fix(attio): use code subblock type for JSON input fields

fix(attio): use timestamp generationType for date wandConfig fields
update docs
2026-03-15 03:00:33 -04:00 · 2026-02-24 15:25:47 -08:00 · 2026-02-24 13:52:40 -08:00 · 2026-02-24 13:50:36 -08:00 · 2026-02-24 13:43:48 -08:00 · 2026-02-24 11:55:59 -08:00
438 changed files with 66033 additions and 3813 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -144,7 +144,6 @@ jobs:
          tags: ${{ steps.meta.outputs.tags }}
          provenance: false
          sbom: false
-          no-cache: true

  # Build ARM64 images for GHCR (main branch only, runs in parallel)
  build-ghcr-arm64:
@@ -205,7 +204,6 @@ jobs:
          tags: ${{ steps.meta.outputs.tags }}
          provenance: false
          sbom: false
-          no-cache: true

  # Create GHCR multi-arch manifests (only for main, after both builds)
  create-ghcr-manifests:
--- a/.github/workflows/images.yml
+++ b/.github/workflows/images.yml
@@ -97,7 +97,6 @@ jobs:
          tags: ${{ steps.meta.outputs.tags }}
          provenance: false
          sbom: false
-          no-cache: true

  build-ghcr-arm64:
    name: Build ARM64 (GHCR Only)
@@ -144,11 +143,10 @@ jobs:
          tags: ${{ steps.meta.outputs.tags }}
          provenance: false
          sbom: false
-          no-cache: true

  create-ghcr-manifests:
    name: Create GHCR Manifests
-    runs-on: blacksmith-8vcpu-ubuntu-2404
+    runs-on: blacksmith-2vcpu-ubuntu-2404
    needs: [build-amd64, build-ghcr-arm64]
    if: github.ref == 'refs/heads/main'
    strategy:
--- a/.github/workflows/test-build.yml
+++ b/.github/workflows/test-build.yml
@@ -110,7 +110,7 @@ jobs:
          RESEND_API_KEY: 'dummy_key_for_ci_only'
          AWS_REGION: 'us-west-2'
          ENCRYPTION_KEY: '7cf672e460e430c1fba707575c2b0e2ad5a99dddf9b7b7e3b5646e630861db1c' # dummy key for CI only
-        run: bun run build
+        run: bunx turbo run build --filter=sim

      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@v5
--- a/apps/docs/components/icons.tsx
+++ b/apps/docs/components/icons.tsx
@@ -710,6 +710,17 @@ export function NotionIcon(props: SVGProps<SVGSVGElement>) {
  )
 }

+export function GongIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg {...props} viewBox='0 0 55.4 60' fill='none' xmlns='http://www.w3.org/2000/svg'>
+      <path
+        fill='currentColor'
+        d='M54.1,25.7H37.8c-0.9,0-1.6,1-1.3,1.8l3.9,10.1c0.2,0.4-0.2,0.9-0.7,0.9l-5-0.3c-0.2,0-0.4,0.1-0.6,0.3L30.3,44c-0.2,0.3-0.6,0.4-1,0.2l-5.8-3.9c-0.2-0.2-0.5-0.2-0.8,0l-8,5.4c-0.5,0.4-1.2-0.1-1-0.7L16,37c0.1-0.3-0.1-0.7-0.4-0.8l-4.2-1.7c-0.4-0.2-0.6-0.7-0.3-1l3.7-4.6c0.2-0.2,0.2-0.6,0-0.8l-3.1-4.5c-0.3-0.4,0-1,0.5-1l4.9-0.4c0.4,0,0.6-0.3,0.6-0.7l-0.4-6.8c0-0.5,0.5-0.8,0.9-0.7l6,2.5c0.3,0.1,0.6,0,0.8-0.2l4.2-4.6c0.3-0.4,0.9-0.3,1.1,0.2l2.5,6.4c0.3,0.8,1.3,1.1,2,0.6l9.8-7.3c1.1-0.8,0.4-2.6-1-2.4L37.3,10c-0.3,0-0.6-0.1-0.7-0.4l-3.4-8.7c-0.4-0.9-1.5-1.1-2.2-0.4l-7.4,8c-0.2,0.2-0.5,0.3-0.8,0.2l-9.7-4.1c-0.9-0.4-1.8,0.2-1.9,1.2l-0.4,10c0,0.4-0.3,0.6-0.6,0.6l-8.9,0.6c-1,0.1-1.6,1.2-1,2.1l5.9,8.7c0.2,0.2,0.2,0.6,0,0.8l-6,6.9C-0.3,36,0,37.1,0.8,37.4l6.9,3c0.3,0.1,0.5,0.5,0.4,0.8L3.7,58.3c-0.3,1.2,1.1,2.1,2.1,1.4l16.5-11.8c0.2-0.2,0.5-0.2,0.8,0l7.5,5.3c0.6,0.4,1.5,0.3,1.9-0.4l4.7-7.2c0.1-0.2,0.4-0.3,0.6-0.3l11.2,1.4c0.9,0.1,1.8-0.6,1.5-1.5l-4.7-12.1c-0.1-0.3,0-0.7,0.4-0.9l8.5-4C55.9,27.6,55.5,25.7,54.1,25.7z'
+      />
+    </svg>
+  )
+}
+
 export function GmailIcon(props: SVGProps<SVGSVGElement>) {
  return (
    <svg
@@ -3541,6 +3552,15 @@ export function TrelloIcon(props: SVGProps<SVGSVGElement>) {
  )
 }

