fix(admin): validate userId and email are strings

styling
fix(admin): reject NaN and Infinity in amount validation
2026-01-24 14:27:56 -05:00 · 2026-01-23 11:07:41 -08:00 · 2026-01-23 11:06:36 -08:00 · 2026-01-23 10:46:29 -08:00 · 2026-01-23 10:44:03 -08:00 · 2026-01-23 09:59:10 -08:00
210 changed files with 2700 additions and 3810 deletions
--- a/apps/sim/app/(landing)/components/footer/components/status-indicator.tsx
+++ b/apps/sim/app/(landing)/components/footer/components/status-indicator.tsx
@@ -59,7 +59,7 @@ export default function StatusIndicator() {
      href={statusUrl}
      target='_blank'
      rel='noopener noreferrer'
-      className={`flex min-w-[165px] items-center gap-[6px] whitespace-nowrap text-[12px] transition-colors ${STATUS_COLORS[status]}`}
+      className={`flex items-center gap-[6px] whitespace-nowrap text-[12px] transition-colors ${STATUS_COLORS[status]}`}
      aria-label={`System status: ${message}`}
    >
      <StatusDotIcon status={status} className='h-[6px] w-[6px]' aria-hidden='true' />
--- a/apps/sim/app/(landing)/studio/page.tsx
+++ b/apps/sim/app/(landing)/studio/page.tsx
@@ -22,7 +22,7 @@ export default async function StudioIndex({
      ? filtered.sort((a, b) => {
          if (a.featured && !b.featured) return -1
          if (!a.featured && b.featured) return 1
-          return new Date(b.date).getTime() - new Date(a.date).getTime()
+          return 0
        })
      : filtered

--- a/apps/sim/app/api/a2a/agents/[agentId]/route.ts
+++ b/apps/sim/app/api/a2a/agents/[agentId]/route.ts
@@ -8,7 +8,6 @@ import type { AgentCapabilities, AgentSkill } from '@/lib/a2a/types'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { getRedisClient } from '@/lib/core/config/redis'
 import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
-import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'

 const logger = createLogger('A2AAgentCardAPI')

@@ -96,11 +95,6 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<Ro
      return NextResponse.json({ error: 'Agent not found' }, { status: 404 })
    }

-    const workspaceAccess = await checkWorkspaceAccess(existingAgent.workspaceId, auth.userId)
-    if (!workspaceAccess.canWrite) {
-      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-    }
-
    const body = await request.json()

    if (
@@ -166,11 +160,6 @@ export async function DELETE(request: NextRequest, { params }: { params: Promise
      return NextResponse.json({ error: 'Agent not found' }, { status: 404 })
    }

-    const workspaceAccess = await checkWorkspaceAccess(existingAgent.workspaceId, auth.userId)
-    if (!workspaceAccess.canWrite) {
-      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-    }
-
    await db.delete(a2aAgent).where(eq(a2aAgent.id, agentId))

    logger.info(`Deleted A2A agent: ${agentId}`)
@@ -205,11 +194,6 @@ export async function POST(request: NextRequest, { params }: { params: Promise<R
      return NextResponse.json({ error: 'Agent not found' }, { status: 404 })
    }

-    const workspaceAccess = await checkWorkspaceAccess(existingAgent.workspaceId, auth.userId)
-    if (!workspaceAccess.canWrite) {
-      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-    }
-
    const body = await request.json()
    const action = body.action as 'publish' | 'unpublish' | 'refresh'

--- a/apps/sim/app/api/a2a/serve/[agentId]/route.ts
+++ b/apps/sim/app/api/a2a/serve/[agentId]/route.ts
@@ -16,7 +16,6 @@ import {
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { getBrandConfig } from '@/lib/branding/branding'
 import { acquireLock, getRedisClient, releaseLock } from '@/lib/core/config/redis'
-import { validateExternalUrl } from '@/lib/core/security/input-validation'
 import { SSE_HEADERS } from '@/lib/core/utils/sse'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { markExecutionCancelled } from '@/lib/execution/cancellation'
@@ -1119,13 +1118,17 @@ async function handlePushNotificationSet(
    )
  }

-  const urlValidation = validateExternalUrl(
-    params.pushNotificationConfig.url,
-    'Push notification URL'
-  )
-  if (!urlValidation.isValid) {
+  try {
+    const url = new URL(params.pushNotificationConfig.url)
+    if (url.protocol !== 'https:') {
+      return NextResponse.json(
+        createError(id, A2A_ERROR_CODES.INVALID_PARAMS, 'Push notification URL must use HTTPS'),
+        { status: 400 }
+      )
+    }
+  } catch {
    return NextResponse.json(
-      createError(id, A2A_ERROR_CODES.INVALID_PARAMS, urlValidation.error || 'Invalid URL'),
+      createError(id, A2A_ERROR_CODES.INVALID_PARAMS, 'Invalid push notification URL'),
      { status: 400 }
    )
  }
--- a/apps/sim/app/api/copilot/execute-tool/route.ts
+++ b/apps/sim/app/api/copilot/execute-tool/route.ts
@@ -104,11 +104,17 @@ export async function POST(req: NextRequest) {
    })

    // Build execution params starting with LLM-provided arguments
-    // Resolve all {{ENV_VAR}} references in the arguments (deep for nested objects)
+    // Resolve all {{ENV_VAR}} references in the arguments
    const executionParams: Record<string, any> = resolveEnvVarReferences(
      toolArgs,
      decryptedEnvVars,
-      { deep: true }
+      {
+        resolveExactMatch: true,
+        allowEmbedded: true,
+        trimKeys: true,
+        onMissing: 'keep',
+        deep: true,
+      }
    ) as Record<string, any>

    logger.info(`[${tracker.requestId}] Resolved env var references in arguments`, {
--- a/apps/sim/app/api/function/execute/route.test.ts
+++ b/apps/sim/app/api/function/execute/route.test.ts
@@ -84,14 +84,6 @@ vi.mock('@/lib/execution/isolated-vm', () => ({

 vi.mock('@sim/logger', () => loggerMock)

-vi.mock('@/lib/auth/hybrid', () => ({
-  checkInternalAuth: vi.fn().mockResolvedValue({
-    success: true,
-    userId: 'user-123',
-    authType: 'internal_jwt',
-  }),
-}))
-
 vi.mock('@/lib/execution/e2b', () => ({
  executeInE2B: vi.fn(),
 }))
@@ -118,24 +110,6 @@ describe('Function Execute API Route', () => {
  })

  describe('Security Tests', () => {
-    it('should reject unauthorized requests', async () => {
-      const { checkInternalAuth } = await import('@/lib/auth/hybrid')
-      vi.mocked(checkInternalAuth).mockResolvedValueOnce({
-        success: false,
-        error: 'Unauthorized',
-      })
-
-      const req = createMockRequest('POST', {
-        code: 'return "test"',
-      })
-
-      const response = await POST(req)
-      const data = await response.json()
-
-      expect(response.status).toBe(401)
-      expect(data).toHaveProperty('error', 'Unauthorized')
-    })
-
    it.concurrent('should use isolated-vm for secure sandboxed execution', async () => {
      const req = createMockRequest('POST', {
        code: 'return "test"',
--- a/apps/sim/app/api/function/execute/route.ts
+++ b/apps/sim/app/api/function/execute/route.ts
@@ -1,6 +1,5 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { isE2bEnabled } from '@/lib/core/config/feature-flags'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { executeInE2B } from '@/lib/execution/e2b'
@@ -582,12 +581,6 @@ export async function POST(req: NextRequest) {
  let resolvedCode = '' // Store resolved code for error reporting

  try {
-    const auth = await checkInternalAuth(req)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized function execution attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
    const body = await req.json()

    const { DEFAULT_EXECUTION_TIMEOUT_MS } = await import('@/lib/execution/constants')
--- a/apps/sim/app/api/mcp/servers/test-connection/route.ts
+++ b/apps/sim/app/api/mcp/servers/test-connection/route.ts
@@ -1,10 +1,11 @@
 import { createLogger } from '@sim/logger'
 import type { NextRequest } from 'next/server'
+import { getEffectiveDecryptedEnv } from '@/lib/environment/utils'
 import { McpClient } from '@/lib/mcp/client'
 import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
-import { resolveMcpConfigEnvVars } from '@/lib/mcp/resolve-config'
-import type { McpTransport } from '@/lib/mcp/types'
+import type { McpServerConfig, McpTransport } from '@/lib/mcp/types'
 import { createMcpErrorResponse, createMcpSuccessResponse } from '@/lib/mcp/utils'
+import { resolveEnvVarReferences } from '@/executor/utils/reference-validation'

 const logger = createLogger('McpServerTestAPI')

@@ -18,6 +19,30 @@ function isUrlBasedTransport(transport: McpTransport): boolean {
  return transport === 'streamable-http'
 }

+/**
+ * Resolve environment variables in strings
+ */
+function resolveEnvVars(value: string, envVars: Record<string, string>): string {
+  const missingVars: string[] = []
+  const resolvedValue = resolveEnvVarReferences(value, envVars, {
+    allowEmbedded: true,
+    resolveExactMatch: true,
+    trimKeys: true,
+    onMissing: 'keep',
+    deep: false,
+    missingKeys: missingVars,
+  }) as string
+
+  if (missingVars.length > 0) {
+    const uniqueMissing = Array.from(new Set(missingVars))
+    uniqueMissing.forEach((envKey) => {
+      logger.warn(`Environment variable "${envKey}" not found in MCP server test`)
+    })
+  }
+
+  return resolvedValue
+}
+
 interface TestConnectionRequest {
  name: string
  transport: McpTransport
@@ -71,30 +96,39 @@ export const POST = withMcpAuth('write')(
        )
      }

-      // Build initial config for resolution
-      const initialConfig = {
+      let resolvedUrl = body.url
+      let resolvedHeaders = body.headers || {}
+
+      try {
+        const envVars = await getEffectiveDecryptedEnv(userId, workspaceId)
+
+        if (resolvedUrl) {
+          resolvedUrl = resolveEnvVars(resolvedUrl, envVars)
+        }
+
+        const resolvedHeadersObj: Record<string, string> = {}
+        for (const [key, value] of Object.entries(resolvedHeaders)) {
+          resolvedHeadersObj[key] = resolveEnvVars(value, envVars)
+        }
+        resolvedHeaders = resolvedHeadersObj
+      } catch (envError) {
+        logger.warn(
+          `[${requestId}] Failed to resolve environment variables, using raw values:`,
+          envError
+        )
+      }
+
+      const testConfig: McpServerConfig = {
        id: `test-${requestId}`,
        name: body.name,
        transport: body.transport,
-        url: body.url,
-        headers: body.headers || {},
+        url: resolvedUrl,
+        headers: resolvedHeaders,
        timeout: body.timeout || 10000,
        retries: 1, // Only one retry for tests
        enabled: true,
      }

