 'ADMIN';
 export type VIEWER = 'VIEWER';
 export type EDITOR = 'EDITOR';
 export type AUTHOR = 'AUTHOR';
+export type ANONYMOUS = 'ANONYMOUS';

-export type ROLES = ADMIN | VIEWER | EDITOR | AUTHOR;
+export type ROLES = ADMIN | VIEWER | EDITOR | AUTHOR | ANONYMOUS;

 export const USER_ROLES = {
 	ADMIN: 'ADMIN',
 	VIEWER: 'VIEWER',
 	EDITOR: 'EDITOR',
 	AUTHOR: 'AUTHOR',
+	ANONYMOUS: 'ANONYMOUS',
 };

 export enum RoleType {
--- a/frontend/src/utils/permission/index.ts
+++ b/frontend/src/utils/permission/index.ts
@@ -69,7 +69,7 @@ export const routePermission: Record<keyof typeof ROUTES, ROLES[]> = {
 	ALERT_OVERVIEW: ['ADMIN', 'EDITOR', 'VIEWER'],
 	LOGIN: ['ADMIN', 'EDITOR', 'VIEWER'],
 	FORGOT_PASSWORD: ['ADMIN', 'EDITOR', 'VIEWER'],
-	NOT_FOUND: ['ADMIN', 'VIEWER', 'EDITOR'],
+	NOT_FOUND: ['ADMIN', 'VIEWER', 'EDITOR', 'ANONYMOUS'],
 	PASSWORD_RESET: ['ADMIN', 'EDITOR', 'VIEWER'],
 	SERVICE_METRICS: ['ADMIN', 'EDITOR', 'VIEWER'],
 	SETTINGS: ['ADMIN', 'EDITOR', 'VIEWER'],
@@ -77,7 +77,7 @@ export const routePermission: Record<keyof typeof ROUTES, ROLES[]> = {
 	TRACES_EXPLORER: ['ADMIN', 'EDITOR', 'VIEWER'],
 	TRACE: ['ADMIN', 'EDITOR', 'VIEWER'],
 	TRACE_DETAIL: ['ADMIN', 'EDITOR', 'VIEWER'],
-	UN_AUTHORIZED: ['ADMIN', 'EDITOR', 'VIEWER'],
+	UN_AUTHORIZED: ['ADMIN', 'EDITOR', 'VIEWER', 'ANONYMOUS'],
 	USAGE_EXPLORER: ['ADMIN', 'EDITOR', 'VIEWER'],
 	VERSION: ['ADMIN', 'EDITOR', 'VIEWER'],
 	LOGS: ['ADMIN', 'EDITOR', 'VIEWER'],
@@ -101,7 +101,7 @@ export const routePermission: Record<keyof typeof ROUTES, ROLES[]> = {
 	ROLE_DETAILS: ['ADMIN'],
 	MEMBERS_SETTINGS: ['ADMIN'],
 	BILLING: ['ADMIN'],
-	SUPPORT: ['ADMIN', 'EDITOR', 'VIEWER'],
+	SUPPORT: ['ADMIN', 'EDITOR', 'VIEWER', 'ANONYMOUS'],
 	SOMETHING_WENT_WRONG: ['ADMIN', 'EDITOR', 'VIEWER'],
 	LOGS_SAVE_VIEWS: ['ADMIN', 'EDITOR', 'VIEWER'],
 	TRACES_SAVE_VIEWS: ['ADMIN', 'EDITOR', 'VIEWER'],
--- a/pkg/apiserver/signozapiserver/gateway.go
+++ b/pkg/apiserver/signozapiserver/gateway.go
@@ -10,7 +10,7 @@ import (
 )

 func (provider *provider) addGatewayRoutes(router *mux.Router) error {
-	if err := router.Handle("/api/v2/gateway/ingestion_keys", handler.New(provider.authZ.AdminAccess(provider.gatewayHandler.GetIngestionKeys), handler.OpenAPIDef{
+	if err := router.Handle("/api/v2/gateway/ingestion_keys", handler.New(provider.authZ.EditAccess(provider.gatewayHandler.GetIngestionKeys), handler.OpenAPIDef{
 		ID:                  "GetIngestionKeys",
 		Tags:                []string{"gateway"},
 		Summary:             "Get ingestion keys for workspace",
@@ -23,12 +23,12 @@ func (provider *provider) addGatewayRoutes(router *mux.Router) error {
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{},
 		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		SecuritySchemes:     newSecuritySchemes(types.RoleEditor),
 	})).Methods(http.MethodGet).GetError(); err != nil {
 		return err
 	}

-	if err := router.Handle("/api/v2/gateway/ingestion_keys/search", handler.New(provider.authZ.AdminAccess(provider.gatewayHandler.SearchIngestionKeys), handler.OpenAPIDef{
+	if err := router.Handle("/api/v2/gateway/ingestion_keys/search", handler.New(provider.authZ.EditAccess(provider.gatewayHandler.SearchIngestionKeys), handler.OpenAPIDef{
 		ID:                  "SearchIngestionKeys",
 		Tags:                []string{"gateway"},
 		Summary:             "Search ingestion keys for workspace",
@@ -41,12 +41,12 @@ func (provider *provider) addGatewayRoutes(router *mux.Router) error {
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{},
 		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		SecuritySchemes:     newSecuritySchemes(types.RoleEditor),
 	})).Methods(http.MethodGet).GetError(); err != nil {
 		return err
 	}

-	if err := router.Handle("/api/v2/gateway/ingestion_keys", handler.New(provider.authZ.AdminAccess(provider.gatewayHandler.CreateIngestionKey), handler.OpenAPIDef{
+	if err := router.Handle("/api/v2/gateway/ingestion_keys", handler.New(provider.authZ.EditAccess(provider.gatewayHandler.CreateIngestionKey), handler.OpenAPIDef{
 		ID:                  "CreateIngestionKey",
 		Tags:                []string{"gateway"},
 		Summary:             "Create ingestion key for workspace",
@@ -58,12 +58,12 @@ func (provider *provider) addGatewayRoutes(router *mux.Router) error {
 		SuccessStatusCode:   http.StatusCreated,
 		ErrorStatusCodes:    []int{},
 		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		SecuritySchemes:     newSecuritySchemes(types.RoleEditor),
 	})).Methods(http.MethodPost).GetError(); err != nil {
 		return err
 	}

-	if err := router.Handle("/api/v2/gateway/ingestion_keys/{keyId}", handler.New(provider.authZ.AdminAccess(provider.gatewayHandler.UpdateIngestionKey), handler.OpenAPIDef{
+	if err := router.Handle("/api/v2/gateway/ingestion_keys/{keyId}", handler.New(provider.authZ.EditAccess(provider.gatewayHandler.UpdateIngestionKey), handler.OpenAPIDef{
 		ID:                  "UpdateIngestionKey",
 		Tags:                []string{"gateway"},
 		Summary:             "Update ingestion key for workspace",
@@ -75,12 +75,12 @@ func (provider *provider) addGatewayRoutes(router *mux.Router) error {
 		SuccessStatusCode:   http.StatusNoContent,
 		ErrorStatusCodes:    []int{},
 		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		SecuritySchemes:     newSecuritySchemes(types.RoleEditor),
 	})).Methods(http.MethodPatch).GetError(); err != nil {
 		return err
 	}

-	if err := router.Handle("/api/v2/gateway/ingestion_keys/{keyId}", handler.New(provider.authZ.AdminAccess(provider.gatewayHandler.DeleteIngestionKey), handler.OpenAPIDef{
+	if err := router.Handle("/api/v2/gateway/ingestion_keys/{keyId}", handler.New(provider.authZ.EditAccess(provider.gatewayHandler.DeleteIngestionKey), handler.OpenAPIDef{
 		ID:                  "DeleteIngestionKey",
 		Tags:                []string{"gateway"},
 		Summary:             "Delete ingestion key for workspace",
@@ -92,12 +92,12 @@ func (provider *provider) addGatewayRoutes(router *mux.Router) error {
 		SuccessStatusCode:   http.StatusNoContent,
 		ErrorStatusCodes:    []int{},
 		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		SecuritySchemes:     newSecuritySchemes(types.RoleEditor),
 	})).Methods(http.MethodDelete).GetError(); err != nil {
 		return err
 	}

-	if err := router.Handle("/api/v2/gateway/ingestion_keys/{keyId}/limits", handler.New(provider.authZ.AdminAccess(provider.gatewayHandler.CreateIngestionKeyLimit), handler.OpenAPIDef{
+	if err := router.Handle("/api/v2/gateway/ingestion_keys/{keyId}/limits", handler.New(provider.authZ.EditAccess(provider.gatewayHandler.CreateIngestionKeyLimit), handler.OpenAPIDef{
 		ID:                  "CreateIngestionKeyLimit",
 		Tags:                []string{"gateway"},
 		Summary:             "Create limit for the ingestion key",
@@ -109,12 +109,12 @@ func (provider *provider) addGatewayRoutes(router *mux.Router) error {
 		SuccessStatusCode:   http.StatusCreated,
 		ErrorStatusCodes:    []int{},
 		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		SecuritySchemes:     newSecuritySchemes(types.RoleEditor),
 	})).Methods(http.MethodPost).GetError(); err != nil {
 		return err
 	}

-	if err := router.Handle("/api/v2/gateway/ingestion_keys/limits/{limitId}", handler.New(provider.authZ.AdminAccess(provider.gatewayHandler.UpdateIngestionKeyLimit), handler.OpenAPIDef{
+	if err := router.Handle("/api/v2/gateway/ingestion_keys/limits/{limitId}", handler.New(provider.authZ.EditAccess(provider.gatewayHandler.UpdateIngestionKeyLimit), handler.OpenAPIDef{
 		ID:                  "UpdateIngestionKeyLimit",
 		Tags:                []string{"gateway"},
 		Summary:             "Update limit for the ingestion key",
@@ -126,12 +126,12 @@ func (provider *provider) addGatewayRoutes(router *mux.Router) error {
 		SuccessStatusCode:   http.StatusNoContent,
 		ErrorStatusCodes:    []int{},
 		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		SecuritySchemes:     newSecuritySchemes(types.RoleEditor),
 	})).Methods(http.MethodPatch).GetError(); err != nil {
 		return err
 	}

-	if err := router.Handle("/api/v2/gateway/ingestion_keys/limits/{limitId}", handler.New(provider.authZ.AdminAccess(provider.gatewayHandler.DeleteIngestionKeyLimit), handler.OpenAPIDef{
+	if err := router.Handle("/api/v2/gateway/ingestion_keys/limits/{limitId}", handler.New(provider.authZ.EditAccess(provider.gatewayHandler.DeleteIngestionKeyLimit), handler.OpenAPIDef{
 		ID:                  "DeleteIngestionKeyLimit",
 		Tags:                []string{"gateway"},
 		Summary:             "Delete limit for the ingestion key",
@@ -143,7 +143,7 @@ func (provider *provider) addGatewayRoutes(router *mux.Router) error {
 		SuccessStatusCode:   http.StatusNoContent,
 		ErrorStatusCodes:    []int{},
 		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+		SecuritySchemes:     newSecuritySchemes(types.RoleEditor),
 	})).Methods(http.MethodDelete).GetError(); err != nil {
 		return err
 	}
--- a/pkg/apiserver/signozapiserver/global.go
+++ b/pkg/apiserver/signozapiserver/global.go
@@ -4,24 +4,24 @@ import (
 	"net/http"

 	"github.com/SigNoz/signoz/pkg/http/handler"
-	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/types/globaltypes"
 	"github.com/gorilla/mux"
 )

 func (provider *provider) addGlobalRoutes(router *mux.Router) error {
-	if err := router.Handle("/api/v1/global/config", handler.New(provider.authZ.EditAccess(provider.globalHandler.GetConfig), handler.OpenAPIDef{
+	if err := router.Handle("/api/v1/global/config", handler.New(provider.authZ.OpenAccess(provider.globalHandler.GetConfig), handler.OpenAPIDef{
 		ID:                  "GetGlobalConfig",
 		Tags:                []string{"global"},
 		Summary:             "Get global config",
 		Description:         "This endpoint returns global config",
 		Request:             nil,
 		RequestContentType:  "",
-		Response:            new(types.GettableGlobalConfig),
+		Response:            new(globaltypes.Config),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{},
 		Deprecated:          false,
-		SecuritySchemes:     newSecuritySchemes(types.RoleEditor),
+		SecuritySchemes:     nil,
 	})).Methods(http.MethodGet).GetError(); err != nil {
 		return err
 	}
--- a/pkg/apiserver/signozapiserver/provider.go
+++ b/pkg/apiserver/signozapiserver/provider.go
@@ -238,7 +238,7 @@ func (provider *provider) AddToRouter(router *mux.Router) error {

 func newSecuritySchemes(role types.Role) []handler.OpenAPISecurityScheme {
 	return []handler.OpenAPISecurityScheme{
-		{Name: authtypes.IdentNProviderAPIkey.StringValue(), Scopes: []string{role.String()}},
+		{Name: authtypes.IdentNProviderAPIKey.StringValue(), Scopes: []string{role.String()}},
 		{Name: authtypes.IdentNProviderTokenizer.StringValue(), Scopes: []string{role.String()}},
 	}
 }
--- a/pkg/apiserver/signozapiserver/user.go
+++ b/pkg/apiserver/signozapiserver/user.go
@@ -43,6 +43,74 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		return err
 	}