+export function AttioIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg {...props} xmlns='http://www.w3.org/2000/svg' viewBox='0 0 60.9 50' fill='currentColor'>
+      <path d='M60.3,34.8l-5.1-8.1c0,0,0,0,0,0L54.7,26c-0.8-1.2-2.1-1.9-3.5-1.9L43,24L42.5,25l-9.8,15.7l-0.5,0.9l4.1,6.6c0.8,1.2,2.1,1.9,3.5,1.9h11.5c1.4,0,2.8-0.7,3.5-1.9l0.4-0.6c0,0,0,0,0,0l5.1-8.2C61.1,37.9,61.1,36.2,60.3,34.8L60.3,34.8z M58.7,38.3l-5.1,8.2c0,0,0,0.1-0.1,0.1c-0.2,0.2-0.4,0.2-0.5,0.2c-0.1,0-0.4,0-0.6-0.3l-5.1-8.2c-0.1-0.1-0.1-0.2-0.2-0.3c0-0.1-0.1-0.2-0.1-0.3c-0.1-0.4-0.1-0.8,0-1.3c0.1-0.2,0.1-0.4,0.3-0.6l5.1-8.1c0,0,0,0,0,0c0.1-0.2,0.3-0.3,0.4-0.3c0.1,0,0.1,0,0.1,0c0,0,0,0,0.1,0c0.1,0,0.4,0,0.6,0.3l5.1,8.1C59.2,36.6,59.2,37.5,58.7,38.3L58.7,38.3z' />
+      <path d='M45.2,15.1c0.8-1.3,0.8-3.1,0-4.4l-5.1-8.1l-0.4-0.7C38.9,0.7,37.6,0,36.2,0H24.7c-1.4,0-2.7,0.7-3.5,1.9L0.6,34.9C0.2,35.5,0,36.3,0,37c0,0.8,0.2,1.5,0.6,2.2l5.5,8.8C6.9,49.3,8.2,50,9.7,50h11.5c1.4,0,2.8-0.7,3.5-1.9l0.4-0.7c0,0,0,0,0,0c0,0,0,0,0,0l4.1-6.6l12.1-19.4L45.2,15.1L45.2,15.1z M44,13c0,0.4-0.1,0.8-0.4,1.2L23.5,46.4c-0.2,0.3-0.5,0.3-0.6,0.3c-0.1,0-0.4,0-0.6-0.3l-5.1-8.2c-0.5-0.7-0.5-1.7,0-2.4L37.4,3.6c0.2-0.3,0.5-0.3,0.6-0.3c0.1,0,0.4,0,0.6,0.3l5.1,8.1C43.9,12.1,44,12.5,44,13z' />
+    </svg>
+  )
+}
+
 export function AsanaIcon(props: SVGProps<SVGSVGElement>) {
  return (
    <svg {...props} xmlns='http://www.w3.org/2000/svg' viewBox='0 0 24 24' fill='none'>
@@ -5819,3 +5839,15 @@ export function RedisIcon(props: SVGProps<SVGSVGElement>) {
    </svg>
  )
 }
+
+export function HexIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg {...props} xmlns='http://www.w3.org/2000/svg' viewBox='0 0 1450.3 600'>
+      <path
+        fill='#EDB9B8'
+        fillRule='evenodd'
+        d='m250.11,0v199.49h-50V0H0v600h200.11v-300.69h50v300.69h200.18V0h-200.18Zm249.9,0v600h450.29v-250.23h-200.2v149h-50v-199.46h250.2V0h-450.29Zm200.09,199.49v-99.49h50v99.49h-50Zm550.02,0V0h200.18v150l-100,100.09,100,100.09v249.82h-200.18v-300.69h-50v300.69h-200.11v-249.82l100.11-100.09-100.11-100.09V0h200.11v199.49h50Z'
+      />
+    </svg>
+  )
+}
--- a/apps/docs/components/ui/icon-mapping.ts
+++ b/apps/docs/components/ui/icon-mapping.ts
@@ -13,6 +13,7 @@ import {
  ApolloIcon,
  ArxivIcon,
  AsanaIcon,
+  AttioIcon,
  BrainIcon,
  BrowserUseIcon,
  CalComIcon,
@@ -40,6 +41,7 @@ import {
  GithubIcon,
  GitLabIcon,
  GmailIcon,
+  GongIcon,
  GoogleBooksIcon,
  GoogleCalendarIcon,
  GoogleDocsIcon,
@@ -54,6 +56,7 @@ import {
  GrafanaIcon,
  GrainIcon,
  GreptileIcon,
+  HexIcon,
  HubspotIcon,
  HuggingFaceIcon,
  HunterIOIcon,
@@ -157,6 +160,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
  apollo: ApolloIcon,
  arxiv: ArxivIcon,
  asana: AsanaIcon,
+  attio: AttioIcon,
  browser_use: BrowserUseIcon,
  calcom: CalComIcon,
  calendly: CalendlyIcon,
@@ -182,6 +186,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
  github_v2: GithubIcon,
  gitlab: GitLabIcon,
  gmail_v2: GmailIcon,
+  gong: GongIcon,
  google_books: GoogleBooksIcon,
  google_calendar_v2: GoogleCalendarIcon,
  google_docs: GoogleDocsIcon,
@@ -196,6 +201,7 @@ export const blockTypeToIconMap: Record<string, IconComponent> = {
  grafana: GrafanaIcon,
  grain: GrainIcon,
  greptile: GreptileIcon,
+  hex: HexIcon,
  hubspot: HubspotIcon,
  huggingface: HuggingFaceIcon,
  hunter: HunterIOIcon,
--- a/apps/docs/content/docs/en/tools/attio.mdx
+++ b/apps/docs/content/docs/en/tools/attio.mdx
--- a/apps/docs/content/docs/en/tools/gong.mdx
+++ b/apps/docs/content/docs/en/tools/gong.mdx
@@ -0,0 +1,774 @@
+---
+title: Gong
+description: Revenue intelligence and conversation analytics
+---
+
+import { BlockInfoCard } from "@/components/ui/block-info-card"
+
+<BlockInfoCard 
+  type="gong"
+  color="#8039DF"
+/>
+
+{/* MANUAL-CONTENT-START:intro */}
+[Gong](https://www.gong.io/) is a revenue intelligence platform that captures and analyzes customer interactions across calls, emails, and meetings. By integrating Gong with Sim, your agents can access conversation data, user analytics, coaching metrics, and more through automated workflows.
+
+The Gong integration in Sim provides tools to:
+
+- **List and retrieve calls:** Fetch calls by date range, get individual call details, or retrieve extensive call data including trackers, topics, interaction stats, and points of interest.
+- **Access call transcripts:** Retrieve full transcripts with speaker turns, topics, and sentence-level timestamps for any recorded call.
+- **Manage users:** List all Gong users in your account or retrieve detailed information for a specific user, including settings, spoken languages, and contact details.
+- **Analyze activity and performance:** Pull aggregated activity statistics, interaction stats (longest monologue, interactivity, patience, question rate), and answered scorecard data for your team.
+- **Work with scorecards and trackers:** List scorecard definitions and keyword tracker configurations to understand how your team's conversations are being evaluated and monitored.
+- **Browse the call library:** List library folders and retrieve their contents, including call snippets and notes curated by your team.
+- **Access coaching metrics:** Retrieve coaching data for managers and their direct reports to track team development.
+- **List Engage flows:** Fetch sales engagement sequences (flows) with visibility and ownership details.
+- **Look up contacts by email or phone:** Find all Gong references to a specific email address or phone number, including related calls, emails, meetings, CRM data, and customer engagement events.
+
+By combining these capabilities, you can automate sales coaching workflows, extract conversation insights, monitor team performance, sync Gong data with other systems, and build intelligent pipelines around your organization's revenue conversations -- all securely using your Gong API credentials.
+{/* MANUAL-CONTENT-END */}
+
+
+## Usage Instructions
+
+Integrate Gong into your workflow. Access call recordings, transcripts, user data, activity stats, scorecards, trackers, library content, coaching metrics, and more via the Gong API.
+
+
+
+## Tools
+
+### `gong_list_calls`
+
+Retrieve call data by date range from Gong.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `accessKey` | string | Yes | Gong API Access Key |
+| `accessKeySecret` | string | Yes | Gong API Access Key Secret |
+| `fromDateTime` | string | Yes | Start date/time in ISO-8601 format \(e.g., 2024-01-01T00:00:00Z\) |
+| `toDateTime` | string | No | End date/time in ISO-8601 format \(e.g., 2024-01-31T23:59:59Z\). If omitted, lists calls up to the most recent. |
+| `cursor` | string | No | Pagination cursor from a previous response |
+| `workspaceId` | string | No | Gong workspace ID to filter calls |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `calls` | array | List of calls matching the date range |
+|   ↳ `id` | string | Gong's unique numeric identifier for the call |
+|   ↳ `title` | string | Call title |
+|   ↳ `scheduled` | string | Scheduled call time in ISO-8601 format |
+|   ↳ `started` | string | Recording start time in ISO-8601 format |
+|   ↳ `duration` | number | Call duration in seconds |
+|   ↳ `direction` | string | Call direction \(Inbound/Outbound\) |
+|   ↳ `system` | string | Communication platform used \(e.g., Outreach\) |
+|   ↳ `scope` | string | Call scope: 'Internal', 'External', or 'Unknown' |
+|   ↳ `media` | string | Media type \(e.g., Video\) |
+|   ↳ `language` | string | Language code in ISO-639-2B format |
+|   ↳ `url` | string | URL to the call in the Gong web app |
+|   ↳ `primaryUserId` | string | Host team member identifier |
+|   ↳ `workspaceId` | string | Workspace identifier |
+|   ↳ `sdrDisposition` | string | SDR disposition classification |
+|   ↳ `clientUniqueId` | string | Call identifier from the origin recording system |
+|   ↳ `customData` | string | Metadata provided during call creation |
+|   ↳ `purpose` | string | Call purpose |
+|   ↳ `meetingUrl` | string | Web conference provider URL |
+|   ↳ `isPrivate` | boolean | Whether the call is private |
+|   ↳ `calendarEventId` | string | Calendar event identifier |
+| `cursor` | string | Pagination cursor for the next page |
+| `totalRecords` | number | Total number of records matching the filter |
+
+### `gong_get_call`
+
+Retrieve detailed data for a specific call from Gong.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `accessKey` | string | Yes | Gong API Access Key |
+| `accessKeySecret` | string | Yes | Gong API Access Key Secret |
+| `callId` | string | Yes | The Gong call ID to retrieve |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `id` | string | Gong's unique numeric identifier for the call |
+| `title` | string | Call title |
+| `url` | string | URL to the call in the Gong web app |
+| `scheduled` | string | Scheduled call time in ISO-8601 format |
+| `started` | string | Recording start time in ISO-8601 format |
+| `duration` | number | Call duration in seconds |
+| `direction` | string | Call direction \(Inbound/Outbound\) |
+| `system` | string | Communication platform used \(e.g., Outreach\) |
+| `scope` | string | Call scope: 'Internal', 'External', or 'Unknown' |
+| `media` | string | Media type \(e.g., Video\) |
+| `language` | string | Language code in ISO-639-2B format |
+| `primaryUserId` | string | Host team member identifier |
+| `workspaceId` | string | Workspace identifier |
+| `sdrDisposition` | string | SDR disposition classification |
+| `clientUniqueId` | string | Call identifier from the origin recording system |
+| `customData` | string | Metadata provided during call creation |
+| `purpose` | string | Call purpose |
+| `meetingUrl` | string | Web conference provider URL |
+| `isPrivate` | boolean | Whether the call is private |
+| `calendarEventId` | string | Calendar event identifier |
+
+### `gong_get_call_transcript`
+
+Retrieve transcripts of calls from Gong by call IDs or date range.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `accessKey` | string | Yes | Gong API Access Key |
+| `accessKeySecret` | string | Yes | Gong API Access Key Secret |
+| `callIds` | string | No | Comma-separated list of call IDs to retrieve transcripts for |
+| `fromDateTime` | string | No | Start date/time filter in ISO-8601 format |
+| `toDateTime` | string | No | End date/time filter in ISO-8601 format |
+| `workspaceId` | string | No | Gong workspace ID to filter calls |
+| `cursor` | string | No | Pagination cursor from a previous response |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `callTranscripts` | array | List of call transcripts with speaker turns and sentences |
+|   ↳ `callId` | string | Gong's unique numeric identifier for the call |
+|   ↳ `transcript` | array | List of monologues in the call |
+|     ↳ `speakerId` | string | Unique ID of the speaker, cross-reference with parties |
+|     ↳ `topic` | string | Name of the topic being discussed |
+|     ↳ `sentences` | array | List of sentences spoken in the monologue |
+|       ↳ `start` | number | Start time of the sentence in milliseconds from call start |
+|       ↳ `end` | number | End time of the sentence in milliseconds from call start |
+|       ↳ `text` | string | The sentence text |
+| `cursor` | string | Pagination cursor for the next page |
+
+### `gong_get_extensive_calls`
+
+Retrieve detailed call data including trackers, topics, and highlights from Gong.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `accessKey` | string | Yes | Gong API Access Key |
+| `accessKeySecret` | string | Yes | Gong API Access Key Secret |
+| `callIds` | string | No | Comma-separated list of call IDs to retrieve detailed data for |
+| `fromDateTime` | string | No | Start date/time filter in ISO-8601 format |
+| `toDateTime` | string | No | End date/time filter in ISO-8601 format |
+| `workspaceId` | string | No | Gong workspace ID to filter calls |
+| `primaryUserIds` | string | No | Comma-separated list of user IDs to filter calls by host |
+| `cursor` | string | No | Pagination cursor from a previous response |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `calls` | array | List of detailed call objects with metadata, content, interaction stats, and collaboration data |
+|   ↳ `metaData` | object | Call metadata \(same fields as CallBasicData\) |
+|     ↳ `id` | string | Call ID |
+|     ↳ `title` | string | Call title |
+|     ↳ `scheduled` | string | Scheduled time in ISO-8601 |
+|     ↳ `started` | string | Start time in ISO-8601 |
+|     ↳ `duration` | number | Duration in seconds |
+|     ↳ `direction` | string | Call direction |
+|     ↳ `system` | string | Communication platform |
+|     ↳ `scope` | string | Internal/External/Unknown |
+|     ↳ `media` | string | Media type |
+|     ↳ `language` | string | Language code \(ISO-639-2B\) |
+|     ↳ `url` | string | Gong web app URL |
+|     ↳ `primaryUserId` | string | Host user ID |
+|     ↳ `workspaceId` | string | Workspace ID |
+|     ↳ `sdrDisposition` | string | SDR disposition |
+|     ↳ `clientUniqueId` | string | Origin system call ID |
+|     ↳ `customData` | string | Custom metadata |
+|     ↳ `purpose` | string | Call purpose |
+|     ↳ `meetingUrl` | string | Meeting URL |
+|     ↳ `isPrivate` | boolean | Whether call is private |
+|     ↳ `calendarEventId` | string | Calendar event ID |
+|   ↳ `context` | array | Links to external systems \(CRM, Dialer, etc.\) |
+|     ↳ `system` | string | External system name \(e.g., Salesforce\) |
+|     ↳ `objects` | array | List of objects within the external system |
+|   ↳ `parties` | array | List of call participants |
+|     ↳ `id` | string | Unique participant ID in the call |
+|     ↳ `name` | string | Participant name |
+|     ↳ `emailAddress` | string | Email address |
+|     ↳ `title` | string | Job title |
+|     ↳ `phoneNumber` | string | Phone number |
+|     ↳ `speakerId` | string | Speaker ID for transcript cross-reference |
+|     ↳ `userId` | string | Gong user ID |
+|     ↳ `affiliation` | string | Company or non-company |
+|     ↳ `methods` | array | Whether invited or attended |
+|     ↳ `context` | array | Links to external systems for this party |
+|   ↳ `content` | object | Call content data |
+|     ↳ `structure` | array | Call agenda parts |
+|       ↳ `name` | string | Agenda name |
+|       ↳ `duration` | number | Duration of this part in seconds |
+|     ↳ `topics` | array | Topics and their durations |
+|       ↳ `name` | string | Topic name \(e.g., Pricing\) |
+|       ↳ `duration` | number | Time spent on topic in seconds |
+|     ↳ `trackers` | array | Trackers found in the call |
+|       ↳ `id` | string | Tracker ID |
+|       ↳ `name` | string | Tracker name |
+|       ↳ `count` | number | Number of occurrences |
+|       ↳ `type` | string | Keyword or Smart |
+|       ↳ `occurrences` | array | Details for each occurrence |
+|         ↳ `speakerId` | string | Speaker who said it |
+|         ↳ `startTime` | number | Seconds from call start |
+|       ↳ `phrases` | array | Per-phrase occurrence counts |
+|         ↳ `phrase` | string | Specific phrase |
+|         ↳ `count` | number | Occurrences of this phrase |
+|         ↳ `occurrences` | array | Details per occurrence |
+|     ↳ `highlights` | array | AI-generated highlights including next steps, action items, and key moments |
+|       ↳ `title` | string | Title of the highlight |
+|   ↳ `interaction` | object | Interaction statistics |
+|     ↳ `interactionStats` | array | Interaction stats per user |
+|       ↳ `userId` | string | Gong user ID |
+|       ↳ `userEmailAddress` | string | User email |
+|       ↳ `personInteractionStats` | array | Stats list \(Longest Monologue, Interactivity, Patience, etc.\) |
+|         ↳ `name` | string | Stat name |
+|         ↳ `value` | number | Stat value |
+|     ↳ `speakers` | array | Talk duration per speaker |
+|       ↳ `id` | string | Participant ID |
+|       ↳ `userId` | string | Gong user ID |
+|       ↳ `talkTime` | number | Talk duration in seconds |
+|     ↳ `video` | array | Video statistics |
+|       ↳ `name` | string | Segment type: Browser, Presentation, WebcamPrimaryUser, WebcamNonCompany, Webcam |
+|       ↳ `duration` | number | Total segment duration in seconds |
+|     ↳ `questions` | object | Question counts |
+|       ↳ `companyCount` | number | Questions by company speakers |
+|       ↳ `nonCompanyCount` | number | Questions by non-company speakers |
+|   ↳ `collaboration` | object | Collaboration data |
+|     ↳ `publicComments` | array | Public comments on the call |
+|       ↳ `id` | string | Comment ID |
+|       ↳ `commenterUserId` | string | Commenter user ID |
+|       ↳ `comment` | string | Comment text |
+|       ↳ `posted` | string | Posted time in ISO-8601 |
+|       ↳ `audioStartTime` | number | Seconds from call start the comment refers to |
+|       ↳ `audioEndTime` | number | Seconds from call start the comment end refers to |
+|       ↳ `duringCall` | boolean | Whether the comment was posted during the call |
+|       ↳ `inReplyTo` | string | ID of original comment if this is a reply |
+|   ↳ `media` | object | Media download URLs \(available for 8 hours\) |
+|     ↳ `audioUrl` | string | Audio download URL |
+|     ↳ `videoUrl` | string | Video download URL |
+| `cursor` | string | Pagination cursor for the next page |
+
+### `gong_list_users`
+
+List all users in your Gong account.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `accessKey` | string | Yes | Gong API Access Key |
+| `accessKeySecret` | string | Yes | Gong API Access Key Secret |
+| `cursor` | string | No | Pagination cursor from a previous response |
+| `includeAvatars` | string | No | Whether to include avatar URLs \(true/false\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `users` | array | List of Gong users |
+|   ↳ `id` | string | Unique numeric user ID \(up to 20 digits\) |
+|   ↳ `emailAddress` | string | User email address |
+|   ↳ `created` | string | User creation timestamp \(ISO-8601\) |
+|   ↳ `active` | boolean | Whether the user is active |
+|   ↳ `emailAliases` | array | Alternative email addresses for the user |
+|   ↳ `trustedEmailAddress` | string | Trusted email address for the user |
+|   ↳ `firstName` | string | First name |
+|   ↳ `lastName` | string | Last name |
+|   ↳ `title` | string | Job title |
+|   ↳ `phoneNumber` | string | Phone number |
+|   ↳ `extension` | string | Phone extension number |
+|   ↳ `personalMeetingUrls` | array | Personal meeting URLs |
+|   ↳ `settings` | object | User settings |
+|     ↳ `webConferencesRecorded` | boolean | Whether web conferences are recorded |
+|     ↳ `preventWebConferenceRecording` | boolean | Whether web conference recording is prevented |
+|     ↳ `telephonyCallsImported` | boolean | Whether telephony calls are imported |
+|     ↳ `emailsImported` | boolean | Whether emails are imported |
+|     ↳ `preventEmailImport` | boolean | Whether email import is prevented |
+|     ↳ `nonRecordedMeetingsImported` | boolean | Whether non-recorded meetings are imported |
+|     ↳ `gongConnectEnabled` | boolean | Whether Gong Connect is enabled |
+|   ↳ `managerId` | string | Manager user ID |
+|   ↳ `meetingConsentPageUrl` | string | Meeting consent page URL |
+|   ↳ `spokenLanguages` | array | Languages spoken by the user |
+|     ↳ `language` | string | Language code |
+|     ↳ `primary` | boolean | Whether this is the primary language |
+| `cursor` | string | Pagination cursor for the next page |
+| `totalRecords` | number | Total number of user records |
+| `currentPageSize` | number | Number of records in the current page |
+| `currentPageNumber` | number | Current page number |
+
+### `gong_get_user`
+
+Retrieve details for a specific user from Gong.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `accessKey` | string | Yes | Gong API Access Key |
+| `accessKeySecret` | string | Yes | Gong API Access Key Secret |
+| `userId` | string | Yes | The Gong user ID to retrieve |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `id` | string | Unique numeric user ID \(up to 20 digits\) |
+| `emailAddress` | string | User email address |
+| `created` | string | User creation timestamp \(ISO-8601\) |
+| `active` | boolean | Whether the user is active |
+| `emailAliases` | array | Alternative email addresses for the user |
+| `trustedEmailAddress` | string | Trusted email address for the user |
+| `firstName` | string | First name |
+| `lastName` | string | Last name |
+| `title` | string | Job title |
+| `phoneNumber` | string | Phone number |
+| `extension` | string | Phone extension number |
+| `personalMeetingUrls` | array | Personal meeting URLs |
+| `settings` | object | User settings |
+|   ↳ `webConferencesRecorded` | boolean | Whether web conferences are recorded |
+|   ↳ `preventWebConferenceRecording` | boolean | Whether web conference recording is prevented |
+|   ↳ `telephonyCallsImported` | boolean | Whether telephony calls are imported |
+|   ↳ `emailsImported` | boolean | Whether emails are imported |
+|   ↳ `preventEmailImport` | boolean | Whether email import is prevented |
+|   ↳ `nonRecordedMeetingsImported` | boolean | Whether non-recorded meetings are imported |
+|   ↳ `gongConnectEnabled` | boolean | Whether Gong Connect is enabled |
+| `managerId` | string | Manager user ID |
+| `meetingConsentPageUrl` | string | Meeting consent page URL |
+| `spokenLanguages` | array | Languages spoken by the user |
+|   ↳ `language` | string | Language code |
+|   ↳ `primary` | boolean | Whether this is the primary language |
+
+### `gong_aggregate_activity`
+
+Retrieve aggregated activity statistics for users by date range from Gong.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `accessKey` | string | Yes | Gong API Access Key |
+| `accessKeySecret` | string | Yes | Gong API Access Key Secret |
+| `userIds` | string | No | Comma-separated list of Gong user IDs \(up to 20 digits each\) |
+| `fromDate` | string | Yes | Start date in YYYY-MM-DD format \(inclusive, in company timezone\) |
+| `toDate` | string | Yes | End date in YYYY-MM-DD format \(exclusive, in company timezone, cannot exceed current day\) |
+| `cursor` | string | No | Pagination cursor from a previous response |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `usersActivity` | array | Aggregated activity statistics per user |
+|   ↳ `userId` | string | Gong's unique numeric identifier for the user |
+|   ↳ `userEmailAddress` | string | Email address of the Gong user |
+|   ↳ `callsAsHost` | number | Number of recorded calls this user hosted |
+|   ↳ `callsAttended` | number | Number of calls where this user was a participant \(not host\) |
+|   ↳ `callsGaveFeedback` | number | Number of recorded calls the user gave feedback on |
+|   ↳ `callsReceivedFeedback` | number | Number of recorded calls the user received feedback on |
+|   ↳ `callsRequestedFeedback` | number | Number of recorded calls the user requested feedback on |
+|   ↳ `callsScorecardsFilled` | number | Number of scorecards the user completed |
+|   ↳ `callsScorecardsReceived` | number | Number of calls where someone filled a scorecard on the user's calls |
+|   ↳ `ownCallsListenedTo` | number | Number of the user's own calls the user listened to |
+|   ↳ `othersCallsListenedTo` | number | Number of other users' calls the user listened to |
+|   ↳ `callsSharedInternally` | number | Number of calls the user shared internally |
+|   ↳ `callsSharedExternally` | number | Number of calls the user shared externally |
+|   ↳ `callsCommentsGiven` | number | Number of calls where the user provided at least one comment |
+|   ↳ `callsCommentsReceived` | number | Number of calls where the user received at least one comment |
+|   ↳ `callsMarkedAsFeedbackGiven` | number | Number of calls where the user selected Mark as reviewed |
+|   ↳ `callsMarkedAsFeedbackReceived` | number | Number of calls where others selected Mark as reviewed on the user's calls |
+| `timeZone` | string | The company's defined timezone in Gong |
+| `fromDateTime` | string | Start of results in ISO-8601 format |
+| `toDateTime` | string | End of results in ISO-8601 format |
+| `cursor` | string | Pagination cursor for the next page |
+
+### `gong_interaction_stats`
+
+Retrieve interaction statistics for users by date range from Gong. Only includes calls with Whisper enabled.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `accessKey` | string | Yes | Gong API Access Key |
+| `accessKeySecret` | string | Yes | Gong API Access Key Secret |
+| `userIds` | string | No | Comma-separated list of Gong user IDs \(up to 20 digits each\) |
+| `fromDate` | string | Yes | Start date in YYYY-MM-DD format \(inclusive, in company timezone\) |
+| `toDate` | string | Yes | End date in YYYY-MM-DD format \(exclusive, in company timezone, cannot exceed current day\) |
+| `cursor` | string | No | Pagination cursor from a previous response |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `peopleInteractionStats` | array | Email address of the Gong user |
+|   ↳ `userId` | string | Gong's unique numeric identifier for the user |
+|   ↳ `userEmailAddress` | string | Email address of the Gong user |
+|   ↳ `personInteractionStats` | array | List of interaction stat measurements for this user |
+|     ↳ `name` | string | Stat name \(e.g. Longest Monologue, Interactivity, Patience, Question Rate\) |
+|     ↳ `value` | number | Stat measurement value \(can be double or integer\) |
+| `timeZone` | string | The company's defined timezone in Gong |
+| `fromDateTime` | string | Start of results in ISO-8601 format |
+| `toDateTime` | string | End of results in ISO-8601 format |
+| `cursor` | string | Pagination cursor for the next page |
+
+### `gong_answered_scorecards`
+
+Retrieve answered scorecards for reviewed users or by date range from Gong.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `accessKey` | string | Yes | Gong API Access Key |
+| `accessKeySecret` | string | Yes | Gong API Access Key Secret |
+| `callFromDate` | string | No | Start date for calls in YYYY-MM-DD format \(inclusive, in company timezone\). Defaults to earliest recorded call. |
+| `callToDate` | string | No | End date for calls in YYYY-MM-DD format \(exclusive, in company timezone\). Defaults to latest recorded call. |
+| `reviewFromDate` | string | No | Start date for reviews in YYYY-MM-DD format \(inclusive, in company timezone\). Defaults to earliest reviewed call. |
+| `reviewToDate` | string | No | End date for reviews in YYYY-MM-DD format \(exclusive, in company timezone\). Defaults to latest reviewed call. |
+| `scorecardIds` | string | No | Comma-separated list of scorecard IDs to filter by |
+| `reviewedUserIds` | string | No | Comma-separated list of reviewed user IDs to filter by |
+| `cursor` | string | No | Pagination cursor from a previous response |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `answeredScorecards` | array | List of answered scorecards with scores and answers |
+|   ↳ `answeredScorecardId` | number | Identifier of the answered scorecard |
+|   ↳ `scorecardId` | number | Identifier of the scorecard |
+|   ↳ `scorecardName` | string | Scorecard name |
+|   ↳ `callId` | number | Gong's unique numeric identifier for the call |
+|   ↳ `callStartTime` | string | Date/time of the call in ISO-8601 format |
+|   ↳ `reviewedUserId` | number | User ID of the team member being reviewed |
+|   ↳ `reviewerUserId` | number | User ID of the team member who completed the scorecard |
+|   ↳ `reviewTime` | string | Date/time when the review was completed in ISO-8601 format |
+|   ↳ `visibilityType` | string | Visibility type of the scorecard answer |
+|   ↳ `answers` | array | Answers in the answered scorecard |
+|     ↳ `questionId` | number | Identifier of the question |
+|     ↳ `questionRevisionId` | number | Identifier of the revision version of the question |
+|     ↳ `isOverall` | boolean | Whether this is the overall question |
+|     ↳ `score` | number | Score between 1 to 5 if answered, null otherwise |
+|     ↳ `answerText` | string | The answer's text if answered, null otherwise |
+|     ↳ `notApplicable` | boolean | Whether the question is not applicable to this call |
+| `cursor` | string | Pagination cursor for the next page |
+
+### `gong_list_library_folders`
+
+Retrieve library folders from Gong.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `accessKey` | string | Yes | Gong API Access Key |
+| `accessKeySecret` | string | Yes | Gong API Access Key Secret |
+| `workspaceId` | string | No | Gong workspace ID to filter folders |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `folders` | array | List of library folders with id, name, and parent relationships |
+|   ↳ `id` | string | Gong unique numeric identifier for the folder |
+|   ↳ `name` | string | Display name of the folder |
+|   ↳ `parentFolderId` | string | Gong unique numeric identifier for the parent folder \(null for root folder\) |
+|   ↳ `createdBy` | string | Gong unique numeric identifier for the user who added the folder |
+|   ↳ `updated` | string | Folder's last update time in ISO-8601 format |
+
+### `gong_get_folder_content`
+
+Retrieve the list of calls in a specific library folder from Gong.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `accessKey` | string | Yes | Gong API Access Key |
+| `accessKeySecret` | string | Yes | Gong API Access Key Secret |
+| `folderId` | string | Yes | The library folder ID to retrieve content for |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `folderId` | string | Gong's unique numeric identifier for the folder |
+| `folderName` | string | Display name of the folder |
+| `createdBy` | string | Gong's unique numeric identifier for the user who added the folder |
+| `updated` | string | Folder's last update time in ISO-8601 format |
+| `calls` | array | List of calls in the library folder |
+|   ↳ `id` | string | Gong unique numeric identifier of the call |
+|   ↳ `title` | string | The title of the call |
+|   ↳ `note` | string | A note attached to the call in the folder |
+|   ↳ `addedBy` | string | Gong unique numeric identifier for the user who added the call |
+|   ↳ `created` | string | Date and time the call was added to folder in ISO-8601 format |
+|   ↳ `url` | string | URL of the call |
+|   ↳ `snippet` | object | Call snippet time range |
+|     ↳ `fromSec` | number | Snippet start in seconds relative to call start |
+|     ↳ `toSec` | number | Snippet end in seconds relative to call start |
+
+### `gong_list_scorecards`
+
+Retrieve scorecard definitions from Gong settings.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `accessKey` | string | Yes | Gong API Access Key |
+| `accessKeySecret` | string | Yes | Gong API Access Key Secret |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `scorecards` | array | List of scorecard definitions with questions |
+|   ↳ `scorecardId` | string | Unique identifier for the scorecard |
+|   ↳ `scorecardName` | string | Display name of the scorecard |
+|   ↳ `workspaceId` | string | Workspace identifier associated with this scorecard |
+|   ↳ `enabled` | boolean | Whether the scorecard is active |
+|   ↳ `updaterUserId` | string | ID of the user who last modified the scorecard |
+|   ↳ `created` | string | Creation timestamp in ISO-8601 format |
+|   ↳ `updated` | string | Last update timestamp in ISO-8601 format |
+|   ↳ `questions` | array | List of questions in the scorecard |
+|     ↳ `questionId` | string | Unique identifier for the question |
+|     ↳ `questionText` | string | The text content of the question |
+|     ↳ `questionRevisionId` | string | Identifier for the specific revision of the question |
+|     ↳ `isOverall` | boolean | Whether this is the primary overall question |
+|     ↳ `created` | string | Question creation timestamp in ISO-8601 format |
+|     ↳ `updated` | string | Question last update timestamp in ISO-8601 format |
+|     ↳ `updaterUserId` | string | ID of the user who last modified the question |
+
+### `gong_list_trackers`
+
+Retrieve smart tracker and keyword tracker definitions from Gong settings.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `accessKey` | string | Yes | Gong API Access Key |
+| `accessKeySecret` | string | Yes | Gong API Access Key Secret |
+| `workspaceId` | string | No | The ID of the workspace the keyword trackers are in. When empty, all trackers in all workspaces are returned. |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `trackers` | array | List of keyword tracker definitions |
+|   ↳ `trackerId` | string | Unique identifier for the tracker |
+|   ↳ `trackerName` | string | Display name of the tracker |
+|   ↳ `workspaceId` | string | ID of the workspace containing the tracker |
+|   ↳ `languageKeywords` | array | Keywords organized by language |
+|     ↳ `language` | string | ISO 639-2/B language code \("mul" means keywords apply across all languages\) |
+|     ↳ `keywords` | array | Words and phrases in the designated language |
+|     ↳ `includeRelatedForms` | boolean | Whether to include different word forms |
+|   ↳ `affiliation` | string | Speaker affiliation filter: "Anyone", "Company", or "NonCompany" |
+|   ↳ `partOfQuestion` | boolean | Whether to track keywords only within questions |
+|   ↳ `saidAt` | string | Position in call: "Anytime", "First", or "Last" |
+|   ↳ `saidAtInterval` | number | Duration to search \(in minutes or percentage\) |
+|   ↳ `saidAtUnit` | string | Unit for saidAtInterval |
+|   ↳ `saidInTopics` | array | Topics where keywords should be detected |
+|   ↳ `saidInCallParts` | array | Specific call segments to monitor |
+|   ↳ `filterQuery` | string | JSON-formatted call filtering criteria |
+|   ↳ `created` | string | Creation timestamp in ISO-8601 format |
+|   ↳ `creatorUserId` | string | ID of the user who created the tracker \(null for built-in trackers\) |
+|   ↳ `updated` | string | Last modification timestamp in ISO-8601 format |
+|   ↳ `updaterUserId` | string | ID of the user who last modified the tracker |
+
+### `gong_list_workspaces`
+
+List all company workspaces in Gong.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `accessKey` | string | Yes | Gong API Access Key |
+| `accessKeySecret` | string | Yes | Gong API Access Key Secret |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `workspaces` | array | List of Gong workspaces |
+|   ↳ `id` | string | Gong unique numeric identifier for the workspace |
+|   ↳ `name` | string | Display name of the workspace |
+|   ↳ `description` | string | Description of the workspace's purpose or content |
+
+### `gong_list_flows`
+
+List Gong Engage flows (sales engagement sequences).
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `accessKey` | string | Yes | Gong API Access Key |
+| `accessKeySecret` | string | Yes | Gong API Access Key Secret |
+| `flowOwnerEmail` | string | Yes | Email of a Gong user. The API will return 'PERSONAL' flows belonging to this user in addition to 'COMPANY' flows. |
+| `workspaceId` | string | No | Optional workspace ID to filter flows to a specific workspace |
+| `cursor` | string | No | Pagination cursor from a previous API call to retrieve the next page of records |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `requestId` | string | A Gong request reference ID for troubleshooting purposes |
+| `flows` | array | List of Gong Engage flows |
+|   ↳ `id` | string | The ID of the flow |
+|   ↳ `name` | string | The name of the flow |
+|   ↳ `folderId` | string | The ID of the folder this flow is under |
+|   ↳ `folderName` | string | The name of the folder this flow is under |
+|   ↳ `visibility` | string | The flow visibility type \(COMPANY, PERSONAL, or SHARED\) |
+|   ↳ `creationDate` | string | Creation time of the flow in ISO-8601 format |
+|   ↳ `exclusive` | boolean | Indicates whether a prospect in this flow can be added to other flows |
+| `totalRecords` | number | Total number of flow records available |
+| `currentPageSize` | number | Number of records returned in the current page |
+| `currentPageNumber` | number | Current page number |
+| `cursor` | string | Pagination cursor for retrieving the next page of records |
+
+### `gong_get_coaching`
+
+Retrieve coaching metrics for a manager from Gong.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `accessKey` | string | Yes | Gong API Access Key |
+| `accessKeySecret` | string | Yes | Gong API Access Key Secret |
+| `managerId` | string | Yes | Gong user ID of the manager |
+| `workspaceId` | string | Yes | Gong workspace ID |
+| `fromDate` | string | Yes | Start date in ISO-8601 format |
+| `toDate` | string | Yes | End date in ISO-8601 format |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `requestId` | string | A Gong request reference ID for troubleshooting purposes |
+| `coachingData` | array | The manager user information |
+|   ↳ `manager` | object | The manager user information |
+|     ↳ `id` | string | Gong unique numeric identifier for the user |
+|     ↳ `emailAddress` | string | Email address of the Gong user |
+|     ↳ `firstName` | string | First name of the Gong user |
+|     ↳ `lastName` | string | Last name of the Gong user |
+|     ↳ `title` | string | Job title of the Gong user |
+|   ↳ `directReportsMetrics` | array | Coaching metrics for each direct report |
+|     ↳ `report` | object | The direct report user information |
+|       ↳ `id` | string | Gong unique numeric identifier for the user |
+|       ↳ `emailAddress` | string | Email address of the Gong user |
+|       ↳ `firstName` | string | First name of the Gong user |
+|       ↳ `lastName` | string | Last name of the Gong user |
+|       ↳ `title` | string | Job title of the Gong user |
+|     ↳ `metrics` | json | A map of metric names to arrays of string values representing coaching metrics |
+
+### `gong_lookup_email`
+
+Find all references to an email address in Gong (calls, email messages, meetings, CRM data, engagement).
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `accessKey` | string | Yes | Gong API Access Key |
+| `accessKeySecret` | string | Yes | Gong API Access Key Secret |
+| `emailAddress` | string | Yes | Email address to look up |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `requestId` | string | Gong request reference ID for troubleshooting |
+| `calls` | array | Related calls referencing this email address |
+|   ↳ `id` | string | Gong's unique numeric identifier for the call \(up to 20 digits\) |
+|   ↳ `status` | string | Call status |
+|   ↳ `externalSystems` | array | Links to external systems such as CRM, Telephony System, etc. |
+|     ↳ `system` | string | External system name |
+|     ↳ `objects` | array | List of objects within the external system |
+|       ↳ `objectType` | string | Object type |
+|       ↳ `externalId` | string | External ID |
+| `emails` | array | Related email messages referencing this email address |
+|   ↳ `id` | string | Gong's unique 32 character identifier for the email message |
+|   ↳ `from` | string | The sender's email address |
+|   ↳ `sentTime` | string | Date and time the email was sent in ISO-8601 format |
+|   ↳ `mailbox` | string | The mailbox from which the email was retrieved |
+|   ↳ `messageHash` | string | Hash code of the email message |
+| `meetings` | array | Related meetings referencing this email address |
+|   ↳ `id` | string | Gong's unique identifier for the meeting |
+| `customerData` | array | Links to data from external systems \(CRM, Telephony, etc.\) that reference this email |
+|   ↳ `system` | string | External system name |
+|   ↳ `objects` | array | List of objects in the external system |
+|     ↳ `id` | string | Gong's unique numeric identifier for the Lead or Contact \(up to 20 digits\) |
+|     ↳ `objectType` | string | Object type |
+|     ↳ `externalId` | string | External ID |
+|     ↳ `mirrorId` | string | CRM Mirror ID |
+|     ↳ `fields` | array | Object fields |
+|       ↳ `name` | string | Field name |
+|       ↳ `value` | json | Field value |
+| `customerEngagement` | array | Customer engagement events \(such as viewing external shared calls\) |
+|   ↳ `eventType` | string | Event type |
+|   ↳ `eventName` | string | Event name |
+|   ↳ `timestamp` | string | Date and time the event occurred in ISO-8601 format |
+|   ↳ `contentId` | string | Event content ID |
+|   ↳ `contentUrl` | string | Event content URL |
+|   ↳ `reportingSystem` | string | Event reporting system |
+|   ↳ `sourceEventId` | string | Source event ID |
+
+### `gong_lookup_phone`
+
+Find all references to a phone number in Gong (calls, email messages, meetings, CRM data, and associated contacts).
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `accessKey` | string | Yes | Gong API Access Key |
+| `accessKeySecret` | string | Yes | Gong API Access Key Secret |
+| `phoneNumber` | string | Yes | Phone number to look up \(must start with + followed by country code\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `requestId` | string | Gong request reference ID for troubleshooting |
+| `suppliedPhoneNumber` | string | The phone number that was supplied in the request |
+| `matchingPhoneNumbers` | array | Phone numbers found in the system that match the supplied number |
+| `emailAddresses` | array | Email addresses associated with the phone number |
+| `calls` | array | Related calls referencing this phone number |
+|   ↳ `id` | string | Gong's unique numeric identifier for the call \(up to 20 digits\) |
+|   ↳ `status` | string | Call status |
+|   ↳ `externalSystems` | array | Links to external systems such as CRM, Telephony System, etc. |
+|     ↳ `system` | string | External system name |
+|     ↳ `objects` | array | List of objects within the external system |
+|       ↳ `objectType` | string | Object type |
+|       ↳ `externalId` | string | External ID |
+| `emails` | array | Related email messages associated with contacts matching this phone number |
+|   ↳ `id` | string | Gong's unique 32 character identifier for the email message |
+|   ↳ `from` | string | The sender's email address |
+|   ↳ `sentTime` | string | Date and time the email was sent in ISO-8601 format |
+|   ↳ `mailbox` | string | The mailbox from which the email was retrieved |
+|   ↳ `messageHash` | string | Hash code of the email message |
+| `meetings` | array | Related meetings associated with this phone number |
+|   ↳ `id` | string | Gong's unique identifier for the meeting |
+| `customerData` | array | Links to data from external systems \(CRM, Telephony, etc.\) that reference this phone number |
+|   ↳ `system` | string | External system name |
+|   ↳ `objects` | array | List of objects in the external system |
+|     ↳ `id` | string | Gong's unique numeric identifier for the Lead or Contact \(up to 20 digits\) |
+|     ↳ `objectType` | string | Object type |
+|     ↳ `externalId` | string | External ID |
+|     ↳ `mirrorId` | string | CRM Mirror ID |
+|     ↳ `fields` | array | Object fields |
+|       ↳ `name` | string | Field name |
+|       ↳ `value` | json | Field value |
+
+
--- a/apps/docs/content/docs/en/tools/hex.mdx
+++ b/apps/docs/content/docs/en/tools/hex.mdx
@@ -0,0 +1,459 @@
+---
+title: Hex
+description: Run and manage Hex projects
+---
+
+import { BlockInfoCard } from "@/components/ui/block-info-card"
+
+<BlockInfoCard 
+  type="hex"
+  color="#14151A"
+/>
+
+{/* MANUAL-CONTENT-START:intro */}
+[Hex](https://hex.tech/) is a collaborative platform for analytics and data science that allows you to build, run, and share interactive data projects and notebooks. Hex lets teams work together on data exploration, transformation, and visualization, making it easy to turn analysis into shareable insights.
+
+With Hex, you can:
+
+- **Create and run powerful notebooks**: Blend SQL, Python, and visualizations in a single, interactive workspace.
+- **Collaborate and share**: Work together with teammates in real time and publish interactive data apps for broader audiences.
+- **Automate and orchestrate workflows**: Schedule notebook runs, parameterize runs with inputs, and automate data tasks.
+- **Visualize and communicate results**: Turn analysis results into dashboards or interactive apps that anyone can use.
+- **Integrate with your data stack**: Connect easily to data warehouses, APIs, and other sources.
+
+The Sim Hex integration allows your AI agents or workflows to:
+
+- List, get, and manage Hex projects directly from Sim.
+- Trigger and monitor notebook runs, check their statuses, or cancel them as part of larger automation flows.
+- Retrieve run results and use them within Sim-powered processes and decision-making.
+- Leverage Hex’s interactive analytics capabilities right inside your automated Sim workflows.
+
+Whether you’re empowering analysts, automating reporting, or embedding actionable data into your processes, Hex and Sim provide a seamless way to operationalize analytics and bring data-driven insights to your team.
+{/* MANUAL-CONTENT-END */}
+
+
+## Usage Instructions
+
+Integrate Hex into your workflow. Run projects, check run status, manage collections and groups, list users, and view data connections. Requires a Hex API token.
+
+
+
+## Tools
+
+### `hex_cancel_run`
+
+Cancel an active Hex project run.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `projectId` | string | Yes | The UUID of the Hex project |
+| `runId` | string | Yes | The UUID of the run to cancel |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `success` | boolean | Whether the run was successfully cancelled |
+| `projectId` | string | Project UUID |
+| `runId` | string | Run UUID that was cancelled |
+
+### `hex_create_collection`
+
+Create a new collection in the Hex workspace to organize projects.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `name` | string | Yes | Name for the new collection |
+| `description` | string | No | Optional description for the collection |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `id` | string | Newly created collection UUID |
+| `name` | string | Collection name |
+| `description` | string | Collection description |
+| `creator` | object | Collection creator |
+|   ↳ `email` | string | Creator email |
+|   ↳ `id` | string | Creator UUID |
+
+### `hex_get_collection`
+
+Retrieve details for a specific Hex collection by its ID.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `collectionId` | string | Yes | The UUID of the collection |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `id` | string | Collection UUID |
+| `name` | string | Collection name |
+| `description` | string | Collection description |
+| `creator` | object | Collection creator |
+|   ↳ `email` | string | Creator email |
+|   ↳ `id` | string | Creator UUID |
+
+### `hex_get_data_connection`
+
+Retrieve details for a specific data connection including type, description, and configuration flags.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `dataConnectionId` | string | Yes | The UUID of the data connection |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `id` | string | Connection UUID |
+| `name` | string | Connection name |
+| `type` | string | Connection type \(e.g., snowflake, postgres, bigquery\) |
+| `description` | string | Connection description |
+| `connectViaSsh` | boolean | Whether SSH tunneling is enabled |
+| `includeMagic` | boolean | Whether Magic AI features are enabled |
+| `allowWritebackCells` | boolean | Whether writeback cells are allowed |
+
+### `hex_get_group`
+
+Retrieve details for a specific Hex group.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `groupId` | string | Yes | The UUID of the group |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `id` | string | Group UUID |
+| `name` | string | Group name |
+| `createdAt` | string | Creation timestamp |
+
+### `hex_get_project`
+
+Get metadata and details for a specific Hex project by its ID.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `projectId` | string | Yes | The UUID of the Hex project |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `id` | string | Project UUID |
+| `title` | string | Project title |
+| `description` | string | Project description |
+| `status` | object | Project status |
+|   ↳ `name` | string | Status name \(e.g., PUBLISHED, DRAFT\) |
+| `type` | string | Project type \(PROJECT or COMPONENT\) |
+| `creator` | object | Project creator |
+|   ↳ `email` | string | Creator email |
+| `owner` | object | Project owner |
+|   ↳ `email` | string | Owner email |
+| `categories` | array | Project categories |
+|   ↳ `name` | string | Category name |
+|   ↳ `description` | string | Category description |
+| `lastEditedAt` | string | ISO 8601 last edited timestamp |
+| `lastPublishedAt` | string | ISO 8601 last published timestamp |
+| `createdAt` | string | ISO 8601 creation timestamp |
+| `archivedAt` | string | ISO 8601 archived timestamp |
+| `trashedAt` | string | ISO 8601 trashed timestamp |
+
+### `hex_get_project_runs`
+
+Retrieve API-triggered runs for a Hex project with optional filtering by status and pagination.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `projectId` | string | Yes | The UUID of the Hex project |
+| `limit` | number | No | Maximum number of runs to return \(1-100, default: 25\) |
+| `offset` | number | No | Offset for paginated results \(default: 0\) |
+| `statusFilter` | string | No | Filter by run status: PENDING, RUNNING, ERRORED, COMPLETED, KILLED, UNABLE_TO_ALLOCATE_KERNEL |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `runs` | array | List of project runs |
+|   ↳ `projectId` | string | Project UUID |
+|   ↳ `runId` | string | Run UUID |
+|   ↳ `runUrl` | string | URL to view the run |
+|   ↳ `status` | string | Run status \(PENDING, RUNNING, COMPLETED, ERRORED, KILLED, UNABLE_TO_ALLOCATE_KERNEL\) |
+|   ↳ `startTime` | string | Run start time |
+|   ↳ `endTime` | string | Run end time |
+|   ↳ `elapsedTime` | number | Elapsed time in seconds |
+|   ↳ `traceId` | string | Trace ID |
+|   ↳ `projectVersion` | number | Project version number |
+| `total` | number | Total number of runs returned |
+| `traceId` | string | Top-level trace ID |
+
+### `hex_get_queried_tables`
+
+Return the warehouse tables queried by a Hex project, including data connection and table names.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `projectId` | string | Yes | The UUID of the Hex project |
+| `limit` | number | No | Maximum number of tables to return \(1-100\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `tables` | array | List of warehouse tables queried by the project |
+|   ↳ `dataConnectionId` | string | Data connection UUID |
+|   ↳ `dataConnectionName` | string | Data connection name |
+|   ↳ `tableName` | string | Table name |
+| `total` | number | Total number of tables returned |
+
+### `hex_get_run_status`
+
+Check the status of a Hex project run by its run ID.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `projectId` | string | Yes | The UUID of the Hex project |
+| `runId` | string | Yes | The UUID of the run to check |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `projectId` | string | Project UUID |
+| `runId` | string | Run UUID |
+| `runUrl` | string | URL to view the run |
+| `status` | string | Run status \(PENDING, RUNNING, COMPLETED, ERRORED, KILLED, UNABLE_TO_ALLOCATE_KERNEL\) |
+| `startTime` | string | ISO 8601 run start time |
+| `endTime` | string | ISO 8601 run end time |
+| `elapsedTime` | number | Elapsed time in seconds |
+| `traceId` | string | Trace ID for debugging |
+| `projectVersion` | number | Project version number |
+
+### `hex_list_collections`
+
+List all collections in the Hex workspace.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `limit` | number | No | Maximum number of collections to return \(1-500, default: 25\) |
+| `sortBy` | string | No | Sort by field: NAME |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `collections` | array | List of collections |
+|   ↳ `id` | string | Collection UUID |
+|   ↳ `name` | string | Collection name |
+|   ↳ `description` | string | Collection description |
+|   ↳ `creator` | object | Collection creator |
+|     ↳ `email` | string | Creator email |
+|     ↳ `id` | string | Creator UUID |
+| `total` | number | Total number of collections returned |
+
+### `hex_list_data_connections`
+
+List all data connections in the Hex workspace (e.g., Snowflake, PostgreSQL, BigQuery).
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `limit` | number | No | Maximum number of connections to return \(1-500, default: 25\) |
+| `sortBy` | string | No | Sort by field: CREATED_AT or NAME |
+| `sortDirection` | string | No | Sort direction: ASC or DESC |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `connections` | array | List of data connections |
+|   ↳ `id` | string | Connection UUID |
+|   ↳ `name` | string | Connection name |
+|   ↳ `type` | string | Connection type \(e.g., athena, bigquery, databricks, postgres, redshift, snowflake\) |
+|   ↳ `description` | string | Connection description |
+|   ↳ `connectViaSsh` | boolean | Whether SSH tunneling is enabled |
+|   ↳ `includeMagic` | boolean | Whether Magic AI features are enabled |
+|   ↳ `allowWritebackCells` | boolean | Whether writeback cells are allowed |
+| `total` | number | Total number of connections returned |
+
+### `hex_list_groups`
+
+List all groups in the Hex workspace with optional sorting.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `limit` | number | No | Maximum number of groups to return \(1-500, default: 25\) |
+| `sortBy` | string | No | Sort by field: CREATED_AT or NAME |
+| `sortDirection` | string | No | Sort direction: ASC or DESC |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `groups` | array | List of workspace groups |
+|   ↳ `id` | string | Group UUID |
+|   ↳ `name` | string | Group name |
+|   ↳ `createdAt` | string | Creation timestamp |
+| `total` | number | Total number of groups returned |
+
+### `hex_list_projects`
+
+List all projects in your Hex workspace with optional filtering by status.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `limit` | number | No | Maximum number of projects to return \(1-100\) |
+| `includeArchived` | boolean | No | Include archived projects in results |
+| `statusFilter` | string | No | Filter by status: PUBLISHED, DRAFT, or ALL |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `projects` | array | List of Hex projects |
+|   ↳ `id` | string | Project UUID |
+|   ↳ `title` | string | Project title |
+|   ↳ `description` | string | Project description |
+|   ↳ `status` | object | Project status |
+|     ↳ `name` | string | Status name \(e.g., PUBLISHED, DRAFT\) |
+|   ↳ `type` | string | Project type \(PROJECT or COMPONENT\) |
+|   ↳ `creator` | object | Project creator |
+|     ↳ `email` | string | Creator email |
+|   ↳ `owner` | object | Project owner |
+|     ↳ `email` | string | Owner email |
+|   ↳ `lastEditedAt` | string | Last edited timestamp |
+|   ↳ `lastPublishedAt` | string | Last published timestamp |
+|   ↳ `createdAt` | string | Creation timestamp |
+|   ↳ `archivedAt` | string | Archived timestamp |
+| `total` | number | Total number of projects returned |
+
+### `hex_list_users`
+
+List all users in the Hex workspace with optional filtering and sorting.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `limit` | number | No | Maximum number of users to return \(1-100, default: 25\) |
+| `sortBy` | string | No | Sort by field: NAME or EMAIL |
+| `sortDirection` | string | No | Sort direction: ASC or DESC |
+| `groupId` | string | No | Filter users by group UUID |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `users` | array | List of workspace users |
+|   ↳ `id` | string | User UUID |
+|   ↳ `name` | string | User name |
+|   ↳ `email` | string | User email |
+|   ↳ `role` | string | User role \(ADMIN, MANAGER, EDITOR, EXPLORER, MEMBER, GUEST, EMBEDDED_USER, ANONYMOUS\) |
+| `total` | number | Total number of users returned |
+
+### `hex_run_project`
+
+Execute a published Hex project. Optionally pass input parameters and control caching behavior.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `projectId` | string | Yes | The UUID of the Hex project to run |
+| `inputParams` | json | No | JSON object of input parameters for the project \(e.g., \{"date": "2024-01-01"\}\) |
+| `dryRun` | boolean | No | If true, perform a dry run without executing the project |
+| `updateCache` | boolean | No | \(Deprecated\) If true, update the cached results after execution |
+| `updatePublishedResults` | boolean | No | If true, update the published app results after execution |
+| `useCachedSqlResults` | boolean | No | If true, use cached SQL results instead of re-running queries |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `projectId` | string | Project UUID |
+| `runId` | string | Run UUID |
+| `runUrl` | string | URL to view the run |
+| `runStatusUrl` | string | URL to check run status |
+| `traceId` | string | Trace ID for debugging |
+| `projectVersion` | number | Project version number |
+
+### `hex_update_project`
+
+Update a Hex project status label (e.g., endorsement or custom workspace statuses).
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `apiKey` | string | Yes | Hex API token \(Personal or Workspace\) |
+| `projectId` | string | Yes | The UUID of the Hex project to update |
+| `status` | string | Yes | New project status name \(custom workspace status label\) |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `id` | string | Project UUID |
+| `title` | string | Project title |
+| `description` | string | Project description |
+| `status` | object | Updated project status |
+|   ↳ `name` | string | Status name \(e.g., PUBLISHED, DRAFT\) |
+| `type` | string | Project type \(PROJECT or COMPONENT\) |
+| `creator` | object | Project creator |
+|   ↳ `email` | string | Creator email |
+| `owner` | object | Project owner |
+|   ↳ `email` | string | Owner email |
+| `categories` | array | Project categories |
+|   ↳ `name` | string | Category name |
+|   ↳ `description` | string | Category description |
+| `lastEditedAt` | string | Last edited timestamp |
+| `lastPublishedAt` | string | Last published timestamp |
+| `createdAt` | string | Creation timestamp |
+| `archivedAt` | string | Archived timestamp |
+| `trashedAt` | string | Trashed timestamp |
+
+
--- a/apps/docs/content/docs/en/tools/jira_service_management.mdx
+++ b/apps/docs/content/docs/en/tools/jira_service_management.mdx
@@ -116,7 +116,7 @@ Create a new service request in Jira Service Management
 | `summary` | string | Yes | Summary/title for the service request |
 | `description` | string | No | Description for the service request |
 | `raiseOnBehalfOf` | string | No | Account ID of customer to raise request on behalf of |
-| `requestFieldValues` | json | No | Custom field values as key-value pairs \(overrides summary/description if provided\) |
+| `requestFieldValues` | json | No | Request field values as key-value pairs \(overrides summary/description if provided\) |
 | `requestParticipants` | string | No | Comma-separated account IDs to add as request participants |
 | `channel` | string | No | Channel the request originates from \(e.g., portal, email\) |