-      // Resolve env vars using shared utility (non-strict mode for testing)
-      const { config: testConfig, missingVars } = await resolveMcpConfigEnvVars(
-        initialConfig,
-        userId,
-        workspaceId,
-        { strict: false }
-      )
-
-      if (missingVars.length > 0) {
-        logger.warn(`[${requestId}] Some environment variables not found:`, { missingVars })
-      }
-
      const testSecurityPolicy = {
        requireConsent: false,
        auditLevel: 'none' as const,
--- a/apps/sim/app/api/providers/route.ts
+++ b/apps/sim/app/api/providers/route.ts
@@ -3,9 +3,7 @@ import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 import { refreshTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 import type { StreamingExecution } from '@/executor/types'
 import { executeProviderRequest } from '@/providers'
@@ -22,11 +20,6 @@ export async function POST(request: NextRequest) {
  const startTime = Date.now()

  try {
-    const auth = await checkInternalAuth(request, { requireWorkflowId: false })
-    if (!auth.success || !auth.userId) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
-    }
-
    logger.info(`[${requestId}] Provider API request started`, {
      timestamp: new Date().toISOString(),
      userAgent: request.headers.get('User-Agent'),
@@ -92,13 +85,6 @@ export async function POST(request: NextRequest) {
      verbosity,
    })

-    if (workspaceId) {
-      const workspaceAccess = await checkWorkspaceAccess(workspaceId, auth.userId)
-      if (!workspaceAccess.hasAccess) {
-        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
-      }
-    }
-
    let finalApiKey: string | undefined = apiKey
    try {
      if (provider === 'vertex' && vertexCredential) {
--- a/apps/sim/app/api/tools/a2a/set-push-notification/route.ts
+++ b/apps/sim/app/api/tools/a2a/set-push-notification/route.ts
@@ -3,7 +3,6 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient } from '@/lib/a2a/utils'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
-import { validateExternalUrl } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -40,18 +39,6 @@ export async function POST(request: NextRequest) {
    const body = await request.json()
    const validatedData = A2ASetPushNotificationSchema.parse(body)

-    const urlValidation = validateExternalUrl(validatedData.webhookUrl, 'Webhook URL')
-    if (!urlValidation.isValid) {
-      logger.warn(`[${requestId}] Invalid webhook URL`, { error: urlValidation.error })
-      return NextResponse.json(
-        {
-          success: false,
-          error: urlValidation.error,
-        },
-        { status: 400 }
-      )
-    }
-
    logger.info(`[${requestId}] A2A set push notification request`, {
      agentUrl: validatedData.agentUrl,
      taskId: validatedData.taskId,
--- a/apps/sim/app/api/tools/custom/route.test.ts
+++ b/apps/sim/app/api/tools/custom/route.test.ts
@@ -181,7 +181,7 @@ describe('Custom Tools API Routes', () => {
    }))

    vi.doMock('@/lib/auth/hybrid', () => ({
-      checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
+      checkHybridAuth: vi.fn().mockResolvedValue({
        success: true,
        userId: 'user-123',
        authType: 'session',
@@ -254,7 +254,7 @@ describe('Custom Tools API Routes', () => {
      )

      vi.doMock('@/lib/auth/hybrid', () => ({
-        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
+        checkHybridAuth: vi.fn().mockResolvedValue({
          success: false,
          error: 'Unauthorized',
        }),
@@ -304,7 +304,7 @@ describe('Custom Tools API Routes', () => {
  describe('POST /api/tools/custom', () => {
    it('should reject unauthorized requests', async () => {
      vi.doMock('@/lib/auth/hybrid', () => ({
-        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
+        checkHybridAuth: vi.fn().mockResolvedValue({
          success: false,
          error: 'Unauthorized',
        }),
@@ -390,7 +390,7 @@ describe('Custom Tools API Routes', () => {

    it('should prevent unauthorized deletion of user-scoped tool', async () => {
      vi.doMock('@/lib/auth/hybrid', () => ({
-        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
+        checkHybridAuth: vi.fn().mockResolvedValue({
          success: true,
          userId: 'user-456',
          authType: 'session',
@@ -413,7 +413,7 @@ describe('Custom Tools API Routes', () => {

    it('should reject unauthorized requests', async () => {
      vi.doMock('@/lib/auth/hybrid', () => ({
-        checkSessionOrInternalAuth: vi.fn().mockResolvedValue({
+        checkHybridAuth: vi.fn().mockResolvedValue({
          success: false,
          error: 'Unauthorized',
        }),
--- a/apps/sim/app/api/tools/custom/route.ts
+++ b/apps/sim/app/api/tools/custom/route.ts
@@ -4,7 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, desc, eq, isNull, or } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { upsertCustomTools } from '@/lib/workflows/custom-tools/operations'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
@@ -42,8 +42,8 @@ export async function GET(request: NextRequest) {
  const workflowId = searchParams.get('workflowId')

  try {
-    // Use session/internal auth to support session and internal JWT (no API key access)
-    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
+    // Use hybrid auth to support session, API key, and internal JWT
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized custom tools access attempt`)
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
@@ -69,8 +69,8 @@ export async function GET(request: NextRequest) {
    }

    // Check workspace permissions
-    // For internal JWT with workflowId: checkSessionOrInternalAuth already resolved userId from workflow owner
-    // For session: verify user has access to the workspace
+    // For internal JWT with workflowId: checkHybridAuth already resolved userId from workflow owner
+    // For session/API key: verify user has access to the workspace
    // For legacy (no workspaceId): skip workspace check, rely on userId match
    if (resolvedWorkspaceId && !(authResult.authType === 'internal_jwt' && workflowId)) {
      const userPermission = await getUserEntityPermissions(
@@ -116,8 +116,8 @@ export async function POST(req: NextRequest) {
  const requestId = generateRequestId()

  try {
-    // Use session/internal auth (no API key access)
-    const authResult = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
+    // Use hybrid auth (though this endpoint is only called from UI)
+    const authResult = await checkHybridAuth(req, { requireWorkflowId: false })
    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized custom tools update attempt`)
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
@@ -193,8 +193,8 @@ export async function DELETE(request: NextRequest) {
  }

  try {
-    // Use session/internal auth (no API key access)
-    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
+    // Use hybrid auth (though this endpoint is only called from UI)
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized custom tool deletion attempt`)
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/discord/send-message/route.ts
+++ b/apps/sim/app/api/tools/discord/send-message/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { validateNumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Discord send attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/add-label/route.ts
+++ b/apps/sim/app/api/tools/gmail/add-label/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'

@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail add label attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/archive/route.ts
+++ b/apps/sim/app/api/tools/gmail/archive/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail archive attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/delete/route.ts
+++ b/apps/sim/app/api/tools/gmail/delete/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail delete attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/draft/route.ts
+++ b/apps/sim/app/api/tools/gmail/draft/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -35,7 +35,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail draft attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/mark-read/route.ts
+++ b/apps/sim/app/api/tools/gmail/mark-read/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail mark read attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/mark-unread/route.ts
+++ b/apps/sim/app/api/tools/gmail/mark-unread/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail mark unread attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/move/route.ts
+++ b/apps/sim/app/api/tools/gmail/move/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail move attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/remove-label/route.ts
+++ b/apps/sim/app/api/tools/gmail/remove-label/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'

@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail remove label attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/send/route.ts
+++ b/apps/sim/app/api/tools/gmail/send/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -35,7 +35,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail send attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/gmail/unarchive/route.ts
+++ b/apps/sim/app/api/tools/gmail/unarchive/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Gmail unarchive attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/google_drive/upload/route.ts
+++ b/apps/sim/app/api/tools/google_drive/upload/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -56,7 +56,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Google Drive upload attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/image/route.ts
+++ b/apps/sim/app/api/tools/image/route.ts
@@ -1,6 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { validateImageUrl } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'

@@ -15,7 +15,7 @@ export async function GET(request: NextRequest) {
  const imageUrl = url.searchParams.get('url')
  const requestId = generateRequestId()

-  const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+  const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
  if (!authResult.success) {
    logger.error(`[${requestId}] Authentication failed for image proxy:`, authResult.error)
    return new NextResponse('Unauthorized', { status: 401 })
--- a/apps/sim/app/api/tools/mail/send/route.ts
+++ b/apps/sim/app/api/tools/mail/send/route.ts
@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { Resend } from 'resend'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized mail send attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/microsoft_teams/delete_chat_message/route.ts
+++ b/apps/sim/app/api/tools/microsoft_teams/delete_chat_message/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -18,7 +18,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Teams chat delete attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/microsoft_teams/write_channel/route.ts
+++ b/apps/sim/app/api/tools/microsoft_teams/write_channel/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -23,7 +23,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Teams channel write attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/microsoft_teams/write_chat/route.ts
+++ b/apps/sim/app/api/tools/microsoft_teams/write_chat/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Teams chat write attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/mistral/parse/route.ts
+++ b/apps/sim/app/api/tools/mistral/parse/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
@@ -30,7 +30,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized Mistral parse attempt`, {
--- a/apps/sim/app/api/tools/mysql/delete/route.ts
+++ b/apps/sim/app/api/tools/mysql/delete/route.ts
@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { buildDeleteQuery, createMySQLConnection, executeQuery } from '@/app/api/tools/mysql/utils'

 const logger = createLogger('MySQLDeleteAPI')
@@ -22,12 +21,6 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized MySQL delete attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
    const body = await request.json()
    const params = DeleteSchema.parse(body)

--- a/apps/sim/app/api/tools/mysql/execute/route.ts
+++ b/apps/sim/app/api/tools/mysql/execute/route.ts
@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createMySQLConnection, executeQuery, validateQuery } from '@/app/api/tools/mysql/utils'

 const logger = createLogger('MySQLExecuteAPI')
@@ -21,12 +20,6 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized MySQL execute attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
    const body = await request.json()
    const params = ExecuteSchema.parse(body)

--- a/apps/sim/app/api/tools/mysql/insert/route.ts
+++ b/apps/sim/app/api/tools/mysql/insert/route.ts
@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { buildInsertQuery, createMySQLConnection, executeQuery } from '@/app/api/tools/mysql/utils'

 const logger = createLogger('MySQLInsertAPI')
@@ -43,12 +42,6 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized MySQL insert attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
    const body = await request.json()
    const params = InsertSchema.parse(body)

