feat(mult-credentials): progress

2026-02-11 23:14:58 -05:00 · 2026-02-11 15:18:31 -08:00
parent 2f492cacc1
commit 253161afba
44 changed files with 15541 additions and 469 deletions
--- a/apps/sim/app/api/auth/accounts/route.ts
+++ b/apps/sim/app/api/auth/accounts/route.ts
@@ -32,14 +32,11 @@ export async function GET(request: NextRequest) {
      .from(account)
      .where(and(...whereConditions))

-    // Use the user's email as the display name (consistent with credential selector)
-    const userEmail = session.user.email
-
    const accountsWithDisplayName = accounts.map((acc) => ({
      id: acc.id,
      accountId: acc.accountId,
      providerId: acc.providerId,
-      displayName: userEmail || acc.providerId,
+      displayName: acc.accountId || acc.providerId,
    }))

    return NextResponse.json({ accounts: accountsWithDisplayName })
--- a/apps/sim/app/api/auth/oauth/credentials/route.ts
+++ b/apps/sim/app/api/auth/oauth/credentials/route.ts
@@ -1,5 +1,5 @@
 import { db } from '@sim/db'
-import { account, user } from '@sim/db/schema'
+import { account, credential, credentialMember, user } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { jwtDecode } from 'jwt-decode'
@@ -7,8 +7,10 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { syncWorkspaceOAuthCredentialsForUser } from '@/lib/credentials/oauth'
 import { evaluateScopeCoverage, type OAuthProvider, parseProvider } from '@/lib/oauth'
 import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
+import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'

 export const dynamic = 'force-dynamic'

@@ -18,6 +20,7 @@ const credentialsQuerySchema = z
  .object({
    provider: z.string().nullish(),
    workflowId: z.string().uuid('Workflow ID must be a valid UUID').nullish(),
+    workspaceId: z.string().uuid('Workspace ID must be a valid UUID').nullish(),
    credentialId: z
      .string()
      .min(1, 'Credential ID must not be empty')
@@ -35,6 +38,79 @@ interface GoogleIdToken {
  name?: string
 }

+function toCredentialResponse(
+  id: string,
+  displayName: string,
+  providerId: string,
+  updatedAt: Date,
+  scope: string | null
+) {
+  const storedScope = scope?.trim()
+  const grantedScopes = storedScope ? storedScope.split(/[\s,]+/).filter(Boolean) : []
+  const scopeEvaluation = evaluateScopeCoverage(providerId, grantedScopes)
+  const [_, featureType = 'default'] = providerId.split('-')
+
+  return {
+    id,
+    name: displayName,
+    provider: providerId,
+    lastUsed: updatedAt.toISOString(),
+    isDefault: featureType === 'default',
+    scopes: scopeEvaluation.grantedScopes,
+    canonicalScopes: scopeEvaluation.canonicalScopes,
+    missingScopes: scopeEvaluation.missingScopes,
+    extraScopes: scopeEvaluation.extraScopes,
+    requiresReauthorization: scopeEvaluation.requiresReauthorization,
+  }
+}
+
+async function getFallbackDisplayName(
+  requestId: string,
+  providerParam: string | null | undefined,
+  accountRow: {
+    idToken: string | null
+    accountId: string
+    userId: string
+  }
+) {
+  const providerForParse = (providerParam || 'google') as OAuthProvider
+  const { baseProvider } = parseProvider(providerForParse)
+
+  if (accountRow.idToken) {
+    try {
+      const decoded = jwtDecode<GoogleIdToken>(accountRow.idToken)
+      if (decoded.email) return decoded.email
+      if (decoded.name) return decoded.name
+    } catch (_error) {
+      logger.warn(`[${requestId}] Error decoding ID token`, {
+        accountId: accountRow.accountId,
+      })
+    }
+  }
+
+  if (baseProvider === 'github') {
+    return `${accountRow.accountId} (GitHub)`
+  }
+
+  try {
+    const userRecord = await db
+      .select({ email: user.email })
+      .from(user)
+      .where(eq(user.id, accountRow.userId))
+      .limit(1)
+
+    if (userRecord.length > 0) {
+      return userRecord[0].email
+    }
+  } catch (_error) {
+    logger.warn(`[${requestId}] Error fetching user email`, {
+      userId: accountRow.userId,
+    })
+  }
+
+  return `${accountRow.accountId} (${baseProvider})`
+}
+
 /**
 * Get credentials for a specific provider
 */
@@ -46,6 +122,7 @@ export async function GET(request: NextRequest) {
    const rawQuery = {
      provider: searchParams.get('provider'),
      workflowId: searchParams.get('workflowId'),
+      workspaceId: searchParams.get('workspaceId'),
      credentialId: searchParams.get('credentialId'),
    }

@@ -78,7 +155,7 @@ export async function GET(request: NextRequest) {
      )
    }

-    const { provider: providerParam, workflowId, credentialId } = parseResult.data
+    const { provider: providerParam, workflowId, workspaceId, credentialId } = parseResult.data

    // Authenticate requester (supports session and internal JWT)
    const authResult = await checkSessionOrInternalAuth(request)
@@ -88,7 +165,7 @@ export async function GET(request: NextRequest) {
    }
    const requesterUserId = authResult.userId

-    const effectiveUserId = requesterUserId
+    let effectiveWorkspaceId = workspaceId ?? undefined
    if (workflowId) {
      const workflowAuthorization = await authorizeWorkflowByWorkspacePermission({
        workflowId,
@@ -106,101 +183,145 @@ export async function GET(request: NextRequest) {
          { status: workflowAuthorization.status }
        )
      }
+      effectiveWorkspaceId = workflowAuthorization.workflow?.workspaceId || undefined
    }

-    // Parse the provider to get base provider and feature type (if provider is present)
-    const { baseProvider } = parseProvider((providerParam || 'google') as OAuthProvider)
+    if (effectiveWorkspaceId) {
+      const workspaceAccess = await checkWorkspaceAccess(effectiveWorkspaceId, requesterUserId)
+      if (!workspaceAccess.hasAccess) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }

    let accountsData

+    if (credentialId) {
+      const [platformCredential] = await db
+        .select({
+          id: credential.id,
+          workspaceId: credential.workspaceId,
+          type: credential.type,
+          displayName: credential.displayName,
+          providerId: credential.providerId,
+          accountId: credential.accountId,
+          accountProviderId: account.providerId,
+          accountScope: account.scope,
+          accountUpdatedAt: account.updatedAt,
+        })
+        .from(credential)
+        .leftJoin(account, eq(credential.accountId, account.id))
+        .where(eq(credential.id, credentialId))
+        .limit(1)
+
+      if (platformCredential) {
+        if (platformCredential.type !== 'oauth' || !platformCredential.accountId) {
+          return NextResponse.json({ credentials: [] }, { status: 200 })
+        }
+
+        if (workflowId) {
+          if (!effectiveWorkspaceId || platformCredential.workspaceId !== effectiveWorkspaceId) {
+            return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+          }
+        } else {
+          const [membership] = await db
+            .select({ id: credentialMember.id })
+            .from(credentialMember)
+            .where(
+              and(
+                eq(credentialMember.credentialId, platformCredential.id),
+                eq(credentialMember.userId, requesterUserId),
+                eq(credentialMember.status, 'active')
+              )
+            )
+            .limit(1)
+
+          if (!membership) {
+            return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+          }
+        }
+
+        if (!platformCredential.accountProviderId || !platformCredential.accountUpdatedAt) {
+          return NextResponse.json({ credentials: [] }, { status: 200 })
+        }
+
+        return NextResponse.json(
+          {
+            credentials: [
+              toCredentialResponse(
+                platformCredential.id,
+                platformCredential.displayName,
+                platformCredential.accountProviderId,
+                platformCredential.accountUpdatedAt,
+                platformCredential.accountScope
+              ),
+            ],
+          },
+          { status: 200 }
+        )
+      }
+    }
+
+    if (effectiveWorkspaceId && providerParam) {
+      await syncWorkspaceOAuthCredentialsForUser({
+        workspaceId: effectiveWorkspaceId,
+        userId: requesterUserId,
+      })
+
+      const credentialsData = await db
+        .select({
+          id: credential.id,
+          displayName: credential.displayName,
+          providerId: account.providerId,
+          scope: account.scope,
+          updatedAt: account.updatedAt,
+        })
+        .from(credential)
+        .innerJoin(account, eq(credential.accountId, account.id))
+        .innerJoin(
+          credentialMember,
+          and(
+            eq(credentialMember.credentialId, credential.id),
+            eq(credentialMember.userId, requesterUserId),
+            eq(credentialMember.status, 'active')
+          )
+        )
+        .where(
+          and(
+            eq(credential.workspaceId, effectiveWorkspaceId),
+            eq(credential.type, 'oauth'),
+            eq(account.providerId, providerParam)
+          )
+        )
+
+      return NextResponse.json(
+        {
+          credentials: credentialsData.map((row) =>
+            toCredentialResponse(row.id, row.displayName, row.providerId, row.updatedAt, row.scope)
+          ),
+        },
+        { status: 200 }
+      )
+    }
+
    if (credentialId && workflowId) {
-      // When both workflowId and credentialId are provided, fetch by ID only.
-      // Workspace authorization above already proves access; the credential
-      // may belong to another workspace member (e.g. for display name resolution).
      accountsData = await db.select().from(account).where(eq(account.id, credentialId))
    } else if (credentialId) {
      accountsData = await db
        .select()
        .from(account)
-        .where(and(eq(account.userId, effectiveUserId), eq(account.id, credentialId)))
+        .where(and(eq(account.userId, requesterUserId), eq(account.id, credentialId)))
    } else {
-      // Fetch all credentials for provider and effective user
      accountsData = await db
        .select()
        .from(account)
-        .where(and(eq(account.userId, effectiveUserId), eq(account.providerId, providerParam!)))
+        .where(and(eq(account.userId, requesterUserId), eq(account.providerId, providerParam!)))
    }

    // Transform accounts into credentials
    const credentials = await Promise.all(
      accountsData.map(async (acc) => {
-        // Extract the feature type from providerId (e.g., 'google-default' -> 'default')
-        const [_, featureType = 'default'] = acc.providerId.split('-')
-
-        // Try multiple methods to get a user-friendly display name
-        let displayName = ''
-
-        // Method 1: Try to extract email from ID token (works for Google, etc.)
-        if (acc.idToken) {
-          try {
-            const decoded = jwtDecode<GoogleIdToken>(acc.idToken)
-            if (decoded.email) {
-              displayName = decoded.email
-            } else if (decoded.name) {
-              displayName = decoded.name
-            }
-          } catch (_error) {
-            logger.warn(`[${requestId}] Error decoding ID token`, {
-              accountId: acc.id,
-            })
-          }
-        }
-
-        // Method 2: For GitHub, the accountId might be the username
-        if (!displayName && baseProvider === 'github') {
-          displayName = `${acc.accountId} (GitHub)`
-        }
-
-        // Method 3: Try to get the user's email from our database
-        if (!displayName) {
-          try {
-            const userRecord = await db
-              .select({ email: user.email })
-              .from(user)
-              .where(eq(user.id, acc.userId))
-              .limit(1)
-
-            if (userRecord.length > 0) {
-              displayName = userRecord[0].email
-            }
-          } catch (_error) {
-            logger.warn(`[${requestId}] Error fetching user email`, {
-              userId: acc.userId,
-            })
-          }
-        }
-
-        // Fallback: Use accountId with provider type as context
-        if (!displayName) {
-          displayName = `${acc.accountId} (${baseProvider})`
-        }
-
-        const storedScope = acc.scope?.trim()
-        const grantedScopes = storedScope ? storedScope.split(/[\s,]+/).filter(Boolean) : []
-        const scopeEvaluation = evaluateScopeCoverage(acc.providerId, grantedScopes)
-
-        return {
-          id: acc.id,
-          name: displayName,
-          provider: acc.providerId,
-          lastUsed: acc.updatedAt.toISOString(),
-          isDefault: featureType === 'default',
-          scopes: scopeEvaluation.grantedScopes,
-          canonicalScopes: scopeEvaluation.canonicalScopes,
-          missingScopes: scopeEvaluation.missingScopes,
-          extraScopes: scopeEvaluation.extraScopes,
-          requiresReauthorization: scopeEvaluation.requiresReauthorization,
-        }
+        const displayName = await getFallbackDisplayName(requestId, providerParam, acc)
+        return toCredentialResponse(acc.id, displayName, acc.providerId, acc.updatedAt, acc.scope)
      })
    )

--- a/apps/sim/app/api/auth/oauth/disconnect/route.ts
+++ b/apps/sim/app/api/auth/oauth/disconnect/route.ts
@@ -15,6 +15,7 @@ const logger = createLogger('OAuthDisconnectAPI')
 const disconnectSchema = z.object({
  provider: z.string({ required_error: 'Provider is required' }).min(1, 'Provider is required'),
  providerId: z.string().optional(),
+  accountId: z.string().optional(),
 })

 /**
@@ -50,15 +51,20 @@ export async function POST(request: NextRequest) {
      )
    }

-    const { provider, providerId } = parseResult.data
+    const { provider, providerId, accountId } = parseResult.data

    logger.info(`[${requestId}] Processing OAuth disconnect request`, {
      provider,
      hasProviderId: !!providerId,
    })

-    // If a specific providerId is provided, delete only that account
-    if (providerId) {
+    // If a specific account row ID is provided, delete that exact account
+    if (accountId) {
+      await db
+        .delete(account)
+        .where(and(eq(account.userId, session.user.id), eq(account.id, accountId)))
+    } else if (providerId) {
+      // If a specific providerId is provided, delete accounts for that provider ID
      await db
        .delete(account)
        .where(and(eq(account.userId, session.user.id), eq(account.providerId, providerId)))
--- a/apps/sim/app/api/auth/oauth/microsoft/file/route.ts
+++ b/apps/sim/app/api/auth/oauth/microsoft/file/route.ts
@@ -38,13 +38,18 @@ export async function GET(request: NextRequest) {
      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status })
    }

-    const credential = await getCredential(requestId, credentialId, authz.credentialOwnerUserId)
+    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
+    const credential = await getCredential(
+      requestId,
+      resolvedCredentialId,
+      authz.credentialOwnerUserId
+    )
    if (!credential) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }

    const accessToken = await refreshAccessTokenIfNeeded(
-      credentialId,
+      resolvedCredentialId,
      authz.credentialOwnerUserId,
      requestId
    )
--- a/apps/sim/app/api/auth/oauth/microsoft/files/route.ts
+++ b/apps/sim/app/api/auth/oauth/microsoft/files/route.ts
@@ -37,14 +37,19 @@ export async function GET(request: NextRequest) {
      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status })
    }

-    const credential = await getCredential(requestId, credentialId, authz.credentialOwnerUserId)
+    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
+    const credential = await getCredential(
+      requestId,
+      resolvedCredentialId,
+      authz.credentialOwnerUserId
+    )
    if (!credential) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }

    // Refresh access token if needed using the utility function
    const accessToken = await refreshAccessTokenIfNeeded(
-      credentialId,
+      resolvedCredentialId,
      authz.credentialOwnerUserId,
      requestId
    )
--- a/apps/sim/app/api/auth/oauth/token/route.ts
+++ b/apps/sim/app/api/auth/oauth/token/route.ts
@@ -119,14 +119,23 @@ export async function POST(request: NextRequest) {
      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
    }

-    const credential = await getCredential(requestId, credentialId, authz.credentialOwnerUserId)
+    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
+    const credential = await getCredential(
+      requestId,
+      resolvedCredentialId,
+      authz.credentialOwnerUserId
+    )

    if (!credential) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }

    try {
-      const { accessToken } = await refreshTokenIfNeeded(requestId, credential, credentialId)
+      const { accessToken } = await refreshTokenIfNeeded(
+        requestId,
+        credential,
+        resolvedCredentialId
+      )

      let instanceUrl: string | undefined
      if (credential.providerId === 'salesforce' && credential.scope) {
@@ -186,13 +195,20 @@ export async function GET(request: NextRequest) {

    const { credentialId } = parseResult.data

-    // For GET requests, we only support session-based authentication
-    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
-    if (!auth.success || auth.authType !== 'session' || !auth.userId) {
-      return NextResponse.json({ error: 'User not authenticated' }, { status: 401 })
+    const authz = await authorizeCredentialUse(request, {
+      credentialId,
+      requireWorkflowIdForInternal: false,
+    })
+    if (!authz.ok || authz.authType !== 'session' || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
    }

-    const credential = await getCredential(requestId, credentialId, auth.userId)
+    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
+    const credential = await getCredential(
+      requestId,
+      resolvedCredentialId,
+      authz.credentialOwnerUserId
+    )

    if (!credential) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
@@ -204,7 +220,11 @@ export async function GET(request: NextRequest) {
    }

    try {
-      const { accessToken } = await refreshTokenIfNeeded(requestId, credential, credentialId)
+      const { accessToken } = await refreshTokenIfNeeded(
+        requestId,
+        credential,
+        resolvedCredentialId
+      )

      // For Salesforce, extract instanceUrl from the scope field
      let instanceUrl: string | undefined
--- a/apps/sim/app/api/auth/oauth/utils.test.ts
+++ b/apps/sim/app/api/auth/oauth/utils.test.ts
@@ -50,7 +50,7 @@ describe('OAuth Utils', () => {
  describe('getCredential', () => {
    it('should return credential when found', async () => {
      const mockCredential = { id: 'credential-id', userId: 'test-user-id' }
-      mockDbTyped.limit.mockReturnValueOnce([mockCredential])
+      mockDbTyped.limit.mockReturnValueOnce([]).mockReturnValueOnce([mockCredential])

      const credential = await getCredential('request-id', 'credential-id', 'test-user-id')

@@ -59,7 +59,8 @@ describe('OAuth Utils', () => {
      expect(mockDbTyped.where).toHaveBeenCalled()
      expect(mockDbTyped.limit).toHaveBeenCalledWith(1)

-      expect(credential).toEqual(mockCredential)
+      expect(credential).toMatchObject(mockCredential)
+      expect(credential).toMatchObject({ resolvedCredentialId: 'credential-id' })
    })

    it('should return undefined when credential is not found', async () => {
@@ -152,7 +153,7 @@ describe('OAuth Utils', () => {
        providerId: 'google',
        userId: 'test-user-id',
      }
-      mockDbTyped.limit.mockReturnValueOnce([mockCredential])
+      mockDbTyped.limit.mockReturnValueOnce([]).mockReturnValueOnce([mockCredential])

      const token = await refreshAccessTokenIfNeeded('credential-id', 'test-user-id', 'request-id')

@@ -169,7 +170,7 @@ describe('OAuth Utils', () => {
        providerId: 'google',
        userId: 'test-user-id',
      }
-      mockDbTyped.limit.mockReturnValueOnce([mockCredential])
+      mockDbTyped.limit.mockReturnValueOnce([]).mockReturnValueOnce([mockCredential])

      mockRefreshOAuthToken.mockResolvedValueOnce({
        accessToken: 'new-token',
@@ -202,7 +203,7 @@ describe('OAuth Utils', () => {
        providerId: 'google',
        userId: 'test-user-id',
      }
-      mockDbTyped.limit.mockReturnValueOnce([mockCredential])
+      mockDbTyped.limit.mockReturnValueOnce([]).mockReturnValueOnce([mockCredential])

      mockRefreshOAuthToken.mockResolvedValueOnce(null)