+	if err := router.Handle("/api/v1/invite/{token}", handler.New(provider.authZ.OpenAccess(provider.userHandler.GetInvite), handler.OpenAPIDef{
+		ID:                  "GetInvite",
+		Tags:                []string{"users"},
+		Summary:             "Get invite",
+		Description:         "This endpoint gets an invite by token",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            new(types.Invite),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},
+		Deprecated:          false,
+		SecuritySchemes:     []handler.OpenAPISecurityScheme{},
+	})).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/invite/{id}", handler.New(provider.authZ.AdminAccess(provider.userHandler.DeleteInvite), handler.OpenAPIDef{
+		ID:                  "DeleteInvite",
+		Tags:                []string{"users"},
+		Summary:             "Delete invite",
+		Description:         "This endpoint deletes an invite by id",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            nil,
+		ResponseContentType: "",
+		SuccessStatusCode:   http.StatusNoContent,
+		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodDelete).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/invite", handler.New(provider.authZ.AdminAccess(provider.userHandler.ListInvite), handler.OpenAPIDef{
+		ID:                  "ListInvite",
+		Tags:                []string{"users"},
+		Summary:             "List invites",
+		Description:         "This endpoint lists all invites",
+		Request:             nil,
+		RequestContentType:  "",
+		Response:            make([]*types.Invite, 0),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusOK,
+		ErrorStatusCodes:    []int{},
+		Deprecated:          false,
+		SecuritySchemes:     newSecuritySchemes(types.RoleAdmin),
+	})).Methods(http.MethodGet).GetError(); err != nil {
+		return err
+	}
+
+	if err := router.Handle("/api/v1/invite/accept", handler.New(provider.authZ.OpenAccess(provider.userHandler.AcceptInvite), handler.OpenAPIDef{
+		ID:                  "AcceptInvite",
+		Tags:                []string{"users"},
+		Summary:             "Accept invite",
+		Description:         "This endpoint accepts an invite by token",
+		Request:             new(types.PostableAcceptInvite),
+		RequestContentType:  "application/json",
+		Response:            new(types.User),
+		ResponseContentType: "application/json",
+		SuccessStatusCode:   http.StatusCreated,
+		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},
+		Deprecated:          false,
+		SecuritySchemes:     []handler.OpenAPISecurityScheme{},
+	})).Methods(http.MethodPost).GetError(); err != nil {
+		return err
+	}
+
 	if err := router.Handle("/api/v1/pats", handler.New(provider.authZ.AdminAccess(provider.userHandler.CreateAPIKey), handler.OpenAPIDef{
 		ID:                  "CreateAPIKey",
 		Tags:                []string{"users"},
@@ -118,7 +186,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		Description:         "This endpoint lists all users",
 		Request:             nil,
 		RequestContentType:  "",
-		Response:            make([]*types.GettableUser, 0),
+		Response:            make([]*types.User, 0),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{},
@@ -135,7 +203,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		Description:         "This endpoint returns the user I belong to",
 		Request:             nil,
 		RequestContentType:  "",
-		Response:            new(types.GettableUser),
+		Response:            new(types.User),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{},
@@ -152,7 +220,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		Description:         "This endpoint returns the user by id",
 		Request:             nil,
 		RequestContentType:  "",
-		Response:            new(types.GettableUser),
+		Response:            new(types.User),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{http.StatusNotFound},
@@ -169,7 +237,7 @@ func (provider *provider) addUserRoutes(router *mux.Router) error {
 		Description:         "This endpoint updates the user by id",
 		Request:             new(types.User),
 		RequestContentType:  "application/json",
-		Response:            new(types.GettableUser),
+		Response:            new(types.User),
 		ResponseContentType: "application/json",
 		SuccessStatusCode:   http.StatusOK,
 		ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},
--- a/pkg/authn/authnstore/sqlauthnstore/store.go
+++ b/pkg/authn/authnstore/sqlauthnstore/store.go
@@ -17,8 +17,8 @@ func NewStore(sqlstore sqlstore.SQLStore) authtypes.AuthNStore {
 	return &store{sqlstore: sqlstore}
 }

-func (store *store) GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx context.Context, email string, orgID valuer.UUID) (*types.User, *types.FactorPassword, error) {
-	user := new(types.User)
+func (store *store) GetActiveUserAndFactorPasswordByEmailAndOrgID(ctx context.Context, email string, orgID valuer.UUID) (*types.StorableUser, *types.FactorPassword, error) {
+	user := new(types.StorableUser)
 	factorPassword := new(types.FactorPassword)

 	err := store.
--- a/pkg/global/global.go
+++ b/pkg/global/global.go
@@ -1,9 +1,14 @@
 package global

-import "net/http"
+import (
+	"context"
+	"net/http"
+
+	"github.com/SigNoz/signoz/pkg/types/globaltypes"
+)

 type Global interface {
-	GetConfig() Config
+	GetConfig(context.Context) *globaltypes.Config
 }

 type Handler interface {
--- a/pkg/global/signozglobal/handler.go
+++ b/pkg/global/signozglobal/handler.go
@@ -1,11 +1,12 @@
 package signozglobal

 import (
+	"context"
 	"net/http"
+	"time"

 	"github.com/SigNoz/signoz/pkg/global"
 	"github.com/SigNoz/signoz/pkg/http/render"
-	"github.com/SigNoz/signoz/pkg/types"
 )

 type handler struct {
@@ -17,7 +18,10 @@ func NewHandler(global global.Global) global.Handler {
 }

 func (handler *handler) GetConfig(rw http.ResponseWriter, r *http.Request) {
-	cfg := handler.global.GetConfig()
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()

-	render.Success(rw, http.StatusOK, types.NewGettableGlobalConfig(cfg.ExternalURL, cfg.IngestionURL))
+	cfg := handler.global.GetConfig(ctx)
+
+	render.Success(rw, http.StatusOK, cfg)
 }
--- a/pkg/global/signozglobal/provider.go
+++ b/pkg/global/signozglobal/provider.go
@@ -5,27 +5,38 @@ import (

 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/global"
+	"github.com/SigNoz/signoz/pkg/identn"
+	"github.com/SigNoz/signoz/pkg/types/globaltypes"
 )

 type provider struct {
-	config   global.Config
-	settings factory.ScopedProviderSettings
+	config       global.Config
+	identNConfig identn.Config
+	settings     factory.ScopedProviderSettings
 }

-func NewFactory() factory.ProviderFactory[global.Global, global.Config] {
+func NewFactory(identNConfig identn.Config) factory.ProviderFactory[global.Global, global.Config] {
 	return factory.NewProviderFactory(factory.MustNewName("signoz"), func(ctx context.Context, providerSettings factory.ProviderSettings, config global.Config) (global.Global, error) {
-		return newProvider(ctx, providerSettings, config)
+		return newProvider(ctx, providerSettings, config, identNConfig)
 	})
 }

-func newProvider(_ context.Context, providerSettings factory.ProviderSettings, config global.Config) (global.Global, error) {
+func newProvider(_ context.Context, providerSettings factory.ProviderSettings, config global.Config, identNConfig identn.Config) (global.Global, error) {
 	settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/global/signozglobal")
 	return &provider{
-		config:   config,
-		settings: settings,
+		config:       config,
+		identNConfig: identNConfig,
+		settings:     settings,
 	}, nil
 }

-func (provider *provider) GetConfig() global.Config {
-	return provider.config
+func (provider *provider) GetConfig(context.Context) *globaltypes.Config {
+	return globaltypes.NewConfig(
+		globaltypes.NewEndpoint(provider.config.ExternalURL.String(), provider.config.IngestionURL.String()),
+		globaltypes.NewIdentNConfig(
+			globaltypes.TokenizerConfig{Enabled: provider.identNConfig.Tokenizer.Enabled},
+			globaltypes.APIKeyConfig{Enabled: provider.identNConfig.APIKeyConfig.Enabled},
+			globaltypes.ImpersonationConfig{Enabled: provider.identNConfig.Impersonation.Enabled},
+		),
+	)
 }
--- a/pkg/http/middleware/authz.go
+++ b/pkg/http/middleware/authz.go
@@ -40,7 +40,7 @@ func (middleware *AuthZ) ViewAccess(next http.HandlerFunc) http.HandlerFunc {
 			return
 		}

-		if claims.IdentNProvider == authtypes.IdentNProviderAPIkey.StringValue() {
+		if claims.IdentNProvider == authtypes.IdentNProviderAPIKey.StringValue() {
 			if err := claims.IsViewer(); err != nil {
 				middleware.logger.WarnContext(ctx, authzDeniedMessage, "claims", claims)
 				render.Error(rw, err)
@@ -90,7 +90,7 @@ func (middleware *AuthZ) EditAccess(next http.HandlerFunc) http.HandlerFunc {
 			return
 		}

-		if claims.IdentNProvider == authtypes.IdentNProviderAPIkey.StringValue() {
+		if claims.IdentNProvider == authtypes.IdentNProviderAPIKey.StringValue() {
 			if err := claims.IsEditor(); err != nil {
 				middleware.logger.WarnContext(ctx, authzDeniedMessage, "claims", claims)
 				render.Error(rw, err)
@@ -139,7 +139,7 @@ func (middleware *AuthZ) AdminAccess(next http.HandlerFunc) http.HandlerFunc {
 			return
 		}

-		if claims.IdentNProvider == authtypes.IdentNProviderAPIkey.StringValue() {
+		if claims.IdentNProvider == authtypes.IdentNProviderAPIKey.StringValue() {
 			if err := claims.IsAdmin(); err != nil {
 				middleware.logger.WarnContext(ctx, authzDeniedMessage, "claims", claims)
 				render.Error(rw, err)
--- a/pkg/identn/apikeyidentn/provider.go
+++ b/pkg/identn/apikeyidentn/provider.go
@@ -25,7 +25,7 @@ type provider struct {
 }

 func NewFactory(store sqlstore.SQLStore) factory.ProviderFactory[identn.IdentN, identn.Config] {
-	return factory.NewProviderFactory(factory.MustNewName(authtypes.IdentNProviderAPIkey.StringValue()), func(ctx context.Context, providerSettings factory.ProviderSettings, config identn.Config) (identn.IdentN, error) {
+	return factory.NewProviderFactory(factory.MustNewName(authtypes.IdentNProviderAPIKey.StringValue()), func(ctx context.Context, providerSettings factory.ProviderSettings, config identn.Config) (identn.IdentN, error) {
 		return New(providerSettings, store, config)
 	})
 }
@@ -40,7 +40,7 @@ func New(providerSettings factory.ProviderSettings, store sqlstore.SQLStore, con
 }

 func (provider *provider) Name() authtypes.IdentNProvider {
-	return authtypes.IdentNProviderAPIkey
+	return authtypes.IdentNProviderAPIKey
 }

 func (provider *provider) Test(req *http.Request) bool {
@@ -52,10 +52,6 @@ func (provider *provider) Test(req *http.Request) bool {
 	return false
 }

-func (provider *provider) Enabled() bool {
-	return provider.config.APIKeyConfig.Enabled
-}
-
 func (provider *provider) Pre(req *http.Request) *http.Request {
 	token := provider.extractToken(req)
 	if token == "" {
@@ -89,7 +85,7 @@ func (provider *provider) GetIdentity(req *http.Request) (*authtypes.Identity, e
 		return nil, errors.New(errors.TypeUnauthenticated, errors.CodeUnauthenticated, "api key has expired")
 	}

-	var user types.User
+	var user types.StorableUser
 	err = provider.
 		store.
 		BunDB().
--- a/pkg/identn/config.go
+++ b/pkg/identn/config.go
@@ -1,6 +1,7 @@
 package identn

 import (
+	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/factory"
 )

@@ -10,11 +11,20 @@ type Config struct {

 	// Config for apikey identN resolver
 	APIKeyConfig APIKeyConfig `mapstructure:"apikey"`
+
+	// Config for impersonation identN resolver
+	Impersonation ImpersonationConfig `mapstructure:"impersonation"`
+}
+
+type ImpersonationConfig struct {
+	// Toggles the identN resolver
+	Enabled bool `mapstructure:"enabled"`
 }

 type TokenizerConfig struct {
 	// Toggles the identN resolver
 	Enabled bool `mapstructure:"enabled"`
+
 	// Headers to extract from incoming requests
 	Headers []string `mapstructure:"headers"`
 }
@@ -22,6 +32,7 @@ type TokenizerConfig struct {
 type APIKeyConfig struct {
 	// Toggles the identN resolver
 	Enabled bool `mapstructure:"enabled"`
+
 	// Headers to extract from incoming requests
 	Headers []string `mapstructure:"headers"`
 }
@@ -40,9 +51,22 @@ func newConfig() factory.Config {
 			Enabled: true,
 			Headers: []string{"SIGNOZ-API-KEY"},
 		},
+		Impersonation: ImpersonationConfig{
+			Enabled: false,
+		},
 	}
 }

 func (c Config) Validate() error {
+	if c.Impersonation.Enabled {
+		if c.Tokenizer.Enabled {
+			return errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "identn::impersonation cannot be enabled if identn::tokenizer is enabled")
+		}
+
+		if c.APIKeyConfig.Enabled {
+			return errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "identn::impersonation cannot be enabled if identn::apikey is enabled")
+		}
+	}
+
 	return nil
 }
--- a/pkg/identn/identn.go
+++ b/pkg/identn/identn.go
@@ -23,8 +23,6 @@ type IdentN interface {
 	GetIdentity(r *http.Request) (*authtypes.Identity, error)