--- a/apps/sim/app/api/tools/mysql/introspect/route.ts
+++ b/apps/sim/app/api/tools/mysql/introspect/route.ts
@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createMySQLConnection, executeIntrospect } from '@/app/api/tools/mysql/utils'

 const logger = createLogger('MySQLIntrospectAPI')
@@ -20,12 +19,6 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized MySQL introspect attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
    const body = await request.json()
    const params = IntrospectSchema.parse(body)

--- a/apps/sim/app/api/tools/mysql/query/route.ts
+++ b/apps/sim/app/api/tools/mysql/query/route.ts
@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createMySQLConnection, executeQuery, validateQuery } from '@/app/api/tools/mysql/utils'

 const logger = createLogger('MySQLQueryAPI')
@@ -21,12 +20,6 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized MySQL query attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
    const body = await request.json()
    const params = QuerySchema.parse(body)

--- a/apps/sim/app/api/tools/mysql/update/route.ts
+++ b/apps/sim/app/api/tools/mysql/update/route.ts
@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { buildUpdateQuery, createMySQLConnection, executeQuery } from '@/app/api/tools/mysql/utils'

 const logger = createLogger('MySQLUpdateAPI')
@@ -41,12 +40,6 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized MySQL update attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
    const body = await request.json()
    const params = UpdateSchema.parse(body)

--- a/apps/sim/app/api/tools/onedrive/upload/route.ts
+++ b/apps/sim/app/api/tools/onedrive/upload/route.ts
@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import * as XLSX from 'xlsx'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import {
@@ -39,7 +39,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized OneDrive upload attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/outlook/copy/route.ts
+++ b/apps/sim/app/api/tools/outlook/copy/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -18,7 +18,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Outlook copy attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/outlook/delete/route.ts
+++ b/apps/sim/app/api/tools/outlook/delete/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -17,7 +17,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Outlook delete attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/outlook/draft/route.ts
+++ b/apps/sim/app/api/tools/outlook/draft/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -25,7 +25,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Outlook draft attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/outlook/mark-read/route.ts
+++ b/apps/sim/app/api/tools/outlook/mark-read/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -17,7 +17,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Outlook mark read attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/outlook/mark-unread/route.ts
+++ b/apps/sim/app/api/tools/outlook/mark-unread/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -17,7 +17,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Outlook mark unread attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/outlook/move/route.ts
+++ b/apps/sim/app/api/tools/outlook/move/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -18,7 +18,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Outlook move attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/outlook/send/route.ts
+++ b/apps/sim/app/api/tools/outlook/send/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -27,7 +27,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Outlook send attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/postgresql/delete/route.ts
+++ b/apps/sim/app/api/tools/postgresql/delete/route.ts
@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeDelete } from '@/app/api/tools/postgresql/utils'

 const logger = createLogger('PostgreSQLDeleteAPI')
@@ -22,12 +21,6 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized PostgreSQL delete attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
    const body = await request.json()
    const params = DeleteSchema.parse(body)

--- a/apps/sim/app/api/tools/postgresql/execute/route.ts
+++ b/apps/sim/app/api/tools/postgresql/execute/route.ts
@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  createPostgresConnection,
  executeQuery,
@@ -25,12 +24,6 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized PostgreSQL execute attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
    const body = await request.json()
    const params = ExecuteSchema.parse(body)

--- a/apps/sim/app/api/tools/postgresql/insert/route.ts
+++ b/apps/sim/app/api/tools/postgresql/insert/route.ts
@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeInsert } from '@/app/api/tools/postgresql/utils'

 const logger = createLogger('PostgreSQLInsertAPI')
@@ -43,12 +42,6 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized PostgreSQL insert attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
    const body = await request.json()

    const params = InsertSchema.parse(body)
--- a/apps/sim/app/api/tools/postgresql/introspect/route.ts
+++ b/apps/sim/app/api/tools/postgresql/introspect/route.ts
@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeIntrospect } from '@/app/api/tools/postgresql/utils'

 const logger = createLogger('PostgreSQLIntrospectAPI')
@@ -21,12 +20,6 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized PostgreSQL introspect attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
    const body = await request.json()
    const params = IntrospectSchema.parse(body)

--- a/apps/sim/app/api/tools/postgresql/query/route.ts
+++ b/apps/sim/app/api/tools/postgresql/query/route.ts
@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeQuery } from '@/app/api/tools/postgresql/utils'

 const logger = createLogger('PostgreSQLQueryAPI')
@@ -21,12 +20,6 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized PostgreSQL query attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
    const body = await request.json()
    const params = QuerySchema.parse(body)

--- a/apps/sim/app/api/tools/postgresql/update/route.ts
+++ b/apps/sim/app/api/tools/postgresql/update/route.ts
@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createPostgresConnection, executeUpdate } from '@/app/api/tools/postgresql/utils'

 const logger = createLogger('PostgreSQLUpdateAPI')
@@ -41,12 +40,6 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized PostgreSQL update attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
    const body = await request.json()
    const params = UpdateSchema.parse(body)

--- a/apps/sim/app/api/tools/pulse/parse/route.ts
+++ b/apps/sim/app/api/tools/pulse/parse/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
@@ -31,7 +31,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized Pulse parse attempt`, {
--- a/apps/sim/app/api/tools/reducto/parse/route.ts
+++ b/apps/sim/app/api/tools/reducto/parse/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
@@ -27,7 +27,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized Reducto parse attempt`, {
--- a/apps/sim/app/api/tools/s3/copy-object/route.ts
+++ b/apps/sim/app/api/tools/s3/copy-object/route.ts
@@ -2,7 +2,7 @@ import { CopyObjectCommand, type ObjectCannedACL, S3Client } from '@aws-sdk/clie
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -24,7 +24,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized S3 copy object attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/s3/delete-object/route.ts
+++ b/apps/sim/app/api/tools/s3/delete-object/route.ts
@@ -2,7 +2,7 @@ import { DeleteObjectCommand, S3Client } from '@aws-sdk/client-s3'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -21,7 +21,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized S3 delete object attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/s3/list-objects/route.ts
+++ b/apps/sim/app/api/tools/s3/list-objects/route.ts
@@ -2,7 +2,7 @@ import { ListObjectsV2Command, S3Client } from '@aws-sdk/client-s3'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -23,7 +23,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized S3 list objects attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/s3/put-object/route.ts
+++ b/apps/sim/app/api/tools/s3/put-object/route.ts
@@ -2,7 +2,7 @@ import { type ObjectCannedACL, PutObjectCommand, S3Client } from '@aws-sdk/clien
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -27,7 +27,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized S3 put object attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/search/route.ts
+++ b/apps/sim/app/api/tools/search/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { SEARCH_TOOL_COST } from '@/lib/billing/constants'
 import { env } from '@/lib/core/config/env'
 import { executeTool } from '@/tools'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
    const { searchParams: urlParams } = new URL(request.url)
    const workflowId = urlParams.get('workflowId') || undefined

-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success || !authResult.userId) {
      const errorMessage = workflowId ? 'Workflow not found' : authResult.error || 'Unauthorized'
--- a/apps/sim/app/api/tools/sftp/delete/route.ts
+++ b/apps/sim/app/api/tools/sftp/delete/route.ts
@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import {
  createSftpConnection,
@@ -72,7 +72,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized SFTP delete attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/sftp/download/route.ts
+++ b/apps/sim/app/api/tools/sftp/download/route.ts
@@ -2,7 +2,7 @@ import path from 'path'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { createSftpConnection, getSftp, isPathSafe, sanitizePath } from '@/app/api/tools/sftp/utils'

@@ -25,7 +25,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized SFTP download attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/sftp/list/route.ts
+++ b/apps/sim/app/api/tools/sftp/list/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import {
  createSftpConnection,
@@ -31,7 +31,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized SFTP list attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/sftp/mkdir/route.ts
+++ b/apps/sim/app/api/tools/sftp/mkdir/route.ts
@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import {
  createSftpConnection,
@@ -60,7 +60,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized SFTP mkdir attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/sftp/upload/route.ts
+++ b/apps/sim/app/api/tools/sftp/upload/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -44,7 +44,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized SFTP upload attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/sharepoint/upload/route.ts
+++ b/apps/sim/app/api/tools/sharepoint/upload/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -23,7 +23,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized SharePoint upload attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/slack/add-reaction/route.ts
+++ b/apps/sim/app/api/tools/slack/add-reaction/route.ts
@@ -1,6 +1,6 @@
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'

 export const dynamic = 'force-dynamic'

@@ -13,7 +13,7 @@ const SlackAddReactionSchema = z.object({

 export async function POST(request: NextRequest) {
  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      return NextResponse.json(
--- a/apps/sim/app/api/tools/slack/delete-message/route.ts
+++ b/apps/sim/app/api/tools/slack/delete-message/route.ts
@@ -1,6 +1,6 @@
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'

 export const dynamic = 'force-dynamic'

@@ -12,7 +12,7 @@ const SlackDeleteMessageSchema = z.object({

 export async function POST(request: NextRequest) {
  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      return NextResponse.json(
--- a/apps/sim/app/api/tools/slack/read-messages/route.ts
+++ b/apps/sim/app/api/tools/slack/read-messages/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { openDMChannel } from '../utils'

@@ -31,7 +31,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Slack read messages attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/slack/send-message/route.ts
+++ b/apps/sim/app/api/tools/slack/send-message/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { sendSlackMessage } from '../utils'

@@ -26,7 +26,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Slack send attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/slack/update-message/route.ts
+++ b/apps/sim/app/api/tools/slack/update-message/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'

 export const dynamic = 'force-dynamic'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Slack update message attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/sms/send/route.ts
+++ b/apps/sim/app/api/tools/sms/send/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { env } from '@/lib/core/config/env'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { type SMSOptions, sendSMS } from '@/lib/messaging/sms/service'
@@ -19,7 +19,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized SMS send attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/smtp/send/route.ts
+++ b/apps/sim/app/api/tools/smtp/send/route.ts
@@ -2,7 +2,7 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import nodemailer from 'nodemailer'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -35,7 +35,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized SMTP send attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/ssh/check-command-exists/route.ts
+++ b/apps/sim/app/api/tools/ssh/check-command-exists/route.ts
@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, escapeShellArg, executeSSHCommand } from '@/app/api/tools/ssh/utils'

 const logger = createLogger('SSHCheckCommandExistsAPI')
@@ -21,12 +20,6 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized SSH check command exists attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
    const body = await request.json()
    const params = CheckCommandExistsSchema.parse(body)