--- a/apps/sim/app/api/auth/oauth/utils.ts
+++ b/apps/sim/app/api/auth/oauth/utils.ts
@@ -1,5 +1,5 @@
 import { db } from '@sim/db'
-import { account, credentialSetMember } from '@sim/db/schema'
+import { account, credential, credentialSetMember } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, desc, eq, inArray } from 'drizzle-orm'
 import { refreshOAuthToken } from '@/lib/oauth'
@@ -25,6 +25,28 @@ interface AccountInsertData {
  accessTokenExpiresAt?: Date
 }

+async function resolveOAuthAccountId(
+  credentialId: string
+): Promise<{ accountId: string; usedCredentialTable: boolean } | null> {
+  const [credentialRow] = await db
+    .select({
+      type: credential.type,
+      accountId: credential.accountId,
+    })
+    .from(credential)
+    .where(eq(credential.id, credentialId))
+    .limit(1)
+
+  if (credentialRow) {
+    if (credentialRow.type !== 'oauth' || !credentialRow.accountId) {
+      return null
+    }
+    return { accountId: credentialRow.accountId, usedCredentialTable: true }
+  }
+
+  return { accountId: credentialId, usedCredentialTable: false }
+}
+
 /**
 * Safely inserts an account record, handling duplicate constraint violations gracefully.
 * If a duplicate is detected (unique constraint violation), logs a warning and returns success.
@@ -52,10 +74,16 @@ export async function safeAccountInsert(
 * Get a credential by ID and verify it belongs to the user
 */
 export async function getCredential(requestId: string, credentialId: string, userId: string) {
+  const resolved = await resolveOAuthAccountId(credentialId)
+  if (!resolved) {
+    logger.warn(`[${requestId}] Credential is not an OAuth credential`)
+    return undefined
+  }
+
  const credentials = await db
    .select()
    .from(account)
-    .where(and(eq(account.id, credentialId), eq(account.userId, userId)))
+    .where(and(eq(account.id, resolved.accountId), eq(account.userId, userId)))
    .limit(1)

  if (!credentials.length) {
@@ -63,7 +91,10 @@ export async function getCredential(requestId: string, credentialId: string, use
    return undefined
  }

-  return credentials[0]
+  return {
+    ...credentials[0],
+    resolvedCredentialId: resolved.accountId,
+  }
 }

 export async function getOAuthToken(userId: string, providerId: string): Promise<string | null> {
@@ -238,7 +269,9 @@ export async function refreshAccessTokenIfNeeded(
      }

      // Update the token in the database
-      await db.update(account).set(updateData).where(eq(account.id, credentialId))
+      const resolvedCredentialId =
+        (credential as { resolvedCredentialId?: string }).resolvedCredentialId ?? credentialId
+      await db.update(account).set(updateData).where(eq(account.id, resolvedCredentialId))

      logger.info(`[${requestId}] Successfully refreshed access token for credential`)
      return refreshedToken.accessToken
@@ -274,6 +307,8 @@ export async function refreshTokenIfNeeded(
  credential: any,
  credentialId: string
 ): Promise<{ accessToken: string; refreshed: boolean }> {
+  const resolvedCredentialId = credential.resolvedCredentialId ?? credentialId
+
  // Decide if we should refresh: token missing OR expired
  const accessTokenExpiresAt = credential.accessTokenExpiresAt
  const refreshTokenExpiresAt = credential.refreshTokenExpiresAt
@@ -334,7 +369,7 @@ export async function refreshTokenIfNeeded(
      updateData.refreshTokenExpiresAt = getMicrosoftRefreshTokenExpiry()
    }

-    await db.update(account).set(updateData).where(eq(account.id, credentialId))
+    await db.update(account).set(updateData).where(eq(account.id, resolvedCredentialId))

    logger.info(`[${requestId}] Successfully refreshed access token`)
    return { accessToken: refreshedToken, refreshed: true }
@@ -343,7 +378,7 @@ export async function refreshTokenIfNeeded(
      `[${requestId}] Refresh attempt failed, checking if another concurrent request succeeded`
    )

-    const freshCredential = await getCredential(requestId, credentialId, credential.userId)
+    const freshCredential = await getCredential(requestId, resolvedCredentialId, credential.userId)
    if (freshCredential?.accessToken) {
      const freshExpiresAt = freshCredential.accessTokenExpiresAt
      const stillValid = !freshExpiresAt || freshExpiresAt > new Date()
--- a/apps/sim/app/api/credentials/[id]/members/route.ts
+++ b/apps/sim/app/api/credentials/[id]/members/route.ts
@@ -0,0 +1,220 @@
+import { db } from '@sim/db'
+import { credentialMember, user } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq } from 'drizzle-orm'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { getSession } from '@/lib/auth'
+import { getCredentialActorContext } from '@/lib/credentials/access'
+import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
+
+const logger = createLogger('CredentialMembersAPI')
+
+const upsertMemberSchema = z.object({
+  userId: z.string().min(1),
+  role: z.enum(['admin', 'member']),
+})
+
+const deleteMemberSchema = z.object({
+  userId: z.string().min(1),
+})
+
+export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const { id } = await params
+
+  try {
+    const access = await getCredentialActorContext(id, session.user.id)
+    if (!access.credential) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+    if (!access.hasWorkspaceAccess || !access.isAdmin) {
+      return NextResponse.json({ error: 'Credential admin permission required' }, { status: 403 })
+    }
+
+    const members = await db
+      .select({
+        id: credentialMember.id,
+        userId: credentialMember.userId,
+        role: credentialMember.role,
+        status: credentialMember.status,
+        joinedAt: credentialMember.joinedAt,
+        invitedBy: credentialMember.invitedBy,
+        createdAt: credentialMember.createdAt,
+        updatedAt: credentialMember.updatedAt,
+        userName: user.name,
+        userEmail: user.email,
+        userImage: user.image,
+      })
+      .from(credentialMember)
+      .leftJoin(user, eq(credentialMember.userId, user.id))
+      .where(eq(credentialMember.credentialId, id))
+
+    return NextResponse.json({ members }, { status: 200 })
+  } catch (error) {
+    logger.error('Failed to list credential members', error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+
+export async function POST(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const { id } = await params
+
+  try {
+    const parseResult = upsertMemberSchema.safeParse(await request.json())
+    if (!parseResult.success) {
+      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
+    }
+
+    const access = await getCredentialActorContext(id, session.user.id)
+    if (!access.credential) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+    if (!access.hasWorkspaceAccess || !access.isAdmin) {
+      return NextResponse.json({ error: 'Credential admin permission required' }, { status: 403 })
+    }
+
+    const targetWorkspaceAccess = await checkWorkspaceAccess(
+      access.credential.workspaceId,
+      parseResult.data.userId
+    )
+    if (!targetWorkspaceAccess.hasAccess) {
+      return NextResponse.json(
+        { error: 'User must have workspace access before being added to a credential' },
+        { status: 400 }
+      )
+    }
+
+    const now = new Date()
+    const [existingMember] = await db
+      .select()
+      .from(credentialMember)
+      .where(
+        and(
+          eq(credentialMember.credentialId, id),
+          eq(credentialMember.userId, parseResult.data.userId)
+        )
+      )
+      .limit(1)
+
+    if (existingMember) {
+      await db
+        .update(credentialMember)
+        .set({
+          role: parseResult.data.role,
+          status: 'active',
+          joinedAt: existingMember.joinedAt ?? now,
+          invitedBy: session.user.id,
+          updatedAt: now,
+        })
+        .where(eq(credentialMember.id, existingMember.id))
+    } else {
+      await db.insert(credentialMember).values({
+        id: crypto.randomUUID(),
+        credentialId: id,
+        userId: parseResult.data.userId,
+        role: parseResult.data.role,
+        status: 'active',
+        joinedAt: now,
+        invitedBy: session.user.id,
+        createdAt: now,
+        updatedAt: now,
+      })
+    }
+
+    return NextResponse.json({ success: true }, { status: 200 })
+  } catch (error) {
+    logger.error('Failed to upsert credential member', error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+
+export async function DELETE(
+  request: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const { id } = await params
+
+  try {
+    const parseResult = deleteMemberSchema.safeParse({
+      userId: new URL(request.url).searchParams.get('userId'),
+    })
+    if (!parseResult.success) {
+      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
+    }
+
+    const access = await getCredentialActorContext(id, session.user.id)
+    if (!access.credential) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+    if (!access.hasWorkspaceAccess || !access.isAdmin) {
+      return NextResponse.json({ error: 'Credential admin permission required' }, { status: 403 })
+    }
+
+    const [memberToRevoke] = await db
+      .select()
+      .from(credentialMember)
+      .where(
+        and(
+          eq(credentialMember.credentialId, id),
+          eq(credentialMember.userId, parseResult.data.userId)
+        )
+      )
+      .limit(1)
+
+    if (!memberToRevoke) {
+      return NextResponse.json({ error: 'Member not found' }, { status: 404 })
+    }
+
+    if (memberToRevoke.status !== 'active') {
+      return NextResponse.json({ success: true }, { status: 200 })
+    }
+
+    if (memberToRevoke.role === 'admin') {
+      const activeAdmins = await db
+        .select({ id: credentialMember.id })
+        .from(credentialMember)
+        .where(
+          and(
+            eq(credentialMember.credentialId, id),
+            eq(credentialMember.role, 'admin'),
+            eq(credentialMember.status, 'active')
+          )
+        )
+
+      if (activeAdmins.length <= 1) {
+        return NextResponse.json(
+          { error: 'Cannot revoke the last active admin from a credential' },
+          { status: 400 }
+        )
+      }
+    }
+
+    await db
+      .update(credentialMember)
+      .set({
+        status: 'revoked',
+        updatedAt: new Date(),
+      })
+      .where(eq(credentialMember.id, memberToRevoke.id))
+
+    return NextResponse.json({ success: true }, { status: 200 })
+  } catch (error) {
+    logger.error('Failed to revoke credential member', error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
--- a/apps/sim/app/api/credentials/[id]/route.ts
+++ b/apps/sim/app/api/credentials/[id]/route.ts
@@ -0,0 +1,147 @@
+import { db } from '@sim/db'
+import { credential, credentialMember } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq } from 'drizzle-orm'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { getSession } from '@/lib/auth'
+import { getCredentialActorContext } from '@/lib/credentials/access'
+
+const logger = createLogger('CredentialByIdAPI')
+
+const updateCredentialSchema = z
+  .object({
+    displayName: z.string().trim().min(1).max(255).optional(),
+    accountId: z.string().trim().min(1).optional(),
+  })
+  .strict()
+  .refine((data) => Boolean(data.displayName || data.accountId), {
+    message: 'At least one field must be provided',
+    path: ['displayName'],
+  })
+
+async function getCredentialResponse(credentialId: string, userId: string) {
+  const [row] = await db
+    .select({
+      id: credential.id,
+      workspaceId: credential.workspaceId,
+      type: credential.type,
+      displayName: credential.displayName,
+      providerId: credential.providerId,
+      accountId: credential.accountId,
+      envKey: credential.envKey,
+      envOwnerUserId: credential.envOwnerUserId,
+      createdBy: credential.createdBy,
+      createdAt: credential.createdAt,
+      updatedAt: credential.updatedAt,
+      role: credentialMember.role,
+      status: credentialMember.status,
+    })
+    .from(credential)
+    .innerJoin(
+      credentialMember,
+      and(eq(credentialMember.credentialId, credential.id), eq(credentialMember.userId, userId))
+    )
+    .where(eq(credential.id, credentialId))
+    .limit(1)
+
+  return row ?? null
+}
+
+export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const { id } = await params
+
+  try {
+    const access = await getCredentialActorContext(id, session.user.id)
+    if (!access.credential) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+    if (!access.hasWorkspaceAccess || !access.member) {
+      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+    }
+
+    const row = await getCredentialResponse(id, session.user.id)
+    return NextResponse.json({ credential: row }, { status: 200 })
+  } catch (error) {
+    logger.error('Failed to fetch credential', error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+
+export async function PUT(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const { id } = await params
+
+  try {
+    const parseResult = updateCredentialSchema.safeParse(await request.json())
+    if (!parseResult.success) {
+      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
+    }
+
+    const access = await getCredentialActorContext(id, session.user.id)
+    if (!access.credential) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+    if (!access.hasWorkspaceAccess || !access.isAdmin) {
+      return NextResponse.json({ error: 'Credential admin permission required' }, { status: 403 })
+    }
+
+    if (access.credential.type === 'oauth') {
+      return NextResponse.json(
+        {
+          error:
+            'OAuth credential editing is disabled. Connect an account and create or use its linked credential.',
+        },
+        { status: 400 }
+      )
+    }
+
+    return NextResponse.json(
+      {
+        error:
+          'Environment credentials cannot be updated via this endpoint. Use the environment value editor in credentials settings.',
+      },
+      { status: 400 }
+    )
+  } catch (error) {
+    logger.error('Failed to update credential', error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+
+export async function DELETE(
+  request: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const { id } = await params
+
+  try {
+    const access = await getCredentialActorContext(id, session.user.id)
+    if (!access.credential) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+    if (!access.hasWorkspaceAccess || !access.isAdmin) {
+      return NextResponse.json({ error: 'Credential admin permission required' }, { status: 403 })
+    }
+
+    await db.delete(credential).where(eq(credential.id, id))
+    return NextResponse.json({ success: true }, { status: 200 })
+  } catch (error) {
+    logger.error('Failed to delete credential', error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
--- a/apps/sim/app/api/credentials/bootstrap/route.ts
+++ b/apps/sim/app/api/credentials/bootstrap/route.ts
@@ -0,0 +1,81 @@
+import { db } from '@sim/db'
+import { environment, workspaceEnvironment } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { eq } from 'drizzle-orm'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { getSession } from '@/lib/auth'
+import {
+  syncPersonalEnvCredentialsForUser,
+  syncWorkspaceEnvCredentials,
+} from '@/lib/credentials/environment'
+import { syncWorkspaceOAuthCredentialsForUser } from '@/lib/credentials/oauth'
+import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
+
+const logger = createLogger('CredentialsBootstrapAPI')
+
+const bootstrapSchema = z.object({
+  workspaceId: z.string().uuid('Workspace ID must be a valid UUID'),
+})
+
+/**
+ * Ensures the current user's connected accounts and env vars are reflected as workspace credentials.
+ */
+export async function POST(request: NextRequest) {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  try {
+    const parseResult = bootstrapSchema.safeParse(await request.json())
+    if (!parseResult.success) {
+      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
+    }
+
+    const { workspaceId } = parseResult.data
+    const workspaceAccess = await checkWorkspaceAccess(workspaceId, session.user.id)
+    if (!workspaceAccess.hasAccess) {
+      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+    }
+
+    const [personalRow, workspaceRow] = await Promise.all([
+      db
+        .select({ variables: environment.variables })
+        .from(environment)
+        .where(eq(environment.userId, session.user.id))
+        .limit(1),
+      db
+        .select({ variables: workspaceEnvironment.variables })
+        .from(workspaceEnvironment)
+        .where(eq(workspaceEnvironment.workspaceId, workspaceId))
+        .limit(1),
+    ])
+
+    const personalKeys = Object.keys((personalRow[0]?.variables as Record<string, string>) || {})
+    const workspaceKeys = Object.keys((workspaceRow[0]?.variables as Record<string, string>) || {})
+
+    const [oauthSyncResult] = await Promise.all([
+      syncWorkspaceOAuthCredentialsForUser({ workspaceId, userId: session.user.id }),
+      syncPersonalEnvCredentialsForUser({ userId: session.user.id, envKeys: personalKeys }),
+      syncWorkspaceEnvCredentials({
+        workspaceId,
+        envKeys: workspaceKeys,
+        actingUserId: session.user.id,
+      }),
+    ])
+
+    return NextResponse.json({
+      success: true,
+      synced: {
+        oauthCreated: oauthSyncResult.createdCredentials,
+        oauthMembershipsUpdated: oauthSyncResult.updatedMemberships,
+        personalEnvKeys: personalKeys.length,
+        workspaceEnvKeys: workspaceKeys.length,
+      },
+    })
+  } catch (error) {
+    logger.error('Failed to bootstrap workspace credentials', error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
--- a/apps/sim/app/api/credentials/memberships/route.ts
+++ b/apps/sim/app/api/credentials/memberships/route.ts
@@ -0,0 +1,112 @@
+import { db } from '@sim/db'
+import { credential, credentialMember } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq } from 'drizzle-orm'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { getSession } from '@/lib/auth'
+
+const logger = createLogger('CredentialMembershipsAPI')
+
+const leaveCredentialSchema = z.object({
+  credentialId: z.string().min(1),
+})
+
+export async function GET() {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  try {
+    const memberships = await db
+      .select({
+        membershipId: credentialMember.id,
+        credentialId: credential.id,
+        workspaceId: credential.workspaceId,
+        type: credential.type,
+        displayName: credential.displayName,
+        providerId: credential.providerId,
+        role: credentialMember.role,
+        status: credentialMember.status,
+        joinedAt: credentialMember.joinedAt,
+      })
+      .from(credentialMember)
+      .innerJoin(credential, eq(credentialMember.credentialId, credential.id))
+      .where(eq(credentialMember.userId, session.user.id))
+
+    return NextResponse.json({ memberships }, { status: 200 })
+  } catch (error) {
+    logger.error('Failed to list credential memberships', error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+
+export async function DELETE(request: NextRequest) {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  try {
+    const parseResult = leaveCredentialSchema.safeParse({
+      credentialId: new URL(request.url).searchParams.get('credentialId'),
+    })
+    if (!parseResult.success) {
+      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
+    }
+
+    const { credentialId } = parseResult.data
+    const [membership] = await db
+      .select()
+      .from(credentialMember)
+      .where(
+        and(
+          eq(credentialMember.credentialId, credentialId),
+          eq(credentialMember.userId, session.user.id)
+        )
+      )
+      .limit(1)
+
+    if (!membership) {
+      return NextResponse.json({ error: 'Membership not found' }, { status: 404 })
+    }
+
+    if (membership.status !== 'active') {
+      return NextResponse.json({ success: true }, { status: 200 })
+    }
+
+    if (membership.role === 'admin') {
+      const activeAdmins = await db
+        .select({ id: credentialMember.id })
+        .from(credentialMember)
+        .where(
+          and(
+            eq(credentialMember.credentialId, credentialId),
+            eq(credentialMember.role, 'admin'),
+            eq(credentialMember.status, 'active')
+          )
+        )
+
+      if (activeAdmins.length <= 1) {
+        return NextResponse.json(
+          { error: 'Cannot leave credential as the last active admin' },
+          { status: 400 }
+        )
+      }
+    }
+
+    await db
+      .update(credentialMember)
+      .set({
+        status: 'revoked',
+        updatedAt: new Date(),
+      })
+      .where(eq(credentialMember.id, membership.id))
+
+    return NextResponse.json({ success: true }, { status: 200 })
+  } catch (error) {
+    logger.error('Failed to leave credential', error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
--- a/apps/sim/app/api/credentials/route.ts
+++ b/apps/sim/app/api/credentials/route.ts
@@ -0,0 +1,468 @@
+import { db } from '@sim/db'
+import { account, credential, credentialMember, workspace } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq } from 'drizzle-orm'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { getSession } from '@/lib/auth'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { getWorkspaceMemberUserIds } from '@/lib/credentials/environment'
+import { syncWorkspaceOAuthCredentialsForUser } from '@/lib/credentials/oauth'
+import { getServiceConfigByProviderId } from '@/lib/oauth'
+import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
+import { isValidEnvVarName } from '@/executor/constants'
+
+const logger = createLogger('CredentialsAPI')
+
+const credentialTypeSchema = z.enum(['oauth', 'env_workspace', 'env_personal'])
+
+function normalizeEnvKeyInput(raw: string): string {
+  const trimmed = raw.trim()
+  const wrappedMatch = /^\{\{\s*([A-Za-z0-9_]+)\s*\}\}$/.exec(trimmed)
+  return wrappedMatch ? wrappedMatch[1] : trimmed
+}
+
+const listCredentialsSchema = z.object({
+  workspaceId: z.string().uuid('Workspace ID must be a valid UUID'),
+  type: credentialTypeSchema.optional(),
+  providerId: z.string().optional(),
+})
+
+const createCredentialSchema = z
+  .object({
+    workspaceId: z.string().uuid('Workspace ID must be a valid UUID'),
+    type: credentialTypeSchema,
+    displayName: z.string().trim().min(1).max(255).optional(),
+    providerId: z.string().trim().min(1).optional(),
+    accountId: z.string().trim().min(1).optional(),
+    envKey: z.string().trim().min(1).optional(),
+    envOwnerUserId: z.string().trim().min(1).optional(),
+  })
+  .superRefine((data, ctx) => {
+    if (data.type === 'oauth') {
+      if (!data.accountId) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          message: 'accountId is required for oauth credentials',
+          path: ['accountId'],
+        })
+      }
+      if (!data.providerId) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          message: 'providerId is required for oauth credentials',
+          path: ['providerId'],
+        })
+      }
+      if (!data.displayName) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          message: 'displayName is required for oauth credentials',
+          path: ['displayName'],
+        })
+      }
+      return
+    }
+
+    const normalizedEnvKey = data.envKey ? normalizeEnvKeyInput(data.envKey) : ''
+    if (!normalizedEnvKey) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: 'envKey is required for env credentials',
+        path: ['envKey'],
+      })
+      return
+    }
+
+    if (!isValidEnvVarName(normalizedEnvKey)) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: 'envKey must contain only letters, numbers, and underscores',
+        path: ['envKey'],
+      })
+    }
+  })
+
+interface ExistingCredentialSourceParams {
+  workspaceId: string
+  type: 'oauth' | 'env_workspace' | 'env_personal'
+  accountId?: string | null
+  envKey?: string | null
+  envOwnerUserId?: string | null
+}
+
+async function findExistingCredentialBySource(params: ExistingCredentialSourceParams) {
+  const { workspaceId, type, accountId, envKey, envOwnerUserId } = params
+
+  if (type === 'oauth' && accountId) {
+    const [row] = await db
+      .select()
+      .from(credential)
+      .where(
+        and(
+          eq(credential.workspaceId, workspaceId),
+          eq(credential.type, 'oauth'),
+          eq(credential.accountId, accountId)
+        )
+      )
+      .limit(1)
+    return row ?? null
+  }
+
+  if (type === 'env_workspace' && envKey) {
+    const [row] = await db
+      .select()
+      .from(credential)
+      .where(
+        and(
+          eq(credential.workspaceId, workspaceId),
+          eq(credential.type, 'env_workspace'),
+          eq(credential.envKey, envKey)
+        )
+      )
+      .limit(1)
+    return row ?? null
+  }
+
+  if (type === 'env_personal' && envKey && envOwnerUserId) {
+    const [row] = await db
+      .select()
+      .from(credential)
+      .where(
+        and(
+          eq(credential.workspaceId, workspaceId),
+          eq(credential.type, 'env_personal'),
+          eq(credential.envKey, envKey),
+          eq(credential.envOwnerUserId, envOwnerUserId)
+        )
+      )
+      .limit(1)
+    return row ?? null
+  }
+
+  return null
+}
+
+export async function GET(request: NextRequest) {
+  const requestId = generateRequestId()
+  const session = await getSession()
+
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  try {
+    const { searchParams } = new URL(request.url)
+    const rawWorkspaceId = searchParams.get('workspaceId')
+    const rawType = searchParams.get('type')
+    const rawProviderId = searchParams.get('providerId')
+    const parseResult = listCredentialsSchema.safeParse({
+      workspaceId: rawWorkspaceId?.trim(),
+      type: rawType?.trim() || undefined,
+      providerId: rawProviderId?.trim() || undefined,
+    })
+
+    if (!parseResult.success) {
+      logger.warn(`[${requestId}] Invalid credential list request`, {
+        workspaceId: rawWorkspaceId,
+        type: rawType,
+        providerId: rawProviderId,
+        errors: parseResult.error.errors,
+      })
+      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
+    }
+
+    const { workspaceId, type, providerId } = parseResult.data
+    const workspaceAccess = await checkWorkspaceAccess(workspaceId, session.user.id)
+
+    if (!workspaceAccess.hasAccess) {
+      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+    }
+
+    if (!type || type === 'oauth') {
+      await syncWorkspaceOAuthCredentialsForUser({ workspaceId, userId: session.user.id })
+    }
+
+    const whereClauses = [
+      eq(credential.workspaceId, workspaceId),
+      eq(credentialMember.userId, session.user.id),
+      eq(credentialMember.status, 'active'),
+    ]
+
+    if (type) {
+      whereClauses.push(eq(credential.type, type))
+    }
+    if (providerId) {
+      whereClauses.push(eq(credential.providerId, providerId))
+    }
+
+    const credentials = await db
+      .select({
+        id: credential.id,
+        workspaceId: credential.workspaceId,
+        type: credential.type,
+        displayName: credential.displayName,
+        providerId: credential.providerId,
+        accountId: credential.accountId,
+        envKey: credential.envKey,
+        envOwnerUserId: credential.envOwnerUserId,
+        createdBy: credential.createdBy,
+        createdAt: credential.createdAt,
+        updatedAt: credential.updatedAt,
+        role: credentialMember.role,
+      })
+      .from(credential)
+      .innerJoin(
+        credentialMember,
+        and(
+          eq(credentialMember.credentialId, credential.id),
+          eq(credentialMember.userId, session.user.id),
+          eq(credentialMember.status, 'active')
+        )
+      )
+      .where(and(...whereClauses))
+
+    return NextResponse.json({ credentials })
+  } catch (error) {
+    logger.error(`[${requestId}] Failed to list credentials`, error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+
+export async function POST(request: NextRequest) {
+  const requestId = generateRequestId()
+  const session = await getSession()
+
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  try {
+    const body = await request.json()
+    const parseResult = createCredentialSchema.safeParse(body)
+
+    if (!parseResult.success) {
+      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
+    }
+
+    const { workspaceId, type, displayName, providerId, accountId, envKey, envOwnerUserId } =
+      parseResult.data
+
+    const workspaceAccess = await checkWorkspaceAccess(workspaceId, session.user.id)
+    if (!workspaceAccess.canWrite) {
+      return NextResponse.json({ error: 'Write permission required' }, { status: 403 })
+    }
+
+    let resolvedDisplayName = displayName?.trim() ?? ''
+    let resolvedProviderId: string | null = providerId ?? null
+    let resolvedAccountId: string | null = accountId ?? null
+    const resolvedEnvKey: string | null = envKey ? normalizeEnvKeyInput(envKey) : null
+    let resolvedEnvOwnerUserId: string | null = null
+
+    if (type === 'oauth') {
+      const [accountRow] = await db
+        .select({
+          id: account.id,
+          userId: account.userId,
+          providerId: account.providerId,
+          accountId: account.accountId,
+        })
+        .from(account)
+        .where(eq(account.id, accountId!))
+        .limit(1)
+
+      if (!accountRow) {
+        return NextResponse.json({ error: 'OAuth account not found' }, { status: 404 })
+      }
+
+      if (accountRow.userId !== session.user.id) {
+        return NextResponse.json(
+          { error: 'Only account owners can create oauth credentials for an account' },
+          { status: 403 }
+        )
+      }
+
+      if (providerId !== accountRow.providerId) {
+        return NextResponse.json(
+          { error: 'providerId does not match the selected OAuth account' },
+          { status: 400 }
+        )
+      }
+      if (!resolvedDisplayName) {
+        resolvedDisplayName =
+          getServiceConfigByProviderId(accountRow.providerId)?.name || accountRow.providerId
+      }
+    } else if (type === 'env_personal') {
+      resolvedEnvOwnerUserId = envOwnerUserId ?? session.user.id
+      if (resolvedEnvOwnerUserId !== session.user.id) {
+        return NextResponse.json(
+          { error: 'Only the current user can create personal env credentials for themselves' },
+          { status: 403 }
+        )
+      }
+      resolvedProviderId = null
+      resolvedAccountId = null
+      resolvedDisplayName = resolvedEnvKey || ''
+    } else {
+      resolvedProviderId = null
+      resolvedAccountId = null
+      resolvedEnvOwnerUserId = null
+      resolvedDisplayName = resolvedEnvKey || ''
+    }
+
+    if (!resolvedDisplayName) {
+      return NextResponse.json({ error: 'Display name is required' }, { status: 400 })
+    }
+
+    const existingCredential = await findExistingCredentialBySource({
+      workspaceId,
+      type,
+      accountId: resolvedAccountId,
+      envKey: resolvedEnvKey,
+      envOwnerUserId: resolvedEnvOwnerUserId,
+    })
+
+    if (existingCredential) {
+      const [membership] = await db
+        .select({
+          id: credentialMember.id,
+          status: credentialMember.status,
+          role: credentialMember.role,
+        })
+        .from(credentialMember)
+        .where(
+          and(
+            eq(credentialMember.credentialId, existingCredential.id),
+            eq(credentialMember.userId, session.user.id)
+          )
+        )
+        .limit(1)
+
+      if (!membership || membership.status !== 'active') {
+        return NextResponse.json(
+          { error: 'A credential with this source already exists in this workspace' },
+          { status: 409 }
+        )
+      }
+
+      if (
+        type === 'oauth' &&
+        membership.role === 'admin' &&
+        resolvedDisplayName &&
+        resolvedDisplayName !== existingCredential.displayName
+      ) {
+        await db
+          .update(credential)
+          .set({
+            displayName: resolvedDisplayName,
+            updatedAt: new Date(),
+          })
+          .where(eq(credential.id, existingCredential.id))
+
+        const [updatedCredential] = await db
+          .select()
+          .from(credential)
+          .where(eq(credential.id, existingCredential.id))
+          .limit(1)
+
+        return NextResponse.json(
+          { credential: updatedCredential ?? existingCredential },
+          { status: 200 }
+        )
+      }
+
+      return NextResponse.json({ credential: existingCredential }, { status: 200 })
+    }
+
+    const now = new Date()
+    const credentialId = crypto.randomUUID()
+    const [workspaceRow] = await db
+      .select({ ownerId: workspace.ownerId })
+      .from(workspace)
+      .where(eq(workspace.id, workspaceId))
+      .limit(1)
+
+    await db.transaction(async (tx) => {
+      await tx.insert(credential).values({
+        id: credentialId,
+        workspaceId,
+        type,
+        displayName: resolvedDisplayName,
+        providerId: resolvedProviderId,
+        accountId: resolvedAccountId,
+        envKey: resolvedEnvKey,
+        envOwnerUserId: resolvedEnvOwnerUserId,
+        createdBy: session.user.id,
+        createdAt: now,
+        updatedAt: now,
+      })
+
+      if (type === 'env_workspace' && workspaceRow?.ownerId) {
+        const workspaceUserIds = await getWorkspaceMemberUserIds(workspaceId)
+        if (workspaceUserIds.length > 0) {
+          for (const memberUserId of workspaceUserIds) {
+            await tx.insert(credentialMember).values({
+              id: crypto.randomUUID(),
+              credentialId,
+              userId: memberUserId,
+              role: memberUserId === workspaceRow.ownerId ? 'admin' : 'member',
+              status: 'active',
+              joinedAt: now,
+              invitedBy: session.user.id,
+              createdAt: now,
+              updatedAt: now,
+            })
+          }
+        }
+      } else {
+        await tx.insert(credentialMember).values({
+          id: crypto.randomUUID(),
+          credentialId,
+          userId: session.user.id,
+          role: 'admin',
+          status: 'active',
+          joinedAt: now,
+          invitedBy: session.user.id,
+          createdAt: now,
+          updatedAt: now,
+        })
+      }
+    })
+
+    const [created] = await db
+      .select()
+      .from(credential)
+      .where(eq(credential.id, credentialId))
+      .limit(1)
+
+    return NextResponse.json({ credential: created }, { status: 201 })
+  } catch (error: any) {
+    if (error?.code === '23505') {
+      return NextResponse.json(
+        { error: 'A credential with this source already exists' },
+        { status: 409 }
+      )
+    }
+    if (error?.code === '23503') {
+      return NextResponse.json(
+        { error: 'Invalid credential reference or membership target' },
+        { status: 400 }
+      )
+    }
+    if (error?.code === '23514') {
+      return NextResponse.json(
+        { error: 'Credential source data failed validation checks' },
+        { status: 400 }
+      )
+    }
+    logger.error(`[${requestId}] Credential create failure details`, {
+      code: error?.code,
+      detail: error?.detail,
+      constraint: error?.constraint,
+      table: error?.table,
+      message: error?.message,
+    })
+    logger.error(`[${requestId}] Failed to create credential`, error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
--- a/apps/sim/app/api/environment/route.ts
+++ b/apps/sim/app/api/environment/route.ts
@@ -7,6 +7,7 @@ import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import { decryptSecret, encryptSecret } from '@/lib/core/security/encryption'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { syncPersonalEnvCredentialsForUser } from '@/lib/credentials/environment'
 import type { EnvironmentVariable } from '@/stores/settings/environment'