 	Name() authtypes.IdentNProvider
-
-	Enabled() bool
 }

 // IdentNWithPreHook is optionally implemented by resolvers that need to
--- a/pkg/identn/impersonationidentn/provider.go
+++ b/pkg/identn/impersonationidentn/provider.go
@@ -0,0 +1,96 @@
+package impersonationidentn
+
+import (
+	"context"
+	"net/http"
+	"sync"
+
+	"github.com/SigNoz/signoz/pkg/errors"
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/identn"
+	"github.com/SigNoz/signoz/pkg/modules/organization"
+	"github.com/SigNoz/signoz/pkg/modules/user"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
+)
+
+type provider struct {
+	config     identn.Config
+	settings   factory.ScopedProviderSettings
+	orgGetter  organization.Getter
+	userGetter user.Getter
+	userConfig user.Config
+
+	mu       sync.RWMutex
+	identity *authtypes.Identity
+}
+
+func NewFactory(orgGetter organization.Getter, userGetter user.Getter, userConfig user.Config) factory.ProviderFactory[identn.IdentN, identn.Config] {
+	return factory.NewProviderFactory(factory.MustNewName(authtypes.IdentNProviderImpersonation.StringValue()), func(ctx context.Context, providerSettings factory.ProviderSettings, config identn.Config) (identn.IdentN, error) {
+		return New(ctx, providerSettings, config, orgGetter, userGetter, userConfig)
+	})
+}
+
+func New(ctx context.Context, providerSettings factory.ProviderSettings, config identn.Config, orgGetter organization.Getter, userGetter user.Getter, userConfig user.Config) (identn.IdentN, error) {
+	settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/identn/impersonationidentn")
+
+	settings.Logger().WarnContext(ctx, "impersonation identity provider is enabled, all requests will impersonate the root user")
+
+	if !userConfig.Root.Enabled {
+		return nil, errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "root user is not enabled, impersonation identity provider will not be able to resolve any identity")
+	}
+
+	return &provider{
+		config:     config,
+		settings:   settings,
+		orgGetter:  orgGetter,
+		userGetter: userGetter,
+		userConfig: userConfig,
+	}, nil
+}
+
+func (provider *provider) Name() authtypes.IdentNProvider {
+	return authtypes.IdentNProviderImpersonation
+}
+
+func (provider *provider) Test(_ *http.Request) bool {
+	return true
+}
+
+func (provider *provider) GetIdentity(req *http.Request) (*authtypes.Identity, error) {
+	ctx := req.Context()
+
+	provider.mu.RLock()
+	if provider.identity != nil {
+		provider.mu.RUnlock()
+		return provider.identity, nil
+	}
+	provider.mu.RUnlock()
+
+	provider.mu.Lock()
+	defer provider.mu.Unlock()
+
+	// Re-check after acquiring write lock; another goroutine may have resolved it.
+	if provider.identity != nil {
+		return provider.identity, nil
+	}
+
+	org, _, err := provider.orgGetter.GetByIDOrName(ctx, provider.userConfig.Root.Org.ID, provider.userConfig.Root.Org.Name)
+	if err != nil {
+		return nil, err
+	}
+
+	rootUser, err := provider.userGetter.GetRootUserByOrgID(ctx, org.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	provider.identity = authtypes.NewIdentity(
+		rootUser.ID,
+		rootUser.OrgID,
+		rootUser.Email,
+		rootUser.Role,
+		authtypes.IdentNProviderImpersonation,
+	)
+
+	return provider.identity, nil
+}
--- a/pkg/identn/resolver.go
+++ b/pkg/identn/resolver.go
@@ -1,9 +1,11 @@
 package identn

 import (
+	"context"
 	"net/http"

 	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
 )

 type identNResolver struct {
@@ -11,19 +13,55 @@ type identNResolver struct {
 	settings factory.ScopedProviderSettings
 }

-func NewIdentNResolver(providerSettings factory.ProviderSettings, identNs ...IdentN) IdentNResolver {
-	enabledIdentNs := []IdentN{}
+func NewIdentNResolver(ctx context.Context, providerSettings factory.ProviderSettings, identNConfig Config, identNFactories factory.NamedMap[factory.ProviderFactory[IdentN, Config]]) (IdentNResolver, error) {
+	identNs := []IdentN{}

-	for _, identN := range identNs {
-		if identN.Enabled() {
-			enabledIdentNs = append(enabledIdentNs, identN)
+	if identNConfig.Impersonation.Enabled {
+		identNFactory, err := identNFactories.Get(authtypes.IdentNProviderImpersonation.StringValue())
+		if err != nil {
+			return nil, err
 		}
+
+		identN, err := identNFactory.New(ctx, providerSettings, identNConfig)
+		if err != nil {
+			return nil, err
+		}
+
+		identNs = append(identNs, identN)
+	}
+
+	if identNConfig.Tokenizer.Enabled {
+		identNFactory, err := identNFactories.Get(authtypes.IdentNProviderTokenizer.StringValue())
+		if err != nil {
+			return nil, err
+		}
+
+		identN, err := identNFactory.New(ctx, providerSettings, identNConfig)
+		if err != nil {
+			return nil, err
+		}
+
+		identNs = append(identNs, identN)
+	}
+
+	if identNConfig.APIKeyConfig.Enabled {
+		identNFactory, err := identNFactories.Get(authtypes.IdentNProviderAPIKey.StringValue())
+		if err != nil {
+			return nil, err
+		}
+
+		identN, err := identNFactory.New(ctx, providerSettings, identNConfig)
+		if err != nil {
+			return nil, err
+		}
+
+		identNs = append(identNs, identN)
 	}

 	return &identNResolver{
-		identNs:  enabledIdentNs,
+		identNs:  identNs,
 		settings: factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/identn"),
-	}
+	}, nil
 }

 // GetIdentN returns the first IdentN whose Test() returns true.
--- a/pkg/identn/tokenizeridentn/provider.go
+++ b/pkg/identn/tokenizeridentn/provider.go
@@ -48,10 +48,6 @@ func (provider *provider) Test(req *http.Request) bool {
 	return false
 }

-func (provider *provider) Enabled() bool {
-	return provider.config.Tokenizer.Enabled
-}
-
 func (provider *provider) Pre(req *http.Request) *http.Request {
 	accessToken := provider.extractToken(req)
 	if accessToken == "" {
--- a/pkg/modules/organization/implorganization/getter.go
+++ b/pkg/modules/organization/implorganization/getter.go
@@ -3,6 +3,7 @@ package implorganization
 import (
 	"context"

+	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
 	"github.com/SigNoz/signoz/pkg/sharder"
 	"github.com/SigNoz/signoz/pkg/types"
@@ -22,6 +23,33 @@ func (module *getter) Get(ctx context.Context, id valuer.UUID) (*types.Organizat
 	return module.store.Get(ctx, id)
 }

+func (module *getter) GetByIDOrName(ctx context.Context, id valuer.UUID, name string) (*types.Organization, bool, error) {
+	if id.IsZero() {
+		org, err := module.store.GetByName(ctx, name)
+		if err != nil {
+			return nil, false, err
+		}
+
+		return org, true, nil
+	}
+
+	org, err := module.store.Get(ctx, id)
+	if err == nil {
+		return org, false, nil
+	}
+
+	if !errors.Ast(err, errors.TypeNotFound) {
+		return nil, false, err
+	}
+
+	org, err = module.store.GetByName(ctx, name)
+	if err != nil {
+		return nil, false, err
+	}
+
+	return org, true, nil
+}
+
 func (module *getter) ListByOwnedKeyRange(ctx context.Context) ([]*types.Organization, error) {
 	start, end, err := module.sharder.GetMyOwnedKeyRange(ctx)
 	if err != nil {
--- a/pkg/modules/organization/organization.go
+++ b/pkg/modules/organization/organization.go
@@ -12,6 +12,10 @@ type Getter interface {
 	// Get gets the organization based on the given id
 	Get(context.Context, valuer.UUID) (*types.Organization, error)

+	// GetByIDOrName gets the organization by id, falling back to name on not found.
+	// The boolean is true when the name fallback path was used.
+	GetByIDOrName(context.Context, valuer.UUID, string) (*types.Organization, bool, error)
+
 	// ListByOwnedKeyRange gets all the organizations owned by the instance
 	ListByOwnedKeyRange(context.Context) ([]*types.Organization, error)

--- a/pkg/modules/session/implsession/module.go
+++ b/pkg/modules/session/implsession/module.go
@@ -8,6 +8,7 @@ import (
 	"time"

 	"github.com/SigNoz/signoz/pkg/authn"
+	"github.com/SigNoz/signoz/pkg/authz"
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/modules/authdomain"
@@ -28,9 +29,10 @@ type module struct {
 	authDomain authdomain.Module
 	tokenizer  tokenizer.Tokenizer
 	orgGetter  organization.Getter
+	authz      authz.AuthZ
 }

-func NewModule(providerSettings factory.ProviderSettings, authNs map[authtypes.AuthNProvider]authn.AuthN, user user.Module, userGetter user.Getter, authDomain authdomain.Module, tokenizer tokenizer.Tokenizer, orgGetter organization.Getter) session.Module {
+func NewModule(providerSettings factory.ProviderSettings, authNs map[authtypes.AuthNProvider]authn.AuthN, user user.Module, userGetter user.Getter, authDomain authdomain.Module, tokenizer tokenizer.Tokenizer, orgGetter organization.Getter, authz authz.AuthZ) session.Module {
 	return &module{
 		settings:   factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/modules/session/implsession"),
 		authNs:     authNs,
@@ -39,6 +41,7 @@ func NewModule(providerSettings factory.ProviderSettings, authNs map[authtypes.A
 		authDomain: authDomain,
 		tokenizer:  tokenizer,
 		orgGetter:  orgGetter,
+		authz:      authz,
 	}
 }

@@ -142,9 +145,16 @@ func (module *module) CreateCallbackAuthNSession(ctx context.Context, authNProvi
 	}

 	roleMapping := authDomain.AuthDomainConfig().RoleMapping
-	role := roleMapping.NewRoleFromCallbackIdentity(callbackIdentity)
+	managedRoles := roleMapping.ManagedRolesFromCallbackIdentity(callbackIdentity)

-	user, err := types.NewUser(callbackIdentity.Name, callbackIdentity.Email, role, callbackIdentity.OrgID, types.UserStatusActive)
+	// pass only valid or fallback to viewer
+	validRoles, err := module.resolveValidRoles(ctx, callbackIdentity.OrgID, managedRoles, callbackIdentity.Email)
+	if err != nil {
+		return "", err
+	}
+
+	legacyRole := authtypes.HighestLegacyRoleFromManagedRoles(validRoles)
+	user, err := types.NewUser(callbackIdentity.Name, callbackIdentity.Email, legacyRole, validRoles, callbackIdentity.OrgID, types.UserStatusActive)
 	if err != nil {
 		return "", err
 	}
@@ -222,3 +232,34 @@ func getProvider[T authn.AuthN](authNProvider authtypes.AuthNProvider, authNs ma

 	return provider, nil
 }
+
+// resolveValidRoles validates role names against the database
+// returns only roles that exist. If none are valid, falls back to signoz-viewer role
+func (module *module) resolveValidRoles(ctx context.Context, orgID valuer.UUID, roles []string, email valuer.Email) ([]string, error) {
+	validRoles := make([]string, 0, len(roles))
+	var ignored []string
+
+	for _, roleName := range roles {
+		_, err := module.authz.GetByOrgIDAndName(ctx, orgID, roleName)
+		if err != nil {
+			if errors.Ast(err, errors.TypeNotFound) {
+				ignored = append(ignored, roleName)
+				continue
+			}
+			return nil, err
+		}
+		validRoles = append(validRoles, roleName)
+	}
+
+	if len(ignored) > 0 {
+		module.settings.Logger().WarnContext(ctx, "ignoring non-existent roles from SSO mapping", "ignored_roles", ignored, "email", email)
+	}
+
+	// fallback to viewer if no valid roles
+	if len(validRoles) == 0 {
+		module.settings.Logger().WarnContext(ctx, "no valid roles from SSO mapping, falling back to viewer", "email", email)
+		validRoles = []string{authtypes.SigNozViewerRoleName}
+	}
+
+	return validRoles, nil
+}
--- a/pkg/modules/tracefunnel/impltracefunnel/module.go
+++ b/pkg/modules/tracefunnel/impltracefunnel/module.go
@@ -30,7 +30,7 @@ func (module *module) Create(ctx context.Context, timestamp int64, name string,
 	funnel.CreatedBy = userID.String()

 	// Set up the user relationship
-	funnel.CreatedByUser = &types.User{
+	funnel.CreatedByUser = &types.StorableUser{
 		Identifiable: types.Identifiable{
 			ID: userID,
 		},
--- a/pkg/modules/user/impluser/getter.go
+++ b/pkg/modules/user/impluser/getter.go
@@ -4,76 +4,108 @@ import (
 	"context"
 	"slices"

+	"github.com/SigNoz/signoz/pkg/authz"
 	"github.com/SigNoz/signoz/pkg/flagger"
 	"github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/types"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
 	"github.com/SigNoz/signoz/pkg/types/featuretypes"
 	"github.com/SigNoz/signoz/pkg/valuer"
 )

 type getter struct {
-	store   types.UserStore
-	flagger flagger.Flagger
+	store         types.UserStore
+	authz         authz.AuthZ
+	userRoleStore authtypes.UserRoleStore
+	flagger       flagger.Flagger
 }

-func NewGetter(store types.UserStore, flagger flagger.Flagger) user.Getter {
-	return &getter{store: store, flagger: flagger}
+func NewGetter(store types.UserStore, authz authz.AuthZ, userRoleStore authtypes.UserRoleStore, flagger flagger.Flagger) user.Getter {
+	return &getter{store: store, authz: authz, userRoleStore: userRoleStore, flagger: flagger}
 }

 func (module *getter) GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*types.User, error) {
-	return module.store.GetRootUserByOrgID(ctx, orgID)
-}
-
-func (module *getter) ListByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.User, error) {
-	users, err := module.store.ListUsersByOrgID(ctx, orgID)
+	storableUser, err := module.store.GetRootUserByOrgID(ctx, orgID)
 	if err != nil {
 		return nil, err
 	}