--- a/apps/sim/app/api/tools/ssh/check-file-exists/route.ts
+++ b/apps/sim/app/api/tools/ssh/check-file-exists/route.ts
@@ -3,7 +3,6 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper, Stats } from 'ssh2'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  createSSHConnection,
  getFileType,
@@ -40,15 +39,10 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized SSH check file exists attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
    const body = await request.json()
    const params = CheckFileExistsSchema.parse(body)

+    // Validate authentication
    if (!params.password && !params.privateKey) {
      return NextResponse.json(
        { error: 'Either password or privateKey must be provided' },
--- a/apps/sim/app/api/tools/ssh/create-directory/route.ts
+++ b/apps/sim/app/api/tools/ssh/create-directory/route.ts
@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  createSSHConnection,
  escapeShellArg,
@@ -28,15 +27,10 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized SSH create directory attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
    const body = await request.json()
    const params = CreateDirectorySchema.parse(body)

+    // Validate authentication
    if (!params.password && !params.privateKey) {
      return NextResponse.json(
        { error: 'Either password or privateKey must be provided' },
@@ -59,6 +53,7 @@ export async function POST(request: NextRequest) {
      const dirPath = sanitizePath(params.path)
      const escapedPath = escapeShellArg(dirPath)

+      // Check if directory already exists
      const checkResult = await executeSSHCommand(
        client,
        `test -d '${escapedPath}' && echo "exists"`
@@ -75,6 +70,7 @@ export async function POST(request: NextRequest) {
        })
      }

+      // Create directory
      const mkdirFlag = params.recursive ? '-p' : ''
      const command = `mkdir ${mkdirFlag} -m ${params.permissions} '${escapedPath}'`
      const result = await executeSSHCommand(client, command)
--- a/apps/sim/app/api/tools/ssh/delete-file/route.ts
+++ b/apps/sim/app/api/tools/ssh/delete-file/route.ts
@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  createSSHConnection,
  escapeShellArg,
@@ -28,15 +27,10 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized SSH delete file attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
    const body = await request.json()
    const params = DeleteFileSchema.parse(body)

+    // Validate authentication
    if (!params.password && !params.privateKey) {
      return NextResponse.json(
        { error: 'Either password or privateKey must be provided' },
@@ -59,6 +53,7 @@ export async function POST(request: NextRequest) {
      const filePath = sanitizePath(params.path)
      const escapedPath = escapeShellArg(filePath)

+      // Check if path exists
      const checkResult = await executeSSHCommand(
        client,
        `test -e '${escapedPath}' && echo "exists"`
@@ -67,6 +62,7 @@ export async function POST(request: NextRequest) {
        return NextResponse.json({ error: `Path does not exist: ${filePath}` }, { status: 404 })
      }

+      // Build delete command
      let command: string
      if (params.recursive) {
        command = params.force ? `rm -rf '${escapedPath}'` : `rm -r '${escapedPath}'`
--- a/apps/sim/app/api/tools/ssh/download-file/route.ts
+++ b/apps/sim/app/api/tools/ssh/download-file/route.ts
@@ -4,7 +4,6 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, sanitizePath } from '@/app/api/tools/ssh/utils'

 const logger = createLogger('SSHDownloadFileAPI')
@@ -35,15 +34,10 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized SSH download file attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
    const body = await request.json()
    const params = DownloadFileSchema.parse(body)

+    // Validate authentication
    if (!params.password && !params.privateKey) {
      return NextResponse.json(
        { error: 'Either password or privateKey must be provided' },
--- a/apps/sim/app/api/tools/ssh/execute-command/route.ts
+++ b/apps/sim/app/api/tools/ssh/execute-command/route.ts
@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, executeSSHCommand, sanitizeCommand } from '@/app/api/tools/ssh/utils'

 const logger = createLogger('SSHExecuteCommandAPI')
@@ -22,15 +21,10 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized SSH execute command attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
    const body = await request.json()
    const params = ExecuteCommandSchema.parse(body)

+    // Validate authentication
    if (!params.password && !params.privateKey) {
      return NextResponse.json(
        { error: 'Either password or privateKey must be provided' },
@@ -50,6 +44,7 @@ export async function POST(request: NextRequest) {
    })

    try {
+      // Build command with optional working directory
      let command = sanitizeCommand(params.command)
      if (params.workingDirectory) {
        command = `cd "${params.workingDirectory}" && ${command}`
--- a/apps/sim/app/api/tools/ssh/execute-script/route.ts
+++ b/apps/sim/app/api/tools/ssh/execute-script/route.ts
@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, escapeShellArg, executeSSHCommand } from '@/app/api/tools/ssh/utils'

 const logger = createLogger('SSHExecuteScriptAPI')
@@ -23,15 +22,10 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized SSH execute script attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
    const body = await request.json()
    const params = ExecuteScriptSchema.parse(body)

+    // Validate authentication
    if (!params.password && !params.privateKey) {
      return NextResponse.json(
        { error: 'Either password or privateKey must be provided' },
@@ -51,10 +45,13 @@ export async function POST(request: NextRequest) {
    })

    try {
+      // Create a temporary script file, execute it, and clean up
      const scriptPath = `/tmp/sim_script_${requestId}.sh`
      const escapedScriptPath = escapeShellArg(scriptPath)
      const escapedInterpreter = escapeShellArg(params.interpreter)

+      // Build the command to create, execute, and clean up the script
+      // Note: heredoc with quoted delimiter ('SIMEOF') prevents variable expansion
      let command = `cat > '${escapedScriptPath}' << 'SIMEOF'
 ${params.script}
 SIMEOF
--- a/apps/sim/app/api/tools/ssh/get-system-info/route.ts
+++ b/apps/sim/app/api/tools/ssh/get-system-info/route.ts
@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, executeSSHCommand } from '@/app/api/tools/ssh/utils'

 const logger = createLogger('SSHGetSystemInfoAPI')
@@ -20,15 +19,10 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized SSH get system info attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
    const body = await request.json()
    const params = GetSystemInfoSchema.parse(body)

+    // Validate authentication
    if (!params.password && !params.privateKey) {
      return NextResponse.json(
        { error: 'Either password or privateKey must be provided' },
--- a/apps/sim/app/api/tools/ssh/list-directory/route.ts
+++ b/apps/sim/app/api/tools/ssh/list-directory/route.ts
@@ -3,7 +3,6 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, FileEntry, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  createSSHConnection,
  getFileType,
@@ -61,15 +60,10 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized SSH list directory attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
    const body = await request.json()
    const params = ListDirectorySchema.parse(body)

+    // Validate authentication
    if (!params.password && !params.privateKey) {
      return NextResponse.json(
        { error: 'Either password or privateKey must be provided' },
--- a/apps/sim/app/api/tools/ssh/move-rename/route.ts
+++ b/apps/sim/app/api/tools/ssh/move-rename/route.ts
@@ -2,7 +2,6 @@ import { randomUUID } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import {
  createSSHConnection,
  escapeShellArg,
@@ -28,16 +27,9 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized SSH move/rename attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
    const body = await request.json()
    const params = MoveRenameSchema.parse(body)

-    // Validate SSH authentication
    if (!params.password && !params.privateKey) {
      return NextResponse.json(
        { error: 'Either password or privateKey must be provided' },
--- a/apps/sim/app/api/tools/ssh/read-file-content/route.ts
+++ b/apps/sim/app/api/tools/ssh/read-file-content/route.ts
@@ -3,7 +3,6 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, sanitizePath } from '@/app/api/tools/ssh/utils'

 const logger = createLogger('SSHReadFileContentAPI')
@@ -36,12 +35,6 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized SSH read file content attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
    const body = await request.json()
    const params = ReadFileContentSchema.parse(body)

--- a/apps/sim/app/api/tools/ssh/upload-file/route.ts
+++ b/apps/sim/app/api/tools/ssh/upload-file/route.ts
@@ -3,7 +3,6 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, sanitizePath } from '@/app/api/tools/ssh/utils'

 const logger = createLogger('SSHUploadFileAPI')
@@ -38,12 +37,6 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized SSH upload file attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
    const body = await request.json()
    const params = UploadFileSchema.parse(body)

--- a/apps/sim/app/api/tools/ssh/write-file-content/route.ts
+++ b/apps/sim/app/api/tools/ssh/write-file-content/route.ts
@@ -3,7 +3,6 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import type { Client, SFTPWrapper } from 'ssh2'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { createSSHConnection, sanitizePath } from '@/app/api/tools/ssh/utils'

 const logger = createLogger('SSHWriteFileContentAPI')
@@ -37,15 +36,10 @@ export async function POST(request: NextRequest) {
  const requestId = randomUUID().slice(0, 8)

  try {
-    const auth = await checkInternalAuth(request)
-    if (!auth.success || !auth.userId) {
-      logger.warn(`[${requestId}] Unauthorized SSH write file content attempt`)
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-    }
-
    const body = await request.json()
    const params = WriteFileContentSchema.parse(body)

+    // Validate authentication
    if (!params.password && !params.privateKey) {
      return NextResponse.json(
        { error: 'Either password or privateKey must be provided' },
--- a/apps/sim/app/api/tools/stt/route.ts
+++ b/apps/sim/app/api/tools/stt/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { extractAudioFromVideo, isVideoFile } from '@/lib/audio/extractor'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 import type { UserFile } from '@/executor/types'
 import type { TranscriptSegment } from '@/tools/stt/types'
@@ -40,7 +40,7 @@ export async function POST(request: NextRequest) {
  logger.info(`[${requestId}] STT transcription request started`)

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
--- a/apps/sim/app/api/tools/telegram/send-document/route.ts
+++ b/apps/sim/app/api/tools/telegram/send-document/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, {
+    const authResult = await checkHybridAuth(request, {
      requireWorkflowId: false,
    })

--- a/apps/sim/app/api/tools/textract/parse/route.ts
+++ b/apps/sim/app/api/tools/textract/parse/route.ts
@@ -2,7 +2,7 @@ import crypto from 'crypto'
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import {
  validateAwsRegion,
  validateExternalUrl,
@@ -292,7 +292,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success || !authResult.userId) {
      logger.warn(`[${requestId}] Unauthorized Textract parse attempt`, {
--- a/apps/sim/app/api/tools/tts/route.ts
+++ b/apps/sim/app/api/tools/tts/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import type { NextRequest } from 'next/server'
 import { NextResponse } from 'next/server'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
@@ -10,7 +10,7 @@ const logger = createLogger('ProxyTTSAPI')

 export async function POST(request: NextRequest) {
  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.error('Authentication failed for TTS proxy:', authResult.error)
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/tts/unified/route.ts
+++ b/apps/sim/app/api/tools/tts/unified/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import type { NextRequest } from 'next/server'
 import { NextResponse } from 'next/server'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
@@ -87,7 +87,7 @@ export async function POST(request: NextRequest) {
  logger.info(`[${requestId}] TTS unified request started`)