 const logger = createLogger('EnvironmentAPI')
@@ -53,6 +54,11 @@ export async function POST(req: NextRequest) {
          },
        })

+      await syncPersonalEnvCredentialsForUser({
+        userId: session.user.id,
+        envKeys: Object.keys(variables),
+      })
+
      return NextResponse.json({ success: true })
    } catch (validationError) {
      if (validationError instanceof z.ZodError) {
--- a/apps/sim/app/api/workspaces/[id]/environment/route.ts
+++ b/apps/sim/app/api/workspaces/[id]/environment/route.ts
@@ -1,12 +1,14 @@
 import { db } from '@sim/db'
-import { environment, workspaceEnvironment } from '@sim/db/schema'
+import { workspaceEnvironment } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
-import { decryptSecret, encryptSecret } from '@/lib/core/security/encryption'
+import { encryptSecret } from '@/lib/core/security/encryption'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { syncWorkspaceEnvCredentials } from '@/lib/credentials/environment'
+import { getPersonalAndWorkspaceEnv } from '@/lib/environment/utils'
 import { getUserEntityPermissions, getWorkspaceById } from '@/lib/workspaces/permissions/utils'

 const logger = createLogger('WorkspaceEnvironmentAPI')
@@ -44,44 +46,10 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }

-    // Workspace env (encrypted)
-    const wsEnvRow = await db
-      .select()
-      .from(workspaceEnvironment)
-      .where(eq(workspaceEnvironment.workspaceId, workspaceId))
-      .limit(1)
-
-    const wsEncrypted: Record<string, string> = (wsEnvRow[0]?.variables as any) || {}
-
-    // Personal env (encrypted)
-    const personalRow = await db
-      .select()
-      .from(environment)
-      .where(eq(environment.userId, userId))
-      .limit(1)
-
-    const personalEncrypted: Record<string, string> = (personalRow[0]?.variables as any) || {}
-
-    // Decrypt both for UI
-    const decryptAll = async (src: Record<string, string>) => {
-      const out: Record<string, string> = {}
-      for (const [k, v] of Object.entries(src)) {
-        try {
-          const { decrypted } = await decryptSecret(v)
-          out[k] = decrypted
-        } catch {
-          out[k] = ''
-        }
-      }
-      return out
-    }
-
-    const [workspaceDecrypted, personalDecrypted] = await Promise.all([
-      decryptAll(wsEncrypted),
-      decryptAll(personalEncrypted),
-    ])
-
-    const conflicts = Object.keys(personalDecrypted).filter((k) => k in workspaceDecrypted)
+    const { workspaceDecrypted, personalDecrypted, conflicts } = await getPersonalAndWorkspaceEnv(
+      userId,
+      workspaceId
+    )

    return NextResponse.json(
      {
@@ -156,6 +124,12 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
        set: { variables: merged, updatedAt: new Date() },
      })

+    await syncWorkspaceEnvCredentials({
+      workspaceId,
+      envKeys: Object.keys(merged),
+      actingUserId: userId,
+    })
+
    return NextResponse.json({ success: true })
  } catch (error: any) {
    logger.error(`[${requestId}] Workspace env PUT error`, error)
@@ -222,6 +196,12 @@ export async function DELETE(
        set: { variables: current, updatedAt: new Date() },
      })

+    await syncWorkspaceEnvCredentials({
+      workspaceId,
+      envKeys: Object.keys(current),
+      actingUserId: userId,
+    })
+
    return NextResponse.json({ success: true })
  } catch (error: any) {
    logger.error(`[${requestId}] Workspace env DELETE error`, error)
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/components/oauth-required-modal.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/components/oauth-required-modal.tsx
@@ -30,6 +30,7 @@ export interface OAuthRequiredModalProps {
  requiredScopes?: string[]
  serviceId: string
  newScopes?: string[]
+  onConnect?: () => Promise<void> | void
 }

 const SCOPE_DESCRIPTIONS: Record<string, string> = {
@@ -314,6 +315,7 @@ export function OAuthRequiredModal({
  requiredScopes = [],
  serviceId,
  newScopes = [],
+  onConnect,
 }: OAuthRequiredModalProps) {
  const [error, setError] = useState<string | null>(null)
  const { baseProvider } = parseProvider(provider)
@@ -359,6 +361,12 @@ export function OAuthRequiredModal({
    setError(null)

    try {
+      if (onConnect) {
+        await onConnect()
+        onClose()
+        return
+      }
+
      const providerId = getProviderIdFromServiceId(serviceId)

      logger.info('Linking OAuth2:', {
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/credential-selector.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/credential-selector.tsx
@@ -3,10 +3,12 @@
 import { createElement, useCallback, useEffect, useMemo, useState } from 'react'
 import { createLogger } from '@sim/logger'
 import { ExternalLink, Users } from 'lucide-react'
+import { useParams } from 'next/navigation'
 import { Button, Combobox } from '@/components/emcn/components'
 import { getSubscriptionStatus } from '@/lib/billing/client'
 import { getEnv, isTruthy } from '@/lib/core/config/env'
 import { getPollingProviderFromOAuth } from '@/lib/credential-sets/providers'
+import { writePendingCredentialCreateRequest } from '@/lib/credentials/client-state'
 import {
  getCanonicalScopesForProvider,
  getProviderIdFromServiceId,
@@ -18,9 +20,9 @@ import { OAuthRequiredModal } from '@/app/workspace/[workspaceId]/w/[workflowId]
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
 import type { SubBlockConfig } from '@/blocks/types'
-import { CREDENTIAL, CREDENTIAL_SET } from '@/executor/constants'
+import { CREDENTIAL_SET } from '@/executor/constants'
 import { useCredentialSets } from '@/hooks/queries/credential-sets'
-import { useOAuthCredentialDetail, useOAuthCredentials } from '@/hooks/queries/oauth-credentials'
+import { useOAuthCredentials } from '@/hooks/queries/oauth-credentials'
 import { useOrganizations } from '@/hooks/queries/organization'
 import { useSubscriptionData } from '@/hooks/queries/subscription'
 import { getMissingRequiredScopes } from '@/hooks/use-oauth-scope-status'
@@ -46,6 +48,8 @@ export function CredentialSelector({
  previewValue,
  previewContextValues,
 }: CredentialSelectorProps) {
+  const params = useParams()
+  const workspaceId = (params?.workspaceId as string) || ''
  const [showOAuthModal, setShowOAuthModal] = useState(false)
  const [editingValue, setEditingValue] = useState('')
  const [isEditing, setIsEditing] = useState(false)
@@ -96,53 +100,32 @@ export function CredentialSelector({
    data: credentials = [],
    isFetching: credentialsLoading,
    refetch: refetchCredentials,
-  } = useOAuthCredentials(effectiveProviderId, Boolean(effectiveProviderId))
+  } = useOAuthCredentials(effectiveProviderId, {
+    enabled: Boolean(effectiveProviderId),
+    workspaceId,
+    workflowId: activeWorkflowId || undefined,
+  })

  const selectedCredential = useMemo(
    () => credentials.find((cred) => cred.id === selectedId),
    [credentials, selectedId]
  )