--- a/apps/docs/content/docs/en/tools/meta.json
+++ b/apps/docs/content/docs/en/tools/meta.json
@@ -10,6 +10,7 @@
    "apollo",
    "arxiv",
    "asana",
+    "attio",
    "browser_use",
    "calcom",
    "calendly",
@@ -35,6 +36,7 @@
    "github",
    "gitlab",
    "gmail",
+    "gong",
    "google_books",
    "google_calendar",
    "google_docs",
@@ -49,6 +51,7 @@
    "grafana",
    "grain",
    "greptile",
+    "hex",
    "hubspot",
    "huggingface",
    "hunter",
--- a/apps/docs/content/docs/en/tools/slack.mdx
+++ b/apps/docs/content/docs/en/tools/slack.mdx
@@ -1,6 +1,6 @@
 ---
 title: Slack
-description: Send, update, delete messages, add reactions in Slack or trigger workflows from Slack events
+description: Send, update, delete messages, send ephemeral messages, add reactions in Slack or trigger workflows from Slack events
 ---

 import { BlockInfoCard } from "@/components/ui/block-info-card"
@@ -59,7 +59,7 @@ If you encounter issues with the Slack integration, contact us at [help@sim.ai](

 ## Usage Instructions

-Integrate Slack into the workflow. Can send, update, and delete messages, create canvases, read messages, and add reactions. Requires Bot Token instead of OAuth in advanced mode. Can be used in trigger mode to trigger a workflow when a message is sent to a channel.
+Integrate Slack into the workflow. Can send, update, and delete messages, send ephemeral messages visible only to a specific user, create canvases, read messages, and add reactions. Requires Bot Token instead of OAuth in advanced mode. Can be used in trigger mode to trigger a workflow when a message is sent to a channel.