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      logger.error('Authentication failed for TTS unified proxy:', authResult.error)
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/tools/video/route.ts
+++ b/apps/sim/app/api/tools/video/route.ts
@@ -1,6 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 import type { UserFile } from '@/executor/types'
 import type { VideoRequestBody } from '@/tools/video/types'
@@ -15,7 +15,7 @@ export async function POST(request: NextRequest) {
  logger.info(`[${requestId}] Video generation request started`)

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })
    if (!authResult.success) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }
--- a/apps/sim/app/api/tools/vision/analyze/route.ts
+++ b/apps/sim/app/api/tools/vision/analyze/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { processSingleFileToUserFile } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
@@ -22,7 +22,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized Vision analyze attempt: ${authResult.error}`)
--- a/apps/sim/app/api/tools/wordpress/upload/route.ts
+++ b/apps/sim/app/api/tools/wordpress/upload/route.ts
@@ -1,7 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import {
  getFileExtension,
@@ -31,7 +31,7 @@ export async function POST(request: NextRequest) {
  const requestId = generateRequestId()

  try {
-    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+    const authResult = await checkHybridAuth(request, { requireWorkflowId: false })

    if (!authResult.success) {
      logger.warn(`[${requestId}] Unauthorized WordPress upload attempt: ${authResult.error}`)
--- a/apps/sim/app/api/v1/admin/types.ts
+++ b/apps/sim/app/api/v1/admin/types.ts
@@ -640,7 +640,6 @@ export interface AdminDeployResult {
  isDeployed: boolean
  version: number
  deployedAt: string
-  warnings?: string[]
 }

 export interface AdminUndeployResult {
--- a/apps/sim/app/api/v1/admin/workflows/[id]/deploy/route.ts
+++ b/apps/sim/app/api/v1/admin/workflows/[id]/deploy/route.ts
@@ -1,23 +1,14 @@
-import { db, workflow, workflowDeploymentVersion } from '@sim/db'
+import { db, workflow } from '@sim/db'
 import { createLogger } from '@sim/logger'
-import { and, eq } from 'drizzle-orm'
+import { eq } from 'drizzle-orm'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { removeMcpToolsForWorkflow, syncMcpToolsForWorkflow } from '@/lib/mcp/workflow-mcp-sync'
-import {
-  cleanupWebhooksForWorkflow,
-  restorePreviousVersionWebhooks,
-  saveTriggerWebhooksForDeploy,
-} from '@/lib/webhooks/deploy'
+import { cleanupWebhooksForWorkflow } from '@/lib/webhooks/deploy'
 import {
  deployWorkflow,
  loadWorkflowFromNormalizedTables,
  undeployWorkflow,
 } from '@/lib/workflows/persistence/utils'
-import {
-  cleanupDeploymentVersion,
-  createSchedulesForDeploy,
-  validateWorkflowSchedules,
-} from '@/lib/workflows/schedules'
+import { createSchedulesForDeploy, validateWorkflowSchedules } from '@/lib/workflows/schedules'
 import { withAdminAuthParams } from '@/app/api/v1/admin/middleware'
 import {
  badRequestResponse,
@@ -37,11 +28,10 @@ interface RouteParams {

 export const POST = withAdminAuthParams<RouteParams>(async (request, context) => {
  const { id: workflowId } = await context.params
-  const requestId = generateRequestId()

  try {
    const [workflowRecord] = await db
-      .select()
+      .select({ id: workflow.id, name: workflow.name })
      .from(workflow)
      .where(eq(workflow.id, workflowId))
      .limit(1)
@@ -60,18 +50,6 @@ export const POST = withAdminAuthParams<RouteParams>(async (request, context) =>
      return badRequestResponse(`Invalid schedule configuration: ${scheduleValidation.error}`)
    }

-    const [currentActiveVersion] = await db
-      .select({ id: workflowDeploymentVersion.id })
-      .from(workflowDeploymentVersion)
-      .where(
-        and(
-          eq(workflowDeploymentVersion.workflowId, workflowId),
-          eq(workflowDeploymentVersion.isActive, true)
-        )
-      )
-      .limit(1)
-    const previousVersionId = currentActiveVersion?.id
-
    const deployResult = await deployWorkflow({
      workflowId,
      deployedBy: ADMIN_ACTOR_ID,
@@ -87,32 +65,6 @@ export const POST = withAdminAuthParams<RouteParams>(async (request, context) =>
      return internalErrorResponse('Failed to resolve deployment version')
    }

-    const workflowData = workflowRecord as Record<string, unknown>
-
-    const triggerSaveResult = await saveTriggerWebhooksForDeploy({
-      request,
-      workflowId,
-      workflow: workflowData,
-      userId: workflowRecord.userId,
-      blocks: normalizedData.blocks,
-      requestId,
-      deploymentVersionId: deployResult.deploymentVersionId,
-      previousVersionId,
-    })
-
-    if (!triggerSaveResult.success) {
-      await cleanupDeploymentVersion({
-        workflowId,
-        workflow: workflowData,
-        requestId,
-        deploymentVersionId: deployResult.deploymentVersionId,
-      })
-      await undeployWorkflow({ workflowId })
-      return internalErrorResponse(
-        triggerSaveResult.error?.message || 'Failed to sync trigger configuration'
-      )
-    }
-
    const scheduleResult = await createSchedulesForDeploy(
      workflowId,
      normalizedData.blocks,
@@ -120,58 +72,15 @@ export const POST = withAdminAuthParams<RouteParams>(async (request, context) =>
      deployResult.deploymentVersionId
    )
    if (!scheduleResult.success) {
-      logger.error(
-        `[${requestId}] Admin API: Schedule creation failed for workflow ${workflowId}: ${scheduleResult.error}`
-      )
-      await cleanupDeploymentVersion({
-        workflowId,
-        workflow: workflowData,
-        requestId,
-        deploymentVersionId: deployResult.deploymentVersionId,
-      })
-      if (previousVersionId) {
-        await restorePreviousVersionWebhooks({
-          request,
-          workflow: workflowData,
-          userId: workflowRecord.userId,
-          previousVersionId,
-          requestId,
-        })
-      }
-      await undeployWorkflow({ workflowId })
-      return internalErrorResponse(scheduleResult.error || 'Failed to create schedule')
+      logger.warn(`Schedule creation failed for workflow ${workflowId}: ${scheduleResult.error}`)
    }

-    if (previousVersionId && previousVersionId !== deployResult.deploymentVersionId) {
-      try {
-        logger.info(`[${requestId}] Admin API: Cleaning up previous version ${previousVersionId}`)
-        await cleanupDeploymentVersion({
-          workflowId,
-          workflow: workflowData,
-          requestId,
-          deploymentVersionId: previousVersionId,
-          skipExternalCleanup: true,
-        })
-      } catch (cleanupError) {
-        logger.error(
-          `[${requestId}] Admin API: Failed to clean up previous version ${previousVersionId}`,
-          cleanupError
-        )
-      }
-    }
-
-    logger.info(
-      `[${requestId}] Admin API: Deployed workflow ${workflowId} as v${deployResult.version}`
-    )
-
-    // Sync MCP tools with the latest parameter schema
-    await syncMcpToolsForWorkflow({ workflowId, requestId, context: 'deploy' })
+    logger.info(`Admin API: Deployed workflow ${workflowId} as v${deployResult.version}`)

    const response: AdminDeployResult = {
      isDeployed: true,
      version: deployResult.version!,
      deployedAt: deployResult.deployedAt!.toISOString(),
-      warnings: triggerSaveResult.warnings,
    }

    return singleResponse(response)
@@ -196,6 +105,7 @@ export const DELETE = withAdminAuthParams<RouteParams>(async (request, context)
      return notFoundResponse('Workflow')
    }

+    // Clean up external webhook subscriptions before undeploying
    await cleanupWebhooksForWorkflow(
      workflowId,
      workflowRecord as Record<string, unknown>,
@@ -207,8 +117,6 @@ export const DELETE = withAdminAuthParams<RouteParams>(async (request, context)
      return internalErrorResponse(result.error || 'Failed to undeploy workflow')
    }

-    await removeMcpToolsForWorkflow(workflowId, requestId)
-
    logger.info(`Admin API: Undeployed workflow ${workflowId}`)

    const response: AdminUndeployResult = {
--- a/apps/sim/app/api/v1/admin/workflows/[id]/versions/[versionId]/activate/route.ts
+++ b/apps/sim/app/api/v1/admin/workflows/[id]/versions/[versionId]/activate/route.ts
@@ -1,15 +1,7 @@
-import { db, workflow, workflowDeploymentVersion } from '@sim/db'
+import { db, workflow } from '@sim/db'
 import { createLogger } from '@sim/logger'
-import { and, eq } from 'drizzle-orm'
-import { generateRequestId } from '@/lib/core/utils/request'
-import { syncMcpToolsForWorkflow } from '@/lib/mcp/workflow-mcp-sync'
-import { restorePreviousVersionWebhooks, saveTriggerWebhooksForDeploy } from '@/lib/webhooks/deploy'
+import { eq } from 'drizzle-orm'
 import { activateWorkflowVersion } from '@/lib/workflows/persistence/utils'
-import {
-  cleanupDeploymentVersion,
-  createSchedulesForDeploy,
-  validateWorkflowSchedules,
-} from '@/lib/workflows/schedules'
 import { withAdminAuthParams } from '@/app/api/v1/admin/middleware'
 import {
  badRequestResponse,
@@ -17,7 +9,6 @@ import {
  notFoundResponse,
  singleResponse,
 } from '@/app/api/v1/admin/responses'
-import type { BlockState } from '@/stores/workflows/workflow/types'

 const logger = createLogger('AdminWorkflowActivateVersionAPI')

@@ -27,12 +18,11 @@ interface RouteParams {
 }

 export const POST = withAdminAuthParams<RouteParams>(async (request, context) => {
-  const requestId = generateRequestId()
  const { id: workflowId, versionId } = await context.params

  try {
    const [workflowRecord] = await db
-      .select()
+      .select({ id: workflow.id })
      .from(workflow)
      .where(eq(workflow.id, workflowId))
      .limit(1)
@@ -46,161 +36,23 @@ export const POST = withAdminAuthParams<RouteParams>(async (request, context) =>
      return badRequestResponse('Invalid version number')
    }