-  const shouldFetchForeignMeta =
-    Boolean(selectedId) &&
-    !selectedCredential &&
-    Boolean(activeWorkflowId) &&
-    Boolean(effectiveProviderId)
-
-  const { data: foreignCredentials = [], isFetching: foreignMetaLoading } =
-    useOAuthCredentialDetail(
-      shouldFetchForeignMeta ? selectedId : undefined,
-      activeWorkflowId || undefined,
-      shouldFetchForeignMeta
-    )
-
-  const hasForeignMeta = foreignCredentials.length > 0
-  const isForeign = Boolean(selectedId && !selectedCredential && hasForeignMeta)
-
  const selectedCredentialSet = useMemo(
    () => credentialSets.find((cs) => cs.id === selectedCredentialSetId),
    [credentialSets, selectedCredentialSetId]
  )

-  const isForeignCredentialSet = Boolean(isCredentialSetSelected && !selectedCredentialSet)
-
  const resolvedLabel = useMemo(() => {
    if (selectedCredentialSet) return selectedCredentialSet.name
-    if (isForeignCredentialSet) return CREDENTIAL.FOREIGN_LABEL
    if (selectedCredential) return selectedCredential.name
-    if (isForeign) return CREDENTIAL.FOREIGN_LABEL
    return ''
-  }, [selectedCredentialSet, isForeignCredentialSet, selectedCredential, isForeign])
+  }, [selectedCredentialSet, selectedCredential])

  const displayValue = isEditing ? editingValue : resolvedLabel

  const invalidSelection =
-    !isPreview &&
-    Boolean(selectedId) &&
-    !selectedCredential &&
-    !hasForeignMeta &&
-    !credentialsLoading &&
-    !foreignMetaLoading
+    !isPreview && Boolean(selectedId) && !selectedCredential && !credentialsLoading

  useEffect(() => {
    if (!invalidSelection) return
@@ -153,7 +136,7 @@ export function CredentialSelector({
    setStoreValue('')
  }, [invalidSelection, selectedId, effectiveProviderId, setStoreValue])

-  useCredentialRefreshTriggers(refetchCredentials)
+  useCredentialRefreshTriggers(refetchCredentials, effectiveProviderId, workspaceId)

  const handleOpenChange = useCallback(
    (isOpen: boolean) => {
@@ -195,8 +178,18 @@ export function CredentialSelector({
  )

  const handleAddCredential = useCallback(() => {
-    setShowOAuthModal(true)
-  }, [])
+    writePendingCredentialCreateRequest({
+      workspaceId,
+      type: 'oauth',
+      providerId: effectiveProviderId,
+      displayName: '',
+      serviceId,
+      requiredScopes: getCanonicalScopesForProvider(effectiveProviderId),
+      requestedAt: Date.now(),
+    })
+
+    window.dispatchEvent(new CustomEvent('open-settings', { detail: { tab: 'credentials' } }))
+  }, [workspaceId, effectiveProviderId, serviceId])

  const getProviderIcon = useCallback((providerName: OAuthProvider) => {
    const { baseProvider } = parseProvider(providerName)
@@ -251,23 +244,18 @@ export function CredentialSelector({
        label: cred.name,
        value: cred.id,
      }))
+      credentialItems.push({
+        label:
+          credentials.length > 0
+            ? `Connect another ${getProviderName(provider)} account`
+            : `Connect ${getProviderName(provider)} account`,
+        value: '__connect_account__',
+      })

-      if (credentialItems.length > 0) {
-        groups.push({
-          section: 'Personal Credential',
-          items: credentialItems,
-        })
-      } else {
-        groups.push({
-          section: 'Personal Credential',
-          items: [
-            {
-              label: `Connect ${getProviderName(provider)} account`,
-              value: '__connect_account__',
-            },
-          ],
-        })
-      }
+      groups.push({
+        section: 'Personal Credential',
+        items: credentialItems,
+      })

      return { comboboxOptions: [], comboboxGroups: groups }
    }
@@ -277,12 +265,13 @@ export function CredentialSelector({
      value: cred.id,
    }))

-    if (credentials.length === 0) {
-      options.push({
-        label: `Connect ${getProviderName(provider)} account`,
-        value: '__connect_account__',
-      })
-    }
+    options.push({
+      label:
+        credentials.length > 0
+          ? `Connect another ${getProviderName(provider)} account`
+          : `Connect ${getProviderName(provider)} account`,
+      value: '__connect_account__',
+    })

    return { comboboxOptions: options, comboboxGroups: undefined }
  }, [
@@ -368,7 +357,7 @@ export function CredentialSelector({
        }
        disabled={effectiveDisabled}
        editable={true}
-        filterOptions={!isForeign && !isForeignCredentialSet}
+        filterOptions={true}
        isLoading={credentialsLoading}
        overlayContent={overlayContent}
        className={selectedId || isCredentialSetSelected ? 'pl-[28px]' : ''}
@@ -380,15 +369,13 @@ export function CredentialSelector({
            <span className='mr-[6px] inline-block h-[6px] w-[6px] rounded-[2px] bg-amber-500' />
            Additional permissions required
          </div>
-          {!isForeign && (
-            <Button
-              variant='active'
-              onClick={() => setShowOAuthModal(true)}
-              className='w-full px-[8px] py-[4px] font-medium text-[12px]'
-            >
-              Update access
-            </Button>
-          )}
+          <Button
+            variant='active'
+            onClick={() => setShowOAuthModal(true)}
+            className='w-full px-[8px] py-[4px] font-medium text-[12px]'
+          >
+            Update access
+          </Button>
        </div>
      )}

@@ -407,7 +394,11 @@ export function CredentialSelector({
  )
 }

-function useCredentialRefreshTriggers(refetchCredentials: () => Promise<unknown>) {
+function useCredentialRefreshTriggers(
+  refetchCredentials: () => Promise<unknown>,
+  providerId: string,
+  workspaceId: string
+) {
  useEffect(() => {
    const refresh = () => {
      void refetchCredentials()
@@ -425,12 +416,29 @@ function useCredentialRefreshTriggers(refetchCredentials: () => Promise<unknown>
      }
    }

+    const handleCredentialsUpdated = (
+      event: CustomEvent<{ providerId?: string; workspaceId?: string }>
+    ) => {
+      if (event.detail?.providerId && event.detail.providerId !== providerId) {
+        return
+      }
+      if (event.detail?.workspaceId && workspaceId && event.detail.workspaceId !== workspaceId) {
+        return
+      }
+      refresh()
+    }
+
    document.addEventListener('visibilitychange', handleVisibilityChange)
    window.addEventListener('pageshow', handlePageShow)
+    window.addEventListener('oauth-credentials-updated', handleCredentialsUpdated as EventListener)

    return () => {
      document.removeEventListener('visibilitychange', handleVisibilityChange)
      window.removeEventListener('pageshow', handlePageShow)
+      window.removeEventListener(
+        'oauth-credentials-updated',
+        handleCredentialsUpdated as EventListener
+      )
    }
-  }, [refetchCredentials])
+  }, [providerId, workspaceId, refetchCredentials])
 }
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/env-var-dropdown.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/env-var-dropdown.tsx
@@ -168,7 +168,7 @@ export const EnvVarDropdown: React.FC<EnvVarDropdownProps> = ({
  }, [searchTerm])

  const openEnvironmentSettings = () => {
-    window.dispatchEvent(new CustomEvent('open-settings', { detail: { tab: 'environment' } }))
+    window.dispatchEvent(new CustomEvent('open-settings', { detail: { tab: 'credentials' } }))
    onClose?.()
  }

--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/file-selector/file-selector-input.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/file-selector/file-selector-input.tsx
@@ -7,7 +7,6 @@ import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { buildCanonicalIndex, resolveDependencyValue } from '@/lib/workflows/subblocks/visibility'
 import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox'
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
-import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
 import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils'
 import { getBlock } from '@/blocks/registry'
@@ -125,8 +124,6 @@ export function FileSelectorInput({
  const serviceId = subBlock.serviceId || ''
  const effectiveProviderId = useMemo(() => getProviderIdFromServiceId(serviceId), [serviceId])

-  const { isForeignCredential } = useForeignCredential(effectiveProviderId, normalizedCredentialId)
-
  const selectorResolution = useMemo<SelectorResolution | null>(() => {
    return resolveSelectorForSubBlock(subBlock, {
      workflowId: workflowIdFromUrl,
@@ -168,7 +165,6 @@ export function FileSelectorInput({

  const disabledReason =
    finalDisabled ||
-    isForeignCredential ||
    missingCredential ||
    missingDomain ||
    missingProject ||
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/folder-selector/components/folder-selector-input.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/folder-selector/components/folder-selector-input.tsx
@@ -4,7 +4,6 @@ import { useCallback, useEffect, useMemo, useState } from 'react'
 import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox'
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
-import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
 import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils'
 import type { SubBlockConfig } from '@/blocks/types'
@@ -47,10 +46,6 @@ export function FolderSelectorInput({
    subBlock.canonicalParamId === 'copyDestinationId' ||
    subBlock.id === 'copyDestinationFolder' ||
    subBlock.id === 'manualCopyDestinationFolder'
-  const { isForeignCredential } = useForeignCredential(
-    effectiveProviderId,
-    (connectedCredential as string) || ''
-  )

  // Central dependsOn gating
  const { finalDisabled } = useDependsOnGate(blockId, subBlock, {
@@ -119,9 +114,7 @@ export function FolderSelectorInput({
      selectorContext={
        selectorResolution?.context ?? { credentialId, workflowId: activeWorkflowId || '' }
      }
-      disabled={
-        finalDisabled || isForeignCredential || missingCredential || !selectorResolution?.key
-      }
+      disabled={finalDisabled || missingCredential || !selectorResolution?.key}
      isPreview={isPreview}
      previewValue={previewValue ?? null}
      placeholder={subBlock.placeholder || 'Select folder'}
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/project-selector/project-selector-input.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/project-selector/project-selector-input.tsx
@@ -7,7 +7,6 @@ import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { buildCanonicalIndex, resolveDependencyValue } from '@/lib/workflows/subblocks/visibility'
 import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox'
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
-import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
 import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils'
 import { getBlock } from '@/blocks/registry'
@@ -73,11 +72,6 @@ export function ProjectSelectorInput({

  const serviceId = subBlock.serviceId || ''
  const effectiveProviderId = useMemo(() => getProviderIdFromServiceId(serviceId), [serviceId])
-
-  const { isForeignCredential } = useForeignCredential(
-    effectiveProviderId,
-    (connectedCredential as string) || ''
-  )
  const workflowIdFromUrl = (params?.workflowId as string) || activeWorkflowId || ''
  const { finalDisabled } = useDependsOnGate(blockId, subBlock, {
    disabled,
@@ -123,7 +117,7 @@ export function ProjectSelectorInput({
              subBlock={subBlock}
              selectorKey={selectorResolution.key}
              selectorContext={selectorResolution.context}
-              disabled={finalDisabled || isForeignCredential || missingCredential}
+              disabled={finalDisabled || missingCredential}
              isPreview={isPreview}
              previewValue={previewValue ?? null}
              placeholder={subBlock.placeholder || 'Select project'}
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/sheet-selector/sheet-selector-input.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/sheet-selector/sheet-selector-input.tsx
@@ -7,7 +7,6 @@ import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { buildCanonicalIndex, resolveDependencyValue } from '@/lib/workflows/subblocks/visibility'
 import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox'
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
-import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential'
 import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils'
 import { getBlock } from '@/blocks/registry'
 import type { SubBlockConfig } from '@/blocks/types'
@@ -87,8 +86,6 @@ export function SheetSelectorInput({
  const serviceId = subBlock.serviceId || ''
  const effectiveProviderId = useMemo(() => getProviderIdFromServiceId(serviceId), [serviceId])

-  const { isForeignCredential } = useForeignCredential(effectiveProviderId, normalizedCredentialId)
-
  const selectorResolution = useMemo<SelectorResolution | null>(() => {
    return resolveSelectorForSubBlock(subBlock, {
      workflowId: workflowIdFromUrl,
@@ -101,11 +98,7 @@ export function SheetSelectorInput({
  const missingSpreadsheet = !normalizedSpreadsheetId

  const disabledReason =
-    finalDisabled ||
-    isForeignCredential ||
-    missingCredential ||
-    missingSpreadsheet ||
-    !selectorResolution?.key
+    finalDisabled || missingCredential || missingSpreadsheet || !selectorResolution?.key

  if (!selectorResolution?.key) {
    return (
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/slack-selector/slack-selector-input.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/slack-selector/slack-selector-input.tsx
@@ -6,7 +6,6 @@ import { Tooltip } from '@/components/emcn'
 import { getProviderIdFromServiceId } from '@/lib/oauth'
 import { SelectorCombobox } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/selector-combobox/selector-combobox'
 import { useDependsOnGate } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-depends-on-gate'
-import { useForeignCredential } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential'
 import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-sub-block-value'
 import { resolvePreviewContextValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/utils'
 import type { SubBlockConfig } from '@/blocks/types'
@@ -85,11 +84,6 @@ export function SlackSelectorInput({
      ? (effectiveBotToken as string) || ''
      : (effectiveCredential as string) || ''

-  const { isForeignCredential } = useForeignCredential(
-    effectiveProviderId,
-    (effectiveAuthMethod as string) === 'bot_token' ? '' : (effectiveCredential as string) || ''
-  )
-
  useEffect(() => {
    const val = isPreview && previewValue !== undefined ? previewValue : storeValue
    if (typeof val === 'string') {
@@ -99,7 +93,7 @@ export function SlackSelectorInput({

  const requiresCredential = dependsOn.includes('credential')
  const missingCredential = !credential || credential.trim().length === 0
-  const shouldForceDisable = requiresCredential && (missingCredential || isForeignCredential)
+  const shouldForceDisable = requiresCredential && missingCredential

  const context: SelectorContext = useMemo(
    () => ({
@@ -136,7 +130,7 @@ export function SlackSelectorInput({
            subBlock={subBlock}
            selectorKey={config.selectorKey}
            selectorContext={context}
-            disabled={finalDisabled || shouldForceDisable || isForeignCredential}
+            disabled={finalDisabled || shouldForceDisable}
            isPreview={isPreview}
            previewValue={previewValue ?? null}
            placeholder={subBlock.placeholder || config.placeholder}
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/components/tool-credential-selector.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/components/tool-credential-selector.tsx
@@ -1,6 +1,8 @@
 import { createElement, useCallback, useEffect, useMemo, useState } from 'react'
 import { ExternalLink } from 'lucide-react'
+import { useParams } from 'next/navigation'
 import { Button, Combobox } from '@/components/emcn/components'
+import { writePendingCredentialCreateRequest } from '@/lib/credentials/client-state'
 import {
  getCanonicalScopesForProvider,
  getProviderIdFromServiceId,
@@ -10,8 +12,7 @@ import {
  parseProvider,
 } from '@/lib/oauth'
 import { OAuthRequiredModal } from '@/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/components/oauth-required-modal'
-import { CREDENTIAL } from '@/executor/constants'
-import { useOAuthCredentialDetail, useOAuthCredentials } from '@/hooks/queries/oauth-credentials'
+import { useOAuthCredentials } from '@/hooks/queries/oauth-credentials'
 import { getMissingRequiredScopes } from '@/hooks/use-oauth-scope-status'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'

@@ -54,10 +55,12 @@ export function ToolCredentialSelector({
  onChange,
  provider,
  requiredScopes = [],
-  label = 'Select account',
+  label = 'Select credential',
  serviceId,
  disabled = false,
 }: ToolCredentialSelectorProps) {
+  const params = useParams()
+  const workspaceId = (params?.workspaceId as string) || ''
  const [showOAuthModal, setShowOAuthModal] = useState(false)
  const [editingInputValue, setEditingInputValue] = useState('')
  const [isEditing, setIsEditing] = useState(false)
@@ -71,50 +74,32 @@ export function ToolCredentialSelector({
    data: credentials = [],
    isFetching: credentialsLoading,
    refetch: refetchCredentials,
-  } = useOAuthCredentials(effectiveProviderId, Boolean(effectiveProviderId))
+  } = useOAuthCredentials(effectiveProviderId, {
+    enabled: Boolean(effectiveProviderId),
+    workspaceId,
+    workflowId: activeWorkflowId || undefined,
+  })

  const selectedCredential = useMemo(
    () => credentials.find((cred) => cred.id === selectedId),
    [credentials, selectedId]
  )

-  const shouldFetchForeignMeta =
-    Boolean(selectedId) &&
-    !selectedCredential &&
-    Boolean(activeWorkflowId) &&
-    Boolean(effectiveProviderId)
-
-  const { data: foreignCredentials = [], isFetching: foreignMetaLoading } =
-    useOAuthCredentialDetail(
-      shouldFetchForeignMeta ? selectedId : undefined,
-      activeWorkflowId || undefined,
-      shouldFetchForeignMeta
-    )
-
-  const hasForeignMeta = foreignCredentials.length > 0
-  const isForeign = Boolean(selectedId && !selectedCredential && hasForeignMeta)
-
  const resolvedLabel = useMemo(() => {
    if (selectedCredential) return selectedCredential.name
-    if (isForeign) return CREDENTIAL.FOREIGN_LABEL
    return ''
-  }, [selectedCredential, isForeign])
+  }, [selectedCredential])

  const inputValue = isEditing ? editingInputValue : resolvedLabel

-  const invalidSelection =
-    Boolean(selectedId) &&
-    !selectedCredential &&
-    !hasForeignMeta &&
-    !credentialsLoading &&
-    !foreignMetaLoading
+  const invalidSelection = Boolean(selectedId) && !selectedCredential && !credentialsLoading

  useEffect(() => {
    if (!invalidSelection) return
    onChange('')
  }, [invalidSelection, onChange])

-  useCredentialRefreshTriggers(refetchCredentials)
+  useCredentialRefreshTriggers(refetchCredentials, effectiveProviderId, workspaceId)

  const handleOpenChange = useCallback(
    (isOpen: boolean) => {
@@ -142,8 +127,18 @@ export function ToolCredentialSelector({
  )

  const handleAddCredential = useCallback(() => {
-    setShowOAuthModal(true)
-  }, [])
+    writePendingCredentialCreateRequest({
+      workspaceId,
+      type: 'oauth',
+      providerId: effectiveProviderId,
+      displayName: '',
+      serviceId,
+      requiredScopes: getCanonicalScopesForProvider(effectiveProviderId),
+      requestedAt: Date.now(),
+    })
+
+    window.dispatchEvent(new CustomEvent('open-settings', { detail: { tab: 'credentials' } }))
+  }, [workspaceId, effectiveProviderId, serviceId])

  const comboboxOptions = useMemo(() => {
    const options = credentials.map((cred) => ({
@@ -151,12 +146,13 @@ export function ToolCredentialSelector({
      value: cred.id,
    }))