@@ -80,6 +80,7 @@ Send messages to Slack channels or direct messages. Supports Slack mrkdwn format
 | `dmUserId` | string | No | Slack user ID for direct messages \(e.g., U1234567890\) |
 | `text` | string | Yes | Message text to send \(supports Slack mrkdwn formatting\) |
 | `threadTs` | string | No | Thread timestamp to reply to \(creates thread reply\) |
+| `blocks` | json | No | Block Kit layout blocks as a JSON array. When provided, text becomes the fallback notification text. |
 | `files` | file[] | No | Files to attach to the message |

 #### Output
@@ -146,6 +147,29 @@ Send messages to Slack channels or direct messages. Supports Slack mrkdwn format
 | `fileCount` | number | Number of files uploaded \(when files are attached\) |
 | `files` | file[] | Files attached to the message |

+### `slack_ephemeral_message`
+
+Send an ephemeral message visible only to a specific user in a channel. Optionally reply in a thread. The message does not persist across sessions.
+
+#### Input
+
+| Parameter | Type | Required | Description |
+| --------- | ---- | -------- | ----------- |
+| `authMethod` | string | No | Authentication method: oauth or bot_token |
+| `botToken` | string | No | Bot token for Custom Bot |
+| `channel` | string | Yes | Slack channel ID \(e.g., C1234567890\) |
+| `user` | string | Yes | User ID who will see the ephemeral message \(e.g., U1234567890\). Must be a member of the channel. |
+| `text` | string | Yes | Message text to send \(supports Slack mrkdwn formatting\) |
+| `threadTs` | string | No | Thread timestamp to reply in. When provided, the ephemeral message appears as a thread reply. |
+| `blocks` | json | No | Block Kit layout blocks as a JSON array. When provided, text becomes the fallback notification text. |
+
+#### Output
+
+| Parameter | Type | Description |
+| --------- | ---- | ----------- |
+| `messageTs` | string | Timestamp of the ephemeral message \(cannot be used with chat.update\) |
+| `channel` | string | Channel ID where the ephemeral message was sent |
+
 ### `slack_canvas`

 Create and share Slack canvases in channels. Canvases are collaborative documents within Slack.
@@ -682,6 +706,7 @@ Update a message previously sent by the bot in Slack
 | `channel` | string | Yes | Channel ID where the message was posted \(e.g., C1234567890\) |
 | `timestamp` | string | Yes | Timestamp of the message to update \(e.g., 1405894322.002768\) |
 | `text` | string | Yes | New message text \(supports Slack mrkdwn formatting\) |
+| `blocks` | json | No | Block Kit layout blocks as a JSON array. When provided, text becomes the fallback notification text. |

 #### Output

--- a/apps/sim/app/(auth)/oauth/consent/page.tsx
+++ b/apps/sim/app/(auth)/oauth/consent/page.tsx
@@ -0,0 +1,274 @@
+'use client'
+
+import { useCallback, useEffect, useState } from 'react'
+import { ArrowLeftRight } from 'lucide-react'
+import Image from 'next/image'
+import { useRouter, useSearchParams } from 'next/navigation'
+import { Button } from '@/components/emcn'
+import { signOut, useSession } from '@/lib/auth/auth-client'
+import { inter } from '@/app/_styles/fonts/inter/inter'
+import { soehne } from '@/app/_styles/fonts/soehne/soehne'
+import { BrandedButton } from '@/app/(auth)/components/branded-button'
+
+const SCOPE_DESCRIPTIONS: Record<string, string> = {
+  openid: 'Verify your identity',
+  profile: 'Access your basic profile information',
+  email: 'View your email address',
+  offline_access: 'Maintain access when you are not actively using the app',
+  'mcp:tools': 'Use Sim workflows and tools on your behalf',
+} as const
+
+interface ClientInfo {
+  clientId: string
+  name: string
+  icon: string
+}
+
+export default function OAuthConsentPage() {
+  const router = useRouter()
+  const searchParams = useSearchParams()
+  const { data: session } = useSession()
+  const consentCode = searchParams.get('consent_code')
+  const clientId = searchParams.get('client_id')
+  const scope = searchParams.get('scope')
+
+  const [clientInfo, setClientInfo] = useState<ClientInfo | null>(null)
+  const [loading, setLoading] = useState(true)
+  const [submitting, setSubmitting] = useState(false)
+  const [error, setError] = useState<string | null>(null)
+
+  const scopes = scope?.split(' ').filter(Boolean) ?? []
+
+  useEffect(() => {
+    if (!clientId) {
+      setLoading(false)
+      setError('The authorization request is missing a required client identifier.')
+      return
+    }
+
+    fetch(`/api/auth/oauth2/client/${encodeURIComponent(clientId)}`, { credentials: 'include' })
+      .then(async (res) => {
+        if (!res.ok) return
+        const data = await res.json()
+        setClientInfo(data)
+      })
+      .catch(() => {})
+      .finally(() => {
+        setLoading(false)
+      })
+  }, [clientId])
+
+  const handleConsent = useCallback(
+    async (accept: boolean) => {
+      if (!consentCode) {
+        setError('The authorization request is missing a required consent code.')
+        return
+      }
+
+      setSubmitting(true)
+      try {
+        const res = await fetch('/api/auth/oauth2/consent', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          credentials: 'include',
+          body: JSON.stringify({ accept, consent_code: consentCode }),
+        })
+
+        if (!res.ok) {
+          const body = await res.json().catch(() => null)
+          setError(
+            (body as Record<string, string> | null)?.message ??
+              'The consent request could not be processed. Please try again.'
+          )
+          setSubmitting(false)
+          return
+        }
+
+        const data = (await res.json()) as { redirectURI?: string }
+        if (data.redirectURI) {
+          window.location.href = data.redirectURI
+        } else {
+          setError('The server did not return a redirect. Please try again.')
+          setSubmitting(false)
+        }
+      } catch {
+        setError('Something went wrong. Please try again.')
+        setSubmitting(false)
+      }
+    },
+    [consentCode]
+  )
+
+  const handleSwitchAccount = useCallback(async () => {
+    if (!consentCode) return
+
+    const res = await fetch(`/api/auth/oauth2/authorize-params?consent_code=${consentCode}`, {
+      credentials: 'include',
+    })
+    if (!res.ok) {
+      setError('Unable to switch accounts. Please re-initiate the connection.')
+      return
+    }
+
+    const params = (await res.json()) as Record<string, string | null>
+    const authorizeUrl = new URL('/api/auth/oauth2/authorize', window.location.origin)
+    for (const [key, value] of Object.entries(params)) {
+      if (value) authorizeUrl.searchParams.set(key, value)
+    }
+
+    await signOut({
+      fetchOptions: {
+        onSuccess: () => {
+          window.location.href = authorizeUrl.toString()
+        },
+      },
+    })
+  }, [consentCode])
+
+  if (loading) {
+    return (
+      <div className='flex flex-col items-center justify-center'>
+        <div className='space-y-1 text-center'>
+          <h1 className={`${soehne.className} font-medium text-[32px] text-black tracking-tight`}>
+            Authorize Application
+          </h1>
+          <p className={`${inter.className} font-[380] text-[16px] text-muted-foreground`}>
+            Loading application details...
+          </p>
+        </div>
+      </div>
+    )
+  }
+
+  if (error) {
+    return (
+      <div className='flex flex-col items-center justify-center'>
+        <div className='space-y-1 text-center'>
+          <h1 className={`${soehne.className} font-medium text-[32px] text-black tracking-tight`}>
+            Authorization Error
+          </h1>
+          <p className={`${inter.className} font-[380] text-[16px] text-muted-foreground`}>
+            {error}
+          </p>
+        </div>
+        <div className={`${inter.className} mt-8 w-full max-w-[410px] space-y-3`}>
+          <BrandedButton onClick={() => router.push('/')}>Return to Home</BrandedButton>
+        </div>
+      </div>
+    )
+  }
+
+  const clientName = clientInfo?.name ?? clientId
+
+  return (
+    <div className='flex flex-col items-center justify-center'>
+      <div className='mb-6 flex items-center gap-4'>
+        {clientInfo?.icon ? (
+          <img
+            src={clientInfo.icon}
+            alt={clientName ?? 'Application'}
+            width={48}
+            height={48}
+            className='rounded-[10px]'
+          />
+        ) : (
+          <div className='flex h-12 w-12 items-center justify-center rounded-[10px] bg-muted font-medium text-[18px] text-muted-foreground'>
+            {(clientName ?? '?').charAt(0).toUpperCase()}
+          </div>
+        )}
+        <ArrowLeftRight className='h-5 w-5 text-muted-foreground' />
+        <Image
+          src='/new/logo/colorized-bg.svg'
+          alt='Sim'
+          width={48}
+          height={48}
+          className='rounded-[10px]'
+        />
+      </div>
+
+      <div className='space-y-1 text-center'>
+        <h1 className={`${soehne.className} font-medium text-[32px] text-black tracking-tight`}>
+          Authorize Application
+        </h1>
+        <p className={`${inter.className} font-[380] text-[16px] text-muted-foreground`}>
+          <span className='font-medium text-foreground'>{clientName}</span> is requesting access to
+          your account
+        </p>
+      </div>
+
+      {session?.user && (
+        <div
+          className={`${inter.className} mt-5 flex items-center gap-3 rounded-lg border px-4 py-3`}
+        >
+          {session.user.image ? (
+            <Image
+              src={session.user.image}
+              alt={session.user.name ?? 'User'}
+              width={32}
+              height={32}
+              className='rounded-full'
+              unoptimized
+            />
+          ) : (
+            <div className='flex h-8 w-8 items-center justify-center rounded-full bg-muted font-medium text-[13px] text-muted-foreground'>
+              {(session.user.name ?? session.user.email ?? '?').charAt(0).toUpperCase()}
+            </div>
+          )}
+          <div className='min-w-0'>
+            {session.user.name && (
+              <p className='truncate font-medium text-[14px]'>{session.user.name}</p>
+            )}
+            <p className='truncate text-[13px] text-muted-foreground'>{session.user.email}</p>
+          </div>
+          <button
+            type='button'
+            onClick={handleSwitchAccount}
+            className='ml-auto text-[13px] text-muted-foreground underline-offset-2 transition-colors hover:text-foreground hover:underline'
+          >
+            Switch
+          </button>
+        </div>
+      )}
+
+      {scopes.length > 0 && (
+        <div className={`${inter.className} mt-5 w-full max-w-[410px]`}>
+          <div className='rounded-lg border p-4'>
+            <p className='mb-3 font-medium text-[14px]'>This will allow the application to:</p>
+            <ul className='space-y-2'>
+              {scopes.map((s) => (
+                <li
+                  key={s}
+                  className='flex items-start gap-2 font-normal text-[13px] text-muted-foreground'
+                >
+                  <span className='mt-0.5 text-green-500'>&#10003;</span>
+                  <span>{SCOPE_DESCRIPTIONS[s] ?? s}</span>
+                </li>
+              ))}
+            </ul>
+          </div>
+        </div>
+      )}
+
+      <div className={`${inter.className} mt-6 flex w-full max-w-[410px] gap-3`}>
+        <Button
+          variant='outline'
+          size='md'
+          className='px-6 py-2'
+          disabled={submitting}
+          onClick={() => handleConsent(false)}
+        >
+          Deny
+        </Button>
+        <BrandedButton
+          fullWidth
+          showArrow={false}
+          loading={submitting}
+          loadingText='Authorizing'
+          onClick={() => handleConsent(true)}
+        >
+          Allow
+        </BrandedButton>
+      </div>
+    </div>
+  )
+}
--- a/apps/sim/app/.well-known/oauth-authorization-server/[...issuer]/route.ts
+++ b/apps/sim/app/.well-known/oauth-authorization-server/[...issuer]/route.ts
@@ -1,6 +1,6 @@
-import type { NextRequest, NextResponse } from 'next/server'
+import type { NextResponse } from 'next/server'
 import { createMcpAuthorizationServerMetadataResponse } from '@/lib/mcp/oauth-discovery'

-export async function GET(request: NextRequest): Promise<NextResponse> {
-  return createMcpAuthorizationServerMetadataResponse(request)
+export async function GET(): Promise<NextResponse> {
+  return createMcpAuthorizationServerMetadataResponse()
 }
--- a/apps/sim/app/.well-known/oauth-authorization-server/api/mcp/copilot/route.ts
+++ b/apps/sim/app/.well-known/oauth-authorization-server/api/mcp/copilot/route.ts
@@ -1,6 +1,6 @@
-import type { NextRequest, NextResponse } from 'next/server'
+import type { NextResponse } from 'next/server'
 import { createMcpAuthorizationServerMetadataResponse } from '@/lib/mcp/oauth-discovery'

-export async function GET(request: NextRequest): Promise<NextResponse> {
-  return createMcpAuthorizationServerMetadataResponse(request)
+export async function GET(): Promise<NextResponse> {
+  return createMcpAuthorizationServerMetadataResponse()
 }
--- a/apps/sim/app/.well-known/oauth-authorization-server/route.ts
+++ b/apps/sim/app/.well-known/oauth-authorization-server/route.ts
@@ -1,6 +1,6 @@
-import type { NextRequest, NextResponse } from 'next/server'
+import type { NextResponse } from 'next/server'
 import { createMcpAuthorizationServerMetadataResponse } from '@/lib/mcp/oauth-discovery'

-export async function GET(request: NextRequest): Promise<NextResponse> {
-  return createMcpAuthorizationServerMetadataResponse(request)
+export async function GET(): Promise<NextResponse> {
+  return createMcpAuthorizationServerMetadataResponse()
 }
--- a/apps/sim/app/.well-known/oauth-protected-resource/api/mcp/copilot/route.ts
+++ b/apps/sim/app/.well-known/oauth-protected-resource/api/mcp/copilot/route.ts
@@ -1,6 +1,6 @@
-import type { NextRequest, NextResponse } from 'next/server'
+import type { NextResponse } from 'next/server'
 import { createMcpProtectedResourceMetadataResponse } from '@/lib/mcp/oauth-discovery'

-export async function GET(request: NextRequest): Promise<NextResponse> {
-  return createMcpProtectedResourceMetadataResponse(request)
+export async function GET(): Promise<NextResponse> {
+  return createMcpProtectedResourceMetadataResponse()
 }
--- a/apps/sim/app/.well-known/oauth-protected-resource/route.ts
+++ b/apps/sim/app/.well-known/oauth-protected-resource/route.ts
@@ -1,6 +1,6 @@
-import type { NextRequest, NextResponse } from 'next/server'
+import type { NextResponse } from 'next/server'
 import { createMcpProtectedResourceMetadataResponse } from '@/lib/mcp/oauth-discovery'

-export async function GET(request: NextRequest): Promise<NextResponse> {
-  return createMcpProtectedResourceMetadataResponse(request)
+export async function GET(): Promise<NextResponse> {
+  return createMcpProtectedResourceMetadataResponse()
 }
--- a/apps/sim/app/_shell/providers/session-provider.tsx
+++ b/apps/sim/app/_shell/providers/session-provider.tsx
@@ -5,6 +5,7 @@ import { createContext, useCallback, useEffect, useMemo, useState } from 'react'
 import { useQueryClient } from '@tanstack/react-query'
 import posthog from 'posthog-js'
 import { client } from '@/lib/auth/auth-client'
+import { extractSessionDataFromAuthClientResult } from '@/lib/auth/session-response'

 export type AppSession = {
  user: {
@@ -45,7 +46,8 @@ export function SessionProvider({ children }: { children: React.ReactNode }) {
      const res = bypassCache
        ? await client.getSession({ query: { disableCookieCache: true } })
        : await client.getSession()
-      setData(res?.data ?? null)
+      const session = extractSessionDataFromAuthClientResult(res) as AppSession
+      setData(session)
    } catch (e) {
      setError(e instanceof Error ? e : new Error('Failed to fetch session'))
    } finally {
--- a/apps/sim/app/_shell/providers/theme-provider.tsx
+++ b/apps/sim/app/_shell/providers/theme-provider.tsx
@@ -23,7 +23,8 @@ export function ThemeProvider({ children, ...props }: ThemeProviderProps) {
    pathname.startsWith('/chat') ||
    pathname.startsWith('/studio') ||
    pathname.startsWith('/resume') ||
-    pathname.startsWith('/form')
+    pathname.startsWith('/form') ||
+    pathname.startsWith('/oauth')

  return (
    <NextThemesProvider
--- a/apps/sim/app/api/auth/[...all]/route.test.ts
+++ b/apps/sim/app/api/auth/[...all]/route.test.ts
@@ -0,0 +1,93 @@
+/**
+ * @vitest-environment node
+ */
+import { createMockRequest, setupCommonApiMocks } from '@sim/testing'
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+
+const handlerMocks = vi.hoisted(() => ({
+  betterAuthGET: vi.fn(),
+  betterAuthPOST: vi.fn(),
+  ensureAnonymousUserExists: vi.fn(),
+  createAnonymousGetSessionResponse: vi.fn(() => ({
+    data: {
+      user: { id: 'anon' },
+      session: { id: 'anon-session' },
+    },
+  })),
+}))
+
+vi.mock('better-auth/next-js', () => ({
+  toNextJsHandler: () => ({
+    GET: handlerMocks.betterAuthGET,
+    POST: handlerMocks.betterAuthPOST,
+  }),
+}))
+
+vi.mock('@/lib/auth', () => ({
+  auth: { handler: {} },
+}))
+
+vi.mock('@/lib/auth/anonymous', () => ({
+  ensureAnonymousUserExists: handlerMocks.ensureAnonymousUserExists,
+  createAnonymousGetSessionResponse: handlerMocks.createAnonymousGetSessionResponse,
+}))
+
+describe('auth catch-all route (DISABLE_AUTH get-session)', () => {
+  beforeEach(() => {
+    vi.resetModules()
+    setupCommonApiMocks()
+    handlerMocks.betterAuthGET.mockReset()
+    handlerMocks.betterAuthPOST.mockReset()
+    handlerMocks.ensureAnonymousUserExists.mockReset()
+    handlerMocks.createAnonymousGetSessionResponse.mockClear()
+  })
+
+  it('returns anonymous session in better-auth response envelope when auth is disabled', async () => {
+    vi.doMock('@/lib/core/config/feature-flags', () => ({ isAuthDisabled: true }))
+
+    const req = createMockRequest(
+      'GET',
+      undefined,
+      {},
+      'http://localhost:3000/api/auth/get-session'
+    )
+    const { GET } = await import('@/app/api/auth/[...all]/route')
+
+    const res = await GET(req as any)
+    const json = await res.json()
+
+    expect(handlerMocks.ensureAnonymousUserExists).toHaveBeenCalledTimes(1)
+    expect(handlerMocks.betterAuthGET).not.toHaveBeenCalled()
+    expect(json).toEqual({
+      data: {
+        user: { id: 'anon' },
+        session: { id: 'anon-session' },
+      },
+    })
+  })
+
+  it('delegates to better-auth handler when auth is enabled', async () => {
+    vi.doMock('@/lib/core/config/feature-flags', () => ({ isAuthDisabled: false }))
+
+    handlerMocks.betterAuthGET.mockResolvedValueOnce(
+      new (await import('next/server')).NextResponse(JSON.stringify({ data: { ok: true } }), {
+        headers: { 'content-type': 'application/json' },
+      }) as any
+    )
+
+    const req = createMockRequest(
+      'GET',
+      undefined,
+      {},
+      'http://localhost:3000/api/auth/get-session'
+    )
+    const { GET } = await import('@/app/api/auth/[...all]/route')
+
+    const res = await GET(req as any)
+    const json = await res.json()
+
+    expect(handlerMocks.ensureAnonymousUserExists).not.toHaveBeenCalled()
+    expect(handlerMocks.betterAuthGET).toHaveBeenCalledTimes(1)
+    expect(json).toEqual({ data: { ok: true } })
+  })
+})
--- a/apps/sim/app/api/auth/[...all]/route.ts
+++ b/apps/sim/app/api/auth/[...all]/route.ts
@@ -1,7 +1,7 @@
 import { toNextJsHandler } from 'better-auth/next-js'
 import { type NextRequest, NextResponse } from 'next/server'
 import { auth } from '@/lib/auth'
-import { createAnonymousSession, ensureAnonymousUserExists } from '@/lib/auth/anonymous'
+import { createAnonymousGetSessionResponse, ensureAnonymousUserExists } from '@/lib/auth/anonymous'
 import { isAuthDisabled } from '@/lib/core/config/feature-flags'

 export const dynamic = 'force-dynamic'
@@ -14,7 +14,7 @@ export async function GET(request: NextRequest) {

  if (path === 'get-session' && isAuthDisabled) {
    await ensureAnonymousUserExists()
-    return NextResponse.json(createAnonymousSession())
+    return NextResponse.json(createAnonymousGetSessionResponse())
  }

  return betterAuthGET(request)
--- a/apps/sim/app/api/auth/accounts/route.ts
+++ b/apps/sim/app/api/auth/accounts/route.ts
@@ -1,7 +1,7 @@
 import { db } from '@sim/db'
 import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { and, eq } from 'drizzle-orm'
+import { and, desc, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'