-    const [versionRow] = await db
-      .select({
-        id: workflowDeploymentVersion.id,
-        state: workflowDeploymentVersion.state,
-      })
-      .from(workflowDeploymentVersion)
-      .where(
-        and(
-          eq(workflowDeploymentVersion.workflowId, workflowId),
-          eq(workflowDeploymentVersion.version, versionNum)
-        )
-      )
-      .limit(1)
-
-    if (!versionRow?.state) {
-      return notFoundResponse('Deployment version')
-    }
-
-    const [currentActiveVersion] = await db
-      .select({ id: workflowDeploymentVersion.id })
-      .from(workflowDeploymentVersion)
-      .where(
-        and(
-          eq(workflowDeploymentVersion.workflowId, workflowId),
-          eq(workflowDeploymentVersion.isActive, true)
-        )
-      )
-      .limit(1)
-
-    const previousVersionId = currentActiveVersion?.id
-
-    const deployedState = versionRow.state as { blocks?: Record<string, BlockState> }
-    const blocks = deployedState.blocks
-    if (!blocks || typeof blocks !== 'object') {
-      return internalErrorResponse('Invalid deployed state structure')
-    }
-
-    const workflowData = workflowRecord as Record<string, unknown>
-
-    const scheduleValidation = validateWorkflowSchedules(blocks)
-    if (!scheduleValidation.isValid) {
-      return badRequestResponse(`Invalid schedule configuration: ${scheduleValidation.error}`)
-    }
-
-    const triggerSaveResult = await saveTriggerWebhooksForDeploy({
-      request,
-      workflowId,
-      workflow: workflowData,
-      userId: workflowRecord.userId,
-      blocks,
-      requestId,
-      deploymentVersionId: versionRow.id,
-      previousVersionId,
-      forceRecreateSubscriptions: true,
-    })
-
-    if (!triggerSaveResult.success) {
-      logger.error(
-        `[${requestId}] Admin API: Failed to sync triggers for workflow ${workflowId}`,
-        triggerSaveResult.error
-      )
-      return internalErrorResponse(
-        triggerSaveResult.error?.message || 'Failed to sync trigger configuration'
-      )
-    }
-
-    const scheduleResult = await createSchedulesForDeploy(workflowId, blocks, db, versionRow.id)
-
-    if (!scheduleResult.success) {
-      await cleanupDeploymentVersion({
-        workflowId,
-        workflow: workflowData,
-        requestId,
-        deploymentVersionId: versionRow.id,
-      })
-      if (previousVersionId) {
-        await restorePreviousVersionWebhooks({
-          request,
-          workflow: workflowData,
-          userId: workflowRecord.userId,
-          previousVersionId,
-          requestId,
-        })
-      }
-      return internalErrorResponse(scheduleResult.error || 'Failed to sync schedules')
-    }
-
    const result = await activateWorkflowVersion({ workflowId, version: versionNum })
    if (!result.success) {
-      await cleanupDeploymentVersion({
-        workflowId,
-        workflow: workflowData,
-        requestId,
-        deploymentVersionId: versionRow.id,
-      })
-      if (previousVersionId) {
-        await restorePreviousVersionWebhooks({
-          request,
-          workflow: workflowData,
-          userId: workflowRecord.userId,
-          previousVersionId,
-          requestId,
-        })
-      }
      if (result.error === 'Deployment version not found') {
        return notFoundResponse('Deployment version')
      }
      return internalErrorResponse(result.error || 'Failed to activate version')
    }

-    if (previousVersionId && previousVersionId !== versionRow.id) {
-      try {
-        logger.info(
-          `[${requestId}] Admin API: Cleaning up previous version ${previousVersionId} webhooks/schedules`
-        )
-        await cleanupDeploymentVersion({
-          workflowId,
-          workflow: workflowData,
-          requestId,
-          deploymentVersionId: previousVersionId,
-          skipExternalCleanup: true,
-        })
-        logger.info(`[${requestId}] Admin API: Previous version cleanup completed`)
-      } catch (cleanupError) {
-        logger.error(
-          `[${requestId}] Admin API: Failed to clean up previous version ${previousVersionId}`,
-          cleanupError
-        )
-      }
-    }
-
-    await syncMcpToolsForWorkflow({
-      workflowId,
-      requestId,
-      state: versionRow.state,
-      context: 'activate',
-    })
-
-    logger.info(
-      `[${requestId}] Admin API: Activated version ${versionNum} for workflow ${workflowId}`
-    )
+    logger.info(`Admin API: Activated version ${versionNum} for workflow ${workflowId}`)

    return singleResponse({
      success: true,
      version: versionNum,
      deployedAt: result.deployedAt!.toISOString(),
-      warnings: triggerSaveResult.warnings,
    })
  } catch (error) {
-    logger.error(
-      `[${requestId}] Admin API: Failed to activate version for workflow ${workflowId}`,
-      {
-        error,
-      }
-    )
+    logger.error(`Admin API: Failed to activate version for workflow ${workflowId}`, { error })
    return internalErrorResponse('Failed to activate deployment version')
  }
 })
--- a/apps/sim/app/api/webhooks/[id]/route.ts
+++ b/apps/sim/app/api/webhooks/[id]/route.ts
@@ -7,7 +7,11 @@ import { getSession } from '@/lib/auth'
 import { validateInteger } from '@/lib/core/security/input-validation'
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { cleanupExternalWebhook } from '@/lib/webhooks/provider-subscriptions'
+import {
+  cleanupExternalWebhook,
+  createExternalWebhookSubscription,
+  shouldRecreateExternalWebhookSubscription,
+} from '@/lib/webhooks/provider-subscriptions'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'

 const logger = createLogger('WebhookAPI')
@@ -83,6 +87,7 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
  }
 }

+// Update a webhook
 export async function PATCH(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
  const requestId = generateRequestId()

@@ -97,7 +102,7 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
    }

    const body = await request.json()
-    const { isActive, failedCount } = body
+    const { path, provider, providerConfig, isActive, failedCount } = body

    if (failedCount !== undefined) {
      const validation = validateInteger(failedCount, 'failedCount', { min: 0 })
@@ -107,6 +112,28 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
      }
    }

+    let resolvedProviderConfig = providerConfig
+    if (providerConfig) {
+      const { resolveEnvVarsInObject } = await import('@/lib/webhooks/env-resolver')
+      const webhookDataForResolve = await db
+        .select({
+          workspaceId: workflow.workspaceId,
+        })
+        .from(webhook)
+        .innerJoin(workflow, eq(webhook.workflowId, workflow.id))
+        .where(eq(webhook.id, id))
+        .limit(1)
+
+      if (webhookDataForResolve.length > 0) {
+        resolvedProviderConfig = await resolveEnvVarsInObject(
+          providerConfig,
+          session.user.id,
+          webhookDataForResolve[0].workspaceId || undefined
+        )
+      }
+    }
+
+    // Find the webhook and check permissions
    const webhooks = await db
      .select({
        webhook: webhook,
@@ -127,12 +154,16 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
    }

    const webhookData = webhooks[0]
+
+    // Check if user has permission to modify this webhook
    let canModify = false

+    // Case 1: User owns the workflow
    if (webhookData.workflow.userId === session.user.id) {
      canModify = true
    }

+    // Case 2: Workflow belongs to a workspace and user has write or admin permission
    if (!canModify && webhookData.workflow.workspaceId) {
      const userPermission = await getUserEntityPermissions(
        session.user.id,
@@ -151,14 +182,76 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
      return NextResponse.json({ error: 'Access denied' }, { status: 403 })
    }

+    const existingProviderConfig =
+      (webhookData.webhook.providerConfig as Record<string, unknown>) || {}
+    let nextProviderConfig =
+      providerConfig !== undefined &&
+      resolvedProviderConfig &&
+      typeof resolvedProviderConfig === 'object'
+        ? (resolvedProviderConfig as Record<string, unknown>)
+        : existingProviderConfig
+    const nextProvider = (provider ?? webhookData.webhook.provider) as string
+
+    if (
+      providerConfig !== undefined &&
+      shouldRecreateExternalWebhookSubscription({
+        previousProvider: webhookData.webhook.provider as string,
+        nextProvider,
+        previousConfig: existingProviderConfig,
+        nextConfig: nextProviderConfig,
+      })
+    ) {
+      await cleanupExternalWebhook(
+        { ...webhookData.webhook, providerConfig: existingProviderConfig },
+        webhookData.workflow,
+        requestId
+      )
+
+      const result = await createExternalWebhookSubscription(
+        request,
+        {
+          ...webhookData.webhook,
+          provider: nextProvider,
+          providerConfig: nextProviderConfig,
+        },
+        webhookData.workflow,
+        session.user.id,
+        requestId
+      )
+
+      nextProviderConfig = result.updatedProviderConfig as Record<string, unknown>
+    }
+
    logger.debug(`[${requestId}] Updating webhook properties`, {
+      hasPathUpdate: path !== undefined,
+      hasProviderUpdate: provider !== undefined,
+      hasConfigUpdate: providerConfig !== undefined,
      hasActiveUpdate: isActive !== undefined,
      hasFailedCountUpdate: failedCount !== undefined,
    })

+    // Merge providerConfig to preserve credential-related fields
+    let finalProviderConfig = webhooks[0].webhook.providerConfig
+    if (providerConfig !== undefined) {
+      const existingConfig = existingProviderConfig
+      finalProviderConfig = {
+        ...nextProviderConfig,
+        credentialId: existingConfig.credentialId,
+        credentialSetId: existingConfig.credentialSetId,
+        userId: existingConfig.userId,
+        historyId: existingConfig.historyId,
+        lastCheckedTimestamp: existingConfig.lastCheckedTimestamp,
+        setupCompleted: existingConfig.setupCompleted,
+        externalId: nextProviderConfig.externalId ?? existingConfig.externalId,
+      }
+    }
+
    const updatedWebhook = await db
      .update(webhook)
      .set({
+        path: path !== undefined ? path : webhooks[0].webhook.path,
+        provider: provider !== undefined ? provider : webhooks[0].webhook.provider,
+        providerConfig: finalProviderConfig,
        isActive: isActive !== undefined ? isActive : webhooks[0].webhook.isActive,
        failedCount: failedCount !== undefined ? failedCount : webhooks[0].webhook.failedCount,
        updatedAt: new Date(),
@@ -241,8 +334,11 @@ export async function DELETE(
    }

    const foundWebhook = webhookData.webhook
-    const credentialSetId = foundWebhook.credentialSetId as string | undefined
-    const blockId = foundWebhook.blockId as string | undefined
+    const { cleanupExternalWebhook } = await import('@/lib/webhooks/provider-subscriptions')
+
+    const providerConfig = foundWebhook.providerConfig as Record<string, unknown> | null
+    const credentialSetId = providerConfig?.credentialSetId as string | undefined
+    const blockId = providerConfig?.blockId as string | undefined

    if (credentialSetId && blockId) {
      const allCredentialSetWebhooks = await db
@@ -250,9 +346,10 @@ export async function DELETE(
        .from(webhook)
        .where(and(eq(webhook.workflowId, webhookData.workflow.id), eq(webhook.blockId, blockId)))