-    if (credentials.length === 0) {
-      options.push({
-        label: `Connect ${getProviderName(provider)} account`,
-        value: '__connect_account__',
-      })
-    }
+    options.push({
+      label:
+        credentials.length > 0
+          ? `Connect another ${getProviderName(provider)} account`
+          : `Connect ${getProviderName(provider)} account`,
+      value: '__connect_account__',
+    })

    return options
  }, [credentials, provider])
@@ -206,7 +202,7 @@ export function ToolCredentialSelector({
        placeholder={label}
        disabled={disabled}
        editable={true}
-        filterOptions={!isForeign}
+        filterOptions={true}
        isLoading={credentialsLoading}
        overlayContent={overlayContent}
        className={selectedId ? 'pl-[28px]' : ''}
@@ -218,15 +214,13 @@ export function ToolCredentialSelector({
            <span className='mr-[6px] inline-block h-[6px] w-[6px] rounded-[2px] bg-amber-500' />
            Additional permissions required
          </div>
-          {!isForeign && (
-            <Button
-              variant='active'
-              onClick={() => setShowOAuthModal(true)}
-              className='w-full px-[8px] py-[4px] font-medium text-[12px]'
-            >
-              Update access
-            </Button>
-          )}
+          <Button
+            variant='active'
+            onClick={() => setShowOAuthModal(true)}
+            className='w-full px-[8px] py-[4px] font-medium text-[12px]'
+          >
+            Update access
+          </Button>
        </div>
      )}

@@ -245,7 +239,11 @@ export function ToolCredentialSelector({
  )
 }

-function useCredentialRefreshTriggers(refetchCredentials: () => Promise<unknown>) {
+function useCredentialRefreshTriggers(
+  refetchCredentials: () => Promise<unknown>,
+  providerId: string,
+  workspaceId: string
+) {
  useEffect(() => {
    const refresh = () => {
      void refetchCredentials()
@@ -263,12 +261,29 @@ function useCredentialRefreshTriggers(refetchCredentials: () => Promise<unknown>
      }
    }

+    const handleCredentialsUpdated = (
+      event: CustomEvent<{ providerId?: string; workspaceId?: string }>
+    ) => {
+      if (event.detail?.providerId && event.detail.providerId !== providerId) {
+        return
+      }
+      if (event.detail?.workspaceId && workspaceId && event.detail.workspaceId !== workspaceId) {
+        return
+      }
+      refresh()
+    }
+
    document.addEventListener('visibilitychange', handleVisibilityChange)
    window.addEventListener('pageshow', handlePageShow)
+    window.addEventListener('oauth-credentials-updated', handleCredentialsUpdated as EventListener)

    return () => {
      document.removeEventListener('visibilitychange', handleVisibilityChange)
      window.removeEventListener('pageshow', handlePageShow)
+      window.removeEventListener(
+        'oauth-credentials-updated',
+        handleCredentialsUpdated as EventListener
+      )
    }
-  }, [refetchCredentials])
+  }, [providerId, workspaceId, refetchCredentials])
 }
--- a/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/hooks/use-foreign-credential.ts
@@ -1,50 +0,0 @@
-import { useEffect, useMemo, useState } from 'react'
-
-export function useForeignCredential(
-  provider: string | undefined,
-  credentialId: string | undefined
-) {
-  const [isForeign, setIsForeign] = useState<boolean>(false)
-  const [loading, setLoading] = useState<boolean>(false)
-  const [error, setError] = useState<string | null>(null)
-
-  const normalizedProvider = useMemo(() => (provider || '').toString(), [provider])
-  const normalizedCredentialId = useMemo(() => credentialId || '', [credentialId])
-
-  useEffect(() => {
-    let cancelled = false
-    async function check() {
-      setLoading(true)
-      setError(null)
-      try {
-        if (!normalizedProvider || !normalizedCredentialId) {
-          if (!cancelled) setIsForeign(false)
-          return
-        }
-        const res = await fetch(
-          `/api/auth/oauth/credentials?provider=${encodeURIComponent(normalizedProvider)}`
-        )
-        if (!res.ok) {
-          if (!cancelled) setIsForeign(true)
-          return
-        }
-        const data = await res.json()
-        const isOwn = (data.credentials || []).some((c: any) => c.id === normalizedCredentialId)
-        if (!cancelled) setIsForeign(!isOwn)
-      } catch (e) {
-        if (!cancelled) {
-          setIsForeign(true)
-          setError((e as Error).message)
-        }
-      } finally {
-        if (!cancelled) setLoading(false)
-      }
-    }
-    void check()
-    return () => {
-      cancelled = true
-    }
-  }, [normalizedProvider, normalizedCredentialId])
-
-  return { isForeignCredential: isForeign, loading, error }
-}
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credentials/credentials-manager.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credentials/credentials-manager.tsx
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credentials/credentials.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credentials/credentials.tsx
@@ -0,0 +1,17 @@
+'use client'
+
+import { CredentialsManager } from '@/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/credentials/credentials-manager'
+
+interface CredentialsProps {
+  onOpenChange?: (open: boolean) => void
+  registerCloseHandler?: (handler: (open: boolean) => void) => void
+  registerBeforeLeaveHandler?: (handler: (onProceed: () => void) => void) => void
+}
+
+export function Credentials(_props: CredentialsProps) {
+  return (
+    <div className='h-full min-h-0'>
+      <CredentialsManager />
+    </div>
+  )
+}
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/index.ts
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/index.ts
@@ -2,6 +2,7 @@ export { ApiKeys } from './api-keys/api-keys'
 export { BYOK } from './byok/byok'
 export { Copilot } from './copilot/copilot'
 export { CredentialSets } from './credential-sets/credential-sets'
+export { Credentials } from './credentials/credentials'
 export { CustomTools } from './custom-tools/custom-tools'
 export { Debug } from './debug/debug'
 export { EnvironmentVariables } from './environment/environment'
--- a/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/settings-modal.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/settings-modal.tsx
@@ -20,7 +20,6 @@ import {
 import {
  Card,
  Connections,
-  FolderCode,
  HexSimple,
  Key,
  SModal,
@@ -45,12 +44,11 @@ import {
  BYOK,
  Copilot,
  CredentialSets,
+  Credentials,
  CustomTools,
  Debug,
-  EnvironmentVariables,
  FileUploads,
  General,
-  Integrations,
  MCP,
  Skills,
  Subscription,
@@ -80,6 +78,7 @@ interface SettingsModalProps {

 type SettingsSection =
  | 'general'
+  | 'credentials'
  | 'environment'
  | 'template-profile'
  | 'integrations'
@@ -156,11 +155,10 @@ const allNavigationItems: NavigationItem[] = [
    requiresHosted: true,
    requiresTeam: true,
  },
-  { id: 'integrations', label: 'Integrations', icon: Connections, section: 'tools' },
+  { id: 'credentials', label: 'Credentials', icon: Connections, section: 'tools' },
  { id: 'custom-tools', label: 'Custom Tools', icon: Wrench, section: 'tools' },
  { id: 'skills', label: 'Skills', icon: AgentSkillsIcon, section: 'tools' },
  { id: 'mcp', label: 'MCP Tools', icon: McpIcon, section: 'tools' },
-  { id: 'environment', label: 'Environment', icon: FolderCode, section: 'system' },
  { id: 'apikeys', label: 'API Keys', icon: Key, section: 'system' },
  { id: 'workflow-mcp-servers', label: 'MCP Servers', icon: Server, section: 'system' },
  {
@@ -256,9 +254,6 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
      if (item.id === 'apikeys' && permissionConfig.hideApiKeysTab) {
        return false
      }
-      if (item.id === 'environment' && permissionConfig.hideEnvironmentTab) {
-        return false
-      }
      if (item.id === 'files' && permissionConfig.hideFilesTab) {
        return false
      }
@@ -324,6 +319,9 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
    if (!isBillingEnabled && (activeSection === 'subscription' || activeSection === 'team')) {
      return 'general'
    }
+    if (activeSection === 'environment' || activeSection === 'integrations') {
+      return 'credentials'
+    }
    return activeSection
  }, [activeSection])

@@ -342,7 +340,7 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
    (sectionId: SettingsSection) => {
      if (sectionId === effectiveActiveSection) return

-      if (effectiveActiveSection === 'environment' && environmentBeforeLeaveHandler.current) {
+      if (effectiveActiveSection === 'credentials' && environmentBeforeLeaveHandler.current) {
        environmentBeforeLeaveHandler.current(() => setActiveSection(sectionId))
        return
      }
@@ -370,7 +368,11 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {

  useEffect(() => {
    const handleOpenSettings = (event: CustomEvent<{ tab: SettingsSection }>) => {
-      setActiveSection(event.detail.tab)
+      if (event.detail.tab === 'environment' || event.detail.tab === 'integrations') {
+        setActiveSection('credentials')
+      } else {
+        setActiveSection(event.detail.tab)
+      }
      onOpenChange(true)
    }

@@ -479,13 +481,19 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
  const handleDialogOpenChange = (newOpen: boolean) => {
    if (
      !newOpen &&
-      effectiveActiveSection === 'environment' &&
+      effectiveActiveSection === 'credentials' &&
      environmentBeforeLeaveHandler.current
    ) {
-      environmentBeforeLeaveHandler.current(() => onOpenChange(false))
+      environmentBeforeLeaveHandler.current(() => {
+        if (integrationsCloseHandler.current) {
+          integrationsCloseHandler.current(newOpen)
+        } else {
+          onOpenChange(false)
+        }
+      })
    } else if (
      !newOpen &&
-      effectiveActiveSection === 'integrations' &&
+      effectiveActiveSection === 'credentials' &&
      integrationsCloseHandler.current
    ) {
      integrationsCloseHandler.current(newOpen)
@@ -502,7 +510,7 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
        </VisuallyHidden.Root>
        <VisuallyHidden.Root>
          <DialogPrimitive.Description>
-            Configure your workspace settings, environment variables, integrations, and preferences
+            Configure your workspace settings, credentials, and preferences
          </DialogPrimitive.Description>
        </VisuallyHidden.Root>

@@ -539,18 +547,14 @@ export function SettingsModal({ open, onOpenChange }: SettingsModalProps) {
          </SModalMainHeader>
          <SModalMainBody>
            {effectiveActiveSection === 'general' && <General onOpenChange={onOpenChange} />}
-            {effectiveActiveSection === 'environment' && (
-              <EnvironmentVariables
+            {effectiveActiveSection === 'credentials' && (
+              <Credentials
+                onOpenChange={onOpenChange}
+                registerCloseHandler={registerIntegrationsCloseHandler}
                registerBeforeLeaveHandler={registerEnvironmentBeforeLeaveHandler}
              />
            )}
            {effectiveActiveSection === 'template-profile' && <TemplateProfile />}
-            {effectiveActiveSection === 'integrations' && (
-              <Integrations
-                onOpenChange={onOpenChange}
-                registerCloseHandler={registerIntegrationsCloseHandler}
-              />
-            )}
            {effectiveActiveSection === 'credential-sets' && <CredentialSets />}
            {effectiveActiveSection === 'access-control' && <AccessControl />}
            {effectiveActiveSection === 'apikeys' && <ApiKeys onOpenChange={onOpenChange} />}
--- a/apps/sim/executor/constants.ts
+++ b/apps/sim/executor/constants.ts
@@ -205,10 +205,6 @@ export const CREDENTIAL_SET = {
  PREFIX: 'credentialSet:',
 } as const

-export const CREDENTIAL = {
-  FOREIGN_LABEL: 'Saved by collaborator',
-} as const
-
 export function isCredentialSetValue(value: string | null | undefined): boolean {
  return typeof value === 'string' && value.startsWith(CREDENTIAL_SET.PREFIX)
 }
--- a/apps/sim/hooks/queries/credentials.ts
+++ b/apps/sim/hooks/queries/credentials.ts
@@ -0,0 +1,266 @@
+'use client'
+
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
+import { fetchJson } from '@/hooks/selectors/helpers'
+
+export type WorkspaceCredentialType = 'oauth' | 'env_workspace' | 'env_personal'
+export type WorkspaceCredentialRole = 'admin' | 'member'
+export type WorkspaceCredentialMemberStatus = 'active' | 'pending' | 'revoked'
+
+export interface WorkspaceCredential {
+  id: string
+  workspaceId: string
+  type: WorkspaceCredentialType
+  displayName: string
+  providerId: string | null
+  accountId: string | null
+  envKey: string | null
+  envOwnerUserId: string | null
+  createdBy: string
+  createdAt: string
+  updatedAt: string
+  role?: WorkspaceCredentialRole
+  status?: WorkspaceCredentialMemberStatus
+}
+
+export interface WorkspaceCredentialMember {
+  id: string
+  userId: string
+  role: WorkspaceCredentialRole
+  status: WorkspaceCredentialMemberStatus
+  joinedAt: string | null
+  invitedBy: string | null
+  createdAt: string
+  updatedAt: string
+  userName: string | null
+  userEmail: string | null
+  userImage: string | null
+}
+
+interface CredentialListResponse {
+  credentials?: WorkspaceCredential[]
+}
+
+interface CredentialResponse {
+  credential?: WorkspaceCredential | null
+}
+
+interface MembersResponse {
+  members?: WorkspaceCredentialMember[]
+}
+
+export const workspaceCredentialKeys = {
+  all: ['workspaceCredentials'] as const,
+  list: (workspaceId?: string, type?: string, providerId?: string) =>
+    ['workspaceCredentials', workspaceId ?? 'none', type ?? 'all', providerId ?? 'all'] as const,
+  detail: (credentialId?: string) =>
+    ['workspaceCredentials', 'detail', credentialId ?? 'none'] as const,
+  members: (credentialId?: string) =>
+    ['workspaceCredentials', 'detail', credentialId ?? 'none', 'members'] as const,
+}
+
+export function useWorkspaceCredentials(params: {
+  workspaceId?: string
+  type?: WorkspaceCredentialType
+  providerId?: string
+  enabled?: boolean
+}) {
+  const { workspaceId, type, providerId, enabled = true } = params
+
+  return useQuery<WorkspaceCredential[]>({
+    queryKey: workspaceCredentialKeys.list(workspaceId, type, providerId),
+    queryFn: async () => {
+      if (!workspaceId) return []
+      const data = await fetchJson<CredentialListResponse>('/api/credentials', {
+        searchParams: {
+          workspaceId,
+          type,
+          providerId,
+        },
+      })
+      return data.credentials ?? []
+    },
+    enabled: Boolean(workspaceId) && enabled,
+    staleTime: 60 * 1000,
+  })
+}
+
+export function useWorkspaceCredential(credentialId?: string, enabled = true) {
+  return useQuery<WorkspaceCredential | null>({
+    queryKey: workspaceCredentialKeys.detail(credentialId),
+    queryFn: async () => {
+      if (!credentialId) return null
+      const data = await fetchJson<CredentialResponse>(`/api/credentials/${credentialId}`)
+      return data.credential ?? null
+    },
+    enabled: Boolean(credentialId) && enabled,
+    staleTime: 60 * 1000,
+  })
+}
+
+export function useCreateWorkspaceCredential() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async (payload: {
+      workspaceId: string
+      type: WorkspaceCredentialType
+      displayName?: string
+      providerId?: string
+      accountId?: string
+      envKey?: string
+      envOwnerUserId?: string
+    }) => {
+      const response = await fetch('/api/credentials', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(payload),
+      })
+
+      if (!response.ok) {
+        const data = await response.json()
+        throw new Error(data.error || 'Failed to create credential')
+      }
+
+      return response.json()
+    },
+    onSuccess: (_data, variables) => {
+      queryClient.invalidateQueries({
+        queryKey: workspaceCredentialKeys.list(variables.workspaceId),
+      })
+      queryClient.invalidateQueries({
+        queryKey: workspaceCredentialKeys.all,
+      })
+    },
+  })
+}
+
+export function useUpdateWorkspaceCredential() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async (payload: {
+      credentialId: string
+      displayName?: string
+      accountId?: string
+    }) => {
+      const response = await fetch(`/api/credentials/${payload.credentialId}`, {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          displayName: payload.displayName,
+          accountId: payload.accountId,
+        }),
+      })
+      if (!response.ok) {
+        const data = await response.json()
+        throw new Error(data.error || 'Failed to update credential')
+      }
+      return response.json()
+    },
+    onSuccess: (_data, variables) => {
+      queryClient.invalidateQueries({
+        queryKey: workspaceCredentialKeys.detail(variables.credentialId),
+      })
+      queryClient.invalidateQueries({
+        queryKey: workspaceCredentialKeys.all,
+      })
+    },
+  })
+}
+
+export function useDeleteWorkspaceCredential() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async (credentialId: string) => {
+      const response = await fetch(`/api/credentials/${credentialId}`, {
+        method: 'DELETE',
+      })
+      if (!response.ok) {
+        const data = await response.json()
+        throw new Error(data.error || 'Failed to delete credential')
+      }
+      return response.json()
+    },
+    onSuccess: (_data, credentialId) => {
+      queryClient.invalidateQueries({ queryKey: workspaceCredentialKeys.detail(credentialId) })
+      queryClient.invalidateQueries({ queryKey: workspaceCredentialKeys.all })
+    },
+  })
+}
+
+export function useWorkspaceCredentialMembers(credentialId?: string) {
+  return useQuery<WorkspaceCredentialMember[]>({
+    queryKey: workspaceCredentialKeys.members(credentialId),
+    queryFn: async () => {
+      if (!credentialId) return []
+      const data = await fetchJson<MembersResponse>(`/api/credentials/${credentialId}/members`)
+      return data.members ?? []
+    },
+    enabled: Boolean(credentialId),
+    staleTime: 30 * 1000,
+  })
+}
+
+export function useUpsertWorkspaceCredentialMember() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async (payload: {
+      credentialId: string
+      userId: string
+      role: WorkspaceCredentialRole
+    }) => {
+      const response = await fetch(`/api/credentials/${payload.credentialId}/members`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          userId: payload.userId,
+          role: payload.role,
+        }),
+      })
+      if (!response.ok) {
+        const data = await response.json()
+        throw new Error(data.error || 'Failed to update credential member')
+      }
+      return response.json()
+    },
+    onSuccess: (_data, variables) => {
+      queryClient.invalidateQueries({
+        queryKey: workspaceCredentialKeys.members(variables.credentialId),
+      })
+      queryClient.invalidateQueries({
+        queryKey: workspaceCredentialKeys.detail(variables.credentialId),
+      })
+      queryClient.invalidateQueries({ queryKey: workspaceCredentialKeys.all })
+    },
+  })
+}
+
+export function useRemoveWorkspaceCredentialMember() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async (payload: { credentialId: string; userId: string }) => {
+      const response = await fetch(
+        `/api/credentials/${payload.credentialId}/members?userId=${encodeURIComponent(payload.userId)}`,
+        { method: 'DELETE' }
+      )
+      if (!response.ok) {
+        const data = await response.json()
+        throw new Error(data.error || 'Failed to remove credential member')
+      }
+      return response.json()
+    },
+    onSuccess: (_data, variables) => {
+      queryClient.invalidateQueries({
+        queryKey: workspaceCredentialKeys.members(variables.credentialId),
+      })
+      queryClient.invalidateQueries({
+        queryKey: workspaceCredentialKeys.detail(variables.credentialId),
+      })
+      queryClient.invalidateQueries({ queryKey: workspaceCredentialKeys.all })
+    },
+  })
+}
--- a/apps/sim/hooks/queries/oauth-connections.ts
+++ b/apps/sim/hooks/queries/oauth-connections.ts
@@ -169,9 +169,9 @@ export function useConnectOAuthService() {

 interface DisconnectServiceParams {
  provider: string
-  providerId: string
+  providerId?: string
  serviceId: string
-  accountId: string
+  accountId?: string
 }