@@ -31,15 +31,13 @@ export async function GET(request: NextRequest) {
      })
      .from(account)
      .where(and(...whereConditions))
-
-    // Use the user's email as the display name (consistent with credential selector)
-    const userEmail = session.user.email
+      .orderBy(desc(account.updatedAt))

    const accountsWithDisplayName = accounts.map((acc) => ({
      id: acc.id,
      accountId: acc.accountId,
      providerId: acc.providerId,
-      displayName: userEmail || acc.providerId,
+      displayName: acc.accountId || acc.providerId,
    }))

    return NextResponse.json({ accounts: accountsWithDisplayName })
--- a/apps/sim/app/api/auth/oauth/credentials/route.test.ts
+++ b/apps/sim/app/api/auth/oauth/credentials/route.test.ts
@@ -57,10 +57,6 @@ describe('OAuth Credentials API Route', () => {
      eq: vi.fn((field, value) => ({ field, value, type: 'eq' })),
    }))

-    vi.doMock('jwt-decode', () => ({
-      jwtDecode: vi.fn(),
-    }))
-
    vi.doMock('@sim/logger', () => ({
      createLogger: vi.fn().mockReturnValue(mockLogger),
    }))
@@ -84,64 +80,6 @@ describe('OAuth Credentials API Route', () => {
    vi.clearAllMocks()
  })

-  it('should return credentials successfully', async () => {
-    mockGetSession.mockResolvedValueOnce({
-      user: { id: 'user-123' },
-    })
-
-    mockParseProvider.mockReturnValueOnce({
-      baseProvider: 'google',
-    })
-
-    const mockAccounts = [
-      {
-        id: 'credential-1',
-        userId: 'user-123',
-        providerId: 'google-email',
-        accountId: 'test@example.com',
-        updatedAt: new Date('2024-01-01'),
-        idToken: null,
-      },
-      {
-        id: 'credential-2',
-        userId: 'user-123',
-        providerId: 'google-default',
-        accountId: 'user-id',
-        updatedAt: new Date('2024-01-02'),
-        idToken: null,
-      },
-    ]
-
-    mockDb.select.mockReturnValueOnce(mockDb)
-    mockDb.from.mockReturnValueOnce(mockDb)
-    mockDb.where.mockResolvedValueOnce(mockAccounts)
-
-    mockDb.select.mockReturnValueOnce(mockDb)
-    mockDb.from.mockReturnValueOnce(mockDb)
-    mockDb.where.mockReturnValueOnce(mockDb)
-    mockDb.limit.mockResolvedValueOnce([{ email: 'user@example.com' }])
-
-    const req = createMockRequestWithQuery('GET', '?provider=google-email')
-
-    const { GET } = await import('@/app/api/auth/oauth/credentials/route')
-
-    const response = await GET(req)
-    const data = await response.json()
-
-    expect(response.status).toBe(200)
-    expect(data.credentials).toHaveLength(2)
-    expect(data.credentials[0]).toMatchObject({
-      id: 'credential-1',
-      provider: 'google-email',
-      isDefault: false,
-    })
-    expect(data.credentials[1]).toMatchObject({
-      id: 'credential-2',
-      provider: 'google-default',
-      isDefault: true,
-    })
-  })
-
  it('should handle unauthenticated user', async () => {
    mockGetSession.mockResolvedValueOnce(null)

@@ -198,39 +136,12 @@ describe('OAuth Credentials API Route', () => {
    expect(data.credentials).toHaveLength(0)
  })

-  it('should decode ID token for display name', async () => {
-    const { jwtDecode } = await import('jwt-decode')
-    const mockJwtDecode = jwtDecode as any
-
+  it('should return empty credentials when no workspace context', async () => {
    mockGetSession.mockResolvedValueOnce({
      user: { id: 'user-123' },
    })

-    mockParseProvider.mockReturnValueOnce({
-      baseProvider: 'google',
-    })
-
-    const mockAccounts = [
-      {
-        id: 'credential-1',
-        userId: 'user-123',
-        providerId: 'google-default',
-        accountId: 'google-user-id',
-        updatedAt: new Date('2024-01-01'),
-        idToken: 'mock-jwt-token',
-      },
-    ]
-
-    mockJwtDecode.mockReturnValueOnce({
-      email: 'decoded@example.com',
-      name: 'Decoded User',
-    })
-
-    mockDb.select.mockReturnValueOnce(mockDb)
-    mockDb.from.mockReturnValueOnce(mockDb)
-    mockDb.where.mockResolvedValueOnce(mockAccounts)
-
-    const req = createMockRequestWithQuery('GET', '?provider=google')
+    const req = createMockRequestWithQuery('GET', '?provider=google-email')

    const { GET } = await import('@/app/api/auth/oauth/credentials/route')

@@ -238,31 +149,6 @@ describe('OAuth Credentials API Route', () => {
    const data = await response.json()

    expect(response.status).toBe(200)
-    expect(data.credentials[0].name).toBe('decoded@example.com')
-  })
-
-  it('should handle database error', async () => {
-    mockGetSession.mockResolvedValueOnce({
-      user: { id: 'user-123' },
-    })
-
-    mockParseProvider.mockReturnValueOnce({
-      baseProvider: 'google',
-    })
-
-    mockDb.select.mockReturnValueOnce(mockDb)
-    mockDb.from.mockReturnValueOnce(mockDb)
-    mockDb.where.mockRejectedValueOnce(new Error('Database error'))
-
-    const req = createMockRequestWithQuery('GET', '?provider=google')
-
-    const { GET } = await import('@/app/api/auth/oauth/credentials/route')
-
-    const response = await GET(req)
-    const data = await response.json()
-
-    expect(response.status).toBe(500)
-    expect(data.error).toBe('Internal server error')
-    expect(mockLogger.error).toHaveBeenCalled()
+    expect(data.credentials).toHaveLength(0)
  })
 })
--- a/apps/sim/app/api/auth/oauth/credentials/route.ts
+++ b/apps/sim/app/api/auth/oauth/credentials/route.ts
@@ -1,14 +1,15 @@
 import { db } from '@sim/db'
-import { account, user } from '@sim/db/schema'
+import { account, credential, credentialMember } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
-import { jwtDecode } from 'jwt-decode'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { evaluateScopeCoverage, type OAuthProvider, parseProvider } from '@/lib/oauth'
+import { syncWorkspaceOAuthCredentialsForUser } from '@/lib/credentials/oauth'
+import { evaluateScopeCoverage } from '@/lib/oauth'
 import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
+import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'

 export const dynamic = 'force-dynamic'

@@ -18,6 +19,7 @@ const credentialsQuerySchema = z
  .object({
    provider: z.string().nullish(),
    workflowId: z.string().uuid('Workflow ID must be a valid UUID').nullish(),
+    workspaceId: z.string().uuid('Workspace ID must be a valid UUID').nullish(),
    credentialId: z
      .string()
      .min(1, 'Credential ID must not be empty')
@@ -29,10 +31,30 @@ const credentialsQuerySchema = z
    path: ['provider'],
  })

-interface GoogleIdToken {
-  email?: string
-  sub?: string
-  name?: string
+function toCredentialResponse(
+  id: string,
+  displayName: string,
+  providerId: string,
+  updatedAt: Date,
+  scope: string | null
+) {
+  const storedScope = scope?.trim()
+  const grantedScopes = storedScope ? storedScope.split(/[\s,]+/).filter(Boolean) : []
+  const scopeEvaluation = evaluateScopeCoverage(providerId, grantedScopes)
+  const [_, featureType = 'default'] = providerId.split('-')
+
+  return {
+    id,
+    name: displayName,
+    provider: providerId,
+    lastUsed: updatedAt.toISOString(),
+    isDefault: featureType === 'default',
+    scopes: scopeEvaluation.grantedScopes,
+    canonicalScopes: scopeEvaluation.canonicalScopes,
+    missingScopes: scopeEvaluation.missingScopes,
+    extraScopes: scopeEvaluation.extraScopes,
+    requiresReauthorization: scopeEvaluation.requiresReauthorization,
+  }
 }

 /**
@@ -46,6 +68,7 @@ export async function GET(request: NextRequest) {
    const rawQuery = {
      provider: searchParams.get('provider'),
      workflowId: searchParams.get('workflowId'),
+      workspaceId: searchParams.get('workspaceId'),
      credentialId: searchParams.get('credentialId'),
    }

@@ -78,7 +101,7 @@ export async function GET(request: NextRequest) {
      )
    }

-    const { provider: providerParam, workflowId, credentialId } = parseResult.data
+    const { provider: providerParam, workflowId, workspaceId, credentialId } = parseResult.data

    // Authenticate requester (supports session and internal JWT)
    const authResult = await checkSessionOrInternalAuth(request)
@@ -88,7 +111,7 @@ export async function GET(request: NextRequest) {
    }
    const requesterUserId = authResult.userId

-    const effectiveUserId = requesterUserId
+    let effectiveWorkspaceId = workspaceId ?? undefined
    if (workflowId) {
      const workflowAuthorization = await authorizeWorkflowByWorkspacePermission({
        workflowId,
@@ -106,105 +129,125 @@ export async function GET(request: NextRequest) {
          { status: workflowAuthorization.status }
        )
      }
+      effectiveWorkspaceId = workflowAuthorization.workflow?.workspaceId || undefined
    }

-    // Parse the provider to get base provider and feature type (if provider is present)
-    const { baseProvider } = parseProvider((providerParam || 'google') as OAuthProvider)
-
-    let accountsData
-
-    if (credentialId && workflowId) {
-      // When both workflowId and credentialId are provided, fetch by ID only.
-      // Workspace authorization above already proves access; the credential
-      // may belong to another workspace member (e.g. for display name resolution).
-      accountsData = await db.select().from(account).where(eq(account.id, credentialId))
-    } else if (credentialId) {
-      accountsData = await db
-        .select()
-        .from(account)
-        .where(and(eq(account.userId, effectiveUserId), eq(account.id, credentialId)))
-    } else {
-      // Fetch all credentials for provider and effective user
-      accountsData = await db
-        .select()
-        .from(account)
-        .where(and(eq(account.userId, effectiveUserId), eq(account.providerId, providerParam!)))
+    if (effectiveWorkspaceId) {
+      const workspaceAccess = await checkWorkspaceAccess(effectiveWorkspaceId, requesterUserId)
+      if (!workspaceAccess.hasAccess) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
    }

-    // Transform accounts into credentials
-    const credentials = await Promise.all(
-      accountsData.map(async (acc) => {
-        // Extract the feature type from providerId (e.g., 'google-default' -> 'default')
-        const [_, featureType = 'default'] = acc.providerId.split('-')
+    if (credentialId) {
+      const [platformCredential] = await db
+        .select({
+          id: credential.id,
+          workspaceId: credential.workspaceId,
+          type: credential.type,
+          displayName: credential.displayName,
+          providerId: credential.providerId,
+          accountId: credential.accountId,
+          accountProviderId: account.providerId,
+          accountScope: account.scope,
+          accountUpdatedAt: account.updatedAt,
+        })
+        .from(credential)
+        .leftJoin(account, eq(credential.accountId, account.id))
+        .where(eq(credential.id, credentialId))
+        .limit(1)

-        // Try multiple methods to get a user-friendly display name
-        let displayName = ''
+      if (platformCredential) {
+        if (platformCredential.type !== 'oauth' || !platformCredential.accountId) {
+          return NextResponse.json({ credentials: [] }, { status: 200 })
+        }

-        // Method 1: Try to extract email from ID token (works for Google, etc.)
-        if (acc.idToken) {
-          try {
-            const decoded = jwtDecode<GoogleIdToken>(acc.idToken)
-            if (decoded.email) {
-              displayName = decoded.email
-            } else if (decoded.name) {
-              displayName = decoded.name
-            }
-          } catch (_error) {
-            logger.warn(`[${requestId}] Error decoding ID token`, {
-              accountId: acc.id,
-            })
+        if (workflowId) {
+          if (!effectiveWorkspaceId || platformCredential.workspaceId !== effectiveWorkspaceId) {
+            return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+          }
+        } else {
+          const [membership] = await db
+            .select({ id: credentialMember.id })
+            .from(credentialMember)
+            .where(
+              and(
+                eq(credentialMember.credentialId, platformCredential.id),
+                eq(credentialMember.userId, requesterUserId),
+                eq(credentialMember.status, 'active')
+              )
+            )
+            .limit(1)
+
+          if (!membership) {
+            return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
          }
        }

-        // Method 2: For GitHub, the accountId might be the username
-        if (!displayName && baseProvider === 'github') {
-          displayName = `${acc.accountId} (GitHub)`
+        if (!platformCredential.accountProviderId || !platformCredential.accountUpdatedAt) {
+          return NextResponse.json({ credentials: [] }, { status: 200 })
        }

-        // Method 3: Try to get the user's email from our database
-        if (!displayName) {
-          try {
-            const userRecord = await db
-              .select({ email: user.email })
-              .from(user)
-              .where(eq(user.id, acc.userId))
-              .limit(1)
+        return NextResponse.json(
+          {
+            credentials: [
+              toCredentialResponse(
+                platformCredential.id,
+                platformCredential.displayName,
+                platformCredential.accountProviderId,
+                platformCredential.accountUpdatedAt,
+                platformCredential.accountScope
+              ),
+            ],
+          },
+          { status: 200 }
+        )
+      }
+    }

-            if (userRecord.length > 0) {
-              displayName = userRecord[0].email
-            }
-          } catch (_error) {
-            logger.warn(`[${requestId}] Error fetching user email`, {
-              userId: acc.userId,
-            })
-          }
-        }
-
-        // Fallback: Use accountId with provider type as context
-        if (!displayName) {
-          displayName = `${acc.accountId} (${baseProvider})`
-        }
-
-        const storedScope = acc.scope?.trim()
-        const grantedScopes = storedScope ? storedScope.split(/[\s,]+/).filter(Boolean) : []
-        const scopeEvaluation = evaluateScopeCoverage(acc.providerId, grantedScopes)
-
-        return {
-          id: acc.id,
-          name: displayName,
-          provider: acc.providerId,
-          lastUsed: acc.updatedAt.toISOString(),
-          isDefault: featureType === 'default',
-          scopes: scopeEvaluation.grantedScopes,
-          canonicalScopes: scopeEvaluation.canonicalScopes,
-          missingScopes: scopeEvaluation.missingScopes,
-          extraScopes: scopeEvaluation.extraScopes,
-          requiresReauthorization: scopeEvaluation.requiresReauthorization,
-        }
+    if (effectiveWorkspaceId && providerParam) {
+      await syncWorkspaceOAuthCredentialsForUser({
+        workspaceId: effectiveWorkspaceId,
+        userId: requesterUserId,
      })
-    )

-    return NextResponse.json({ credentials }, { status: 200 })
+      const credentialsData = await db
+        .select({
+          id: credential.id,
+          displayName: credential.displayName,
+          providerId: account.providerId,
+          scope: account.scope,
+          updatedAt: account.updatedAt,
+        })
+        .from(credential)
+        .innerJoin(account, eq(credential.accountId, account.id))
+        .innerJoin(
+          credentialMember,
+          and(
+            eq(credentialMember.credentialId, credential.id),
+            eq(credentialMember.userId, requesterUserId),
+            eq(credentialMember.status, 'active')
+          )
+        )
+        .where(
+          and(
+            eq(credential.workspaceId, effectiveWorkspaceId),
+            eq(credential.type, 'oauth'),
+            eq(account.providerId, providerParam)
+          )
+        )
+
+      return NextResponse.json(
+        {
+          credentials: credentialsData.map((row) =>
+            toCredentialResponse(row.id, row.displayName, row.providerId, row.updatedAt, row.scope)
+          ),
+        },
+        { status: 200 }
+      )
+    }
+
+    return NextResponse.json({ credentials: [] }, { status: 200 })
  } catch (error) {
    logger.error(`[${requestId}] Error fetching OAuth credentials`, error)
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
--- a/apps/sim/app/api/auth/oauth/disconnect/route.ts
+++ b/apps/sim/app/api/auth/oauth/disconnect/route.ts
@@ -16,6 +16,7 @@ const logger = createLogger('OAuthDisconnectAPI')
 const disconnectSchema = z.object({
  provider: z.string({ required_error: 'Provider is required' }).min(1, 'Provider is required'),
  providerId: z.string().optional(),
+  accountId: z.string().optional(),
 })

 /**
@@ -51,15 +52,20 @@ export async function POST(request: NextRequest) {
      )
    }

-    const { provider, providerId } = parseResult.data
+    const { provider, providerId, accountId } = parseResult.data

    logger.info(`[${requestId}] Processing OAuth disconnect request`, {
      provider,
      hasProviderId: !!providerId,
    })

-    // If a specific providerId is provided, delete only that account
-    if (providerId) {
+    // If a specific account row ID is provided, delete that exact account
+    if (accountId) {
+      await db
+        .delete(account)
+        .where(and(eq(account.userId, session.user.id), eq(account.id, accountId)))
+    } else if (providerId) {
+      // If a specific providerId is provided, delete accounts for that provider ID
      await db
        .delete(account)
        .where(and(eq(account.userId, session.user.id), eq(account.providerId, providerId)))
--- a/apps/sim/app/api/auth/oauth/microsoft/file/route.ts
+++ b/apps/sim/app/api/auth/oauth/microsoft/file/route.ts
@@ -38,13 +38,18 @@ export async function GET(request: NextRequest) {
      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status })
    }

-    const credential = await getCredential(requestId, credentialId, authz.credentialOwnerUserId)
+    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
+    const credential = await getCredential(
+      requestId,
+      resolvedCredentialId,
+      authz.credentialOwnerUserId
+    )
    if (!credential) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }

    const accessToken = await refreshAccessTokenIfNeeded(
-      credentialId,
+      resolvedCredentialId,
      authz.credentialOwnerUserId,
      requestId
    )
--- a/apps/sim/app/api/auth/oauth/microsoft/files/route.ts
+++ b/apps/sim/app/api/auth/oauth/microsoft/files/route.ts
@@ -37,14 +37,19 @@ export async function GET(request: NextRequest) {
      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status })
    }

-    const credential = await getCredential(requestId, credentialId, authz.credentialOwnerUserId)
+    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
+    const credential = await getCredential(
+      requestId,
+      resolvedCredentialId,
+      authz.credentialOwnerUserId
+    )
    if (!credential) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }

    // Refresh access token if needed using the utility function
    const accessToken = await refreshAccessTokenIfNeeded(
-      credentialId,
+      resolvedCredentialId,
      authz.credentialOwnerUserId,
      requestId
    )
--- a/apps/sim/app/api/auth/oauth/token/route.test.ts
+++ b/apps/sim/app/api/auth/oauth/token/route.test.ts
@@ -344,10 +344,11 @@ describe('OAuth Token API Routes', () => {
   */
  describe('GET handler', () => {
    it('should return access token successfully', async () => {
-      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
-        success: true,
+      mockAuthorizeCredentialUse.mockResolvedValueOnce({
+        ok: true,
        authType: 'session',
-        userId: 'test-user-id',
+        requesterUserId: 'test-user-id',
+        credentialOwnerUserId: 'test-user-id',
      })
      mockGetCredential.mockResolvedValueOnce({
        id: 'credential-id',
@@ -373,8 +374,8 @@ describe('OAuth Token API Routes', () => {
      expect(response.status).toBe(200)
      expect(data).toHaveProperty('accessToken', 'fresh-token')

-      expect(mockCheckSessionOrInternalAuth).toHaveBeenCalled()
-      expect(mockGetCredential).toHaveBeenCalledWith(mockRequestId, 'credential-id', 'test-user-id')
+      expect(mockAuthorizeCredentialUse).toHaveBeenCalled()
+      expect(mockGetCredential).toHaveBeenCalled()
      expect(mockRefreshTokenIfNeeded).toHaveBeenCalled()
    })

@@ -392,8 +393,8 @@ describe('OAuth Token API Routes', () => {
    })

    it('should handle authentication failure', async () => {
-      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
-        success: false,
+      mockAuthorizeCredentialUse.mockResolvedValueOnce({
+        ok: false,
        error: 'Authentication required',
      })

@@ -406,15 +407,16 @@ describe('OAuth Token API Routes', () => {
      const response = await GET(req as any)
      const data = await response.json()

-      expect(response.status).toBe(401)
+      expect(response.status).toBe(403)
      expect(data).toHaveProperty('error')
    })

    it('should handle credential not found', async () => {
-      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
-        success: true,
+      mockAuthorizeCredentialUse.mockResolvedValueOnce({
+        ok: true,
        authType: 'session',
-        userId: 'test-user-id',
+        requesterUserId: 'test-user-id',
+        credentialOwnerUserId: 'test-user-id',
      })
      mockGetCredential.mockResolvedValueOnce(undefined)