-      const webhooksToDelete = allCredentialSetWebhooks.filter(
-        (w) => w.credentialSetId === credentialSetId
-      )
+      const webhooksToDelete = allCredentialSetWebhooks.filter((w) => {
+        const config = w.providerConfig as Record<string, unknown> | null
+        return config?.credentialSetId === credentialSetId
+      })

      for (const w of webhooksToDelete) {
        await cleanupExternalWebhook(w, webhookData.workflow, requestId)
--- a/apps/sim/app/api/webhooks/route.ts
+++ b/apps/sim/app/api/webhooks/route.ts
@@ -7,21 +7,8 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { PlatformEvents } from '@/lib/core/telemetry'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { getProviderIdFromServiceId } from '@/lib/oauth'
-import { resolveEnvVarsInObject } from '@/lib/webhooks/env-resolver'
-import {
-  cleanupExternalWebhook,
-  createExternalWebhookSubscription,
-} from '@/lib/webhooks/provider-subscriptions'
-import { mergeNonUserFields } from '@/lib/webhooks/utils'
-import {
-  configureGmailPolling,
-  configureOutlookPolling,
-  configureRssPolling,
-  syncWebhooksForCredentialSet,
-} from '@/lib/webhooks/utils.server'
+import { createExternalWebhookSubscription } from '@/lib/webhooks/provider-subscriptions'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
-import { extractCredentialSetId, isCredentialSetValue } from '@/executor/constants'

 const logger = createLogger('WebhooksAPI')

@@ -311,10 +298,14 @@ export async function POST(request: NextRequest) {
      }
    }

-    let savedWebhook: any = null
-    const originalProviderConfig = providerConfig || {}
+    let savedWebhook: any = null // Variable to hold the result of save/update
+
+    // Use the original provider config - Gmail/Outlook configuration functions will inject userId automatically
+    const finalProviderConfig = providerConfig || {}
+
+    const { resolveEnvVarsInObject } = await import('@/lib/webhooks/env-resolver')
    let resolvedProviderConfig = await resolveEnvVarsInObject(
-      originalProviderConfig,
+      finalProviderConfig,
      userId,
      workflowRecord.workspaceId || undefined
    )
@@ -328,6 +319,8 @@ export async function POST(request: NextRequest) {
    const directCredentialSetId = resolvedProviderConfig?.credentialSetId as string | undefined

    if (directCredentialSetId || rawCredentialId) {
+      const { isCredentialSetValue, extractCredentialSetId } = await import('@/executor/constants')
+
      const credentialSetId =
        directCredentialSetId ||
        (rawCredentialId && isCredentialSetValue(rawCredentialId)
@@ -339,6 +332,11 @@ export async function POST(request: NextRequest) {
          `[${requestId}] Credential set detected for ${provider} trigger. Syncing webhooks for set ${credentialSetId}`
        )

+        const { getProviderIdFromServiceId } = await import('@/lib/oauth')
+        const { syncWebhooksForCredentialSet, configureGmailPolling, configureOutlookPolling } =
+          await import('@/lib/webhooks/utils.server')
+
+        // Map provider to OAuth provider ID
        const oauthProviderId = getProviderIdFromServiceId(provider)

        const {
@@ -471,9 +469,6 @@ export async function POST(request: NextRequest) {
      providerConfig: providerConfigOverride,
    })

-    const userProvided = originalProviderConfig as Record<string, unknown>
-    const configToSave: Record<string, unknown> = { ...userProvided }
-
    try {
      const result = await createExternalWebhookSubscription(
        request,
@@ -482,9 +477,7 @@ export async function POST(request: NextRequest) {
        userId,
        requestId
      )
-      const updatedConfig = result.updatedProviderConfig as Record<string, unknown>
-      mergeNonUserFields(configToSave, updatedConfig, userProvided)
-      resolvedProviderConfig = updatedConfig
+      resolvedProviderConfig = result.updatedProviderConfig as Record<string, unknown>
      externalSubscriptionCreated = result.externalSubscriptionCreated
    } catch (err) {
      logger.error(`[${requestId}] Error creating external webhook subscription`, err)
@@ -497,22 +490,25 @@ export async function POST(request: NextRequest) {
      )
    }

+    // Now save to database (only if subscription succeeded or provider doesn't need external subscription)
    try {
      if (targetWebhookId) {
        logger.info(`[${requestId}] Updating existing webhook for path: ${finalPath}`, {
          webhookId: targetWebhookId,
          provider,
-          hasCredentialId: !!(configToSave as any)?.credentialId,
-          credentialId: (configToSave as any)?.credentialId,
+          hasCredentialId: !!(resolvedProviderConfig as any)?.credentialId,
+          credentialId: (resolvedProviderConfig as any)?.credentialId,
        })
        const updatedResult = await db
          .update(webhook)
          .set({
            blockId,
            provider,
-            providerConfig: configToSave,
+            providerConfig: resolvedProviderConfig,
            credentialSetId:
-              ((configToSave as Record<string, unknown>)?.credentialSetId as string | null) || null,
+              ((resolvedProviderConfig as Record<string, unknown>)?.credentialSetId as
+                | string
+                | null) || null,
            isActive: true,
            updatedAt: new Date(),
          })
@@ -535,9 +531,11 @@ export async function POST(request: NextRequest) {
            blockId,
            path: finalPath,
            provider,
-            providerConfig: configToSave,
+            providerConfig: resolvedProviderConfig,
            credentialSetId:
-              ((configToSave as Record<string, unknown>)?.credentialSetId as string | null) || null,
+              ((resolvedProviderConfig as Record<string, unknown>)?.credentialSetId as
+                | string
+                | null) || null,
            isActive: true,
            createdAt: new Date(),
            updatedAt: new Date(),
@@ -549,8 +547,9 @@ export async function POST(request: NextRequest) {
      if (externalSubscriptionCreated) {
        logger.error(`[${requestId}] DB save failed, cleaning up external subscription`, dbError)
        try {
+          const { cleanupExternalWebhook } = await import('@/lib/webhooks/provider-subscriptions')
          await cleanupExternalWebhook(
-            createTempWebhookData(configToSave),
+            createTempWebhookData(resolvedProviderConfig),
            workflowRecord,
            requestId
          )
@@ -568,6 +567,7 @@ export async function POST(request: NextRequest) {
    if (savedWebhook && provider === 'gmail') {
      logger.info(`[${requestId}] Gmail provider detected. Setting up Gmail webhook configuration.`)
      try {
+        const { configureGmailPolling } = await import('@/lib/webhooks/utils.server')
        const success = await configureGmailPolling(savedWebhook, requestId)

        if (!success) {
@@ -606,6 +606,7 @@ export async function POST(request: NextRequest) {
        `[${requestId}] Outlook provider detected. Setting up Outlook webhook configuration.`
      )
      try {
+        const { configureOutlookPolling } = await import('@/lib/webhooks/utils.server')
        const success = await configureOutlookPolling(savedWebhook, requestId)

        if (!success) {
@@ -642,6 +643,7 @@ export async function POST(request: NextRequest) {
    if (savedWebhook && provider === 'rss') {
      logger.info(`[${requestId}] RSS provider detected. Setting up RSS webhook configuration.`)
      try {
+        const { configureRssPolling } = await import('@/lib/webhooks/utils.server')
        const success = await configureRssPolling(savedWebhook, requestId)

        if (!success) {
--- a/apps/sim/app/api/workflows/[id]/deploy/route.ts
+++ b/apps/sim/app/api/workflows/[id]/deploy/route.ts
@@ -4,11 +4,7 @@ import { and, desc, eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { removeMcpToolsForWorkflow, syncMcpToolsForWorkflow } from '@/lib/mcp/workflow-mcp-sync'
-import {
-  cleanupWebhooksForWorkflow,
-  restorePreviousVersionWebhooks,
-  saveTriggerWebhooksForDeploy,
-} from '@/lib/webhooks/deploy'
+import { cleanupWebhooksForWorkflow, saveTriggerWebhooksForDeploy } from '@/lib/webhooks/deploy'
 import {
  deployWorkflow,
  loadWorkflowFromNormalizedTables,
@@ -139,18 +135,6 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
      return createErrorResponse(`Invalid schedule configuration: ${scheduleValidation.error}`, 400)
    }

-    const [currentActiveVersion] = await db
-      .select({ id: workflowDeploymentVersion.id })
-      .from(workflowDeploymentVersion)
-      .where(
-        and(
-          eq(workflowDeploymentVersion.workflowId, id),
-          eq(workflowDeploymentVersion.isActive, true)
-        )
-      )
-      .limit(1)
-    const previousVersionId = currentActiveVersion?.id
-
    const deployResult = await deployWorkflow({
      workflowId: id,
      deployedBy: actorUserId,
@@ -177,7 +161,6 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
      blocks: normalizedData.blocks,
      requestId,
      deploymentVersionId,
-      previousVersionId,
    })

    if (!triggerSaveResult.success) {
@@ -211,15 +194,6 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
        requestId,
        deploymentVersionId,
      })
-      if (previousVersionId) {
-        await restorePreviousVersionWebhooks({
-          request,
-          workflow: workflowData as Record<string, unknown>,
-          userId: actorUserId,
-          previousVersionId,
-          requestId,
-        })
-      }
      await undeployWorkflow({ workflowId: id })
      return createErrorResponse(scheduleResult.error || 'Failed to create schedule', 500)
    }
@@ -234,25 +208,6 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
      )
    }