 /**
@@ -182,7 +182,7 @@ export function useDisconnectOAuthService() {
  const queryClient = useQueryClient()

  return useMutation({
-    mutationFn: async ({ provider, providerId }: DisconnectServiceParams) => {
+    mutationFn: async ({ provider, providerId, accountId }: DisconnectServiceParams) => {
      const response = await fetch('/api/auth/oauth/disconnect', {
        method: 'POST',
        headers: {
@@ -191,6 +191,7 @@ export function useDisconnectOAuthService() {
        body: JSON.stringify({
          provider,
          providerId,
+          accountId,
        }),
      })

@@ -212,7 +213,8 @@ export function useDisconnectOAuthService() {
          oauthConnectionsKeys.connections(),
          previousServices.map((svc) => {
            if (svc.id === serviceId) {
-              const updatedAccounts = svc.accounts?.filter((acc) => acc.id !== accountId) || []
+              const updatedAccounts =
+                accountId && svc.accounts ? svc.accounts.filter((acc) => acc.id !== accountId) : []
              return {
                ...svc,
                accounts: updatedAccounts,
--- a/apps/sim/hooks/queries/oauth-credentials.ts
+++ b/apps/sim/hooks/queries/oauth-credentials.ts
@@ -1,6 +1,10 @@
 import { useQuery } from '@tanstack/react-query'
+import {
+  clearPendingOAuthCredentialDraft,
+  readPendingOAuthCredentialDraft,
+} from '@/lib/credentials/client-state'
 import type { Credential } from '@/lib/oauth'
-import { CREDENTIAL, CREDENTIAL_SET } from '@/executor/constants'
+import { CREDENTIAL_SET } from '@/executor/constants'
 import { useCredentialSetDetail } from '@/hooks/queries/credential-sets'
 import { fetchJson } from '@/hooks/selectors/helpers'

@@ -12,16 +16,108 @@ interface CredentialDetailResponse {
  credentials?: Credential[]
 }

+interface AuthAccountsResponse {
+  accounts?: Array<{ id: string }>
+}
+
 export const oauthCredentialKeys = {
-  list: (providerId?: string) => ['oauthCredentials', providerId ?? 'none'] as const,
+  list: (providerId?: string, workspaceId?: string, workflowId?: string) =>
+    [
+      'oauthCredentials',
+      providerId ?? 'none',
+      workspaceId ?? 'none',
+      workflowId ?? 'none',
+    ] as const,
  detail: (credentialId?: string, workflowId?: string) =>
    ['oauthCredentialDetail', credentialId ?? 'none', workflowId ?? 'none'] as const,
 }

-export async function fetchOAuthCredentials(providerId: string): Promise<Credential[]> {
+interface FetchOAuthCredentialsParams {
+  providerId: string
+  workspaceId?: string
+  workflowId?: string
+}
+
+async function finalizePendingOAuthCredentialDraftIfNeeded(params: {
+  providerId: string
+  workspaceId?: string
+}) {
+  const { providerId, workspaceId } = params
+  if (!workspaceId || !providerId) return
+  if (typeof window === 'undefined') return
+
+  const draft = readPendingOAuthCredentialDraft()
+  if (!draft) return
+  if (draft.workspaceId !== workspaceId || draft.providerId !== providerId) return
+
+  const draftAgeMs = Date.now() - draft.requestedAt
+  if (draftAgeMs > 15 * 60 * 1000) {
+    clearPendingOAuthCredentialDraft()
+    return
+  }
+
+  const bootstrapResponse = await fetch('/api/credentials/bootstrap', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ workspaceId }),
+  })
+  if (!bootstrapResponse.ok) {
+    return
+  }
+
+  const accountsResponse = await fetch(
+    `/api/auth/accounts?provider=${encodeURIComponent(providerId)}`
+  )
+  if (!accountsResponse.ok) {
+    return
+  }
+  const accountsData = (await accountsResponse.json()) as AuthAccountsResponse
+  const accountIds = (accountsData.accounts ?? []).map((account) => account.id)
+  if (accountIds.length === 0) {
+    return
+  }
+
+  const targetAccountId =
+    accountIds.find((accountId) => !draft.existingAccountIds.includes(accountId)) ?? accountIds[0]
+  if (!targetAccountId) {
+    return
+  }
+
+  const createResponse = await fetch('/api/credentials', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      workspaceId,
+      type: 'oauth',
+      displayName: draft.displayName,
+      providerId,
+      accountId: targetAccountId,
+    }),
+  })
+  if (!createResponse.ok) {
+    return
+  }
+
+  clearPendingOAuthCredentialDraft()
+  window.dispatchEvent(
+    new CustomEvent('oauth-credentials-updated', {
+      detail: { providerId, workspaceId },
+    })
+  )
+}
+
+export async function fetchOAuthCredentials(
+  params: FetchOAuthCredentialsParams
+): Promise<Credential[]> {
+  const { providerId, workspaceId, workflowId } = params
  if (!providerId) return []
+  await finalizePendingOAuthCredentialDraftIfNeeded({ providerId, workspaceId })
  const data = await fetchJson<CredentialListResponse>('/api/auth/oauth/credentials', {
-    searchParams: { provider: providerId },
+    searchParams: {
+      provider: providerId,
+      workspaceId,
+      workflowId,
+    },
  })
  return data.credentials ?? []
 }
@@ -40,10 +136,44 @@ export async function fetchOAuthCredentialDetail(
  return data.credentials ?? []
 }

-export function useOAuthCredentials(providerId?: string, enabled = true) {
+interface UseOAuthCredentialsOptions {
+  enabled?: boolean
+  workspaceId?: string
+  workflowId?: string
+}
+
+function resolveOptions(
+  enabledOrOptions?: boolean | UseOAuthCredentialsOptions
+): Required<UseOAuthCredentialsOptions> {
+  if (typeof enabledOrOptions === 'boolean') {
+    return {
+      enabled: enabledOrOptions,
+      workspaceId: '',
+      workflowId: '',
+    }
+  }
+
+  return {
+    enabled: enabledOrOptions?.enabled ?? true,
+    workspaceId: enabledOrOptions?.workspaceId ?? '',
+    workflowId: enabledOrOptions?.workflowId ?? '',
+  }
+}
+
+export function useOAuthCredentials(
+  providerId?: string,
+  enabledOrOptions?: boolean | UseOAuthCredentialsOptions
+) {
+  const { enabled, workspaceId, workflowId } = resolveOptions(enabledOrOptions)
+
  return useQuery<Credential[]>({
-    queryKey: oauthCredentialKeys.list(providerId),
-    queryFn: () => fetchOAuthCredentials(providerId ?? ''),
+    queryKey: oauthCredentialKeys.list(providerId, workspaceId, workflowId),
+    queryFn: () =>
+      fetchOAuthCredentials({
+        providerId: providerId ?? '',
+        workspaceId: workspaceId || undefined,
+        workflowId: workflowId || undefined,
+      }),
    enabled: Boolean(providerId) && enabled,
    staleTime: 60 * 1000,
  })
@@ -62,7 +192,12 @@ export function useOAuthCredentialDetail(
  })
 }

-export function useCredentialName(credentialId?: string, providerId?: string, workflowId?: string) {
+export function useCredentialName(
+  credentialId?: string,
+  providerId?: string,
+  workflowId?: string,
+  workspaceId?: string
+) {
  // Check if this is a credential set value
  const isCredentialSet = credentialId?.startsWith(CREDENTIAL_SET.PREFIX) ?? false
  const credentialSetId = isCredentialSet
@@ -77,7 +212,11 @@ export function useCredentialName(credentialId?: string, providerId?: string, wo

  const { data: credentials = [], isFetching: credentialsLoading } = useOAuthCredentials(
    providerId,
-    Boolean(providerId) && !isCredentialSet
+    {
+      enabled: Boolean(providerId) && !isCredentialSet,
+      workspaceId,
+      workflowId,
+    }
  )

  const selectedCredential = credentials.find((cred) => cred.id === credentialId)
@@ -92,18 +231,18 @@ export function useCredentialName(credentialId?: string, providerId?: string, wo
    shouldFetchDetail
  )

+  const detailCredential = foreignCredentials[0]
  const hasForeignMeta = foreignCredentials.length > 0
-  const isForeignCredentialSet = isCredentialSet && !credentialSetData && !credentialSetLoading

  const displayName =
-    credentialSetData?.name ??
-    selectedCredential?.name ??
-    (hasForeignMeta ? CREDENTIAL.FOREIGN_LABEL : null) ??
-    (isForeignCredentialSet ? CREDENTIAL.FOREIGN_LABEL : null)
+    credentialSetData?.name ?? selectedCredential?.name ?? detailCredential?.name ?? null

  return {
    displayName,
-    isLoading: credentialsLoading || foreignLoading || (isCredentialSet && credentialSetLoading),
+    isLoading:
+      credentialsLoading ||
+      foreignLoading ||
+      (isCredentialSet && credentialSetLoading && !credentialSetData),
    hasForeignMeta,
  }
 }
--- a/apps/sim/lib/auth/credential-access.ts
+++ b/apps/sim/lib/auth/credential-access.ts
@@ -1,6 +1,6 @@
 import { db } from '@sim/db'
-import { account, workflow as workflowTable } from '@sim/db/schema'
-import { eq } from 'drizzle-orm'
+import { account, credential, credentialMember, workflow as workflowTable } from '@sim/db/schema'
+import { and, eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
@@ -12,17 +12,14 @@ export interface CredentialAccessResult {
  requesterUserId?: string
  credentialOwnerUserId?: string
  workspaceId?: string
+  resolvedCredentialId?: string
 }

 /**
- * Centralizes auth + collaboration rules for credential use.
- * - Uses checkSessionOrInternalAuth to authenticate the caller
- * - Fetches credential owner
- * - Authorization rules:
- *   - session: allow if requester owns the credential; otherwise require workflowId and
- *     verify BOTH requester and owner have access to the workflow's workspace
- *   - internal_jwt: require workflowId (by default) and verify credential owner has access to the
- *     workflow's workspace (requester identity is the system/workflow)
+ * Centralizes auth + credential membership checks for OAuth usage.
+ * - Workspace-scoped credential IDs enforce active credential_member access.
+ * - Legacy account IDs are resolved to workspace-scoped credentials when workflowId is provided.
+ * - Direct legacy account-ID access without workflowId is restricted to account owners only.
 */
 export async function authorizeCredentialUse(
  request: NextRequest,
@@ -37,71 +34,173 @@ export async function authorizeCredentialUse(
    return { ok: false, error: auth.error || 'Authentication required' }
  }

-  // Lookup credential owner
-  const [credRow] = await db
+  const [workflowContext] = workflowId
+    ? await db
+        .select({ workspaceId: workflowTable.workspaceId })
+        .from(workflowTable)
+        .where(eq(workflowTable.id, workflowId))
+        .limit(1)
+    : [null]
+
+  if (workflowId && (!workflowContext || !workflowContext.workspaceId)) {
+    return { ok: false, error: 'Workflow not found' }
+  }
+
+  const [platformCredential] = await db
+    .select({
+      id: credential.id,
+      workspaceId: credential.workspaceId,
+      type: credential.type,
+      accountId: credential.accountId,
+    })
+    .from(credential)
+    .where(eq(credential.id, credentialId))
+    .limit(1)
+
+  if (platformCredential) {
+    if (platformCredential.type !== 'oauth' || !platformCredential.accountId) {
+      return { ok: false, error: 'Unsupported credential type for OAuth access' }
+    }
+
+    if (workflowContext && workflowContext.workspaceId !== platformCredential.workspaceId) {
+      return { ok: false, error: 'Credential is not accessible from this workflow workspace' }
+    }
+
+    const [accountRow] = await db
+      .select({ userId: account.userId })
+      .from(account)
+      .where(eq(account.id, platformCredential.accountId))
+      .limit(1)
+
+    if (!accountRow) {
+      return { ok: false, error: 'Credential account not found' }
+    }
+
+    const requesterPerm =
+      auth.authType === 'internal_jwt'
+        ? null
+        : await getUserEntityPermissions(auth.userId, 'workspace', platformCredential.workspaceId)
+
+    if (auth.authType !== 'internal_jwt') {
+      const [membership] = await db
+        .select({ id: credentialMember.id })
+        .from(credentialMember)
+        .where(
+          and(
+            eq(credentialMember.credentialId, platformCredential.id),
+            eq(credentialMember.userId, auth.userId),
+            eq(credentialMember.status, 'active')
+          )
+        )
+        .limit(1)
+
+      if (!membership || requesterPerm === null) {
+        return { ok: false, error: 'Unauthorized' }
+      }
+    }
+
+    const ownerPerm = await getUserEntityPermissions(
+      accountRow.userId,
+      'workspace',
+      platformCredential.workspaceId
+    )
+    if (ownerPerm === null) {
+      return { ok: false, error: 'Unauthorized' }
+    }
+
+    return {
+      ok: true,
+      authType: auth.authType as CredentialAccessResult['authType'],
+      requesterUserId: auth.userId,
+      credentialOwnerUserId: accountRow.userId,
+      workspaceId: platformCredential.workspaceId,
+      resolvedCredentialId: platformCredential.accountId,
+    }
+  }
+
+  if (workflowContext?.workspaceId) {
+    const [workspaceCredential] = await db
+      .select({
+        id: credential.id,
+        workspaceId: credential.workspaceId,
+        accountId: credential.accountId,
+      })
+      .from(credential)
+      .where(
+        and(
+          eq(credential.type, 'oauth'),
+          eq(credential.workspaceId, workflowContext.workspaceId),
+          eq(credential.accountId, credentialId)
+        )
+      )
+      .limit(1)
+
+    if (!workspaceCredential?.accountId) {
+      return { ok: false, error: 'Credential not found' }
+    }
+
+    const [accountRow] = await db
+      .select({ userId: account.userId })
+      .from(account)
+      .where(eq(account.id, workspaceCredential.accountId))
+      .limit(1)
+
+    if (!accountRow) {
+      return { ok: false, error: 'Credential account not found' }
+    }
+
+    if (auth.authType !== 'internal_jwt') {
+      const [membership] = await db
+        .select({ id: credentialMember.id })
+        .from(credentialMember)
+        .where(
+          and(
+            eq(credentialMember.credentialId, workspaceCredential.id),
+            eq(credentialMember.userId, auth.userId),
+            eq(credentialMember.status, 'active')
+          )
+        )
+        .limit(1)
+
+      if (!membership) {
+        return { ok: false, error: 'Unauthorized' }
+      }
+    }
+
+    const ownerPerm = await getUserEntityPermissions(
+      accountRow.userId,
+      'workspace',
+      workflowContext.workspaceId
+    )
+    if (ownerPerm === null) {
+      return { ok: false, error: 'Unauthorized' }
+    }
+
+    return {
+      ok: true,
+      authType: auth.authType as CredentialAccessResult['authType'],
+      requesterUserId: auth.userId,
+      credentialOwnerUserId: accountRow.userId,
+      workspaceId: workflowContext.workspaceId,
+      resolvedCredentialId: workspaceCredential.accountId,
+    }
+  }
+
+  const [legacyAccount] = await db
    .select({ userId: account.userId })
    .from(account)
    .where(eq(account.id, credentialId))
    .limit(1)

-  if (!credRow) {
+  if (!legacyAccount) {
    return { ok: false, error: 'Credential not found' }
  }

-  const credentialOwnerUserId = credRow.userId
-
-  // If requester owns the credential, allow immediately
-  if (auth.authType !== 'internal_jwt' && auth.userId === credentialOwnerUserId) {
-    return {
-      ok: true,
-      authType: auth.authType as CredentialAccessResult['authType'],
-      requesterUserId: auth.userId,
-      credentialOwnerUserId,
-    }
-  }
-
-  // For collaboration paths, workflowId is required to scope to a workspace
-  if (!workflowId) {
+  if (auth.authType === 'internal_jwt') {
    return { ok: false, error: 'workflowId is required' }
  }

-  const [wf] = await db
-    .select({ workspaceId: workflowTable.workspaceId })
-    .from(workflowTable)
-    .where(eq(workflowTable.id, workflowId))
-    .limit(1)
-
-  if (!wf || !wf.workspaceId) {
-    return { ok: false, error: 'Workflow not found' }
-  }
-
-  if (auth.authType === 'internal_jwt') {
-    // Internal calls: verify credential owner belongs to the workflow's workspace
-    const ownerPerm = await getUserEntityPermissions(
-      credentialOwnerUserId,
-      'workspace',
-      wf.workspaceId
-    )
-    if (ownerPerm === null) {
-      return { ok: false, error: 'Unauthorized' }
-    }
-    return {
-      ok: true,
-      authType: auth.authType as CredentialAccessResult['authType'],
-      requesterUserId: auth.userId,
-      credentialOwnerUserId,
-      workspaceId: wf.workspaceId,
-    }
-  }
-
-  // Session: verify BOTH requester and owner belong to the workflow's workspace
-  const requesterPerm = await getUserEntityPermissions(auth.userId, 'workspace', wf.workspaceId)
-  const ownerPerm = await getUserEntityPermissions(
-    credentialOwnerUserId,
-    'workspace',
-    wf.workspaceId
-  )
-  if (requesterPerm === null || ownerPerm === null) {
+  if (auth.userId !== legacyAccount.userId) {
    return { ok: false, error: 'Unauthorized' }
  }