-	// filter root users if feature flag `hide_root_users` is true
-	evalCtx := featuretypes.NewFlaggerEvaluationContext(orgID)
-	hideRootUsers := module.flagger.BooleanOrEmpty(ctx, flagger.FeatureHideRootUser, evalCtx)
-
-	if hideRootUsers {
-		users = slices.DeleteFunc(users, func(user *types.User) bool { return user.IsRoot })
-	}
-
-	return users, nil
-}
-
-func (module *getter) GetUsersByEmail(ctx context.Context, email valuer.Email) ([]*types.User, error) {
-	users, err := module.store.GetUsersByEmail(ctx, email)
+	roleNames, err := module.resolveRoleNamesForUser(ctx, storableUser.ID, storableUser.OrgID)
 	if err != nil {
 		return nil, err
 	}

-	return users, nil
-}
-
-func (module *getter) GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*types.User, error) {
-	user, err := module.store.GetByOrgIDAndID(ctx, orgID, id)
-	if err != nil {
-		return nil, err
-	}
+	user := types.NewUserFromStorable(storableUser, roleNames)

 	return user, nil
 }

-func (module *getter) Get(ctx context.Context, id valuer.UUID) (*types.User, error) {
-	user, err := module.store.GetUser(ctx, id)
+func (module *getter) ListByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.User, error) {
+	storableUsers, err := module.store.ListUsersByOrgID(ctx, orgID)
 	if err != nil {
 		return nil, err
 	}

+	userIDs := make([]valuer.UUID, len(storableUsers))
+	for idx, storableUser := range storableUsers {
+		userIDs[idx] = storableUser.ID
+	}
+
+	storableUserRoles, err := module.userRoleStore.ListUserRolesByOrgIDAndUserIDs(ctx, orgID, userIDs)
+	if err != nil {
+		return nil, err
+	}
+
+	userIDToRoleIDs, roleIDs := authtypes.GetUserIDToRoleIDsMappingAndUniqueRoles(storableUserRoles)
+	roles, err := module.authz.ListByOrgIDAndIDs(ctx, orgID, roleIDs)
+	if err != nil {
+		return nil, err
+	}
+
+	evalCtx := featuretypes.NewFlaggerEvaluationContext(orgID)
+	hideRootUsers := module.flagger.BooleanOrEmpty(ctx, flagger.FeatureHideRootUser, evalCtx)
+
+	if hideRootUsers {
+		storableUsers = slices.DeleteFunc(storableUsers, func(user *types.StorableUser) bool { return user.IsRoot })
+	}
+
+	users := module.usersFromStorableUsersAndRolesMaps(storableUsers, roles, userIDToRoleIDs)
+
+	return users, nil
+}
+
+func (module *getter) Get(ctx context.Context, id valuer.UUID) (*types.User, error) {
+	storableUser, err := module.store.GetUser(ctx, id)
+	if err != nil {
+		return nil, err
+	}
+
+	roleNames, err := module.resolveRoleNamesForUser(ctx, storableUser.ID, storableUser.OrgID)
+	if err != nil {
+		return nil, err
+	}
+
+	user := types.NewUserFromStorable(storableUser, roleNames)
+
 	return user, nil
 }

 func (module *getter) ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.Email, orgIDs []valuer.UUID) ([]*types.User, error) {
-	users, err := module.store.ListUsersByEmailAndOrgIDs(ctx, email, orgIDs)
+	storableUsers, err := module.store.ListUsersByEmailAndOrgIDs(ctx, email, orgIDs)
 	if err != nil {
 		return nil, err
 	}

+	users := make([]*types.User, len(storableUsers))
+
+	for idx, storableUser := range storableUsers {
+		roleNames, err := module.resolveRoleNamesForUser(ctx, storableUser.ID, storableUser.OrgID)
+		if err != nil {
+			return nil, err
+		}
+		users[idx] = types.NewUserFromStorable(storableUser, roleNames)
+	}
+
 	return users, nil
 }

@@ -103,3 +135,52 @@ func (module *getter) GetFactorPasswordByUserID(ctx context.Context, userID valu

 	return factorPassword, nil
 }
+
+func (module *getter) resolveRoleNamesForUser(ctx context.Context, userID valuer.UUID, orgID valuer.UUID) ([]string, error) {
+	storableUserRoles, err := module.userRoleStore.GetUserRolesByUserID(ctx, userID)
+	if err != nil {
+		return nil, err
+	}
+
+	roleIDs := make([]valuer.UUID, len(storableUserRoles))
+	for idx, sur := range storableUserRoles {
+		roleIDs[idx] = sur.RoleID
+	}
+
+	roles, err := module.authz.ListByOrgIDAndIDs(ctx, orgID, roleIDs)
+	if err != nil {
+		return nil, err
+	}
+
+	roleNames := make([]string, len(roles))
+	for idx, role := range roles {
+		roleNames[idx] = role.Name
+	}
+
+	return roleNames, nil
+}
+
+func (module *getter) usersFromStorableUsersAndRolesMaps(storableUsers []*types.StorableUser, roles []*authtypes.Role, userIDToRoleIDsMap map[valuer.UUID][]valuer.UUID) []*types.User {
+	users := make([]*types.User, 0, len(storableUsers))
+
+	roleIDToRole := make(map[string]*authtypes.Role, len(roles))
+	for _, role := range roles {
+		roleIDToRole[role.ID.String()] = role
+	}
+
+	for _, user := range storableUsers {
+		roleIDs := userIDToRoleIDsMap[user.ID]
+
+		roleNames := make([]string, 0, len(roleIDs))
+		for _, rid := range roleIDs {
+			if role, ok := roleIDToRole[rid.String()]; ok {
+				roleNames = append(roleNames, role.Name)
+			}
+		}
+
+		account := types.NewUserFromStorable(user, roleNames)
+		users = append(users, account)
+	}
+
+	return users
+}
--- a/pkg/modules/user/impluser/handler.go
+++ b/pkg/modules/user/impluser/handler.go
@@ -27,6 +27,25 @@ func NewHandler(module root.Module, getter root.Getter) root.Handler {
 	return &handler{module: module, getter: getter}
 }

+func (h *handler) AcceptInvite(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	req := new(types.PostableAcceptInvite)
+	if err := binding.JSON.BindBody(r.Body, req); err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	user, err := h.module.AcceptInvite(ctx, req.InviteToken, req.Password)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	render.Success(w, http.StatusCreated, user)
+}
+
 func (h *handler) CreateInvite(rw http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
@@ -85,6 +104,59 @@ func (h *handler) CreateBulkInvite(rw http.ResponseWriter, r *http.Request) {
 	render.Success(rw, http.StatusCreated, nil)
 }

+func (h *handler) GetInvite(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	token := mux.Vars(r)["token"]
+	invite, err := h.module.GetInviteByToken(ctx, token)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	render.Success(w, http.StatusOK, invite)
+}
+
+func (h *handler) ListInvite(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	invites, err := h.module.ListInvite(ctx, claims.OrgID)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	render.Success(w, http.StatusOK, invites)
+}
+
+func (h *handler) DeleteInvite(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	id := mux.Vars(r)["id"]
+
+	claims, err := authtypes.ClaimsFromContext(ctx)
+	if err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	if err := h.module.DeleteUser(ctx, valuer.MustNewUUID(claims.OrgID), id, claims.UserID); err != nil {
+		render.Error(w, err)
+		return
+	}
+
+	render.Success(w, http.StatusNoContent, nil)
+}
+
 func (h *handler) GetUser(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
@@ -97,7 +169,7 @@ func (h *handler) GetUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	user, err := h.getter.GetByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(id))
+	user, err := h.module.GetByOrgIDAndUserID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(id))
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -116,7 +188,7 @@ func (h *handler) GetMyUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	user, err := h.getter.GetByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID))
+	user, err := h.module.GetByOrgIDAndUserID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(claims.UserID))
 	if err != nil {
 		render.Error(w, err)
 		return
@@ -141,6 +213,9 @@ func (h *handler) ListUsers(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	// temp code - show only active users
+	users = slices.DeleteFunc(users, func(user *types.User) bool { return user.Status != types.UserStatusActive })
+
 	render.Success(w, http.StatusOK, users)
 }

@@ -195,7 +270,7 @@ func (handler *handler) GetResetPasswordToken(w http.ResponseWriter, r *http.Req
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()

-	id := mux.Vars(r)["id"]
+	userID := mux.Vars(r)["id"]

 	claims, err := authtypes.ClaimsFromContext(ctx)
 	if err != nil {
@@ -203,13 +278,7 @@ func (handler *handler) GetResetPasswordToken(w http.ResponseWriter, r *http.Req
 		return
 	}

-	user, err := handler.getter.GetByOrgIDAndID(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(id))
-	if err != nil {
-		render.Error(w, err)
-		return
-	}
-
-	token, err := handler.module.GetOrCreateResetPasswordToken(ctx, user.ID)
+	token, err := handler.module.GetOrCreateResetPasswordToken(ctx, valuer.MustNewUUID(claims.OrgID), valuer.MustNewUUID(userID))
 	if err != nil {
 		render.Error(w, err)
 		return
--- a/pkg/modules/user/impluser/module.go
+++ b/pkg/modules/user/impluser/module.go
@@ -12,7 +12,6 @@ import (
 	"github.com/SigNoz/signoz/pkg/errors"
 	"github.com/SigNoz/signoz/pkg/factory"
 	"github.com/SigNoz/signoz/pkg/modules/organization"
-	"github.com/SigNoz/signoz/pkg/modules/user"
 	root "github.com/SigNoz/signoz/pkg/modules/user"
 	"github.com/SigNoz/signoz/pkg/tokenizer"
 	"github.com/SigNoz/signoz/pkg/types"
@@ -24,31 +23,104 @@ import (
 )

 type Module struct {
-	store     types.UserStore
-	tokenizer tokenizer.Tokenizer
-	emailing  emailing.Emailing
-	settings  factory.ScopedProviderSettings
-	orgSetter organization.Setter
-	authz     authz.AuthZ
-	analytics analytics.Analytics
-	config    user.Config
+	store         types.UserStore
+	userRoleStore authtypes.UserRoleStore
+	tokenizer     tokenizer.Tokenizer
+	emailing      emailing.Emailing
+	settings      factory.ScopedProviderSettings
+	orgSetter     organization.Setter
+	authz         authz.AuthZ
+	analytics     analytics.Analytics
+	config        root.Config
 }

 // This module is a WIP, don't take inspiration from this.
-func NewModule(store types.UserStore, tokenizer tokenizer.Tokenizer, emailing emailing.Emailing, providerSettings factory.ProviderSettings, orgSetter organization.Setter, authz authz.AuthZ, analytics analytics.Analytics, config user.Config) root.Module {
+func NewModule(store types.UserStore, userRoleStore authtypes.UserRoleStore, tokenizer tokenizer.Tokenizer, emailing emailing.Emailing, providerSettings factory.ProviderSettings, orgSetter organization.Setter, authz authz.AuthZ, analytics analytics.Analytics, config root.Config) root.Module {
 	settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/modules/user/impluser")
 	return &Module{
-		store:     store,
-		tokenizer: tokenizer,
-		emailing:  emailing,
-		settings:  settings,
-		orgSetter: orgSetter,
-		analytics: analytics,
-		authz:     authz,
-		config:    config,
+		store:         store,
+		userRoleStore: userRoleStore,
+		tokenizer:     tokenizer,
+		emailing:      emailing,
+		settings:      settings,
+		orgSetter:     orgSetter,
+		analytics:     analytics,
+		authz:         authz,
+		config:        config,
 	}
 }

+// this function gets user with its proper roles populated
+func (m *Module) GetByOrgIDAndUserID(ctx context.Context, orgID, userID valuer.UUID) (*types.User, error) {
+	storableUser, err := m.store.GetByOrgIDAndID(ctx, orgID, userID)
+	if err != nil {
+		return nil, err
+	}
+
+	roleNames, err := m.resolveRoleNamesForUser(ctx, userID, storableUser.OrgID)
+	if err != nil {
+		return nil, err
+	}
+
+	user := types.NewUserFromStorable(storableUser, roleNames)
+
+	return user, nil
+}
+
+func (m *Module) AcceptInvite(ctx context.Context, token string, password string) (*types.User, error) {
+	// get the user by reset password token
+	storableUser, err := m.store.GetUserByResetPasswordToken(ctx, token)
+	if err != nil {
+		return nil, err
+	}
+
+	// update the password and delete the token
+	err = m.UpdatePasswordByResetPasswordToken(ctx, token, password)
+	if err != nil {
+		return nil, err
+	}
+
+	// query the user again
+	user, err := m.GetByOrgIDAndUserID(ctx, storableUser.OrgID, storableUser.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	return user, nil
+}
+
+func (m *Module) GetInviteByToken(ctx context.Context, token string) (*types.Invite, error) {
+	// get the user
+	storableUser, err := m.store.GetUserByResetPasswordToken(ctx, token)
+	if err != nil {
+		return nil, err
+	}
+
+	user, err := m.GetByOrgIDAndUserID(ctx, storableUser.OrgID, storableUser.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	// create a dummy invite obj for backward compatibility
+	invite := &types.Invite{
+		Identifiable: types.Identifiable{
+			ID: user.ID,
+		},
+		Name:  user.DisplayName,
+		Email: user.Email,
+		Token: token,
+		Role:  user.Role,
+		Roles: user.Roles,
+		OrgID: user.OrgID,
+		TimeAuditable: types.TimeAuditable{
+			CreatedAt: user.CreatedAt,
+			UpdatedAt: user.UpdatedAt,
+		},
+	}
+
+	return invite, nil
+}
+
 // CreateBulk implements invite.Module.
 func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, bulkInvites *types.PostableBulkInviteRequest) ([]*types.Invite, error) {
 	creator, err := m.store.GetUser(ctx, userID)
@@ -58,24 +130,52 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID

 	// validate all emails to be invited
 	emails := make([]string, len(bulkInvites.Invites))
-	for idx, invite := range bulkInvites.Invites {
+	var allRolesFromRequest []string
+	seenRolesFromRequest := make(map[string]struct{})
+	for idx := range bulkInvites.Invites {
+		invite := &bulkInvites.Invites[idx]
 		emails[idx] = invite.Email.StringValue()
+
+		// backward compat: derive Roles from legacy Role when Roles is not provided
+		if len(invite.Roles) == 0 && invite.Role != "" {
+			if managedRole, ok := authtypes.ExistingRoleToSigNozManagedRoleMap[invite.Role]; ok {
+				invite.Roles = []string{managedRole}
+			}
+		} else if invite.Role == "" && len(invite.Roles) > 0 {
+			// and vice versa
+			invite.Role = authtypes.HighestLegacyRoleFromManagedRoles(invite.Roles)
+		}
+
+		// for role name validation
+		for _, role := range invite.Roles {
+			if _, ok := seenRolesFromRequest[role]; !ok {
+				seenRolesFromRequest[role] = struct{}{}
+				allRolesFromRequest = append(allRolesFromRequest, role)
+			}
+		}
 	}
-	users, err := m.store.GetUsersByEmailsOrgIDAndStatuses(ctx, orgID, emails, []string{types.UserStatusActive.StringValue(), types.UserStatusPendingInvite.StringValue()})
+
+	storableUsers, err := m.store.GetUsersByEmailsOrgIDAndStatuses(ctx, orgID, emails, []string{types.UserStatusActive.StringValue(), types.UserStatusPendingInvite.StringValue()})
 	if err != nil {
 		return nil, err
 	}

-	if len(users) > 0 {
-		if err := users[0].ErrIfRoot(); err != nil {
+	if len(storableUsers) > 0 {
+		if err := storableUsers[0].ErrIfRoot(); err != nil {
 			return nil, errors.WithAdditionalf(err, "Cannot send invite to root user")
 		}

-		if users[0].Status == types.UserStatusPendingInvite {
-			return nil, errors.Newf(errors.TypeAlreadyExists, errors.CodeAlreadyExists, "An invite already exists for this email: %s", users[0].Email.StringValue())
+		if storableUsers[0].Status == types.UserStatusPendingInvite {
+			return nil, errors.Newf(errors.TypeAlreadyExists, errors.CodeAlreadyExists, "An invite already exists for this email: %s", storableUsers[0].Email.StringValue())
 		}

-		return nil, errors.Newf(errors.TypeAlreadyExists, errors.CodeAlreadyExists, "User already exists with this email: %s", users[0].Email.StringValue())
+		return nil, errors.Newf(errors.TypeAlreadyExists, errors.CodeAlreadyExists, "User already exists with this email: %s", storableUsers[0].Email.StringValue())
+	}
+
+	// this function returns error if some role is not found by name
+	_, err = m.authz.ListByOrgIDAndNames(ctx, orgID, allRolesFromRequest)
+	if err != nil {
+		return nil, err
 	}

 	type userWithResetToken struct {
@@ -87,25 +187,20 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID

 	if err := m.store.RunInTx(ctx, func(ctx context.Context) error {
 		for idx, invite := range bulkInvites.Invites {
-			role, err := types.NewRole(invite.Role.String())
-			if err != nil {
-				return err
-			}
-
 			// create a new user with pending invite status
-			newUser, err := types.NewUser(invite.Name, invite.Email, role, orgID, types.UserStatusPendingInvite)
+			newUser, err := types.NewUser(invite.Name, invite.Email, invite.Role, invite.Roles, orgID, types.UserStatusPendingInvite)
 			if err != nil {
 				return err
 			}

-			// store the user and password in db
+			// store the user and user_role entries in db
 			err = m.createUserWithoutGrant(ctx, newUser)
 			if err != nil {
 				return err
 			}

 			// generate reset password token
-			resetPasswordToken, err := m.GetOrCreateResetPasswordToken(ctx, newUser.ID)
+			resetPasswordToken, err := m.GetOrCreateResetPasswordToken(ctx, newUser.OrgID, newUser.ID)
 			if err != nil {
 				m.settings.Logger().ErrorContext(ctx, "failed to create reset password token for invited user", "error", err)
 				return err
@@ -127,7 +222,7 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 	for idx, userWithToken := range newUsersWithResetToken {
 		m.analytics.TrackUser(ctx, orgID.String(), creator.ID.String(), "Invite Sent", map[string]any{
 			"invitee_email": userWithToken.User.Email,
-			"invitee_role":  userWithToken.User.Role,
+			"invitee_roles": userWithToken.User.Roles,
 		})

 		invite := &types.Invite{
@@ -138,6 +233,7 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 			Email: userWithToken.User.Email,
 			Token: userWithToken.ResetPasswordToken.Token,
 			Role:  userWithToken.User.Role,
+			Roles: userWithToken.User.Roles,
 			OrgID: userWithToken.User.OrgID,
 			TimeAuditable: types.TimeAuditable{
 				CreatedAt: userWithToken.User.CreatedAt,
@@ -170,17 +266,68 @@ func (m *Module) CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID
 	return invites, nil
 }

-func (module *Module) CreateUser(ctx context.Context, input *types.User, opts ...root.CreateUserOption) error {
-	createUserOpts := root.NewCreateUserOptions(opts...)
+func (m *Module) ListInvite(ctx context.Context, orgID string) ([]*types.Invite, error) {
+	storableUsers, err := m.store.ListUsersByOrgID(ctx, valuer.MustNewUUID(orgID))
+	if err != nil {
+		return nil, err
+	}

-	// since assign is idempotant multiple calls to assign won't cause issues in case of retries.
-	err := module.authz.Grant(ctx, input.OrgID, []string{authtypes.MustGetSigNozManagedRoleFromExistingRole(input.Role)}, authtypes.MustNewSubject(authtypes.TypeableUser, input.ID.StringValue(), input.OrgID, nil))
+	storableUsers = slices.DeleteFunc(storableUsers, func(user *types.StorableUser) bool { return user.Status != types.UserStatusPendingInvite })
+
+	var invites []*types.Invite
+	for _, su := range storableUsers {
+		roleNames, err := m.resolveRoleNamesForUser(ctx, su.ID, su.OrgID)
+		if err != nil {
+			return nil, err
+		}
+		user := types.NewUserFromStorable(su, roleNames)
+
+		resetPasswordToken, err := m.GetOrCreateResetPasswordToken(ctx, user.OrgID, user.ID)
+		if err != nil {
+			return nil, err
+		}
+
+		invite := &types.Invite{
+			Identifiable: types.Identifiable{ID: user.ID},
+			Name:         user.DisplayName,
+			Email:        user.Email,
+			Token:        resetPasswordToken.Token,
+			Role:         user.Role,
+			Roles:        user.Roles,
+			OrgID:        user.OrgID,
+			TimeAuditable: types.TimeAuditable{
+				CreatedAt: user.CreatedAt,
+				UpdatedAt: user.UpdatedAt,
+			},
+		}
+		invites = append(invites, invite)
+	}
+
+	return invites, nil
+}
+
+func (module *Module) CreateUser(ctx context.Context, input *types.User, opts ...root.CreateUserOption) error {
+	// validate the roles
+	_, err := module.authz.ListByOrgIDAndNames(ctx, input.OrgID, input.Roles)
 	if err != nil {
 		return err
 	}

+	// since assign is idempotant multiple calls to assign won't cause issues in case of retries, also we cannot run this in a transaction for now
+	err = module.authz.Grant(ctx, input.OrgID, input.Roles, authtypes.MustNewSubject(authtypes.TypeableUser, input.ID.StringValue(), input.OrgID, nil))
+	if err != nil {
+		return err
+	}
+
+	createUserOpts := root.NewCreateUserOptions(opts...)
+
 	if err := module.store.RunInTx(ctx, func(ctx context.Context) error {
-		if err := module.store.CreateUser(ctx, input); err != nil {
+		if err := module.store.CreateUser(ctx, types.NewStorableUser(input)); err != nil {
+			return err
+		}
+
+		// create user_role junction entries
+		if err := module.createUserRoleEntries(ctx, input); err != nil {
 			return err
 		}

@@ -203,7 +350,7 @@ func (module *Module) CreateUser(ctx context.Context, input *types.User, opts ..
 }

 func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, user *types.User, updatedBy string) (*types.User, error) {
-	existingUser, err := m.store.GetUser(ctx, valuer.MustNewUUID(id))
+	existingUser, err := m.GetByOrgIDAndUserID(ctx, orgID, valuer.MustNewUUID(id))
 	if err != nil {
 		return nil, err
 	}
@@ -216,18 +363,34 @@ func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, u
 		return nil, errors.WithAdditionalf(err, "cannot update deleted user")
 	}

-	requestor, err := m.store.GetUser(ctx, valuer.MustNewUUID(updatedBy))
+	if err := existingUser.ErrIfPending(); err != nil {
+		return nil, errors.WithAdditionalf(err, "cannot update pending user")
+	}
+
+	requestor, err := m.GetByOrgIDAndUserID(ctx, orgID, valuer.MustNewUUID(updatedBy))
 	if err != nil {
 		return nil, err
 	}

-	if user.Role != "" && user.Role != existingUser.Role && requestor.Role != types.RoleAdmin {
+	// backward compatibility: convert legacy "role" field to "roles" when "roles" is not provided
+	if user.Roles == nil && user.Role != "" && user.Role != existingUser.Role {
+		user.Roles = []string{authtypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)}
+	}
+
+	var grants, revokes []string
+	var rolesChanged bool
+	if user.Roles != nil {
+		grants, revokes = existingUser.PatchRoles(user.Roles)
+		rolesChanged = (len(grants) > 0) || (len(revokes) > 0)
+	}
+
+	if rolesChanged && !slices.Contains(requestor.Roles, authtypes.SigNozAdminRoleName) {
 		return nil, errors.New(errors.TypeForbidden, errors.CodeForbidden, "only admins can change roles")
 	}

 	// Make sure that the request is not demoting the last admin user.
-	if user.Role != "" && user.Role != existingUser.Role && existingUser.Role == types.RoleAdmin {
-		adminUsers, err := m.store.GetActiveUsersByRoleAndOrgID(ctx, types.RoleAdmin, orgID)
+	if rolesChanged && slices.Contains(existingUser.Roles, authtypes.SigNozAdminRoleName) && !slices.Contains(user.Roles, authtypes.SigNozAdminRoleName) {
+		adminUsers, err := m.store.GetActiveUsersByRoleNameAndOrgID(ctx, authtypes.SigNozAdminRoleName, orgID)
 		if err != nil {
 			return nil, err
 		}
@@ -237,28 +400,58 @@ func (m *Module) UpdateUser(ctx context.Context, orgID valuer.UUID, id string, u
 		}
 	}

-	if user.Role != "" && user.Role != existingUser.Role {
-		err = m.authz.ModifyGrant(ctx,
-			orgID,
-			[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(existingUser.Role)},
-			[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)},
-			authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil),
-		)
+	if rolesChanged {
+		// can't run in txn
+		err = m.authz.ModifyGrant(ctx, orgID, revokes, grants, authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil))
 		if err != nil {
 			return nil, err
 		}
 	}

-	existingUser.Update(user.DisplayName, user.Role)
-	if err := m.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
-		return nil, err
+	// preserve existing role and roles when not explicitly provided in the request
+	updateRole := user.Role
+	updateRoles := user.Roles
+	if user.Roles == nil {
+		updateRole = existingUser.Role
+		updateRoles = existingUser.Roles
+	} else if updateRole == "" {
+		updateRole = existingUser.Role
+	}
+	existingUser.Update(user.DisplayName, updateRole, updateRoles)
+	if rolesChanged {
+		err = m.store.RunInTx(ctx, func(ctx context.Context) error {
+			// update the user
+			if err := m.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
+				return err
+			}
+
+			// delete old role entries and create new ones
+			if err := m.userRoleStore.DeleteUserRoles(ctx, existingUser.ID); err != nil {
+				return err
+			}
+
+			// create new ones
+			if err := m.createUserRoleEntries(ctx, existingUser); err != nil {
+				return err
+			}
+			return nil
+		})
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		// persist display name change even when roles haven't changed
+		if err := m.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
+			return nil, err
+		}
 	}

 	return existingUser, nil
 }

 func (module *Module) UpdateAnyUser(ctx context.Context, orgID valuer.UUID, user *types.User) error {
-	if err := module.store.UpdateUser(ctx, orgID, user); err != nil {
+	storableUser := types.NewStorableUser(user)
+	if err := module.store.UpdateUser(ctx, orgID, storableUser); err != nil {
 		return err
 	}

@@ -274,7 +467,7 @@ func (module *Module) UpdateAnyUser(ctx context.Context, orgID valuer.UUID, user
 }

 func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id string, deletedBy string) error {
-	user, err := module.store.GetUser(ctx, valuer.MustNewUUID(id))
+	user, err := module.GetByOrgIDAndUserID(ctx, orgID, valuer.MustNewUUID(id))
 	if err != nil {
 		return err
 	}
@@ -292,17 +485,17 @@ func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id stri
 	}

 	// don't allow to delete the last admin user
-	adminUsers, err := module.store.GetActiveUsersByRoleAndOrgID(ctx, types.RoleAdmin, orgID)
+	adminUsers, err := module.store.GetActiveUsersByRoleNameAndOrgID(ctx, authtypes.SigNozAdminRoleName, orgID)
 	if err != nil {
 		return err
 	}

-	if len(adminUsers) == 1 && user.Role == types.RoleAdmin {
+	if len(adminUsers) == 1 && slices.Contains(user.Roles, authtypes.SigNozAdminRoleName) {
 		return errors.New(errors.TypeForbidden, errors.CodeForbidden, "cannot delete the last admin")
 	}