@@ -432,10 +434,11 @@ describe('OAuth Token API Routes', () => {
    })

    it('should handle missing access token', async () => {
-      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
-        success: true,
+      mockAuthorizeCredentialUse.mockResolvedValueOnce({
+        ok: true,
        authType: 'session',
-        userId: 'test-user-id',
+        requesterUserId: 'test-user-id',
+        credentialOwnerUserId: 'test-user-id',
      })
      mockGetCredential.mockResolvedValueOnce({
        id: 'credential-id',
@@ -458,10 +461,11 @@ describe('OAuth Token API Routes', () => {
    })

    it('should handle token refresh failure', async () => {
-      mockCheckSessionOrInternalAuth.mockResolvedValueOnce({
-        success: true,
+      mockAuthorizeCredentialUse.mockResolvedValueOnce({
+        ok: true,
        authType: 'session',
-        userId: 'test-user-id',
+        requesterUserId: 'test-user-id',
+        credentialOwnerUserId: 'test-user-id',
      })
      mockGetCredential.mockResolvedValueOnce({
        id: 'credential-id',
--- a/apps/sim/app/api/auth/oauth/token/route.ts
+++ b/apps/sim/app/api/auth/oauth/token/route.ts
@@ -110,23 +110,35 @@ export async function POST(request: NextRequest) {
      return NextResponse.json({ error: 'Credential ID is required' }, { status: 400 })
    }

+    const callerUserId = new URL(request.url).searchParams.get('userId') || undefined
+
    const authz = await authorizeCredentialUse(request, {
      credentialId,
      workflowId: workflowId ?? undefined,
      requireWorkflowIdForInternal: false,
+      callerUserId,
    })
    if (!authz.ok || !authz.credentialOwnerUserId) {
      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
    }

-    const credential = await getCredential(requestId, credentialId, authz.credentialOwnerUserId)
+    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
+    const credential = await getCredential(
+      requestId,
+      resolvedCredentialId,
+      authz.credentialOwnerUserId
+    )

    if (!credential) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }

    try {
-      const { accessToken } = await refreshTokenIfNeeded(requestId, credential, credentialId)
+      const { accessToken } = await refreshTokenIfNeeded(
+        requestId,
+        credential,
+        resolvedCredentialId
+      )

      let instanceUrl: string | undefined
      if (credential.providerId === 'salesforce' && credential.scope) {
@@ -186,13 +198,20 @@ export async function GET(request: NextRequest) {

    const { credentialId } = parseResult.data

-    // For GET requests, we only support session-based authentication
-    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
-    if (!auth.success || auth.authType !== 'session' || !auth.userId) {
-      return NextResponse.json({ error: 'User not authenticated' }, { status: 401 })
+    const authz = await authorizeCredentialUse(request, {
+      credentialId,
+      requireWorkflowIdForInternal: false,
+    })
+    if (!authz.ok || authz.authType !== 'session' || !authz.credentialOwnerUserId) {
+      return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
    }

-    const credential = await getCredential(requestId, credentialId, auth.userId)
+    const resolvedCredentialId = authz.resolvedCredentialId || credentialId
+    const credential = await getCredential(
+      requestId,
+      resolvedCredentialId,
+      authz.credentialOwnerUserId
+    )

    if (!credential) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
@@ -204,7 +223,11 @@ export async function GET(request: NextRequest) {
    }

    try {
-      const { accessToken } = await refreshTokenIfNeeded(requestId, credential, credentialId)
+      const { accessToken } = await refreshTokenIfNeeded(
+        requestId,
+        credential,
+        resolvedCredentialId
+      )

      // For Salesforce, extract instanceUrl from the scope field
      let instanceUrl: string | undefined
--- a/apps/sim/app/api/auth/oauth/utils.test.ts
+++ b/apps/sim/app/api/auth/oauth/utils.test.ts
@@ -62,21 +62,23 @@ describe('OAuth Utils', () => {

  describe('getCredential', () => {
    it('should return credential when found', async () => {
-      const mockCredential = { id: 'credential-id', userId: 'test-user-id' }
-      const { mockFrom, mockWhere, mockLimit } = mockSelectChain([mockCredential])
+      const mockCredentialRow = { type: 'oauth', accountId: 'resolved-account-id' }
+      const mockAccountRow = { id: 'resolved-account-id', userId: 'test-user-id' }
+
+      mockSelectChain([mockCredentialRow])
+      mockSelectChain([mockAccountRow])

      const credential = await getCredential('request-id', 'credential-id', 'test-user-id')

-      expect(mockDb.select).toHaveBeenCalled()
-      expect(mockFrom).toHaveBeenCalled()
-      expect(mockWhere).toHaveBeenCalled()
-      expect(mockLimit).toHaveBeenCalledWith(1)
+      expect(mockDb.select).toHaveBeenCalledTimes(2)

-      expect(credential).toEqual(mockCredential)
+      expect(credential).toMatchObject(mockAccountRow)
+      expect(credential).toMatchObject({ resolvedCredentialId: 'resolved-account-id' })
    })

    it('should return undefined when credential is not found', async () => {
      mockSelectChain([])
+      mockSelectChain([])

      const credential = await getCredential('request-id', 'nonexistent-id', 'test-user-id')

@@ -158,15 +160,17 @@ describe('OAuth Utils', () => {

  describe('refreshAccessTokenIfNeeded', () => {
    it('should return valid access token without refresh if not expired', async () => {
-      const mockCredential = {
-        id: 'credential-id',
+      const mockCredentialRow = { type: 'oauth', accountId: 'account-id' }
+      const mockAccountRow = {
+        id: 'account-id',
        accessToken: 'valid-token',
        refreshToken: 'refresh-token',
        accessTokenExpiresAt: new Date(Date.now() + 3600 * 1000),
        providerId: 'google',
        userId: 'test-user-id',
      }
-      mockSelectChain([mockCredential])
+      mockSelectChain([mockCredentialRow])
+      mockSelectChain([mockAccountRow])

      const token = await refreshAccessTokenIfNeeded('credential-id', 'test-user-id', 'request-id')

@@ -175,15 +179,17 @@ describe('OAuth Utils', () => {
    })

    it('should refresh token when expired', async () => {
-      const mockCredential = {
-        id: 'credential-id',
+      const mockCredentialRow = { type: 'oauth', accountId: 'account-id' }
+      const mockAccountRow = {
+        id: 'account-id',
        accessToken: 'expired-token',
        refreshToken: 'refresh-token',
        accessTokenExpiresAt: new Date(Date.now() - 3600 * 1000),
        providerId: 'google',
        userId: 'test-user-id',
      }
-      mockSelectChain([mockCredential])
+      mockSelectChain([mockCredentialRow])
+      mockSelectChain([mockAccountRow])
      mockUpdateChain()

      mockRefreshOAuthToken.mockResolvedValueOnce({
@@ -201,6 +207,7 @@ describe('OAuth Utils', () => {

    it('should return null if credential not found', async () => {
      mockSelectChain([])
+      mockSelectChain([])

      const token = await refreshAccessTokenIfNeeded('nonexistent-id', 'test-user-id', 'request-id')

@@ -208,15 +215,17 @@ describe('OAuth Utils', () => {
    })

    it('should return null if refresh fails', async () => {
-      const mockCredential = {
-        id: 'credential-id',
+      const mockCredentialRow = { type: 'oauth', accountId: 'account-id' }
+      const mockAccountRow = {
+        id: 'account-id',
        accessToken: 'expired-token',
        refreshToken: 'refresh-token',
        accessTokenExpiresAt: new Date(Date.now() - 3600 * 1000),
        providerId: 'google',
        userId: 'test-user-id',
      }
-      mockSelectChain([mockCredential])
+      mockSelectChain([mockCredentialRow])
+      mockSelectChain([mockAccountRow])

      mockRefreshOAuthToken.mockResolvedValueOnce(null)

--- a/apps/sim/app/api/auth/oauth/utils.ts
+++ b/apps/sim/app/api/auth/oauth/utils.ts
@@ -1,5 +1,5 @@
 import { db } from '@sim/db'
-import { account, credentialSetMember } from '@sim/db/schema'
+import { account, credential, credentialSetMember } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, desc, eq, inArray } from 'drizzle-orm'
 import { refreshOAuthToken } from '@/lib/oauth'
@@ -25,6 +25,38 @@ interface AccountInsertData {
  accessTokenExpiresAt?: Date
 }

+/**
+ * Resolves a credential ID to its underlying account ID.
+ * If `credentialId` matches a `credential` row, returns its `accountId` and `workspaceId`.
+ * Otherwise assumes `credentialId` is already a raw `account.id` (legacy).
+ */
+export async function resolveOAuthAccountId(
+  credentialId: string
+): Promise<{ accountId: string; workspaceId?: string; usedCredentialTable: boolean } | null> {
+  const [credentialRow] = await db
+    .select({
+      type: credential.type,
+      accountId: credential.accountId,
+      workspaceId: credential.workspaceId,
+    })
+    .from(credential)
+    .where(eq(credential.id, credentialId))
+    .limit(1)
+
+  if (credentialRow) {
+    if (credentialRow.type !== 'oauth' || !credentialRow.accountId) {
+      return null
+    }
+    return {
+      accountId: credentialRow.accountId,
+      workspaceId: credentialRow.workspaceId,
+      usedCredentialTable: true,
+    }
+  }
+
+  return { accountId: credentialId, usedCredentialTable: false }
+}
+
 /**
 * Safely inserts an account record, handling duplicate constraint violations gracefully.
 * If a duplicate is detected (unique constraint violation), logs a warning and returns success.
@@ -52,10 +84,16 @@ export async function safeAccountInsert(
 * Get a credential by ID and verify it belongs to the user
 */
 export async function getCredential(requestId: string, credentialId: string, userId: string) {
+  const resolved = await resolveOAuthAccountId(credentialId)
+  if (!resolved) {
+    logger.warn(`[${requestId}] Credential is not an OAuth credential`)
+    return undefined
+  }
+
  const credentials = await db
    .select()
    .from(account)
-    .where(and(eq(account.id, credentialId), eq(account.userId, userId)))
+    .where(and(eq(account.id, resolved.accountId), eq(account.userId, userId)))
    .limit(1)

  if (!credentials.length) {
@@ -63,7 +101,10 @@ export async function getCredential(requestId: string, credentialId: string, use
    return undefined
  }

-  return credentials[0]
+  return {
+    ...credentials[0],
+    resolvedCredentialId: resolved.accountId,
+  }
 }

 export async function getOAuthToken(userId: string, providerId: string): Promise<string | null> {
@@ -238,7 +279,9 @@ export async function refreshAccessTokenIfNeeded(
      }

      // Update the token in the database
-      await db.update(account).set(updateData).where(eq(account.id, credentialId))
+      const resolvedCredentialId =
+        (credential as { resolvedCredentialId?: string }).resolvedCredentialId ?? credentialId
+      await db.update(account).set(updateData).where(eq(account.id, resolvedCredentialId))

      logger.info(`[${requestId}] Successfully refreshed access token for credential`)
      return refreshedToken.accessToken
@@ -274,6 +317,8 @@ export async function refreshTokenIfNeeded(
  credential: any,
  credentialId: string
 ): Promise<{ accessToken: string; refreshed: boolean }> {
+  const resolvedCredentialId = credential.resolvedCredentialId ?? credentialId
+
  // Decide if we should refresh: token missing OR expired
  const accessTokenExpiresAt = credential.accessTokenExpiresAt
  const refreshTokenExpiresAt = credential.refreshTokenExpiresAt
@@ -334,7 +379,7 @@ export async function refreshTokenIfNeeded(
      updateData.refreshTokenExpiresAt = getMicrosoftRefreshTokenExpiry()
    }

-    await db.update(account).set(updateData).where(eq(account.id, credentialId))
+    await db.update(account).set(updateData).where(eq(account.id, resolvedCredentialId))

    logger.info(`[${requestId}] Successfully refreshed access token`)
    return { accessToken: refreshedToken, refreshed: true }
@@ -343,7 +388,7 @@ export async function refreshTokenIfNeeded(
      `[${requestId}] Refresh attempt failed, checking if another concurrent request succeeded`
    )

-    const freshCredential = await getCredential(requestId, credentialId, credential.userId)
+    const freshCredential = await getCredential(requestId, resolvedCredentialId, credential.userId)
    if (freshCredential?.accessToken) {
      const freshExpiresAt = freshCredential.accessTokenExpiresAt
      const stillValid = !freshExpiresAt || freshExpiresAt > new Date()
--- a/apps/sim/app/api/auth/oauth/wealthbox/item/route.ts
+++ b/apps/sim/app/api/auth/oauth/wealthbox/item/route.ts
@@ -6,7 +6,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { validateEnum, validatePathSegment } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'

 export const dynamic = 'force-dynamic'

@@ -57,24 +57,41 @@ export async function GET(request: NextRequest) {
      return NextResponse.json({ error: itemIdValidation.error }, { status: 400 })
    }

-    const credentials = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+    const resolved = await resolveOAuthAccountId(credentialId)
+    if (!resolved) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+
+    if (resolved.workspaceId) {
+      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+      const perm = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        resolved.workspaceId
+      )
+      if (perm === null) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }
+
+    const credentials = await db
+      .select()
+      .from(account)
+      .where(eq(account.id, resolved.accountId))
+      .limit(1)

    if (!credentials.length) {
      logger.warn(`[${requestId}] Credential not found`, { credentialId })
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }

-    const credential = credentials[0]
+    const accountRow = credentials[0]

-    if (credential.userId !== session.user.id) {
-      logger.warn(`[${requestId}] Unauthorized credential access attempt`, {
-        credentialUserId: credential.userId,
-        requestUserId: session.user.id,
-      })
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
-    }
-
-    const accessToken = await refreshAccessTokenIfNeeded(credentialId, session.user.id, requestId)
+    const accessToken = await refreshAccessTokenIfNeeded(
+      resolved.accountId,
+      accountRow.userId,
+      requestId
+    )

    if (!accessToken) {
      logger.error(`[${requestId}] Failed to obtain valid access token`)
--- a/apps/sim/app/api/auth/oauth/wealthbox/items/route.ts
+++ b/apps/sim/app/api/auth/oauth/wealthbox/items/route.ts
@@ -5,7 +5,7 @@ import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'

 export const dynamic = 'force-dynamic'

@@ -47,27 +47,41 @@ export async function GET(request: NextRequest) {
      )
    }

-    // Get the credential from the database
-    const credentials = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+    const resolved = await resolveOAuthAccountId(credentialId)
+    if (!resolved) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+
+    if (resolved.workspaceId) {
+      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+      const perm = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        resolved.workspaceId
+      )
+      if (perm === null) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }
+
+    const credentials = await db
+      .select()
+      .from(account)
+      .where(eq(account.id, resolved.accountId))
+      .limit(1)

    if (!credentials.length) {
      logger.warn(`[${requestId}] Credential not found`, { credentialId })
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }

-    const credential = credentials[0]
+    const accountRow = credentials[0]

-    // Check if the credential belongs to the user
-    if (credential.userId !== session.user.id) {
-      logger.warn(`[${requestId}] Unauthorized credential access attempt`, {
-        credentialUserId: credential.userId,
-        requestUserId: session.user.id,
-      })
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
-    }
-
-    // Refresh access token if needed
-    const accessToken = await refreshAccessTokenIfNeeded(credentialId, session.user.id, requestId)
+    const accessToken = await refreshAccessTokenIfNeeded(
+      resolved.accountId,
+      accountRow.userId,
+      requestId
+    )

    if (!accessToken) {
      logger.error(`[${requestId}] Failed to obtain valid access token`)
--- a/apps/sim/app/api/auth/oauth2/authorize-params/route.ts
+++ b/apps/sim/app/api/auth/oauth2/authorize-params/route.ts
@@ -0,0 +1,59 @@
+import { db } from '@sim/db'
+import { verification } from '@sim/db/schema'
+import { and, eq, gt } from 'drizzle-orm'
+import type { NextRequest } from 'next/server'
+import { NextResponse } from 'next/server'
+import { getSession } from '@/lib/auth'
+
+/**
+ * Returns the original OAuth authorize parameters stored in the verification record
+ * for a given consent code. Used by the consent page to reconstruct the authorize URL
+ * when switching accounts.
+ */
+export async function GET(request: NextRequest) {
+  const session = await getSession()
+  if (!session?.user) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const consentCode = request.nextUrl.searchParams.get('consent_code')
+  if (!consentCode) {
+    return NextResponse.json({ error: 'consent_code is required' }, { status: 400 })
+  }
+
+  const [record] = await db
+    .select({ value: verification.value })
+    .from(verification)
+    .where(and(eq(verification.identifier, consentCode), gt(verification.expiresAt, new Date())))
+    .limit(1)
+
+  if (!record) {
+    return NextResponse.json({ error: 'Invalid or expired consent code' }, { status: 404 })
+  }
+
+  const data = JSON.parse(record.value) as {
+    clientId: string
+    redirectURI: string
+    scope: string[]
+    userId: string
+    codeChallenge: string
+    codeChallengeMethod: string
+    state: string | null
+    nonce: string | null
+  }
+
+  if (data.userId !== session.user.id) {
+    return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+  }
+
+  return NextResponse.json({
+    client_id: data.clientId,
+    redirect_uri: data.redirectURI,
+    scope: data.scope.join(' '),
+    code_challenge: data.codeChallenge,
+    code_challenge_method: data.codeChallengeMethod,
+    state: data.state,
+    nonce: data.nonce,
+    response_type: 'code',
+  })
+}
--- a/apps/sim/app/api/auth/oauth2/shopify/store/route.ts
+++ b/apps/sim/app/api/auth/oauth2/shopify/store/route.ts
@@ -48,16 +48,21 @@ export async function GET(request: NextRequest) {

    const shopData = await shopResponse.json()
    const shopInfo = shopData.shop
+    const stableAccountId = shopInfo.id?.toString() || shopDomain

    const existing = await db.query.account.findFirst({
-      where: and(eq(account.userId, session.user.id), eq(account.providerId, 'shopify')),
+      where: and(
+        eq(account.userId, session.user.id),
+        eq(account.providerId, 'shopify'),
+        eq(account.accountId, stableAccountId)
+      ),
    })

    const now = new Date()

    const accountData = {
      accessToken: accessToken,
-      accountId: shopInfo.id?.toString() || shopDomain,
+      accountId: stableAccountId,
      scope: scope || '',
      updatedAt: now,
      idToken: shopDomain,
--- a/apps/sim/app/api/auth/trello/store/route.ts
+++ b/apps/sim/app/api/auth/trello/store/route.ts
@@ -52,7 +52,11 @@ export async function POST(request: NextRequest) {
    const trelloUser = await userResponse.json()

    const existing = await db.query.account.findFirst({
-      where: and(eq(account.userId, session.user.id), eq(account.providerId, 'trello')),
+      where: and(
+        eq(account.userId, session.user.id),
+        eq(account.providerId, 'trello'),
+        eq(account.accountId, trelloUser.id)
+      ),
    })

    const now = new Date()
--- a/apps/sim/app/api/billing/update-cost/route.ts
+++ b/apps/sim/app/api/billing/update-cost/route.ts
@@ -33,7 +33,6 @@ export async function POST(req: NextRequest) {
    logger.info(`[${requestId}] Update cost request started`)

    if (!isBillingEnabled) {
-      logger.debug(`[${requestId}] Billing is disabled, skipping cost update`)
      return NextResponse.json({
        success: true,
        message: 'Billing disabled, cost update skipped',
--- a/apps/sim/app/api/chat/[identifier]/otp/route.ts
+++ b/apps/sim/app/api/chat/[identifier]/otp/route.ts
@@ -117,8 +117,6 @@ export async function POST(
  const requestId = generateRequestId()

  try {
-    logger.debug(`[${requestId}] Processing OTP request for identifier: ${identifier}`)
-
    const body = await request.json()
    const { email } = otpRequestSchema.parse(body)

@@ -211,8 +209,6 @@ export async function PUT(
  const requestId = generateRequestId()

  try {
-    logger.debug(`[${requestId}] Verifying OTP for identifier: ${identifier}`)
-
    const body = await request.json()
    const { email, otp } = otpVerifySchema.parse(body)

--- a/apps/sim/app/api/chat/[identifier]/route.ts
+++ b/apps/sim/app/api/chat/[identifier]/route.ts
@@ -42,8 +42,6 @@ export async function POST(
  const requestId = generateRequestId()

  try {
-    logger.debug(`[${requestId}] Processing chat request for identifier: ${identifier}`)
-
    let parsedBody
    try {
      const rawBody = await request.json()
@@ -294,8 +292,6 @@ export async function GET(
  const requestId = generateRequestId()

  try {
-    logger.debug(`[${requestId}] Fetching chat info for identifier: ${identifier}`)
-
    const deploymentResult = await db
      .select({
        id: chat.id,
--- a/apps/sim/app/api/creators/route.ts
+++ b/apps/sim/app/api/creators/route.ts
@@ -95,11 +95,6 @@ export async function POST(request: NextRequest) {
    const body = await request.json()
    const data = CreateCreatorProfileSchema.parse(body)

-    logger.debug(`[${requestId}] Creating creator profile:`, {
-      referenceType: data.referenceType,
-      referenceId: data.referenceId,
-    })
-
    // Validate permissions
    if (data.referenceType === 'user') {
      if (data.referenceId !== session.user.id) {
--- a/apps/sim/app/api/credential-sets/[id]/invite/[invitationId]/route.ts
+++ b/apps/sim/app/api/credential-sets/[id]/invite/[invitationId]/route.ts
@@ -150,6 +150,7 @@ export async function POST(
    })

    recordAudit({
+      workspaceId: null,
      actorId: session.user.id,
      actorName: session.user.name,
      actorEmail: session.user.email,
@@ -158,7 +159,7 @@ export async function POST(
      resourceId: id,
      resourceName: result.set.name,
      description: `Resent credential set invitation to ${invitation.email}`,
-      metadata: { invitationId, email: invitation.email },
+      metadata: { invitationId, targetEmail: invitation.email },
      request: req,
    })