@@ -109,7 +208,7 @@ export async function authorizeCredentialUse(
    ok: true,
    authType: auth.authType as CredentialAccessResult['authType'],
    requesterUserId: auth.userId,
-    credentialOwnerUserId,
-    workspaceId: wf.workspaceId,
+    credentialOwnerUserId: legacyAccount.userId,
+    resolvedCredentialId: credentialId,
  }
 }
--- a/apps/sim/lib/credentials/access.ts
+++ b/apps/sim/lib/credentials/access.ts
@@ -0,0 +1,62 @@
+import { db } from '@sim/db'
+import { credential, credentialMember } from '@sim/db/schema'
+import { and, eq } from 'drizzle-orm'
+import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
+
+type ActiveCredentialMember = typeof credentialMember.$inferSelect
+type CredentialRecord = typeof credential.$inferSelect
+
+export interface CredentialActorContext {
+  credential: CredentialRecord | null
+  member: ActiveCredentialMember | null
+  hasWorkspaceAccess: boolean
+  canWriteWorkspace: boolean
+  isAdmin: boolean
+}
+
+/**
+ * Resolves user access context for a credential.
+ */
+export async function getCredentialActorContext(
+  credentialId: string,
+  userId: string
+): Promise<CredentialActorContext> {
+  const [credentialRow] = await db
+    .select()
+    .from(credential)
+    .where(eq(credential.id, credentialId))
+    .limit(1)
+
+  if (!credentialRow) {
+    return {
+      credential: null,
+      member: null,
+      hasWorkspaceAccess: false,
+      canWriteWorkspace: false,
+      isAdmin: false,
+    }
+  }
+
+  const workspaceAccess = await checkWorkspaceAccess(credentialRow.workspaceId, userId)
+  const [memberRow] = await db
+    .select()
+    .from(credentialMember)
+    .where(
+      and(
+        eq(credentialMember.credentialId, credentialId),
+        eq(credentialMember.userId, userId),
+        eq(credentialMember.status, 'active')
+      )
+    )
+    .limit(1)
+
+  const isAdmin = memberRow?.role === 'admin'
+
+  return {
+    credential: credentialRow,
+    member: memberRow ?? null,
+    hasWorkspaceAccess: workspaceAccess.hasAccess,
+    canWriteWorkspace: workspaceAccess.canWrite,
+    isAdmin,
+  }
+}
--- a/apps/sim/lib/credentials/client-state.ts
+++ b/apps/sim/lib/credentials/client-state.ts
@@ -0,0 +1,66 @@
+'use client'
+
+export const PENDING_OAUTH_CREDENTIAL_DRAFT_KEY = 'sim.pending-oauth-credential-draft'
+export const PENDING_CREDENTIAL_CREATE_REQUEST_KEY = 'sim.pending-credential-create-request'
+
+export interface PendingOAuthCredentialDraft {
+  workspaceId: string
+  providerId: string
+  displayName: string
+  existingCredentialIds: string[]
+  existingAccountIds: string[]
+  requestedAt: number
+}
+
+export interface PendingCredentialCreateRequest {
+  workspaceId: string
+  type: 'oauth'
+  providerId: string
+  displayName: string
+  serviceId: string
+  requiredScopes: string[]
+  requestedAt: number
+}
+
+function parseJson<T>(raw: string | null): T | null {
+  if (!raw) return null
+  try {
+    return JSON.parse(raw) as T
+  } catch {
+    return null
+  }
+}
+
+export function readPendingOAuthCredentialDraft(): PendingOAuthCredentialDraft | null {
+  if (typeof window === 'undefined') return null
+  return parseJson<PendingOAuthCredentialDraft>(
+    window.sessionStorage.getItem(PENDING_OAUTH_CREDENTIAL_DRAFT_KEY)
+  )
+}
+
+export function writePendingOAuthCredentialDraft(payload: PendingOAuthCredentialDraft) {
+  if (typeof window === 'undefined') return
+  window.sessionStorage.setItem(PENDING_OAUTH_CREDENTIAL_DRAFT_KEY, JSON.stringify(payload))
+}
+
+export function clearPendingOAuthCredentialDraft() {
+  if (typeof window === 'undefined') return
+  window.sessionStorage.removeItem(PENDING_OAUTH_CREDENTIAL_DRAFT_KEY)
+}
+
+export function readPendingCredentialCreateRequest(): PendingCredentialCreateRequest | null {
+  if (typeof window === 'undefined') return null
+  return parseJson<PendingCredentialCreateRequest>(
+    window.sessionStorage.getItem(PENDING_CREDENTIAL_CREATE_REQUEST_KEY)
+  )
+}
+
+export function writePendingCredentialCreateRequest(payload: PendingCredentialCreateRequest) {
+  if (typeof window === 'undefined') return
+  window.sessionStorage.setItem(PENDING_CREDENTIAL_CREATE_REQUEST_KEY, JSON.stringify(payload))
+}
+
+export function clearPendingCredentialCreateRequest() {
+  if (typeof window === 'undefined') return
+  window.sessionStorage.removeItem(PENDING_CREDENTIAL_CREATE_REQUEST_KEY)
+}
--- a/apps/sim/lib/credentials/environment.ts
+++ b/apps/sim/lib/credentials/environment.ts
@@ -0,0 +1,340 @@
+import { db } from '@sim/db'
+import { credential, credentialMember, permissions, workspace } from '@sim/db/schema'
+import { and, eq, inArray, notInArray } from 'drizzle-orm'
+
+interface AccessibleEnvCredential {
+  type: 'env_workspace' | 'env_personal'
+  envKey: string
+  envOwnerUserId: string | null
+  updatedAt: Date
+}
+
+export async function getWorkspaceMemberUserIds(workspaceId: string): Promise<string[]> {
+  const [workspaceRows, permissionRows] = await Promise.all([
+    db
+      .select({ ownerId: workspace.ownerId })
+      .from(workspace)
+      .where(eq(workspace.id, workspaceId))
+      .limit(1),
+    db
+      .select({ userId: permissions.userId })
+      .from(permissions)
+      .where(and(eq(permissions.entityType, 'workspace'), eq(permissions.entityId, workspaceId))),
+  ])
+  const workspaceRow = workspaceRows[0]
+
+  const memberIds = new Set<string>(permissionRows.map((row) => row.userId))
+  if (workspaceRow?.ownerId) {
+    memberIds.add(workspaceRow.ownerId)
+  }
+  return Array.from(memberIds)
+}
+
+export async function getUserWorkspaceIds(userId: string): Promise<string[]> {
+  const [permissionRows, ownedWorkspaceRows] = await Promise.all([
+    db
+      .select({ workspaceId: workspace.id })
+      .from(permissions)
+      .innerJoin(
+        workspace,
+        and(eq(permissions.entityType, 'workspace'), eq(permissions.entityId, workspace.id))
+      )
+      .where(eq(permissions.userId, userId)),
+    db.select({ workspaceId: workspace.id }).from(workspace).where(eq(workspace.ownerId, userId)),
+  ])
+
+  const workspaceIds = new Set<string>(permissionRows.map((row) => row.workspaceId))
+  for (const row of ownedWorkspaceRows) {
+    workspaceIds.add(row.workspaceId)
+  }
+
+  return Array.from(workspaceIds)
+}
+
+async function upsertCredentialAdminMember(credentialId: string, adminUserId: string) {
+  const now = new Date()
+  const [existingMembership] = await db
+    .select({ id: credentialMember.id, joinedAt: credentialMember.joinedAt })
+    .from(credentialMember)
+    .where(
+      and(eq(credentialMember.credentialId, credentialId), eq(credentialMember.userId, adminUserId))
+    )
+    .limit(1)
+
+  if (existingMembership) {
+    await db
+      .update(credentialMember)
+      .set({
+        role: 'admin',
+        status: 'active',
+        joinedAt: existingMembership.joinedAt ?? now,
+        invitedBy: adminUserId,
+        updatedAt: now,
+      })
+      .where(eq(credentialMember.id, existingMembership.id))
+    return
+  }
+
+  await db.insert(credentialMember).values({
+    id: crypto.randomUUID(),
+    credentialId,
+    userId: adminUserId,
+    role: 'admin',
+    status: 'active',
+    joinedAt: now,
+    invitedBy: adminUserId,
+    createdAt: now,
+    updatedAt: now,
+  })
+}
+
+async function ensureWorkspaceCredentialMemberships(
+  credentialId: string,
+  workspaceId: string,
+  ownerUserId: string
+) {
+  const workspaceMemberUserIds = await getWorkspaceMemberUserIds(workspaceId)
+  if (!workspaceMemberUserIds.length) return
+
+  const existingMemberships = await db
+    .select({
+      id: credentialMember.id,
+      userId: credentialMember.userId,
+      joinedAt: credentialMember.joinedAt,
+    })
+    .from(credentialMember)
+    .where(
+      and(
+        eq(credentialMember.credentialId, credentialId),
+        inArray(credentialMember.userId, workspaceMemberUserIds)
+      )
+    )
+
+  const byUserId = new Map(existingMemberships.map((row) => [row.userId, row]))
+  const now = new Date()
+
+  for (const memberUserId of workspaceMemberUserIds) {
+    const targetRole = memberUserId === ownerUserId ? 'admin' : 'member'
+    const existing = byUserId.get(memberUserId)
+    if (existing) {
+      await db
+        .update(credentialMember)
+        .set({
+          role: targetRole,
+          status: 'active',
+          joinedAt: existing.joinedAt ?? now,
+          invitedBy: ownerUserId,
+          updatedAt: now,
+        })
+        .where(eq(credentialMember.id, existing.id))
+      continue
+    }
+
+    await db.insert(credentialMember).values({
+      id: crypto.randomUUID(),
+      credentialId,
+      userId: memberUserId,
+      role: targetRole,
+      status: 'active',
+      joinedAt: now,
+      invitedBy: ownerUserId,
+      createdAt: now,
+      updatedAt: now,
+    })
+  }
+}
+
+export async function syncWorkspaceEnvCredentials(params: {
+  workspaceId: string
+  envKeys: string[]
+  actingUserId: string
+}) {
+  const { workspaceId, envKeys, actingUserId } = params
+  const [workspaceRow] = await db
+    .select({ ownerId: workspace.ownerId })
+    .from(workspace)
+    .where(eq(workspace.id, workspaceId))
+    .limit(1)
+
+  if (!workspaceRow) return
+
+  const normalizedKeys = Array.from(new Set(envKeys.filter(Boolean)))
+  const existingCredentials = await db
+    .select({
+      id: credential.id,
+      envKey: credential.envKey,
+    })
+    .from(credential)
+    .where(and(eq(credential.workspaceId, workspaceId), eq(credential.type, 'env_workspace')))
+
+  const existingByKey = new Map(
+    existingCredentials
+      .filter((row): row is { id: string; envKey: string } => Boolean(row.envKey))
+      .map((row) => [row.envKey, row.id])
+  )
+
+  const credentialIdsToEnsureMembership = new Set<string>()
+  const now = new Date()
+
+  for (const envKey of normalizedKeys) {
+    const existingId = existingByKey.get(envKey)
+    if (existingId) {
+      credentialIdsToEnsureMembership.add(existingId)
+      continue
+    }
+
+    const createdId = crypto.randomUUID()
+    await db.insert(credential).values({
+      id: createdId,
+      workspaceId,
+      type: 'env_workspace',
+      displayName: envKey,
+      envKey,
+      createdBy: actingUserId,
+      createdAt: now,
+      updatedAt: now,
+    })
+    credentialIdsToEnsureMembership.add(createdId)
+  }
+
+  for (const credentialId of credentialIdsToEnsureMembership) {
+    await ensureWorkspaceCredentialMemberships(credentialId, workspaceId, workspaceRow.ownerId)
+  }
+
+  if (normalizedKeys.length > 0) {
+    await db
+      .delete(credential)
+      .where(
+        and(
+          eq(credential.workspaceId, workspaceId),
+          eq(credential.type, 'env_workspace'),
+          notInArray(credential.envKey, normalizedKeys)
+        )
+      )
+    return
+  }
+
+  await db
+    .delete(credential)
+    .where(and(eq(credential.workspaceId, workspaceId), eq(credential.type, 'env_workspace')))
+}
+
+export async function syncPersonalEnvCredentialsForUser(params: {
+  userId: string
+  envKeys: string[]
+}) {
+  const { userId, envKeys } = params
+  const workspaceIds = await getUserWorkspaceIds(userId)
+  if (!workspaceIds.length) return
+
+  const normalizedKeys = Array.from(new Set(envKeys.filter(Boolean)))
+  const now = new Date()
+
+  for (const workspaceId of workspaceIds) {
+    const existingCredentials = await db
+      .select({
+        id: credential.id,
+        envKey: credential.envKey,
+      })
+      .from(credential)
+      .where(
+        and(
+          eq(credential.workspaceId, workspaceId),
+          eq(credential.type, 'env_personal'),
+          eq(credential.envOwnerUserId, userId)
+        )
+      )
+
+    const existingByKey = new Map(
+      existingCredentials
+        .filter((row): row is { id: string; envKey: string } => Boolean(row.envKey))
+        .map((row) => [row.envKey, row.id])
+    )
+
+    for (const envKey of normalizedKeys) {
+      const existingId = existingByKey.get(envKey)
+      if (existingId) {
+        await upsertCredentialAdminMember(existingId, userId)
+        continue
+      }
+
+      const createdId = crypto.randomUUID()
+      await db.insert(credential).values({
+        id: createdId,
+        workspaceId,
+        type: 'env_personal',
+        displayName: envKey,
+        envKey,
+        envOwnerUserId: userId,
+        createdBy: userId,
+        createdAt: now,
+        updatedAt: now,
+      })
+      await upsertCredentialAdminMember(createdId, userId)
+    }
+
+    if (normalizedKeys.length > 0) {
+      await db
+        .delete(credential)
+        .where(
+          and(
+            eq(credential.workspaceId, workspaceId),
+            eq(credential.type, 'env_personal'),
+            eq(credential.envOwnerUserId, userId),
+            notInArray(credential.envKey, normalizedKeys)
+          )
+        )
+      continue
+    }
+
+    await db
+      .delete(credential)
+      .where(
+        and(
+          eq(credential.workspaceId, workspaceId),
+          eq(credential.type, 'env_personal'),
+          eq(credential.envOwnerUserId, userId)
+        )
+      )
+  }
+}
+
+export async function getAccessibleEnvCredentials(
+  workspaceId: string,
+  userId: string
+): Promise<AccessibleEnvCredential[]> {
+  const rows = await db
+    .select({
+      type: credential.type,
+      envKey: credential.envKey,
+      envOwnerUserId: credential.envOwnerUserId,
+      updatedAt: credential.updatedAt,
+    })
+    .from(credential)
+    .innerJoin(
+      credentialMember,
+      and(
+        eq(credentialMember.credentialId, credential.id),
+        eq(credentialMember.userId, userId),
+        eq(credentialMember.status, 'active')
+      )
+    )
+    .where(
+      and(
+        eq(credential.workspaceId, workspaceId),
+        inArray(credential.type, ['env_workspace', 'env_personal'])
+      )
+    )
+
+  return rows
+    .filter(
+      (row): row is AccessibleEnvCredential =>
+        (row.type === 'env_workspace' || row.type === 'env_personal') && Boolean(row.envKey)
+    )
+    .map((row) => ({
+      type: row.type,
+      envKey: row.envKey!,
+      envOwnerUserId: row.envOwnerUserId,
+      updatedAt: row.updatedAt,
+    }))
+}
--- a/apps/sim/lib/credentials/oauth.ts
+++ b/apps/sim/lib/credentials/oauth.ts
@@ -0,0 +1,157 @@
+import { db } from '@sim/db'
+import { account, credential, credentialMember } from '@sim/db/schema'
+import { and, eq, inArray } from 'drizzle-orm'
+
+interface SyncWorkspaceOAuthCredentialsForUserParams {
+  workspaceId: string
+  userId: string
+}
+
+interface SyncWorkspaceOAuthCredentialsForUserResult {
+  createdCredentials: number
+  updatedMemberships: number
+}
+
+/**
+ * Ensures connected OAuth accounts for a user exist as workspace-scoped credentials.
+ */
+export async function syncWorkspaceOAuthCredentialsForUser(
+  params: SyncWorkspaceOAuthCredentialsForUserParams
+): Promise<SyncWorkspaceOAuthCredentialsForUserResult> {
+  const { workspaceId, userId } = params
+
+  const userAccounts = await db
+    .select({
+      id: account.id,
+      providerId: account.providerId,
+      accountId: account.accountId,
+    })
+    .from(account)
+    .where(eq(account.userId, userId))
+
+  if (userAccounts.length === 0) {
+    return { createdCredentials: 0, updatedMemberships: 0 }
+  }
+
+  const accountIds = userAccounts.map((row) => row.id)
+  const existingCredentials = await db
+    .select({
+      id: credential.id,
+      accountId: credential.accountId,
+    })
+    .from(credential)
+    .where(
+      and(
+        eq(credential.workspaceId, workspaceId),
+        eq(credential.type, 'oauth'),
+        inArray(credential.accountId, accountIds)
+      )
+    )
+
+  const existingByAccountId = new Map(
+    existingCredentials
+      .filter((row): row is { id: string; accountId: string } => Boolean(row.accountId))
+      .map((row) => [row.accountId, row.id])
+  )
+
+  let createdCredentials = 0
+  const now = new Date()
+
+  for (const acc of userAccounts) {
+    if (existingByAccountId.has(acc.id)) {
+      continue
+    }
+
+    try {
+      await db.insert(credential).values({
+        id: crypto.randomUUID(),
+        workspaceId,
+        type: 'oauth',
+        displayName: acc.accountId || acc.providerId,
+        providerId: acc.providerId,
+        accountId: acc.id,
+        createdBy: userId,
+        createdAt: now,
+        updatedAt: now,
+      })
+      createdCredentials += 1
+    } catch (error: any) {
+      if (error?.code !== '23505') {
+        throw error
+      }
+    }
+  }
+
+  const credentialRows = await db
+    .select({ id: credential.id, accountId: credential.accountId })
+    .from(credential)
+    .where(
+      and(
+        eq(credential.workspaceId, workspaceId),
+        eq(credential.type, 'oauth'),
+        inArray(credential.accountId, accountIds)
+      )
+    )
+
+  const credentialIdByAccountId = new Map(
+    credentialRows
+      .filter((row): row is { id: string; accountId: string } => Boolean(row.accountId))
+      .map((row) => [row.accountId, row.id])
+  )
+  const allCredentialIds = Array.from(credentialIdByAccountId.values())
+  if (allCredentialIds.length === 0) {
+    return { createdCredentials, updatedMemberships: 0 }
+  }
+
+  const existingMemberships = await db
+    .select({
+      id: credentialMember.id,
+      credentialId: credentialMember.credentialId,
+      joinedAt: credentialMember.joinedAt,
+    })
+    .from(credentialMember)
+    .where(
+      and(
+        inArray(credentialMember.credentialId, allCredentialIds),
+        eq(credentialMember.userId, userId)
+      )
+    )
+
+  const membershipByCredentialId = new Map(
+    existingMemberships.map((row) => [row.credentialId, row])
+  )
+  let updatedMemberships = 0
+
+  for (const credentialId of allCredentialIds) {
+    const existingMembership = membershipByCredentialId.get(credentialId)
+    if (existingMembership) {
+      await db
+        .update(credentialMember)
+        .set({
+          role: 'admin',
+          status: 'active',
+          joinedAt: existingMembership.joinedAt ?? now,
+          invitedBy: userId,
+          updatedAt: now,
+        })
+        .where(eq(credentialMember.id, existingMembership.id))
+      updatedMemberships += 1
+      continue
+    }
+
+    await db.insert(credentialMember).values({
+      id: crypto.randomUUID(),
+      credentialId,
+      userId,
+      role: 'admin',
+      status: 'active',
+      joinedAt: now,
+      invitedBy: userId,
+      createdAt: now,
+      updatedAt: now,
+    })
+    updatedMemberships += 1
+  }
+
+  return { createdCredentials, updatedMemberships }
+}
--- a/apps/sim/lib/environment/utils.ts
+++ b/apps/sim/lib/environment/utils.ts
@@ -1,8 +1,9 @@
 import { db } from '@sim/db'
 import { environment, workspaceEnvironment } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { eq } from 'drizzle-orm'
+import { eq, inArray } from 'drizzle-orm'
 import { decryptSecret } from '@/lib/core/security/encryption'
+import { getAccessibleEnvCredentials } from '@/lib/credentials/environment'

 const logger = createLogger('EnvironmentUtils')

@@ -53,7 +54,7 @@ export async function getPersonalAndWorkspaceEnv(
  conflicts: string[]
  decryptionFailures: string[]
 }> {
-  const [personalRows, workspaceRows] = await Promise.all([
+  const [personalRows, workspaceRows, accessibleEnvCredentials] = await Promise.all([
    db.select().from(environment).where(eq(environment.userId, userId)).limit(1),
    workspaceId
      ? db
@@ -62,10 +63,69 @@ export async function getPersonalAndWorkspaceEnv(
          .where(eq(workspaceEnvironment.workspaceId, workspaceId))
          .limit(1)
      : Promise.resolve([] as any[]),
+    workspaceId ? getAccessibleEnvCredentials(workspaceId, userId) : Promise.resolve([]),
  ])