 	// since revoke is idempotant multiple calls to revoke won't cause issues in case of retries
-	err = module.authz.Revoke(ctx, orgID, []string{authtypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)}, authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil))
+	err = module.authz.Revoke(ctx, orgID, user.Roles, authtypes.MustNewSubject(authtypes.TypeableUser, id, orgID, nil))
 	if err != nil {
 		return err
 	}
@@ -319,8 +512,8 @@ func (module *Module) DeleteUser(ctx context.Context, orgID valuer.UUID, id stri
 	return nil
 }

-func (module *Module) GetOrCreateResetPasswordToken(ctx context.Context, userID valuer.UUID) (*types.ResetPasswordToken, error) {
-	user, err := module.store.GetUser(ctx, userID)
+func (module *Module) GetOrCreateResetPasswordToken(ctx context.Context, orgID, userID valuer.UUID) (*types.ResetPasswordToken, error) {
+	user, err := module.GetByOrgIDAndUserID(ctx, orgID, userID)
 	if err != nil {
 		return nil, err
 	}
@@ -403,7 +596,7 @@ func (module *Module) ForgotPassword(ctx context.Context, orgID valuer.UUID, ema
 		return errors.WithAdditionalf(err, "cannot reset password for root user")
 	}

-	token, err := module.GetOrCreateResetPasswordToken(ctx, user.ID)
+	token, err := module.GetOrCreateResetPasswordToken(ctx, orgID, user.ID)
 	if err != nil {
 		module.settings.Logger().ErrorContext(ctx, "failed to create reset password token", "error", err)
 		return err
@@ -449,17 +642,17 @@ func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 		return err
 	}

-	user, err := module.store.GetUser(ctx, valuer.MustNewUUID(password.UserID))
+	storableUser, err := module.store.GetUser(ctx, valuer.MustNewUUID(password.UserID))
 	if err != nil {
 		return err
 	}

 	// handle deleted user
-	if err := user.ErrIfDeleted(); err != nil {
+	if err := storableUser.ErrIfDeleted(); err != nil {
 		return errors.WithAdditionalf(err, "deleted users cannot reset their password")
 	}

-	if err := user.ErrIfRoot(); err != nil {
+	if err := storableUser.ErrIfRoot(); err != nil {
 		return errors.WithAdditionalf(err, "cannot reset password for root user")
 	}

@@ -467,12 +660,19 @@ func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 		return err
 	}

+	roleNames, err := module.resolveRoleNamesForUser(ctx, storableUser.ID, storableUser.OrgID)
+	if err != nil {
+		return err
+	}
+
+	user := types.NewUserFromStorable(storableUser, roleNames)
+
 	// since grant is idempotent, multiple calls won't cause issues in case of retries
 	if user.Status == types.UserStatusPendingInvite {
 		if err = module.authz.Grant(
 			ctx,
 			user.OrgID,
-			[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)},
+			user.Roles,
 			authtypes.MustNewSubject(authtypes.TypeableUser, user.ID.StringValue(), user.OrgID, nil),
 		); err != nil {
 			return err
@@ -484,7 +684,7 @@ func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 			if err := user.UpdateStatus(types.UserStatusActive); err != nil {
 				return err
 			}
-			if err := module.store.UpdateUser(ctx, user.OrgID, user); err != nil {
+			if err := module.store.UpdateUser(ctx, user.OrgID, types.NewStorableUser(user)); err != nil {
 				return err
 			}
 		}
@@ -502,16 +702,16 @@ func (module *Module) UpdatePasswordByResetPasswordToken(ctx context.Context, to
 }

 func (module *Module) UpdatePassword(ctx context.Context, userID valuer.UUID, oldpasswd string, passwd string) error {
-	user, err := module.store.GetUser(ctx, userID)
+	storableUser, err := module.store.GetUser(ctx, userID)
 	if err != nil {
 		return err
 	}

-	if err := user.ErrIfDeleted(); err != nil {
+	if err := storableUser.ErrIfDeleted(); err != nil {
 		return errors.WithAdditionalf(err, "cannot change password for deleted user")
 	}

-	if err := user.ErrIfRoot(); err != nil {
+	if err := storableUser.ErrIfRoot(); err != nil {
 		return errors.WithAdditionalf(err, "cannot change password for root user")
 	}

@@ -556,10 +756,12 @@ func (module *Module) GetOrCreateUser(ctx context.Context, user *types.User, opt
 	if existingUser != nil {
 		// for users logging through SSO flow but are having status as pending_invite
 		if existingUser.Status == types.UserStatusPendingInvite {
+			// capture old roles before overwriting with SSO roles
+			oldRoles := existingUser.Roles
 			// respect the role coming from the SSO
-			existingUser.Update("", user.Role)
+			existingUser.Update("", user.Role, user.Roles)
 			// activate the user
-			if err = module.activatePendingUser(ctx, existingUser); err != nil {
+			if err = module.activatePendingUser(ctx, existingUser, oldRoles); err != nil {
 				return nil, err
 			}
 		}
@@ -596,7 +798,7 @@ func (m *Module) RevokeAPIKey(ctx context.Context, id, removedByUserID valuer.UU
 }

 func (module *Module) CreateFirstUser(ctx context.Context, organization *types.Organization, name string, email valuer.Email, passwd string) (*types.User, error) {
-	user, err := types.NewRootUser(name, email, organization.ID)
+	user, err := types.NewRootUser(name, email, organization.ID, []string{authtypes.SigNozAdminRoleName})
 	if err != nil {
 		return nil, err
 	}
@@ -658,20 +860,24 @@ func (module *Module) Collect(ctx context.Context, orgID valuer.UUID) (map[strin

 // this function restricts that only one non-deleted user email can exist for an org ID, if found more, it throws an error
 func (module *Module) GetNonDeletedUserByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) (*types.User, error) {
-	existingUsers, err := module.store.GetUsersByEmailAndOrgID(ctx, email, orgID)
+	existingStorableUsers, err := module.store.GetUsersByEmailAndOrgID(ctx, email, orgID)
 	if err != nil {
 		return nil, err
 	}

 	// filter out the deleted users
-	existingUsers = slices.DeleteFunc(existingUsers, func(user *types.User) bool { return user.ErrIfDeleted() != nil })
+	existingStorableUsers = slices.DeleteFunc(existingStorableUsers, func(user *types.StorableUser) bool { return user.ErrIfDeleted() != nil })

-	if len(existingUsers) > 1 {
+	if len(existingStorableUsers) > 1 {
 		return nil, errors.Newf(errors.TypeInternal, errors.CodeInternal, "Multiple non-deleted users found for email %s in org_id: %s", email.StringValue(), orgID.StringValue())
 	}

-	if len(existingUsers) == 1 {
-		return existingUsers[0], nil
+	if len(existingStorableUsers) == 1 {
+		existingUser, err := module.GetByOrgIDAndUserID(ctx, existingStorableUsers[0].OrgID, existingStorableUsers[0].ID)
+		if err != nil {
+			return nil, err
+		}
+		return existingUser, nil
 	}

 	return nil, errors.Newf(errors.TypeNotFound, errors.CodeNotFound, "No non-deleted user found with email %s in org_id: %s", email.StringValue(), orgID.StringValue())
@@ -681,7 +887,12 @@ func (module *Module) GetNonDeletedUserByEmailAndOrgID(ctx context.Context, emai
 func (module *Module) createUserWithoutGrant(ctx context.Context, input *types.User, opts ...root.CreateUserOption) error {
 	createUserOpts := root.NewCreateUserOptions(opts...)
 	if err := module.store.RunInTx(ctx, func(ctx context.Context) error {
-		if err := module.store.CreateUser(ctx, input); err != nil {
+		if err := module.store.CreateUser(ctx, types.NewStorableUser(input)); err != nil {
+			return err
+		}
+
+		// create user_role junction entries
+		if err := module.createUserRoleEntries(ctx, input); err != nil {
 			return err
 		}

@@ -703,11 +914,27 @@ func (module *Module) createUserWithoutGrant(ctx context.Context, input *types.U
 	return nil
 }

-func (module *Module) activatePendingUser(ctx context.Context, user *types.User) error {
-	err := module.authz.Grant(
+func (module *Module) createUserRoleEntries(ctx context.Context, user *types.User) error {
+	if len(user.Roles) == 0 {
+		return nil
+	}
+
+	storableRoles, err := module.authz.ListByOrgIDAndNames(ctx, user.OrgID, user.Roles)
+	if err != nil {
+		return err
+	}
+
+	userRoles := authtypes.NewStorableUserRoles(user.ID, storableRoles)
+	return module.userRoleStore.CreateUserRoles(ctx, userRoles)
+}
+
+func (module *Module) activatePendingUser(ctx context.Context, user *types.User, oldRoles []string) error {
+	// use ModifyGrant to revoke old invite roles and grant new SSO roles
+	err := module.authz.ModifyGrant(
 		ctx,
 		user.OrgID,
-		[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(user.Role)},
+		oldRoles,
+		user.Roles,
 		authtypes.MustNewSubject(authtypes.TypeableUser, user.ID.StringValue(), user.OrgID, nil),
 	)
 	if err != nil {
@@ -717,10 +944,66 @@ func (module *Module) activatePendingUser(ctx context.Context, user *types.User)
 	if err := user.UpdateStatus(types.UserStatusActive); err != nil {
 		return err
 	}
-	err = module.store.UpdateUser(ctx, user.OrgID, user)
-	if err != nil {
-		return err
+
+	return module.store.RunInTx(ctx, func(ctx context.Context) error {
+		if err := module.store.UpdateUser(ctx, user.OrgID, types.NewStorableUser(user)); err != nil {
+			return err
+		}
+
+		// delete old invite role entries and create new ones from SSO
+		if err := module.userRoleStore.DeleteUserRoles(ctx, user.ID); err != nil {
+			return err
+		}
+
+		return module.createUserRoleEntries(ctx, user)
+	})
+}
+
+func (module *Module) usersFromStorableUsersAndRolesMaps(storableUsers []*types.StorableUser, roles []*authtypes.Role, userIDToRoleIDsMap map[valuer.UUID][]valuer.UUID) []*types.User {
+	users := make([]*types.User, 0, len(storableUsers))
+
+	roleIDToRole := make(map[string]*authtypes.Role, len(roles))
+	for _, role := range roles {
+		roleIDToRole[role.ID.String()] = role
 	}

-	return nil
+	for _, user := range storableUsers {
+		roleIDs := userIDToRoleIDsMap[user.ID]
+
+		roleNames := make([]string, 0, len(roleIDs))
+		for _, rid := range roleIDs {
+			if role, ok := roleIDToRole[rid.String()]; ok {
+				roleNames = append(roleNames, role.Name)
+			}
+		}
+
+		account := types.NewUserFromStorable(user, roleNames)
+		users = append(users, account)
+	}
+
+	return users
+}
+
+func (m *Module) resolveRoleNamesForUser(ctx context.Context, userID valuer.UUID, orgID valuer.UUID) ([]string, error) {
+	storableUserRoles, err := m.userRoleStore.GetUserRolesByUserID(ctx, userID)
+	if err != nil {
+		return nil, err
+	}
+
+	roleIDs := make([]valuer.UUID, len(storableUserRoles))
+	for idx, sur := range storableUserRoles {
+		roleIDs[idx] = sur.RoleID
+	}
+
+	roles, err := m.authz.ListByOrgIDAndIDs(ctx, orgID, roleIDs)
+	if err != nil {
+		return nil, err
+	}
+
+	roleNames := make([]string, len(roles))
+	for idx, role := range roles {
+		roleNames[idx] = role.Name
+	}
+
+	return roleNames, nil
 }
--- a/pkg/modules/user/impluser/service.go
+++ b/pkg/modules/user/impluser/service.go
@@ -15,31 +15,34 @@ import (
 )

 type service struct {
-	settings  factory.ScopedProviderSettings
-	store     types.UserStore
-	module    user.Module
-	orgGetter organization.Getter
-	authz     authz.AuthZ
-	config    user.RootConfig
-	stopC     chan struct{}
+	settings      factory.ScopedProviderSettings
+	store         types.UserStore
+	userRoleStore authtypes.UserRoleStore
+	module        user.Module
+	orgGetter     organization.Getter
+	authz         authz.AuthZ
+	config        user.RootConfig
+	stopC         chan struct{}
 }

 func NewService(
 	providerSettings factory.ProviderSettings,
 	store types.UserStore,
+	userRoleStore authtypes.UserRoleStore,
 	module user.Module,
 	orgGetter organization.Getter,
 	authz authz.AuthZ,
 	config user.RootConfig,
 ) user.Service {
 	return &service{
-		settings:  factory.NewScopedProviderSettings(providerSettings, "go.signoz.io/pkg/modules/user"),
-		store:     store,
-		module:    module,
-		orgGetter: orgGetter,
-		authz:     authz,
-		config:    config,
-		stopC:     make(chan struct{}),
+		settings:      factory.NewScopedProviderSettings(providerSettings, "go.signoz.io/pkg/modules/user"),
+		store:         store,
+		userRoleStore: userRoleStore,
+		module:        module,
+		orgGetter:     orgGetter,
+		authz:         authz,
+		config:        config,
+		stopC:         make(chan struct{}),
 	}
 }

@@ -77,59 +80,33 @@ func (s *service) Stop(ctx context.Context) error {
 }

 func (s *service) reconcile(ctx context.Context) error {
-	if !s.config.Org.ID.IsZero() {
-		return s.reconcileWithOrgID(ctx)
-	}
-
-	return s.reconcileByName(ctx)
-}
-
-func (s *service) reconcileWithOrgID(ctx context.Context) error {
-	org, err := s.orgGetter.Get(ctx, s.config.Org.ID)
+	org, resolvedByName, err := s.orgGetter.GetByIDOrName(ctx, s.config.Org.ID, s.config.Org.Name)
 	if err != nil {
 		if !errors.Ast(err, errors.TypeNotFound) {
 			return err // something really went wrong
 		}