--- a/apps/sim/app/api/credential-sets/[id]/invite/route.ts
+++ b/apps/sim/app/api/credential-sets/[id]/invite/route.ts
@@ -186,6 +186,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
      actorEmail: session.user.email ?? undefined,
      resourceName: result.set.name,
      description: `Created invitation for credential set "${result.set.name}"${email ? ` to ${email}` : ''}`,
+      metadata: { targetEmail: email || undefined },
      request: req,
    })

@@ -239,7 +240,7 @@ export async function DELETE(req: NextRequest, { params }: { params: Promise<{ i
      return NextResponse.json({ error: 'Admin or owner permissions required' }, { status: 403 })
    }

-    await db
+    const [revokedInvitation] = await db
      .update(credentialSetInvitation)
      .set({ status: 'cancelled' })
      .where(
@@ -248,6 +249,7 @@ export async function DELETE(req: NextRequest, { params }: { params: Promise<{ i
          eq(credentialSetInvitation.credentialSetId, id)
        )
      )
+      .returning({ email: credentialSetInvitation.email })

    recordAudit({
      workspaceId: null,
@@ -259,6 +261,7 @@ export async function DELETE(req: NextRequest, { params }: { params: Promise<{ i
      actorEmail: session.user.email ?? undefined,
      resourceName: result.set.name,
      description: `Revoked invitation "${invitationId}" for credential set "${result.set.name}"`,
+      metadata: { targetEmail: revokedInvitation?.email ?? undefined },
      request: req,
    })

--- a/apps/sim/app/api/credential-sets/[id]/members/route.ts
+++ b/apps/sim/app/api/credential-sets/[id]/members/route.ts
@@ -151,8 +151,15 @@ export async function DELETE(req: NextRequest, { params }: { params: Promise<{ i
    }

    const [memberToRemove] = await db
-      .select()
+      .select({
+        id: credentialSetMember.id,
+        credentialSetId: credentialSetMember.credentialSetId,
+        userId: credentialSetMember.userId,
+        status: credentialSetMember.status,
+        email: user.email,
+      })
      .from(credentialSetMember)
+      .innerJoin(user, eq(credentialSetMember.userId, user.id))
      .where(and(eq(credentialSetMember.id, memberId), eq(credentialSetMember.credentialSetId, id)))
      .limit(1)

@@ -189,6 +196,7 @@ export async function DELETE(req: NextRequest, { params }: { params: Promise<{ i
      actorEmail: session.user.email ?? undefined,
      resourceName: result.set.name,
      description: `Removed member from credential set "${result.set.name}"`,
+      metadata: { targetEmail: memberToRemove.email ?? undefined },
      request: req,
    })

--- a/apps/sim/app/api/credentials/[id]/members/route.ts
+++ b/apps/sim/app/api/credentials/[id]/members/route.ts
@@ -0,0 +1,226 @@
+import { db } from '@sim/db'
+import { credential, credentialMember, user } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq } from 'drizzle-orm'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { getSession } from '@/lib/auth'
+import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
+
+const logger = createLogger('CredentialMembersAPI')
+
+interface RouteContext {
+  params: Promise<{ id: string }>
+}
+
+async function requireWorkspaceAdminMembership(credentialId: string, userId: string) {
+  const [cred] = await db
+    .select({ id: credential.id, workspaceId: credential.workspaceId })
+    .from(credential)
+    .where(eq(credential.id, credentialId))
+    .limit(1)
+
+  if (!cred) return null
+
+  const perm = await getUserEntityPermissions(userId, 'workspace', cred.workspaceId)
+  if (perm === null) return null
+
+  const [membership] = await db
+    .select({ role: credentialMember.role, status: credentialMember.status })
+    .from(credentialMember)
+    .where(
+      and(eq(credentialMember.credentialId, credentialId), eq(credentialMember.userId, userId))
+    )
+    .limit(1)
+
+  if (!membership || membership.status !== 'active' || membership.role !== 'admin') {
+    return null
+  }
+  return membership
+}
+
+export async function GET(_request: NextRequest, context: RouteContext) {
+  try {
+    const session = await getSession()
+    if (!session?.user?.id) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const { id: credentialId } = await context.params
+
+    const [cred] = await db
+      .select({ id: credential.id, workspaceId: credential.workspaceId })
+      .from(credential)
+      .where(eq(credential.id, credentialId))
+      .limit(1)
+
+    if (!cred) {
+      return NextResponse.json({ members: [] }, { status: 200 })
+    }
+
+    const callerPerm = await getUserEntityPermissions(
+      session.user.id,
+      'workspace',
+      cred.workspaceId
+    )
+    if (callerPerm === null) {
+      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+    }
+
+    const members = await db
+      .select({
+        id: credentialMember.id,
+        userId: credentialMember.userId,
+        role: credentialMember.role,
+        status: credentialMember.status,
+        joinedAt: credentialMember.joinedAt,
+        userName: user.name,
+        userEmail: user.email,
+      })
+      .from(credentialMember)
+      .innerJoin(user, eq(credentialMember.userId, user.id))
+      .where(eq(credentialMember.credentialId, credentialId))
+
+    return NextResponse.json({ members })
+  } catch (error) {
+    logger.error('Failed to fetch credential members', { error })
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+
+const addMemberSchema = z.object({
+  userId: z.string().min(1),
+  role: z.enum(['admin', 'member']).default('member'),
+})
+
+export async function POST(request: NextRequest, context: RouteContext) {
+  try {
+    const session = await getSession()
+    if (!session?.user?.id) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const { id: credentialId } = await context.params
+
+    const admin = await requireWorkspaceAdminMembership(credentialId, session.user.id)
+    if (!admin) {
+      return NextResponse.json({ error: 'Admin access required' }, { status: 403 })
+    }
+
+    const body = await request.json()
+    const parsed = addMemberSchema.safeParse(body)
+    if (!parsed.success) {
+      return NextResponse.json({ error: 'Invalid request body' }, { status: 400 })
+    }
+
+    const { userId, role } = parsed.data
+    const now = new Date()
+
+    const [existing] = await db
+      .select({ id: credentialMember.id, status: credentialMember.status })
+      .from(credentialMember)
+      .where(
+        and(eq(credentialMember.credentialId, credentialId), eq(credentialMember.userId, userId))
+      )
+      .limit(1)
+
+    if (existing) {
+      await db
+        .update(credentialMember)
+        .set({ role, status: 'active', updatedAt: now })
+        .where(eq(credentialMember.id, existing.id))
+      return NextResponse.json({ success: true })
+    }
+
+    await db.insert(credentialMember).values({
+      id: crypto.randomUUID(),
+      credentialId,
+      userId,
+      role,
+      status: 'active',
+      joinedAt: now,
+      invitedBy: session.user.id,
+      createdAt: now,
+      updatedAt: now,
+    })
+
+    return NextResponse.json({ success: true }, { status: 201 })
+  } catch (error) {
+    logger.error('Failed to add credential member', { error })
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+
+export async function DELETE(request: NextRequest, context: RouteContext) {
+  try {
+    const session = await getSession()
+    if (!session?.user?.id) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const { id: credentialId } = await context.params
+    const targetUserId = new URL(request.url).searchParams.get('userId')
+    if (!targetUserId) {
+      return NextResponse.json({ error: 'userId query parameter required' }, { status: 400 })
+    }
+
+    const admin = await requireWorkspaceAdminMembership(credentialId, session.user.id)
+    if (!admin) {
+      return NextResponse.json({ error: 'Admin access required' }, { status: 403 })
+    }
+
+    const [target] = await db
+      .select({
+        id: credentialMember.id,
+        role: credentialMember.role,
+      })
+      .from(credentialMember)
+      .where(
+        and(
+          eq(credentialMember.credentialId, credentialId),
+          eq(credentialMember.userId, targetUserId),
+          eq(credentialMember.status, 'active')
+        )
+      )
+      .limit(1)
+
+    if (!target) {
+      return NextResponse.json({ error: 'Member not found' }, { status: 404 })
+    }
+
+    const revoked = await db.transaction(async (tx) => {
+      if (target.role === 'admin') {
+        const activeAdmins = await tx
+          .select({ id: credentialMember.id })
+          .from(credentialMember)
+          .where(
+            and(
+              eq(credentialMember.credentialId, credentialId),
+              eq(credentialMember.role, 'admin'),
+              eq(credentialMember.status, 'active')
+            )
+          )
+
+        if (activeAdmins.length <= 1) {
+          return false
+        }
+      }
+
+      await tx
+        .update(credentialMember)
+        .set({ status: 'revoked', updatedAt: new Date() })
+        .where(eq(credentialMember.id, target.id))
+
+      return true
+    })
+
+    if (!revoked) {
+      return NextResponse.json({ error: 'Cannot remove the last admin' }, { status: 400 })
+    }
+
+    return NextResponse.json({ success: true })
+  } catch (error) {
+    logger.error('Failed to remove credential member', { error })
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
--- a/apps/sim/app/api/credentials/[id]/route.ts
+++ b/apps/sim/app/api/credentials/[id]/route.ts
@@ -0,0 +1,251 @@
+import { db } from '@sim/db'
+import { credential, credentialMember, environment, workspaceEnvironment } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq } from 'drizzle-orm'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { getSession } from '@/lib/auth'
+import { getCredentialActorContext } from '@/lib/credentials/access'
+import {
+  syncPersonalEnvCredentialsForUser,
+  syncWorkspaceEnvCredentials,
+} from '@/lib/credentials/environment'
+
+const logger = createLogger('CredentialByIdAPI')
+
+const updateCredentialSchema = z
+  .object({
+    displayName: z.string().trim().min(1).max(255).optional(),
+    description: z.string().trim().max(500).nullish(),
+  })
+  .strict()
+  .refine((data) => data.displayName !== undefined || data.description !== undefined, {
+    message: 'At least one field must be provided',
+    path: ['displayName'],
+  })
+
+async function getCredentialResponse(credentialId: string, userId: string) {
+  const [row] = await db
+    .select({
+      id: credential.id,
+      workspaceId: credential.workspaceId,
+      type: credential.type,
+      displayName: credential.displayName,
+      description: credential.description,
+      providerId: credential.providerId,
+      accountId: credential.accountId,
+      envKey: credential.envKey,
+      envOwnerUserId: credential.envOwnerUserId,
+      createdBy: credential.createdBy,
+      createdAt: credential.createdAt,
+      updatedAt: credential.updatedAt,
+      role: credentialMember.role,
+      status: credentialMember.status,
+    })
+    .from(credential)
+    .innerJoin(
+      credentialMember,
+      and(eq(credentialMember.credentialId, credential.id), eq(credentialMember.userId, userId))
+    )
+    .where(eq(credential.id, credentialId))
+    .limit(1)
+
+  return row ?? null
+}
+
+export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const { id } = await params
+
+  try {
+    const access = await getCredentialActorContext(id, session.user.id)
+    if (!access.credential) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+    if (!access.hasWorkspaceAccess || !access.member) {
+      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+    }
+
+    const row = await getCredentialResponse(id, session.user.id)
+    return NextResponse.json({ credential: row }, { status: 200 })
+  } catch (error) {
+    logger.error('Failed to fetch credential', error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+
+export async function PUT(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const { id } = await params
+
+  try {
+    const parseResult = updateCredentialSchema.safeParse(await request.json())
+    if (!parseResult.success) {
+      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
+    }
+
+    const access = await getCredentialActorContext(id, session.user.id)
+    if (!access.credential) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+    if (!access.hasWorkspaceAccess || !access.isAdmin) {
+      return NextResponse.json({ error: 'Credential admin permission required' }, { status: 403 })
+    }
+
+    const updates: Record<string, unknown> = {}
+
+    if (parseResult.data.description !== undefined) {
+      updates.description = parseResult.data.description ?? null
+    }
+
+    if (parseResult.data.displayName !== undefined && access.credential.type === 'oauth') {
+      updates.displayName = parseResult.data.displayName
+    }
+
+    if (Object.keys(updates).length === 0) {
+      if (access.credential.type === 'oauth') {
+        return NextResponse.json(
+          {
+            error: 'No updatable fields provided.',
+          },
+          { status: 400 }
+        )
+      }
+      return NextResponse.json(
+        {
+          error:
+            'Environment credentials cannot be updated via this endpoint. Use the environment value editor in credentials settings.',
+        },
+        { status: 400 }
+      )
+    }
+
+    updates.updatedAt = new Date()
+    await db.update(credential).set(updates).where(eq(credential.id, id))
+
+    const row = await getCredentialResponse(id, session.user.id)
+    return NextResponse.json({ credential: row }, { status: 200 })
+  } catch (error) {
+    logger.error('Failed to update credential', error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+
+export async function DELETE(
+  request: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const { id } = await params
+
+  try {
+    const access = await getCredentialActorContext(id, session.user.id)
+    if (!access.credential) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+    if (!access.hasWorkspaceAccess || !access.isAdmin) {
+      return NextResponse.json({ error: 'Credential admin permission required' }, { status: 403 })
+    }
+
+    if (access.credential.type === 'env_personal' && access.credential.envKey) {
+      const ownerUserId = access.credential.envOwnerUserId
+      if (!ownerUserId) {
+        return NextResponse.json({ error: 'Invalid personal secret owner' }, { status: 400 })
+      }
+
+      const [personalRow] = await db
+        .select({ variables: environment.variables })
+        .from(environment)
+        .where(eq(environment.userId, ownerUserId))
+        .limit(1)
+
+      const current = ((personalRow?.variables as Record<string, string> | null) ?? {}) as Record<
+        string,
+        string
+      >
+      if (access.credential.envKey in current) {
+        delete current[access.credential.envKey]
+      }
+
+      await db
+        .insert(environment)
+        .values({
+          id: ownerUserId,
+          userId: ownerUserId,
+          variables: current,
+          updatedAt: new Date(),
+        })
+        .onConflictDoUpdate({
+          target: [environment.userId],
+          set: { variables: current, updatedAt: new Date() },
+        })
+
+      await syncPersonalEnvCredentialsForUser({
+        userId: ownerUserId,
+        envKeys: Object.keys(current),
+      })
+
+      return NextResponse.json({ success: true }, { status: 200 })
+    }
+
+    if (access.credential.type === 'env_workspace' && access.credential.envKey) {
+      const [workspaceRow] = await db
+        .select({
+          id: workspaceEnvironment.id,
+          createdAt: workspaceEnvironment.createdAt,
+          variables: workspaceEnvironment.variables,
+        })
+        .from(workspaceEnvironment)
+        .where(eq(workspaceEnvironment.workspaceId, access.credential.workspaceId))
+        .limit(1)
+
+      const current = ((workspaceRow?.variables as Record<string, string> | null) ?? {}) as Record<
+        string,
+        string
+      >
+      if (access.credential.envKey in current) {
+        delete current[access.credential.envKey]
+      }
+
+      await db
+        .insert(workspaceEnvironment)
+        .values({
+          id: workspaceRow?.id || crypto.randomUUID(),
+          workspaceId: access.credential.workspaceId,
+          variables: current,
+          createdAt: workspaceRow?.createdAt || new Date(),
+          updatedAt: new Date(),
+        })
+        .onConflictDoUpdate({
+          target: [workspaceEnvironment.workspaceId],
+          set: { variables: current, updatedAt: new Date() },
+        })
+
+      await syncWorkspaceEnvCredentials({
+        workspaceId: access.credential.workspaceId,
+        envKeys: Object.keys(current),
+        actingUserId: session.user.id,
+      })
+
+      return NextResponse.json({ success: true }, { status: 200 })
+    }
+
+    await db.delete(credential).where(eq(credential.id, id))
+    return NextResponse.json({ success: true }, { status: 200 })
+  } catch (error) {
+    logger.error('Failed to delete credential', error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
--- a/apps/sim/app/api/credentials/draft/route.ts
+++ b/apps/sim/app/api/credentials/draft/route.ts
@@ -0,0 +1,116 @@
+import { db } from '@sim/db'
+import { credential, credentialMember, pendingCredentialDraft } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq, lt } from 'drizzle-orm'
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import { getSession } from '@/lib/auth'
+import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
+
+const logger = createLogger('CredentialDraftAPI')
+
+const DRAFT_TTL_MS = 15 * 60 * 1000
+
+const createDraftSchema = z.object({
+  workspaceId: z.string().min(1),
+  providerId: z.string().min(1),
+  displayName: z.string().min(1),
+  description: z.string().trim().max(500).optional(),
+  credentialId: z.string().min(1).optional(),
+})
+
+export async function POST(request: Request) {
+  try {
+    const session = await getSession()
+    if (!session?.user?.id) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const body = await request.json()
+    const parsed = createDraftSchema.safeParse(body)
+    if (!parsed.success) {
+      return NextResponse.json({ error: 'Invalid request body' }, { status: 400 })
+    }
+
+    const { workspaceId, providerId, displayName, description, credentialId } = parsed.data
+    const userId = session.user.id
+
+    const workspaceAccess = await checkWorkspaceAccess(workspaceId, userId)
+    if (!workspaceAccess.canWrite) {
+      return NextResponse.json({ error: 'Write permission required' }, { status: 403 })
+    }
+
+    if (credentialId) {
+      const [membership] = await db
+        .select({ role: credentialMember.role, status: credentialMember.status })
+        .from(credentialMember)
+        .innerJoin(credential, eq(credential.id, credentialMember.credentialId))
+        .where(
+          and(
+            eq(credentialMember.credentialId, credentialId),
+            eq(credentialMember.userId, userId),
+            eq(credentialMember.status, 'active'),
+            eq(credentialMember.role, 'admin'),
+            eq(credential.workspaceId, workspaceId)
+          )
+        )
+        .limit(1)
+
+      if (!membership) {
+        return NextResponse.json(
+          { error: 'Admin access required on the target credential' },
+          { status: 403 }
+        )
+      }
+    }
+
+    const now = new Date()
+
+    await db
+      .delete(pendingCredentialDraft)
+      .where(
+        and(eq(pendingCredentialDraft.userId, userId), lt(pendingCredentialDraft.expiresAt, now))
+      )
+
+    await db
+      .insert(pendingCredentialDraft)
+      .values({
+        id: crypto.randomUUID(),
+        userId,
+        workspaceId,
+        providerId,
+        displayName,
+        description: description || null,
+        credentialId: credentialId || null,
+        expiresAt: new Date(now.getTime() + DRAFT_TTL_MS),
+        createdAt: now,
+      })
+      .onConflictDoUpdate({
+        target: [
+          pendingCredentialDraft.userId,
+          pendingCredentialDraft.providerId,
+          pendingCredentialDraft.workspaceId,
+        ],
+        set: {
+          displayName,
+          description: description || null,
+          credentialId: credentialId || null,
+          expiresAt: new Date(now.getTime() + DRAFT_TTL_MS),
+          createdAt: now,
+        },
+      })
+
+    logger.info('Credential draft saved', {
+      userId,
+      workspaceId,
+      providerId,
+      displayName,
+      credentialId: credentialId || null,
+    })
+
+    return NextResponse.json({ success: true }, { status: 200 })
+  } catch (error) {
+    logger.error('Failed to save credential draft', { error })
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
--- a/apps/sim/app/api/credentials/memberships/route.ts
+++ b/apps/sim/app/api/credentials/memberships/route.ts
@@ -0,0 +1,120 @@
+import { db } from '@sim/db'
+import { credential, credentialMember } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq } from 'drizzle-orm'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { getSession } from '@/lib/auth'
+
+const logger = createLogger('CredentialMembershipsAPI')
+
+const leaveCredentialSchema = z.object({
+  credentialId: z.string().min(1),
+})
+
+export async function GET() {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  try {
+    const memberships = await db
+      .select({
+        membershipId: credentialMember.id,
+        credentialId: credential.id,
+        workspaceId: credential.workspaceId,
+        type: credential.type,
+        displayName: credential.displayName,
+        providerId: credential.providerId,
+        role: credentialMember.role,
+        status: credentialMember.status,
+        joinedAt: credentialMember.joinedAt,
+      })
+      .from(credentialMember)
+      .innerJoin(credential, eq(credentialMember.credentialId, credential.id))
+      .where(eq(credentialMember.userId, session.user.id))
+
+    return NextResponse.json({ memberships }, { status: 200 })
+  } catch (error) {
+    logger.error('Failed to list credential memberships', error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+
+export async function DELETE(request: NextRequest) {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  try {
+    const parseResult = leaveCredentialSchema.safeParse({
+      credentialId: new URL(request.url).searchParams.get('credentialId'),
+    })
+    if (!parseResult.success) {
+      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
+    }
+
+    const { credentialId } = parseResult.data
+    const [membership] = await db
+      .select()
+      .from(credentialMember)
+      .where(
+        and(
+          eq(credentialMember.credentialId, credentialId),
+          eq(credentialMember.userId, session.user.id)
+        )
+      )
+      .limit(1)
+
+    if (!membership) {
+      return NextResponse.json({ error: 'Membership not found' }, { status: 404 })
+    }
+
+    if (membership.status !== 'active') {
+      return NextResponse.json({ success: true }, { status: 200 })
+    }
+
+    const revoked = await db.transaction(async (tx) => {
+      if (membership.role === 'admin') {
+        const activeAdmins = await tx
+          .select({ id: credentialMember.id })
+          .from(credentialMember)
+          .where(
+            and(
+              eq(credentialMember.credentialId, credentialId),
+              eq(credentialMember.role, 'admin'),
+              eq(credentialMember.status, 'active')
+            )
+          )
+
+        if (activeAdmins.length <= 1) {
+          return false
+        }
+      }
+
+      await tx
+        .update(credentialMember)
+        .set({
+          status: 'revoked',
+          updatedAt: new Date(),
+        })
+        .where(eq(credentialMember.id, membership.id))
+
+      return true
+    })
+
+    if (!revoked) {
+      return NextResponse.json(
+        { error: 'Cannot leave credential as the last active admin' },
+        { status: 400 }
+      )
+    }
+
+    return NextResponse.json({ success: true }, { status: 200 })
+  } catch (error) {
+    logger.error('Failed to leave credential', error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
--- a/apps/sim/app/api/credentials/route.ts
+++ b/apps/sim/app/api/credentials/route.ts
@@ -0,0 +1,520 @@
+import { db } from '@sim/db'
+import { account, credential, credentialMember, workspace } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq } from 'drizzle-orm'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { getSession } from '@/lib/auth'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { getWorkspaceMemberUserIds } from '@/lib/credentials/environment'
+import { syncWorkspaceOAuthCredentialsForUser } from '@/lib/credentials/oauth'
+import { getServiceConfigByProviderId } from '@/lib/oauth'
+import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
+import { isValidEnvVarName } from '@/executor/constants'
+
+const logger = createLogger('CredentialsAPI')
+
+const credentialTypeSchema = z.enum(['oauth', 'env_workspace', 'env_personal'])
+
+function normalizeEnvKeyInput(raw: string): string {
+  const trimmed = raw.trim()
+  const wrappedMatch = /^\{\{\s*([A-Za-z0-9_]+)\s*\}\}$/.exec(trimmed)
+  return wrappedMatch ? wrappedMatch[1] : trimmed
+}
+
+const listCredentialsSchema = z.object({
+  workspaceId: z.string().uuid('Workspace ID must be a valid UUID'),
+  type: credentialTypeSchema.optional(),
+  providerId: z.string().optional(),
+  credentialId: z.string().optional(),
+})
+
+const createCredentialSchema = z
+  .object({
+    workspaceId: z.string().uuid('Workspace ID must be a valid UUID'),
+    type: credentialTypeSchema,
+    displayName: z.string().trim().min(1).max(255).optional(),
+    description: z.string().trim().max(500).optional(),
+    providerId: z.string().trim().min(1).optional(),
+    accountId: z.string().trim().min(1).optional(),
+    envKey: z.string().trim().min(1).optional(),
+    envOwnerUserId: z.string().trim().min(1).optional(),
+  })
+  .superRefine((data, ctx) => {
+    if (data.type === 'oauth') {
+      if (!data.accountId) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          message: 'accountId is required for oauth credentials',
+          path: ['accountId'],
+        })
+      }
+      if (!data.providerId) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          message: 'providerId is required for oauth credentials',
+          path: ['providerId'],
+        })
+      }
+      if (!data.displayName) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          message: 'displayName is required for oauth credentials',
+          path: ['displayName'],
+        })
+      }
+      return
+    }
+
+    const normalizedEnvKey = data.envKey ? normalizeEnvKeyInput(data.envKey) : ''
+    if (!normalizedEnvKey) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: 'envKey is required for env credentials',
+        path: ['envKey'],
+      })
+      return
+    }
+
+    if (!isValidEnvVarName(normalizedEnvKey)) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: 'envKey must contain only letters, numbers, and underscores',
+        path: ['envKey'],
+      })
+    }
+  })
+
+interface ExistingCredentialSourceParams {
+  workspaceId: string
+  type: 'oauth' | 'env_workspace' | 'env_personal'
+  accountId?: string | null
+  envKey?: string | null
+  envOwnerUserId?: string | null
+}
+
+async function findExistingCredentialBySource(params: ExistingCredentialSourceParams) {
+  const { workspaceId, type, accountId, envKey, envOwnerUserId } = params
+
+  if (type === 'oauth' && accountId) {
+    const [row] = await db
+      .select()
+      .from(credential)
+      .where(
+        and(
+          eq(credential.workspaceId, workspaceId),
+          eq(credential.type, 'oauth'),
+          eq(credential.accountId, accountId)
+        )
+      )
+      .limit(1)
+    return row ?? null
+  }
+
+  if (type === 'env_workspace' && envKey) {
+    const [row] = await db
+      .select()
+      .from(credential)
+      .where(
+        and(
+          eq(credential.workspaceId, workspaceId),
+          eq(credential.type, 'env_workspace'),
+          eq(credential.envKey, envKey)
+        )
+      )
+      .limit(1)
+    return row ?? null
+  }
+
+  if (type === 'env_personal' && envKey && envOwnerUserId) {
+    const [row] = await db
+      .select()
+      .from(credential)
+      .where(
+        and(
+          eq(credential.workspaceId, workspaceId),
+          eq(credential.type, 'env_personal'),
+          eq(credential.envKey, envKey),
+          eq(credential.envOwnerUserId, envOwnerUserId)
+        )
+      )
+      .limit(1)
+    return row ?? null
+  }
+
+  return null
+}
+
+export async function GET(request: NextRequest) {
+  const requestId = generateRequestId()
+  const session = await getSession()
+
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  try {
+    const { searchParams } = new URL(request.url)
+    const rawWorkspaceId = searchParams.get('workspaceId')
+    const rawType = searchParams.get('type')
+    const rawProviderId = searchParams.get('providerId')
+    const rawCredentialId = searchParams.get('credentialId')
+    const parseResult = listCredentialsSchema.safeParse({
+      workspaceId: rawWorkspaceId?.trim(),
+      type: rawType?.trim() || undefined,
+      providerId: rawProviderId?.trim() || undefined,
+      credentialId: rawCredentialId?.trim() || undefined,
+    })
+
+    if (!parseResult.success) {
+      logger.warn(`[${requestId}] Invalid credential list request`, {
+        workspaceId: rawWorkspaceId,
+        type: rawType,
+        providerId: rawProviderId,
+        errors: parseResult.error.errors,
+      })
+      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
+    }
+
+    const { workspaceId, type, providerId, credentialId: lookupCredentialId } = parseResult.data
+    const workspaceAccess = await checkWorkspaceAccess(workspaceId, session.user.id)
+
+    if (!workspaceAccess.hasAccess) {
+      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+    }
+
+    if (lookupCredentialId) {
+      let [row] = await db
+        .select({
+          id: credential.id,
+          displayName: credential.displayName,
+          type: credential.type,
+          providerId: credential.providerId,
+        })
+        .from(credential)
+        .where(and(eq(credential.id, lookupCredentialId), eq(credential.workspaceId, workspaceId)))
+        .limit(1)
+
+      if (!row) {
+        ;[row] = await db
+          .select({
+            id: credential.id,
+            displayName: credential.displayName,
+            type: credential.type,
+            providerId: credential.providerId,
+          })
+          .from(credential)
+          .where(
+            and(
+              eq(credential.accountId, lookupCredentialId),
+              eq(credential.workspaceId, workspaceId)
+            )
+          )
+          .limit(1)
+      }
+
+      return NextResponse.json({ credential: row ?? null })
+    }
+
+    if (!type || type === 'oauth') {
+      await syncWorkspaceOAuthCredentialsForUser({ workspaceId, userId: session.user.id })
+    }
+
+    const whereClauses = [eq(credential.workspaceId, workspaceId)]
+
+    if (type) {
+      whereClauses.push(eq(credential.type, type))
+    }
+    if (providerId) {
+      whereClauses.push(eq(credential.providerId, providerId))
+    }
+
+    const credentials = await db
+      .select({
+        id: credential.id,
+        workspaceId: credential.workspaceId,
+        type: credential.type,
+        displayName: credential.displayName,
+        description: credential.description,
+        providerId: credential.providerId,
+        accountId: credential.accountId,
+        envKey: credential.envKey,
+        envOwnerUserId: credential.envOwnerUserId,
+        createdBy: credential.createdBy,
+        createdAt: credential.createdAt,
+        updatedAt: credential.updatedAt,
+        role: credentialMember.role,
+      })
+      .from(credential)
+      .innerJoin(
+        credentialMember,
+        and(
+          eq(credentialMember.credentialId, credential.id),
+          eq(credentialMember.userId, session.user.id),
+          eq(credentialMember.status, 'active')
+        )
+      )
+      .where(and(...whereClauses))
+
+    return NextResponse.json({ credentials })
+  } catch (error) {
+    logger.error(`[${requestId}] Failed to list credentials`, error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
+
+export async function POST(request: NextRequest) {
+  const requestId = generateRequestId()
+  const session = await getSession()
+
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  try {
+    const body = await request.json()
+    const parseResult = createCredentialSchema.safeParse(body)
+
+    if (!parseResult.success) {
+      return NextResponse.json({ error: parseResult.error.errors[0]?.message }, { status: 400 })
+    }
+
+    const {
+      workspaceId,
+      type,
+      displayName,
+      description,
+      providerId,
+      accountId,
+      envKey,
+      envOwnerUserId,
+    } = parseResult.data
+
+    const workspaceAccess = await checkWorkspaceAccess(workspaceId, session.user.id)
+    if (!workspaceAccess.canWrite) {
+      return NextResponse.json({ error: 'Write permission required' }, { status: 403 })
+    }
+
+    let resolvedDisplayName = displayName?.trim() ?? ''
+    const resolvedDescription = description?.trim() || null
+    let resolvedProviderId: string | null = providerId ?? null
+    let resolvedAccountId: string | null = accountId ?? null
+    const resolvedEnvKey: string | null = envKey ? normalizeEnvKeyInput(envKey) : null
+    let resolvedEnvOwnerUserId: string | null = null
+
+    if (type === 'oauth') {
+      const [accountRow] = await db
+        .select({
+          id: account.id,
+          userId: account.userId,
+          providerId: account.providerId,
+          accountId: account.accountId,
+        })
+        .from(account)
+        .where(eq(account.id, accountId!))
+        .limit(1)
+
+      if (!accountRow) {
+        return NextResponse.json({ error: 'OAuth account not found' }, { status: 404 })
+      }
+
+      if (accountRow.userId !== session.user.id) {
+        return NextResponse.json(
+          { error: 'Only account owners can create oauth credentials for an account' },
+          { status: 403 }
+        )
+      }
+
+      if (providerId !== accountRow.providerId) {
+        return NextResponse.json(
+          { error: 'providerId does not match the selected OAuth account' },
+          { status: 400 }
+        )
+      }
+      if (!resolvedDisplayName) {
+        resolvedDisplayName =
+          getServiceConfigByProviderId(accountRow.providerId)?.name || accountRow.providerId
+      }
+    } else if (type === 'env_personal') {
+      resolvedEnvOwnerUserId = envOwnerUserId ?? session.user.id
+      if (resolvedEnvOwnerUserId !== session.user.id) {
+        return NextResponse.json(
+          { error: 'Only the current user can create personal env credentials for themselves' },
+          { status: 403 }
+        )
+      }
+      resolvedProviderId = null
+      resolvedAccountId = null
+      resolvedDisplayName = resolvedEnvKey || ''
+    } else {
+      resolvedProviderId = null
+      resolvedAccountId = null
+      resolvedEnvOwnerUserId = null
+      resolvedDisplayName = resolvedEnvKey || ''
+    }
+
+    if (!resolvedDisplayName) {
+      return NextResponse.json({ error: 'Display name is required' }, { status: 400 })
+    }
+
+    const existingCredential = await findExistingCredentialBySource({
+      workspaceId,
+      type,
+      accountId: resolvedAccountId,
+      envKey: resolvedEnvKey,
+      envOwnerUserId: resolvedEnvOwnerUserId,
+    })
+
+    if (existingCredential) {
+      const [membership] = await db
+        .select({
+          id: credentialMember.id,
+          status: credentialMember.status,
+          role: credentialMember.role,
+        })
+        .from(credentialMember)
+        .where(
+          and(
+            eq(credentialMember.credentialId, existingCredential.id),
+            eq(credentialMember.userId, session.user.id)
+          )
+        )
+        .limit(1)
+
+      if (!membership || membership.status !== 'active') {
+        return NextResponse.json(
+          { error: 'A credential with this source already exists in this workspace' },
+          { status: 409 }
+        )
+      }
+
+      const canUpdateExistingCredential = membership.role === 'admin'
+      const shouldUpdateDisplayName =
+        type === 'oauth' &&
+        resolvedDisplayName &&
+        resolvedDisplayName !== existingCredential.displayName
+      const shouldUpdateDescription =
+        typeof description !== 'undefined' &&
+        (existingCredential.description ?? null) !== resolvedDescription
+
+      if (canUpdateExistingCredential && (shouldUpdateDisplayName || shouldUpdateDescription)) {
+        await db
+          .update(credential)
+          .set({
+            ...(shouldUpdateDisplayName ? { displayName: resolvedDisplayName } : {}),
+            ...(shouldUpdateDescription ? { description: resolvedDescription } : {}),
+            updatedAt: new Date(),
+          })
+          .where(eq(credential.id, existingCredential.id))
+
+        const [updatedCredential] = await db
+          .select()
+          .from(credential)
+          .where(eq(credential.id, existingCredential.id))
+          .limit(1)
+
+        return NextResponse.json(
+          { credential: updatedCredential ?? existingCredential },
+          { status: 200 }
+        )
+      }
+
+      return NextResponse.json({ credential: existingCredential }, { status: 200 })
+    }
+
+    const now = new Date()
+    const credentialId = crypto.randomUUID()
+    const [workspaceRow] = await db
+      .select({ ownerId: workspace.ownerId })
+      .from(workspace)
+      .where(eq(workspace.id, workspaceId))
+      .limit(1)
+
+    await db.transaction(async (tx) => {
+      await tx.insert(credential).values({
+        id: credentialId,
+        workspaceId,
+        type,
+        displayName: resolvedDisplayName,
+        description: resolvedDescription,
+        providerId: resolvedProviderId,
+        accountId: resolvedAccountId,
+        envKey: resolvedEnvKey,
+        envOwnerUserId: resolvedEnvOwnerUserId,
+        createdBy: session.user.id,
+        createdAt: now,
+        updatedAt: now,
+      })
+
+      if (type === 'env_workspace' && workspaceRow?.ownerId) {
+        const workspaceUserIds = await getWorkspaceMemberUserIds(workspaceId)
+        if (workspaceUserIds.length > 0) {
+          for (const memberUserId of workspaceUserIds) {
+            await tx.insert(credentialMember).values({
+              id: crypto.randomUUID(),
+              credentialId,
+              userId: memberUserId,
+              role:
+                memberUserId === workspaceRow.ownerId || memberUserId === session.user.id
+                  ? 'admin'
+                  : 'member',
+              status: 'active',
+              joinedAt: now,
+              invitedBy: session.user.id,
+              createdAt: now,
+              updatedAt: now,
+            })
+          }
+        }
+      } else {
+        await tx.insert(credentialMember).values({
+          id: crypto.randomUUID(),
+          credentialId,
+          userId: session.user.id,
+          role: 'admin',
+          status: 'active',
+          joinedAt: now,
+          invitedBy: session.user.id,
+          createdAt: now,
+          updatedAt: now,
+        })
+      }
+    })
+
+    const [created] = await db
+      .select()
+      .from(credential)
+      .where(eq(credential.id, credentialId))
+      .limit(1)
+
+    return NextResponse.json({ credential: created }, { status: 201 })
+  } catch (error: any) {
+    if (error?.code === '23505') {
+      return NextResponse.json(
+        { error: 'A credential with this source already exists' },
+        { status: 409 }
+      )
+    }
+    if (error?.code === '23503') {
+      return NextResponse.json(
+        { error: 'Invalid credential reference or membership target' },
+        { status: 400 }
+      )
+    }
+    if (error?.code === '23514') {
+      return NextResponse.json(
+        { error: 'Credential source data failed validation checks' },
+        { status: 400 }
+      )
+    }
+    logger.error(`[${requestId}] Credential create failure details`, {
+      code: error?.code,
+      detail: error?.detail,
+      constraint: error?.constraint,
+      table: error?.table,
+      message: error?.message,
+    })
+    logger.error(`[${requestId}] Failed to create credential`, error)
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
--- a/apps/sim/app/api/cron/renew-subscriptions/route.ts
+++ b/apps/sim/app/api/cron/renew-subscriptions/route.ts
@@ -4,18 +4,27 @@ import { createLogger } from '@sim/logger'
 import { and, eq, or } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { verifyCronAuth } from '@/lib/auth/internal'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'