-  const personalEncrypted: Record<string, string> = (personalRows[0]?.variables as any) || {}
-  const workspaceEncrypted: Record<string, string> = (workspaceRows[0]?.variables as any) || {}
+  const ownPersonalEncrypted: Record<string, string> = (personalRows[0]?.variables as any) || {}
+  const allWorkspaceEncrypted: Record<string, string> = (workspaceRows[0]?.variables as any) || {}
+
+  const hasCredentialFiltering = Boolean(workspaceId) && accessibleEnvCredentials.length > 0
+  const workspaceCredentialKeys = new Set(
+    accessibleEnvCredentials.filter((row) => row.type === 'env_workspace').map((row) => row.envKey)
+  )
+
+  const personalCredentialRows = accessibleEnvCredentials
+    .filter((row) => row.type === 'env_personal' && row.envOwnerUserId)
+    .sort((a, b) => {
+      const aIsRequester = a.envOwnerUserId === userId
+      const bIsRequester = b.envOwnerUserId === userId
+      if (aIsRequester && !bIsRequester) return -1
+      if (!aIsRequester && bIsRequester) return 1
+      return b.updatedAt.getTime() - a.updatedAt.getTime()
+    })
+
+  const selectedPersonalOwners = new Map<string, string>()
+  for (const row of personalCredentialRows) {
+    if (!selectedPersonalOwners.has(row.envKey) && row.envOwnerUserId) {
+      selectedPersonalOwners.set(row.envKey, row.envOwnerUserId)
+    }
+  }
+
+  const ownerUserIds = Array.from(new Set(selectedPersonalOwners.values()))
+  const ownerEnvironmentRows =
+    ownerUserIds.length > 0
+      ? await db
+          .select({
+            userId: environment.userId,
+            variables: environment.variables,
+          })
+          .from(environment)
+          .where(inArray(environment.userId, ownerUserIds))
+      : []
+
+  const ownerVariablesByUserId = new Map<string, Record<string, string>>(
+    ownerEnvironmentRows.map((row) => [row.userId, (row.variables as Record<string, string>) || {}])
+  )
+
+  let personalEncrypted: Record<string, string> = ownPersonalEncrypted
+  let workspaceEncrypted: Record<string, string> = allWorkspaceEncrypted
+
+  if (hasCredentialFiltering) {
+    personalEncrypted = {}
+    for (const [envKey, ownerUserId] of selectedPersonalOwners.entries()) {
+      const ownerVariables = ownerVariablesByUserId.get(ownerUserId)
+      const encryptedValue = ownerVariables?.[envKey]
+      if (encryptedValue) {
+        personalEncrypted[envKey] = encryptedValue
+      }
+    }
+
+    workspaceEncrypted = Object.fromEntries(
+      Object.entries(allWorkspaceEncrypted).filter(([envKey]) =>
+        workspaceCredentialKeys.has(envKey)
+      )
+    )
+  }

  const decryptionFailures: string[] = []

--- a/apps/sim/stores/modals/settings/types.ts
+++ b/apps/sim/stores/modals/settings/types.ts
@@ -1,5 +1,6 @@
 export type SettingsSection =
  | 'general'
+  | 'credentials'
  | 'environment'
  | 'template-profile'
  | 'integrations'
--- a/packages/db/migrations/0154_luxuriant_maria_hill.sql
+++ b/packages/db/migrations/0154_luxuriant_maria_hill.sql
@@ -0,0 +1,260 @@
+CREATE TYPE "public"."credential_member_role" AS ENUM('admin', 'member');--> statement-breakpoint
+CREATE TYPE "public"."credential_member_status" AS ENUM('active', 'pending', 'revoked');--> statement-breakpoint
+CREATE TYPE "public"."credential_type" AS ENUM('oauth', 'env_workspace', 'env_personal');--> statement-breakpoint
+CREATE TABLE "credential" (
+	"id" text PRIMARY KEY NOT NULL,
+	"workspace_id" text NOT NULL,
+	"type" "credential_type" NOT NULL,
+	"display_name" text NOT NULL,
+	"provider_id" text,
+	"account_id" text,
+	"env_key" text,
+	"env_owner_user_id" text,
+	"created_by" text NOT NULL,
+	"created_at" timestamp DEFAULT now() NOT NULL,
+	"updated_at" timestamp DEFAULT now() NOT NULL,
+	CONSTRAINT "credential_oauth_source_check" CHECK ((type <> 'oauth') OR (account_id IS NOT NULL AND provider_id IS NOT NULL)),
+	CONSTRAINT "credential_workspace_env_source_check" CHECK ((type <> 'env_workspace') OR (env_key IS NOT NULL AND env_owner_user_id IS NULL)),
+	CONSTRAINT "credential_personal_env_source_check" CHECK ((type <> 'env_personal') OR (env_key IS NOT NULL AND env_owner_user_id IS NOT NULL))
+);
+--> statement-breakpoint
+CREATE TABLE "credential_member" (
+	"id" text PRIMARY KEY NOT NULL,
+	"credential_id" text NOT NULL,
+	"user_id" text NOT NULL,
+	"role" "credential_member_role" DEFAULT 'member' NOT NULL,
+	"status" "credential_member_status" DEFAULT 'active' NOT NULL,
+	"joined_at" timestamp,
+	"invited_by" text,
+	"created_at" timestamp DEFAULT now() NOT NULL,
+	"updated_at" timestamp DEFAULT now() NOT NULL
+);
+--> statement-breakpoint
+ALTER TABLE "credential" ADD CONSTRAINT "credential_workspace_id_workspace_id_fk" FOREIGN KEY ("workspace_id") REFERENCES "public"."workspace"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "credential" ADD CONSTRAINT "credential_account_id_account_id_fk" FOREIGN KEY ("account_id") REFERENCES "public"."account"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "credential" ADD CONSTRAINT "credential_env_owner_user_id_user_id_fk" FOREIGN KEY ("env_owner_user_id") REFERENCES "public"."user"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "credential" ADD CONSTRAINT "credential_created_by_user_id_fk" FOREIGN KEY ("created_by") REFERENCES "public"."user"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "credential_member" ADD CONSTRAINT "credential_member_credential_id_credential_id_fk" FOREIGN KEY ("credential_id") REFERENCES "public"."credential"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "credential_member" ADD CONSTRAINT "credential_member_user_id_user_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."user"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "credential_member" ADD CONSTRAINT "credential_member_invited_by_user_id_fk" FOREIGN KEY ("invited_by") REFERENCES "public"."user"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
+CREATE INDEX "credential_workspace_id_idx" ON "credential" USING btree ("workspace_id");--> statement-breakpoint
+CREATE INDEX "credential_type_idx" ON "credential" USING btree ("type");--> statement-breakpoint
+CREATE INDEX "credential_provider_id_idx" ON "credential" USING btree ("provider_id");--> statement-breakpoint
+CREATE INDEX "credential_account_id_idx" ON "credential" USING btree ("account_id");--> statement-breakpoint
+CREATE INDEX "credential_env_owner_user_id_idx" ON "credential" USING btree ("env_owner_user_id");--> statement-breakpoint
+CREATE UNIQUE INDEX "credential_workspace_account_unique" ON "credential" USING btree ("workspace_id","account_id") WHERE account_id IS NOT NULL;--> statement-breakpoint
+CREATE UNIQUE INDEX "credential_workspace_env_unique" ON "credential" USING btree ("workspace_id","type","env_key") WHERE type = 'env_workspace';--> statement-breakpoint
+CREATE UNIQUE INDEX "credential_workspace_personal_env_unique" ON "credential" USING btree ("workspace_id","type","env_key","env_owner_user_id") WHERE type = 'env_personal';--> statement-breakpoint
+CREATE INDEX "credential_member_credential_id_idx" ON "credential_member" USING btree ("credential_id");--> statement-breakpoint
+CREATE INDEX "credential_member_user_id_idx" ON "credential_member" USING btree ("user_id");--> statement-breakpoint
+CREATE INDEX "credential_member_role_idx" ON "credential_member" USING btree ("role");--> statement-breakpoint
+CREATE INDEX "credential_member_status_idx" ON "credential_member" USING btree ("status");--> statement-breakpoint
+CREATE UNIQUE INDEX "credential_member_unique" ON "credential_member" USING btree ("credential_id","user_id");
+--> statement-breakpoint
+DROP INDEX IF EXISTS "account_user_provider_unique";
+--> statement-breakpoint
+WITH workspace_user_access AS (
+	SELECT DISTINCT w.id AS workspace_id, p.user_id
+	FROM "permissions" p
+	INNER JOIN "workspace" w
+		ON w.id = p.entity_id
+	WHERE p.entity_type = 'workspace'
+	UNION
+	SELECT w.id AS workspace_id, w.owner_id AS user_id
+	FROM "workspace" w
+	UNION
+	SELECT DISTINCT wf.workspace_id AS workspace_id, wf.user_id
+	FROM "workflow" wf
+	INNER JOIN "workspace" w
+		ON w.id = wf.workspace_id
+	WHERE wf.workspace_id IS NOT NULL
+)
+INSERT INTO "credential" (
+	"id",
+	"workspace_id",
+	"type",
+	"display_name",
+	"provider_id",
+	"account_id",
+	"created_by",
+	"created_at",
+	"updated_at"
+)
+SELECT
+	'cred_' || md5('oauth:' || wua.workspace_id || ':' || a.id) AS id,
+	wua.workspace_id,
+	'oauth'::"credential_type",
+	COALESCE(NULLIF(a.account_id, ''), a.provider_id) AS display_name,
+	a.provider_id,
+	a.id,
+	a.user_id,
+	now(),
+	now()
+FROM "account" a
+INNER JOIN workspace_user_access wua
+	ON wua.user_id = a.user_id
+ON CONFLICT DO NOTHING;
+--> statement-breakpoint
+INSERT INTO "credential" (
+	"id",
+	"workspace_id",
+	"type",
+	"display_name",
+	"env_key",
+	"created_by",
+	"created_at",
+	"updated_at"
+)
+SELECT
+	'cred_' || md5('env_workspace:' || we.workspace_id || ':' || env.key) AS id,
+	we.workspace_id,
+	'env_workspace'::"credential_type",
+	env.key AS display_name,
+	env.key,
+	COALESCE(wf_owner.user_id, w.owner_id),
+	now(),
+	now()
+FROM "workspace_environment" we
+INNER JOIN "workspace" w
+	ON w.id = we.workspace_id
+LEFT JOIN LATERAL (
+	SELECT wf.user_id
+	FROM "workflow" wf
+	WHERE wf.workspace_id = we.workspace_id
+	ORDER BY wf.created_at ASC
+	LIMIT 1
+) wf_owner
+	ON TRUE
+CROSS JOIN LATERAL jsonb_each_text(COALESCE(we.variables::jsonb, '{}'::jsonb)) AS env(key, value)
+ON CONFLICT DO NOTHING;
+--> statement-breakpoint
+WITH workflow_workspace_owners AS (
+	SELECT DISTINCT wf.workspace_id, wf.user_id
+	FROM "workflow" wf
+	INNER JOIN "workspace" w
+		ON w.id = wf.workspace_id
+	WHERE wf.workspace_id IS NOT NULL
+)
+INSERT INTO "credential" (
+	"id",
+	"workspace_id",
+	"type",
+	"display_name",
+	"env_key",
+	"env_owner_user_id",
+	"created_by",
+	"created_at",
+	"updated_at"
+)
+SELECT
+	'cred_' || md5('env_personal:' || wwo.workspace_id || ':' || e.user_id || ':' || env.key) AS id,
+	wwo.workspace_id,
+	'env_personal'::"credential_type",
+	env.key AS display_name,
+	env.key,
+	e.user_id,
+	e.user_id,
+	now(),
+	now()
+FROM "environment" e
+INNER JOIN workflow_workspace_owners wwo
+	ON wwo.user_id = e.user_id
+CROSS JOIN LATERAL jsonb_each_text(COALESCE(e.variables::jsonb, '{}'::jsonb)) AS env(key, value)
+ON CONFLICT DO NOTHING;
+--> statement-breakpoint
+WITH workspace_user_access AS (
+	SELECT DISTINCT w.id AS workspace_id, p.user_id
+	FROM "permissions" p
+	INNER JOIN "workspace" w
+		ON w.id = p.entity_id
+	WHERE p.entity_type = 'workspace'
+	UNION
+	SELECT w.id AS workspace_id, w.owner_id AS user_id
+	FROM "workspace" w
+	UNION
+	SELECT DISTINCT wf.workspace_id AS workspace_id, wf.user_id
+	FROM "workflow" wf
+	INNER JOIN "workspace" w
+		ON w.id = wf.workspace_id
+	WHERE wf.workspace_id IS NOT NULL
+),
+workflow_workspace_owners AS (
+	SELECT DISTINCT wf.workspace_id, wf.user_id
+	FROM "workflow" wf
+	INNER JOIN "workspace" w
+		ON w.id = wf.workspace_id
+	WHERE wf.workspace_id IS NOT NULL
+)
+INSERT INTO "credential_member" (
+	"id",
+	"credential_id",
+	"user_id",
+	"role",
+	"status",
+	"joined_at",
+	"invited_by",
+	"created_at",
+	"updated_at"
+)
+SELECT
+	'credm_' || md5(c.id || ':' || wua.user_id) AS id,
+	c.id,
+	wua.user_id,
+	CASE
+		WHEN c.type = 'oauth'::"credential_type" AND c.created_by = wua.user_id THEN 'admin'::"credential_member_role"
+		WHEN c.type = 'env_workspace'::"credential_type" AND (
+			EXISTS (
+				SELECT 1
+				FROM workflow_workspace_owners wwo
+				WHERE wwo.workspace_id = c.workspace_id
+					AND wwo.user_id = wua.user_id
+			)
+			OR (
+				NOT EXISTS (
+					SELECT 1
+					FROM workflow_workspace_owners wwo
+					WHERE wwo.workspace_id = c.workspace_id
+				)
+				AND w.owner_id = wua.user_id
+			)
+		) THEN 'admin'::"credential_member_role"
+		ELSE 'member'::"credential_member_role"
+	END AS role,
+	'active'::"credential_member_status",
+	now(),
+	c.created_by,
+	now(),
+	now()
+FROM "credential" c
+INNER JOIN "workspace" w
+	ON w.id = c.workspace_id
+INNER JOIN workspace_user_access wua
+	ON wua.workspace_id = c.workspace_id
+WHERE c.type IN ('oauth'::"credential_type", 'env_workspace'::"credential_type")
+ON CONFLICT DO NOTHING;
+--> statement-breakpoint
+INSERT INTO "credential_member" (
+	"id",
+	"credential_id",
+	"user_id",
+	"role",
+	"status",
+	"joined_at",
+	"invited_by",
+	"created_at",
+	"updated_at"
+)
+SELECT
+	'credm_' || md5(c.id || ':' || c.env_owner_user_id) AS id,
+	c.id,
+	c.env_owner_user_id,
+	'admin'::"credential_member_role",
+	'active'::"credential_member_status",
+	now(),
+	c.created_by,
+	now(),
+	now()
+FROM "credential" c
+WHERE c.type = 'env_personal'::"credential_type"
+	AND c.env_owner_user_id IS NOT NULL
+ON CONFLICT DO NOTHING;
--- a/packages/db/migrations/meta/0154_snapshot.json
+++ b/packages/db/migrations/meta/0154_snapshot.json
--- a/packages/db/migrations/meta/_journal.json
+++ b/packages/db/migrations/meta/_journal.json
@@ -1072,6 +1072,13 @@
      "when": 1770410282842,
      "tag": "0153_complete_arclight",
      "breakpoints": true
+    },
+    {
+      "idx": 154,
+      "version": "7",
+      "when": 1770840006821,
+      "tag": "0154_luxuriant_maria_hill",
+      "breakpoints": true
    }
  ]
 }
--- a/packages/db/schema.ts
+++ b/packages/db/schema.ts
@@ -89,10 +89,6 @@ export const account = pgTable(
      table.accountId,
      table.providerId
    ),
-    uniqueUserProvider: uniqueIndex('account_user_provider_unique').on(
-      table.userId,
-      table.providerId
-    ),
  })
 )

@@ -2011,6 +2007,94 @@ export const usageLog = pgTable(
  })
 )

+export const credentialTypeEnum = pgEnum('credential_type', [
+  'oauth',
+  'env_workspace',
+  'env_personal',
+])
+
+export const credential = pgTable(
+  'credential',
+  {
+    id: text('id').primaryKey(),
+    workspaceId: text('workspace_id')
+      .notNull()
+      .references(() => workspace.id, { onDelete: 'cascade' }),
+    type: credentialTypeEnum('type').notNull(),
+    displayName: text('display_name').notNull(),
+    providerId: text('provider_id'),
+    accountId: text('account_id').references(() => account.id, { onDelete: 'cascade' }),
+    envKey: text('env_key'),
+    envOwnerUserId: text('env_owner_user_id').references(() => user.id, { onDelete: 'cascade' }),
+    createdBy: text('created_by')
+      .notNull()
+      .references(() => user.id, { onDelete: 'cascade' }),
+    createdAt: timestamp('created_at').notNull().defaultNow(),
+    updatedAt: timestamp('updated_at').notNull().defaultNow(),
+  },
+  (table) => ({
+    workspaceIdIdx: index('credential_workspace_id_idx').on(table.workspaceId),
+    typeIdx: index('credential_type_idx').on(table.type),
+    providerIdIdx: index('credential_provider_id_idx').on(table.providerId),
+    accountIdIdx: index('credential_account_id_idx').on(table.accountId),
+    envOwnerUserIdIdx: index('credential_env_owner_user_id_idx').on(table.envOwnerUserId),
+    workspaceAccountUnique: uniqueIndex('credential_workspace_account_unique')
+      .on(table.workspaceId, table.accountId)
+      .where(sql`account_id IS NOT NULL`),
+    workspaceEnvUnique: uniqueIndex('credential_workspace_env_unique')
+      .on(table.workspaceId, table.type, table.envKey)
+      .where(sql`type = 'env_workspace'`),
+    workspacePersonalEnvUnique: uniqueIndex('credential_workspace_personal_env_unique')
+      .on(table.workspaceId, table.type, table.envKey, table.envOwnerUserId)
+      .where(sql`type = 'env_personal'`),
+    oauthSourceConstraint: check(
+      'credential_oauth_source_check',
+      sql`(type <> 'oauth') OR (account_id IS NOT NULL AND provider_id IS NOT NULL)`
+    ),
+    workspaceEnvSourceConstraint: check(
+      'credential_workspace_env_source_check',
+      sql`(type <> 'env_workspace') OR (env_key IS NOT NULL AND env_owner_user_id IS NULL)`
+    ),
+    personalEnvSourceConstraint: check(
+      'credential_personal_env_source_check',
+      sql`(type <> 'env_personal') OR (env_key IS NOT NULL AND env_owner_user_id IS NOT NULL)`
+    ),
+  })
+)
+
+export const credentialMemberRoleEnum = pgEnum('credential_member_role', ['admin', 'member'])
+export const credentialMemberStatusEnum = pgEnum('credential_member_status', [
+  'active',
+  'pending',
+  'revoked',
+])
+
+export const credentialMember = pgTable(
+  'credential_member',
+  {
+    id: text('id').primaryKey(),
+    credentialId: text('credential_id')
+      .notNull()
+      .references(() => credential.id, { onDelete: 'cascade' }),
+    userId: text('user_id')
+      .notNull()
+      .references(() => user.id, { onDelete: 'cascade' }),
+    role: credentialMemberRoleEnum('role').notNull().default('member'),
+    status: credentialMemberStatusEnum('status').notNull().default('active'),
+    joinedAt: timestamp('joined_at'),
+    invitedBy: text('invited_by').references(() => user.id, { onDelete: 'set null' }),
+    createdAt: timestamp('created_at').notNull().defaultNow(),
+    updatedAt: timestamp('updated_at').notNull().defaultNow(),
+  },
+  (table) => ({
+    credentialIdIdx: index('credential_member_credential_id_idx').on(table.credentialId),
+    userIdIdx: index('credential_member_user_id_idx').on(table.userId),
+    roleIdx: index('credential_member_role_idx').on(table.role),
+    statusIdx: index('credential_member_status_idx').on(table.status),
+    uniqueMembership: uniqueIndex('credential_member_unique').on(table.credentialId, table.userId),
+  })
+)
+
 export const credentialSet = pgTable(
  'credential_set',
  {