-    if (previousVersionId && previousVersionId !== deploymentVersionId) {
-      try {
-        logger.info(`[${requestId}] Cleaning up previous version ${previousVersionId} DB records`)
-        await cleanupDeploymentVersion({
-          workflowId: id,
-          workflow: workflowData as Record<string, unknown>,
-          requestId,
-          deploymentVersionId: previousVersionId,
-          skipExternalCleanup: true,
-        })
-      } catch (cleanupError) {
-        logger.error(
-          `[${requestId}] Failed to clean up previous version ${previousVersionId}`,
-          cleanupError
-        )
-        // Non-fatal - continue with success response
-      }
-    }
-
    logger.info(`[${requestId}] Workflow deployed successfully: ${id}`)

    // Sync MCP tools with the latest parameter schema
@@ -273,7 +228,6 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
            nextRunAt: scheduleInfo.nextRunAt,
          }
        : undefined,
-      warnings: triggerSaveResult.warnings,
    })
  } catch (error: any) {
    logger.error(`[${requestId}] Error deploying workflow: ${id}`, {
--- a/apps/sim/app/api/workflows/[id]/deployments/[version]/activate/route.ts
+++ b/apps/sim/app/api/workflows/[id]/deployments/[version]/activate/route.ts
@@ -4,7 +4,7 @@ import { and, eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { syncMcpToolsForWorkflow } from '@/lib/mcp/workflow-mcp-sync'
-import { restorePreviousVersionWebhooks, saveTriggerWebhooksForDeploy } from '@/lib/webhooks/deploy'
+import { saveTriggerWebhooksForDeploy } from '@/lib/webhooks/deploy'
 import { activateWorkflowVersion } from '@/lib/workflows/persistence/utils'
 import {
  cleanupDeploymentVersion,
@@ -85,11 +85,6 @@ export async function POST(
      return createErrorResponse('Invalid deployed state structure', 500)
    }

-    const scheduleValidation = validateWorkflowSchedules(blocks)
-    if (!scheduleValidation.isValid) {
-      return createErrorResponse(`Invalid schedule configuration: ${scheduleValidation.error}`, 400)
-    }
-
    const triggerSaveResult = await saveTriggerWebhooksForDeploy({
      request,
      workflowId: id,
@@ -98,8 +93,6 @@ export async function POST(
      blocks,
      requestId,
      deploymentVersionId: versionRow.id,
-      previousVersionId,
-      forceRecreateSubscriptions: true,
    })

    if (!triggerSaveResult.success) {
@@ -109,6 +102,11 @@ export async function POST(
      )
    }

+    const scheduleValidation = validateWorkflowSchedules(blocks)
+    if (!scheduleValidation.isValid) {
+      return createErrorResponse(`Invalid schedule configuration: ${scheduleValidation.error}`, 400)
+    }
+
    const scheduleResult = await createSchedulesForDeploy(id, blocks, db, versionRow.id)

    if (!scheduleResult.success) {
@@ -118,15 +116,6 @@ export async function POST(
        requestId,
        deploymentVersionId: versionRow.id,
      })
-      if (previousVersionId) {
-        await restorePreviousVersionWebhooks({
-          request,
-          workflow: workflowData as Record<string, unknown>,
-          userId: actorUserId,
-          previousVersionId,
-          requestId,
-        })
-      }
      return createErrorResponse(scheduleResult.error || 'Failed to sync schedules', 500)
    }

@@ -138,15 +127,6 @@ export async function POST(
        requestId,
        deploymentVersionId: versionRow.id,
      })
-      if (previousVersionId) {
-        await restorePreviousVersionWebhooks({
-          request,
-          workflow: workflowData as Record<string, unknown>,
-          userId: actorUserId,
-          previousVersionId,
-          requestId,
-        })
-      }
      return createErrorResponse(result.error || 'Failed to activate deployment', 400)
    }

@@ -160,7 +140,6 @@ export async function POST(
          workflow: workflowData as Record<string, unknown>,
          requestId,
          deploymentVersionId: previousVersionId,
-          skipExternalCleanup: true,
        })
        logger.info(`[${requestId}] Previous version cleanup completed`)
      } catch (cleanupError) {
@@ -178,11 +157,7 @@ export async function POST(
      context: 'activate',
    })

-    return createSuccessResponse({
-      success: true,
-      deployedAt: result.deployedAt,
-      warnings: triggerSaveResult.warnings,
-    })
+    return createSuccessResponse({ success: true, deployedAt: result.deployedAt })
  } catch (error: any) {
    logger.error(`[${requestId}] Error activating deployment for workflow: ${id}`, error)
    return createErrorResponse(error.message || 'Failed to activate deployment', 500)
--- a/apps/sim/app/api/workflows/[id]/execute/route.ts
+++ b/apps/sim/app/api/workflows/[id]/execute/route.ts
@@ -30,7 +30,6 @@ import { normalizeName } from '@/executor/constants'
 import { ExecutionSnapshot } from '@/executor/execution/snapshot'
 import type { ExecutionMetadata, IterationContext } from '@/executor/execution/types'
 import type { NormalizedBlockOutput, StreamingExecution } from '@/executor/types'
-import { hasExecutionResult } from '@/executor/utils/errors'
 import { Serializer } from '@/serializer'
 import { CORE_TRIGGER_TYPES, type CoreTriggerType } from '@/stores/logs/filters/types'

@@ -117,6 +116,7 @@ type AsyncExecutionParams = {
  userId: string
  input: any
  triggerType: CoreTriggerType
+  preflighted?: boolean
 }

 /**
@@ -139,6 +139,7 @@ async function handleAsyncExecution(params: AsyncExecutionParams): Promise<NextR
    userId,
    input,
    triggerType,
+    preflighted: params.preflighted,
  }

  try {
@@ -275,6 +276,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
      requestId
    )

+    const shouldPreflightEnvVars = isAsyncMode && isTriggerDevEnabled
    const preprocessResult = await preprocessExecution({
      workflowId,
      userId,
@@ -283,7 +285,9 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
      requestId,
      checkDeployment: !shouldUseDraftState,
      loggingSession,
+      preflightEnvVars: shouldPreflightEnvVars,
      useDraftState: shouldUseDraftState,
+      envUserId: isClientSession ? userId : undefined,
    })

    if (!preprocessResult.success) {
@@ -315,6 +319,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
        userId: actorUserId,
        input,
        triggerType: loggingTriggerType,
+        preflighted: shouldPreflightEnvVars,
      })
    }

@@ -468,17 +473,17 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
        }

        return NextResponse.json(filteredResult)
-      } catch (error: unknown) {
-        const errorMessage = error instanceof Error ? error.message : 'Unknown error'
+      } catch (error: any) {
+        const errorMessage = error.message || 'Unknown error'
        logger.error(`[${requestId}] Non-SSE execution failed: ${errorMessage}`)

-        const executionResult = hasExecutionResult(error) ? error.executionResult : undefined
+        const executionResult = error.executionResult

        return NextResponse.json(
          {
            success: false,
            output: executionResult?.output,
-            error: executionResult?.error || errorMessage || 'Execution failed',
+            error: executionResult?.error || error.message || 'Execution failed',
            metadata: executionResult?.metadata
              ? {
                  duration: executionResult.metadata.duration,
@@ -789,11 +794,11 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:

          // Cleanup base64 cache for this execution
          await cleanupExecutionBase64Cache(executionId)
-        } catch (error: unknown) {
-          const errorMessage = error instanceof Error ? error.message : 'Unknown error'
+        } catch (error: any) {
+          const errorMessage = error.message || 'Unknown error'
          logger.error(`[${requestId}] SSE execution failed: ${errorMessage}`)

-          const executionResult = hasExecutionResult(error) ? error.executionResult : undefined
+          const executionResult = error.executionResult

          sendEvent({
            type: 'execution:error',
--- a/apps/sim/app/workspace/[workspaceId]/logs/logs.tsx
+++ b/apps/sim/app/workspace/[workspaceId]/logs/logs.tsx
@@ -94,9 +94,7 @@ export default function Logs() {
  const [previewLogId, setPreviewLogId] = useState<string | null>(null)

  const activeLogId = isPreviewOpen ? previewLogId : selectedLogId
-  const activeLogQuery = useLogDetail(activeLogId ?? undefined, {
-    refetchInterval: isLive ? 3000 : false,
-  })
+  const activeLogQuery = useLogDetail(activeLogId ?? undefined)

  const logFilters = useMemo(
    () => ({
@@ -115,7 +113,7 @@ export default function Logs() {

  const logsQuery = useLogsList(workspaceId, logFilters, {
    enabled: Boolean(workspaceId) && isInitialized.current,
-    refetchInterval: isLive ? 3000 : false,
+    refetchInterval: isLive ? 5000 : false,
  })

  const dashboardFilters = useMemo(
@@ -134,7 +132,7 @@ export default function Logs() {

  const dashboardStatsQuery = useDashboardStats(workspaceId, dashboardFilters, {
    enabled: Boolean(workspaceId) && isInitialized.current,
-    refetchInterval: isLive ? 3000 : false,
+    refetchInterval: isLive ? 5000 : false,
  })

  const logs = useMemo(() => {
@@ -162,6 +160,12 @@ export default function Logs() {
    }
  }, [debouncedSearchQuery, setStoreSearchQuery])

+  useEffect(() => {
+    if (!isLive || !selectedLogId) return
+    const interval = setInterval(() => activeLogQuery.refetch(), 5000)
+    return () => clearInterval(interval)
+  }, [isLive, selectedLogId, activeLogQuery])
+
  const handleLogClick = useCallback(
    (log: WorkflowLog) => {
      if (selectedLogId === log.id && isSidebarOpen) {
@@ -275,11 +279,8 @@ export default function Logs() {
      setIsVisuallyRefreshing(true)
      setTimeout(() => setIsVisuallyRefreshing(false), REFRESH_SPINNER_DURATION_MS)
      logsQuery.refetch()
-      if (selectedLogId) {
-        activeLogQuery.refetch()
-      }
    }
-  }, [isLive, logsQuery, activeLogQuery, selectedLogId])
+  }, [isLive, logsQuery])

  const prevIsFetchingRef = useRef(logsQuery.isFetching)
  useEffect(() => {
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Waleed Latif	932aef3c1b	fix(admin): validate userId and email are strings	2026-01-23 11:07:41 -08:00
Waleed Latif	aed0766207	styling	2026-01-23 11:06:36 -08:00
Waleed Latif	4f09d07383	fix(admin): reject NaN and Infinity in amount validation	2026-01-23 10:46:29 -08:00
Waleed Latif	3bb85f2218	fix(admin): use existing credit functions and handle enterprise seats	2026-01-23 10:44:03 -08:00
Waleed Latif	1e89d147ed	feat(admin): add credits endpoint to issue credits to users	2026-01-23 09:59:10 -08:00