-		// org was not found using id check if we can find an org using name
-
-		existingOrgByName, nameErr := s.orgGetter.GetByName(ctx, s.config.Org.Name)
-		if nameErr != nil && !errors.Ast(nameErr, errors.TypeNotFound) {
-			return nameErr // something really went wrong
-		}
-
-		// we found an org using name
-		if existingOrgByName != nil {
-			// the existing org has the same name as config but org id is different inform user with actionable message
-			return errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "organization with name %q already exists with a different ID %s (expected %s)", s.config.Org.Name, existingOrgByName.ID.StringValue(), s.config.Org.ID.StringValue())
-		}
-
-		// default - we did not found any org using id and name both - create a new org
-		newOrg := types.NewOrganizationWithID(s.config.Org.ID, s.config.Org.Name, s.config.Org.Name)
-		_, err = s.module.CreateFirstUser(ctx, newOrg, s.config.Email.String(), s.config.Email, s.config.Password)
-		return err
-	}
-
-	return s.reconcileRootUser(ctx, org.ID)
-}
-
-func (s *service) reconcileByName(ctx context.Context) error {
-	org, err := s.orgGetter.GetByName(ctx, s.config.Org.Name)
-	if err != nil {
-		if errors.Ast(err, errors.TypeNotFound) {
+		if s.config.Org.ID.IsZero() {
 			newOrg := types.NewOrganization(s.config.Org.Name, s.config.Org.Name)
 			_, err := s.module.CreateFirstUser(ctx, newOrg, s.config.Email.String(), s.config.Email, s.config.Password)
 			return err
 		}

+		newOrg := types.NewOrganizationWithID(s.config.Org.ID, s.config.Org.Name, s.config.Org.Name)
+		_, err = s.module.CreateFirstUser(ctx, newOrg, s.config.Email.String(), s.config.Email, s.config.Password)
 		return err
 	}

+	if !s.config.Org.ID.IsZero() && resolvedByName {
+		// the existing org has the same name as config but org id is different; inform user with actionable message
+		return errors.Newf(errors.TypeInvalidInput, errors.CodeInvalidInput, "organization with name %q already exists with a different ID %s (expected %s)", s.config.Org.Name, org.ID.StringValue(), s.config.Org.ID.StringValue())
+	}
+
 	return s.reconcileRootUser(ctx, org.ID)
 }

 func (s *service) reconcileRootUser(ctx context.Context, orgID valuer.UUID) error {
-	existingRoot, err := s.store.GetRootUserByOrgID(ctx, orgID)
+	existingRoot, err := s.getRootUserByOrgID(ctx, orgID)
 	if err != nil && !errors.Ast(err, errors.TypeNotFound) {
 		return err
 	}
@@ -148,29 +125,49 @@ func (s *service) createOrPromoteRootUser(ctx context.Context, orgID valuer.UUID
 	}

 	if existingUser != nil {
-		oldRole := existingUser.Role
+		oldRoles := existingUser.Roles

-		existingUser.PromoteToRoot()
+		existingUser.PromoteToRoot() // this only sets the column is_root as true (permissions are managed by authz in next step)
+		existingUser.Roles = []string{authtypes.SigNozAdminRoleName}
+
+		// authz grant is idempotent and safe to retry, so do it before DB mutations
+		if err := s.authz.ModifyGrant(ctx,
+			orgID,
+			oldRoles,
+			[]string{authtypes.SigNozAdminRoleName},
+			authtypes.MustNewSubject(authtypes.TypeableUser, existingUser.ID.StringValue(), orgID, nil),
+		); err != nil {
+			return err
+		}
+
+		// this is idempotent
 		if err := s.module.UpdateAnyUser(ctx, orgID, existingUser); err != nil {
 			return err
 		}

-		if oldRole != types.RoleAdmin {
-			if err := s.authz.ModifyGrant(ctx,
-				orgID,
-				[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(oldRole)},
-				[]string{authtypes.MustGetSigNozManagedRoleFromExistingRole(types.RoleAdmin)},
-				authtypes.MustNewSubject(authtypes.TypeableUser, existingUser.ID.StringValue(), orgID, nil),
-			); err != nil {
-				return err
-			}
+		// resolve the admin role ID for user_role entries
+		storableRoles, err := s.authz.ListByOrgIDAndNames(ctx, orgID, []string{authtypes.SigNozAdminRoleName})
+		if err != nil {
+			return err
 		}

-		return s.setPassword(ctx, existingUser.ID)
+		// wrap user_role updates and password in a transaction
+		return s.store.RunInTx(ctx, func(ctx context.Context) error {
+			if err := s.userRoleStore.DeleteUserRoles(ctx, existingUser.ID); err != nil {
+				return err
+			}
+
+			userRoles := authtypes.NewStorableUserRoles(existingUser.ID, storableRoles)
+			if err := s.userRoleStore.CreateUserRoles(ctx, userRoles); err != nil {
+				return err
+			}
+
+			return s.setPassword(ctx, existingUser.ID)
+		})
 	}

 	// Create new root user
-	newUser, err := types.NewRootUser(s.config.Email.String(), s.config.Email, orgID)
+	newUser, err := types.NewRootUser(s.config.Email.String(), s.config.Email, orgID, []string{authtypes.SigNozAdminRoleName})
 	if err != nil {
 		return err
 	}
@@ -180,6 +177,7 @@ func (s *service) createOrPromoteRootUser(ctx context.Context, orgID valuer.UUID
 		return err
 	}

+	// authz grants are handled inside CreateUser
 	return s.module.CreateUser(ctx, newUser, user.WithFactorPassword(factorPassword))
 }

@@ -221,3 +219,12 @@ func (s *service) setPassword(ctx context.Context, userID valuer.UUID) error {

 	return nil
 }
+
+func (s *service) getRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*types.User, error) {
+	storableRoot, err := s.store.GetRootUserByOrgID(ctx, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	return s.module.GetByOrgIDAndUserID(ctx, orgID, storableRoot.ID)
+}
--- a/pkg/modules/user/impluser/store.go
+++ b/pkg/modules/user/impluser/store.go
@@ -39,7 +39,7 @@ func (store *store) CreatePassword(ctx context.Context, password *types.FactorPa
 	return nil
 }

-func (store *store) CreateUser(ctx context.Context, user *types.User) error {
+func (store *store) CreateUser(ctx context.Context, user *types.StorableUser) error {
 	_, err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -52,8 +52,8 @@ func (store *store) CreateUser(ctx context.Context, user *types.User) error {
 	return nil
 }

-func (store *store) GetUsersByEmail(ctx context.Context, email valuer.Email) ([]*types.User, error) {
-	var users []*types.User
+func (store *store) GetUsersByEmail(ctx context.Context, email valuer.Email) ([]*types.StorableUser, error) {
+	var users []*types.StorableUser

 	err := store.
 		sqlstore.
@@ -69,8 +69,8 @@ func (store *store) GetUsersByEmail(ctx context.Context, email valuer.Email) ([]
 	return users, nil
 }

-func (store *store) GetUser(ctx context.Context, id valuer.UUID) (*types.User, error) {
-	user := new(types.User)
+func (store *store) GetUser(ctx context.Context, id valuer.UUID) (*types.StorableUser, error) {
+	user := new(types.StorableUser)

 	err := store.
 		sqlstore.
@@ -86,8 +86,8 @@ func (store *store) GetUser(ctx context.Context, id valuer.UUID) (*types.User, e
 	return user, nil
 }

-func (store *store) GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*types.User, error) {
-	user := new(types.User)
+func (store *store) GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id valuer.UUID) (*types.StorableUser, error) {
+	user := new(types.StorableUser)

 	err := store.
 		sqlstore.
@@ -104,8 +104,8 @@ func (store *store) GetByOrgIDAndID(ctx context.Context, orgID valuer.UUID, id v
 	return user, nil
 }

-func (store *store) GetUsersByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) ([]*types.User, error) {
-	var users []*types.User
+func (store *store) GetUsersByEmailAndOrgID(ctx context.Context, email valuer.Email, orgID valuer.UUID) ([]*types.StorableUser, error) {
+	var users []*types.StorableUser

 	err := store.
 		sqlstore.
@@ -122,26 +122,7 @@ func (store *store) GetUsersByEmailAndOrgID(ctx context.Context, email valuer.Em
 	return users, nil
 }

-func (store *store) GetActiveUsersByRoleAndOrgID(ctx context.Context, role types.Role, orgID valuer.UUID) ([]*types.User, error) {
-	var users []*types.User
-
-	err := store.
-		sqlstore.
-		BunDBCtx(ctx).
-		NewSelect().
-		Model(&users).
-		Where("org_id = ?", orgID).
-		Where("role = ?", role).
-		Where("status = ?", types.UserStatusActive.StringValue()).
-		Scan(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	return users, nil
-}
-
-func (store *store) UpdateUser(ctx context.Context, orgID valuer.UUID, user *types.User) error {
+func (store *store) UpdateUser(ctx context.Context, orgID valuer.UUID, user *types.StorableUser) error {
 	_, err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -162,8 +143,8 @@ func (store *store) UpdateUser(ctx context.Context, orgID valuer.UUID, user *typ
 	return nil
 }

-func (store *store) ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.GettableUser, error) {
-	users := []*types.User{}
+func (store *store) ListUsersByOrgID(ctx context.Context, orgID valuer.UUID) ([]*types.StorableUser, error) {
+	users := []*types.StorableUser{}

 	err := store.
 		sqlstore.
@@ -247,7 +228,7 @@ func (store *store) DeleteUser(ctx context.Context, orgID string, id string) err

 	// delete user
 	_, err = tx.NewDelete().
-		Model(new(types.User)).
+		Model(new(types.StorableUser)).
 		Where("org_id = ?", orgID).
 		Where("id = ?", id).
 		Exec(ctx)
@@ -332,7 +313,7 @@ func (store *store) SoftDeleteUser(ctx context.Context, orgID string, id string)
 	// soft delete user
 	now := time.Now()
 	_, err = tx.NewUpdate().
-		Model(new(types.User)).
+		Model(new(types.StorableUser)).
 		Set("status = ?", types.UserStatusDeleted).
 		Set("deleted_at = ?", now).
 		Set("updated_at = ?", now).
@@ -563,7 +544,7 @@ func (store *store) GetAPIKey(ctx context.Context, orgID, id valuer.UUID) (*type
 }

 func (store *store) CountByOrgID(ctx context.Context, orgID valuer.UUID) (int64, error) {
-	user := new(types.User)
+	user := new(types.StorableUser)

 	count, err := store.
 		sqlstore.
@@ -580,7 +561,7 @@ func (store *store) CountByOrgID(ctx context.Context, orgID valuer.UUID) (int64,
 }

 func (store *store) CountByOrgIDAndStatuses(ctx context.Context, orgID valuer.UUID, statuses []string) (map[valuer.String]int64, error) {
-	user := new(types.User)
+	user := new(types.StorableUser)
 	var results []struct {
 		Status valuer.String `bun:"status"`
 		Count  int64         `bun:"count"`
@@ -633,8 +614,8 @@ func (store *store) RunInTx(ctx context.Context, cb func(ctx context.Context) er
 	})
 }

-func (store *store) GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*types.User, error) {
-	user := new(types.User)
+func (store *store) GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (*types.StorableUser, error) {
+	user := new(types.StorableUser)
 	err := store.
 		sqlstore.
 		BunDBCtx(ctx).
@@ -649,8 +630,8 @@ func (store *store) GetRootUserByOrgID(ctx context.Context, orgID valuer.UUID) (
 	return user, nil
 }

-func (store *store) ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.Email, orgIDs []valuer.UUID) ([]*types.User, error) {
-	users := []*types.User{}
+func (store *store) ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.Email, orgIDs []valuer.UUID) ([]*types.StorableUser, error) {
+	users := []*types.StorableUser{}
 	err := store.
 		sqlstore.
 		BunDB().
@@ -666,15 +647,15 @@ func (store *store) ListUsersByEmailAndOrgIDs(ctx context.Context, email valuer.
 	return users, nil
 }

-func (store *store) GetUserByResetPasswordToken(ctx context.Context, token string) (*types.User, error) {
-	user := new(types.User)
+func (store *store) GetUserByResetPasswordToken(ctx context.Context, token string) (*types.StorableUser, error) {
+	user := new(types.StorableUser)

 	err := store.
 		sqlstore.
 		BunDBCtx(ctx).
 		NewSelect().
 		Model(user).
-		Join(`JOIN factor_password ON factor_password.user_id = "user".id`).
+		Join(`JOIN factor_password ON factor_password.user_id = "users".id`).
 		Join("JOIN reset_password_token ON reset_password_token.password_id = factor_password.id").
 		Where("reset_password_token.token = ?", token).
 		Scan(ctx)
@@ -685,8 +666,8 @@ func (store *store) GetUserByResetPasswordToken(ctx context.Context, token strin
 	return user, nil
 }

-func (store *store) GetUsersByEmailsOrgIDAndStatuses(ctx context.Context, orgID valuer.UUID, emails []string, statuses []string) ([]*types.User, error) {
-	users := []*types.User{}
+func (store *store) GetUsersByEmailsOrgIDAndStatuses(ctx context.Context, orgID valuer.UUID, emails []string, statuses []string) ([]*types.StorableUser, error) {
+	users := []*types.StorableUser{}

 	err := store.
 		sqlstore.
@@ -703,3 +684,20 @@ func (store *store) GetUsersByEmailsOrgIDAndStatuses(ctx context.Context, orgID

 	return users, nil
 }
+
+func (store *store) GetActiveUsersByRoleNameAndOrgID(ctx context.Context, roleName string, orgID valuer.UUID) ([]*types.StorableUser, error) {
+	var users []*types.StorableUser
+
+	err := store.sqlstore.BunDBCtx(ctx).NewSelect().
+		Model(&users).
+		Join("JOIN user_role ON user_role.user_id = users.id").
+		Join("JOIN role ON role.id = user_role.role_id").
+		Where("users.org_id = ?", orgID).
+		Where("role.name = ?", roleName).
+		Where("users.status = ?", types.UserStatusActive.StringValue()).
+		Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return users, nil
+}
--- a/pkg/modules/user/impluser/userrolestore.go
+++ b/pkg/modules/user/impluser/userrolestore.go
@@ -0,0 +1,62 @@
+package impluser
+
+import (
+	"context"
+
+	"github.com/SigNoz/signoz/pkg/factory"
+	"github.com/SigNoz/signoz/pkg/sqlstore"
+	"github.com/SigNoz/signoz/pkg/types/authtypes"
+	"github.com/SigNoz/signoz/pkg/valuer"
+	"github.com/uptrace/bun"
+)
+
+type userRoleStore struct {
+	sqlstore sqlstore.SQLStore
+	settings factory.ProviderSettings
+}
+
+func NewUserRoleStore(sqlstore sqlstore.SQLStore, settings factory.ProviderSettings) authtypes.UserRoleStore {
+	return &userRoleStore{sqlstore: sqlstore, settings: settings}
+}
+
+func (store *userRoleStore) ListUserRolesByOrgIDAndUserIDs(ctx context.Context, orgID valuer.UUID, userIDs []valuer.UUID) ([]*authtypes.StorableUserRole, error) {
+	storableUserRoles := make([]*authtypes.StorableUserRole, 0)
+
+	err := store.sqlstore.BunDBCtx(ctx).NewSelect().Model(&storableUserRoles).
+		Join("JOIN users").
+		JoinOn("users.id = user_role.user_id").
+		Where("users.org_id = ?", orgID).Where("users.id IN (?)", bun.In(userIDs)).Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return storableUserRoles, nil
+}
+
+func (store *userRoleStore) CreateUserRoles(ctx context.Context, userRoles []*authtypes.StorableUserRole) error {
+	_, err := store.sqlstore.BunDBCtx(ctx).NewInsert().Model(&userRoles).Exec(ctx)
+	if err != nil {
+		return store.sqlstore.WrapAlreadyExistsErrf(err, authtypes.ErrCodeUserRoleAlreadyExists, "duplicate role assignments for service account")
+	}
+	return nil
+}
+
+func (store *userRoleStore) DeleteUserRoles(ctx context.Context, userID valuer.UUID) error {
+	_, err := store.sqlstore.BunDBCtx(ctx).NewDelete().Model(new(authtypes.StorableUserRole)).Where("user_id = ?", userID).Exec(ctx)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (store *userRoleStore) GetUserRolesByUserID(ctx context.Context, userID valuer.UUID) ([]*authtypes.StorableUserRole, error) {
+	storableUserRoles := make([]*authtypes.StorableUserRole, 0)
+
+	err := store.sqlstore.BunDBCtx(ctx).NewSelect().Model(&storableUserRoles).Where("user_id = ?", userID).Scan(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return storableUserRoles, nil
+}
--- a/pkg/modules/user/user.go
+++ b/pkg/modules/user/user.go
@@ -10,6 +10,9 @@ import (
 )

 type Module interface {
+	// Gets user by org id and user id, this includes the roles resolution
+	GetByOrgIDAndUserID(ctx context.Context, orgID, userID valuer.UUID) (*types.User, error)
+
 	// Creates the organization and the first user of that organization.
 	CreateFirstUser(ctx context.Context, organization *types.Organization, name string, email valuer.Email, password string) (*types.User, error)

@@ -21,7 +24,7 @@ type Module interface {

 	// Get or Create a reset password token for a user. If the password does not exist, a new one is randomly generated and inserted. The function
 	// is idempotent and can be called multiple times.
-	GetOrCreateResetPasswordToken(ctx context.Context, userID valuer.UUID) (*types.ResetPasswordToken, error)
+	GetOrCreateResetPasswordToken(ctx context.Context, orgID, userID valuer.UUID) (*types.ResetPasswordToken, error)

 	// Updates password of a user using a reset password token. It also deletes all reset password tokens for the user.
 	// This is used to reset the password of a user when they forget their password.
@@ -41,6 +44,9 @@ type Module interface {

 	// invite
 	CreateBulkInvite(ctx context.Context, orgID valuer.UUID, userID valuer.UUID, bulkInvites *types.PostableBulkInviteRequest) ([]*types.Invite, error)
+	ListInvite(ctx context.Context, orgID string) ([]*types.Invite, error)
+	AcceptInvite(ctx context.Context, token string, password string) (*types.User, error)
+	GetInviteByToken(ctx context.Context, token string) (*types.Invite, error)

 	// API KEY
 	CreateAPIKey(ctx context.Context, apiKey *types.StorableAPIKey) error
@@ -61,12 +67,6 @@ type Getter interface {
 	// Get gets the users based on the given id
 	ListByOrgID(context.Context, valuer.UUID) ([]*types.User, error)

-	// Get users by email.
-	GetUsersByEmail(context.Context, valuer.Email) ([]*types.User, error)
-
-	// Get user by orgID and id.
-	GetByOrgIDAndID(context.Context, valuer.UUID, valuer.UUID) (*types.User, error)
-
 	// Get user by id.
 	Get(context.Context, valuer.UUID) (*types.User, error)

@@ -86,6 +86,10 @@ type Getter interface {
 type Handler interface {
 	// invite
 	CreateInvite(http.ResponseWriter, *http.Request)
+	AcceptInvite(http.ResponseWriter, *http.Request)
+	GetInvite(http.ResponseWriter, *http.Request) // public function
+	ListInvite(http.ResponseWriter, *http.Request)
+	DeleteInvite(http.ResponseWriter, *http.Request)
 	CreateBulkInvite(http.ResponseWriter, *http.Request)

 	ListUsers(http.ResponseWriter, *http.Request)
--- a/pkg/query-service/agentConf/db.go
+++ b/pkg/query-service/agentConf/db.go
@@ -115,7 +115,6 @@ func (r *Repo) GetLatestVersion(
 func (r *Repo) insertConfig(
 	ctx context.Context, orgId valuer.UUID, userId valuer.UUID, c *opamptypes.AgentConfigVersion, elements []string,
 ) error {
-
 	if c.ElementType.StringValue() == "" {
 		return errors.NewInvalidInputf(CodeElementTypeRequired, "element type is required for creating agent config version")
 	}
@@ -229,6 +228,25 @@ func (r *Repo) updateDeployStatus(ctx context.Context,
 	return nil
 }

+// GetDeployStatusByHash returns the DeployStatus for the given config hash
+// (stored with orgId prefix). Returns DeployStatusUnknown when no matching row exists.
+func (r *Repo) GetDeployStatusByHash(ctx context.Context, orgId valuer.UUID, configHash string) (opamptypes.DeployStatus, error) {
+	var version opamptypes.AgentConfigVersion
+	err := r.store.BunDB().NewSelect().
+		Model(&version).
+		ColumnExpr("deploy_status").
+		Where("hash = ?", configHash).
+		Where("org_id = ?", orgId).
+		Scan(ctx)
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return opamptypes.DeployStatusUnknown, nil
+		}
+		return opamptypes.DeployStatusUnknown, errors.WrapInternalf(err, errors.CodeInternal, "failed to query deploy status by hash")
+	}
+	return version.DeployStatus, nil
+}
+
 func (r *Repo) updateDeployStatusByHash(
 	ctx context.Context, orgId valuer.UUID, confighash string, status string, result string,
 ) error {
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Karan Balani	64706b30f2	fix: issues after rebasing from main	2026-03-19 17:12:38 +05:30
Karan Balani	3aad23ab1c	fix: sti	2026-03-19 16:20:23 +05:30
Karan Balani	0455037025	fix: openapi specs	2026-03-19 16:20:23 +05:30
Karan Balani	3102e76e80	chore: update filenames for migrations	2026-03-19 16:20:23 +05:30
Karan Balani	774e9e49dc	fix: more backward compat	2026-03-19 16:20:23 +05:30
Karan Balani	29c3d10769	fix: naming in root user service	2026-03-19 16:20:23 +05:30
Karan Balani	2a75e141dc	fix: backward compatibility issues	2026-03-19 16:20:23 +05:30
Karan Balani	ea5efbb68e	fix: validate role in sso mapping	2026-03-19 16:20:23 +05:30
Karan Balani	15451985e5	fix: found bugs	2026-03-19 16:20:23 +05:30
Karan Balani	ef5c36b2c3	fix: revert some role related changes	2026-03-19 16:20:23 +05:30
Karan Balani	ad83b0e09b	chore: keep support for role for backward compatibility	2026-03-19 16:20:23 +05:30
Karan Balani	4f3b75a914	fix: leftovers	2026-03-19 16:20:23 +05:30
Karan Balani	809c66e27e	feat: introduce user_role table	2026-03-19 16:20:23 +05:30
Karan Balani	57442ef4a4	fix: types for email and org id in storableuser struct	2026-03-19 16:20:23 +05:30
Karan Balani	267d2b1d42	chore: use deleted at also in conversions and remove user_role file, will be added in diff pr	2026-03-19 16:20:23 +05:30
Karan Balani	2add13d228	chore: revert openapi changes, keeping this clean	2026-03-19 16:20:23 +05:30
Karan Balani	c35990ead9	chore: update openapi spec	2026-03-19 16:20:23 +05:30
Karan Balani	f23a364fbe	refactor: separate db and domain models for user	2026-03-19 16:20:22 +05:30
Karan Balani	29ec71b98f	fix: allow gateway apis on editor access (#10646 ) Some checks failed build-staging / prepare (push) Has been cancelled Details build-staging / js-build (push) Has been cancelled Details build-staging / go-build (push) Has been cancelled Details build-staging / staging (push) Has been cancelled Details Release Drafter / update_release_draft (push) Has been cancelled Details * fix: allow gateway apis on editor access * fix: fmtlint and middleware * fix: fmtlint trailing new lines	2026-03-19 10:30:28 +00:00
Pandey	ca9cbd92e4	feat(identn): implement an impersonation identn (#10641 ) * feat(identn): implement an impersonation identn * fix: prevent nil pointer error * feat: dry org code by implementing getbyidorname * feat: add integration tests for root user and impersonation * fix: fix lint	2026-03-19 10:13:12 +00:00
Abhi kumar	0faef8705d	feat: added changes for spangaps thresholds (#10570 ) * feat: added section in panel settings * feat: added changes for spangaps thresholds * chore: minor changes * fix: fixed failing tests * fix: minor style fixes * chore: updated the categorisation * feat: added chart appearance settings in panel * feat: added fill mode in timeseries * chore: broke down rightcontainer component into sub-components * chore: minor cleanup * chore: fixed disconnect points logic * chore: added spanGaps selection component * chore: updated rightcontainer * fix: added fix for the UI * chore: fixed ui issues * chore: fixed styles * chore: default spangaps to true * chore: moved preparedata to utils * chore: hidden chart appearance * chore: pr review comments * chore: pr review comments * chore: updated variable names * chore: fixed minor changes * chore: updated test * chore: updated test	2026-03-19 09:40:02 +00:00
Ashwin Bhatkal	2ca9085b52	chore: add eslint rule for zustand getState (#10648 )	2026-03-19 09:13:09 +00:00
Piyush Singariya	b7d0c8b5a2	Revert "Revert "fix: "In Progress" stuck agent config (#10476 )" (#10633 )" (#10644 ) This reverts commit `c8fcc48022`.	2026-03-19 04:48:17 +00:00
Vinicius Lourenço	ce5499d5a7	feat(authz): migrate authorization to authz instead of user.role (#10486 ) Some checks failed build-staging / prepare (push) Has been cancelled Details build-staging / js-build (push) Has been cancelled Details build-staging / go-build (push) Has been cancelled Details build-staging / staging (push) Has been cancelled Details Release Drafter / update_release_draft (push) Has been cancelled Details * feat(authz): migrate authorization to authz instead of user.role * fixup! feat(authz): migrate authorization to authz instead of user.role address comments * fixup! fixup! feat(authz): migrate authorization to authz instead of user.role Allow anonymous to go to unauthorized, otherwise it will loop in errors * fixup! fixup! fixup! feat(authz): migrate authorization to authz instead of user.role Improve error message when anonymous * fixup! fixup! fixup! fixup! feat(authz): migrate authorization to authz instead of user.role Format breaking with new css	2026-03-18 18:24:11 +00:00
Pandey	4554a09a42	fix: handle foreign key constraint on rule and planned maintenance deletion (#10632 ) * fix: handle foreign key constraint on rule and planned maintenance deletion * fix: handle foreign key constraint on rule and planned maintenance deletion * fix: handle foreign key constraint on rule and planned maintenance deletion	2026-03-18 16:38:37 +00:00
swapnil-signoz	794a7f4ca6	fix: adding migration to fix wrong index on cloud integration table (#10607 ) * fix: adding migration for fixing wrong cloud integration unique index * refactor: removing std errors pkg * refactor: normalising account_id if empty * feat: adding integration test	2026-03-18 16:01:55 +00:00
aniketio-ctrl	fd3b1c5374	fix(checkout): pass downstream error meesage to UI (#10636 ) * fix(checkout): pass downstream error meesage to UI * fix(checkout): pass downstream error meesage to UI * fix(checkout): pass downstream error meesage to UI * fix(checkout): pass downstream error meesage to UI * fix(checkout): pass downstream error meesage to UI	2026-03-18 15:28:01 +00:00