 const logger = createLogger('TeamsSubscriptionRenewal')

-async function getCredentialOwnerUserId(credentialId: string): Promise<string | null> {
+async function getCredentialOwner(
+  credentialId: string
+): Promise<{ userId: string; accountId: string } | null> {
+  const resolved = await resolveOAuthAccountId(credentialId)
+  if (!resolved) {
+    logger.error(`Failed to resolve OAuth account for credential ${credentialId}`)
+    return null
+  }
  const [credentialRecord] = await db
    .select({ userId: account.userId })
    .from(account)
-    .where(eq(account.id, credentialId))
+    .where(eq(account.id, resolved.accountId))
    .limit(1)

-  return credentialRecord?.userId ?? null
+  return credentialRecord
+    ? { userId: credentialRecord.userId, accountId: resolved.accountId }
+    : null
 }

 /**
@@ -88,8 +97,8 @@ export async function GET(request: NextRequest) {
          continue
        }

-        const credentialOwnerUserId = await getCredentialOwnerUserId(credentialId)
-        if (!credentialOwnerUserId) {
+        const credentialOwner = await getCredentialOwner(credentialId)
+        if (!credentialOwner) {
          logger.error(`Credential owner not found for credential ${credentialId}`)
          totalFailed++
          continue
@@ -97,8 +106,8 @@ export async function GET(request: NextRequest) {

        // Get fresh access token
        const accessToken = await refreshAccessTokenIfNeeded(
-          credentialId,
-          credentialOwnerUserId,
+          credentialOwner.accountId,
+          credentialOwner.userId,
          `renewal-${webhook.id}`
        )

--- a/apps/sim/app/api/environment/route.ts
+++ b/apps/sim/app/api/environment/route.ts
@@ -8,6 +8,7 @@ import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { decryptSecret, encryptSecret } from '@/lib/core/security/encryption'
 import { generateRequestId } from '@/lib/core/utils/request'
+import { syncPersonalEnvCredentialsForUser } from '@/lib/credentials/environment'
 import type { EnvironmentVariable } from '@/stores/settings/environment'

 const logger = createLogger('EnvironmentAPI')
@@ -54,6 +55,11 @@ export async function POST(req: NextRequest) {
          },
        })

+      await syncPersonalEnvCredentialsForUser({
+        userId: session.user.id,
+        envKeys: Object.keys(variables),
+      })
+
      recordAudit({
        actorId: session.user.id,
        actorName: session.user.name,
--- a/apps/sim/app/api/folders/[id]/duplicate/route.ts
+++ b/apps/sim/app/api/folders/[id]/duplicate/route.ts
@@ -148,6 +148,10 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
      actorEmail: session.user.email ?? undefined,
      resourceName: name,
      description: `Duplicated folder "${sourceFolder.name}" as "${name}"`,
+      metadata: {
+        sourceId: sourceFolder.id,
+        affected: { workflows: workflowStats.succeeded, folders: folderMapping.size },
+      },
      request: req,
    })

--- a/apps/sim/app/api/folders/[id]/route.ts
+++ b/apps/sim/app/api/folders/[id]/route.ts
@@ -178,6 +178,12 @@ export async function DELETE(
      resourceId: id,
      resourceName: existingFolder.name,
      description: `Deleted folder "${existingFolder.name}"`,
+      metadata: {
+        affected: {
+          workflows: deletionStats.workflows,
+          subfolders: deletionStats.folders - 1,
+        },
+      },
      request,
    })

--- a/apps/sim/app/api/form/[identifier]/route.ts
+++ b/apps/sim/app/api/form/[identifier]/route.ts
@@ -58,8 +58,6 @@ export async function POST(
  const requestId = generateRequestId()

  try {
-    logger.debug(`[${requestId}] Processing form submission for identifier: ${identifier}`)
-
    let parsedBody
    try {
      const rawBody = await request.json()
@@ -300,8 +298,6 @@ export async function GET(
  const requestId = generateRequestId()

  try {
-    logger.debug(`[${requestId}] Fetching form info for identifier: ${identifier}`)
-
    const deploymentResult = await db
      .select({
        id: form.id,
--- a/apps/sim/app/api/function/execute/route.test.ts
+++ b/apps/sim/app/api/function/execute/route.test.ts
@@ -211,7 +211,7 @@ describe('Function Execute API Route', () => {

    it.concurrent('should block SSRF attacks through secure fetch wrapper', async () => {
      expect(validateProxyUrl('http://169.254.169.254/latest/meta-data/').isValid).toBe(false)
-      expect(validateProxyUrl('http://127.0.0.1:8080/admin').isValid).toBe(false)
+      expect(validateProxyUrl('http://127.0.0.1:8080/admin').isValid).toBe(true)
      expect(validateProxyUrl('http://192.168.1.1/config').isValid).toBe(false)
      expect(validateProxyUrl('http://10.0.0.1/internal').isValid).toBe(false)
    })
--- a/apps/sim/app/api/help/route.ts
+++ b/apps/sim/app/api/help/route.ts
@@ -77,8 +77,6 @@ export async function POST(req: NextRequest) {
      }
    }

-    logger.debug(`[${requestId}] Help request includes ${images.length} images`)
-
    const userId = session.user.id
    let emailText = `
 Type: ${type}
--- a/apps/sim/app/api/knowledge/[id]/documents/[documentId]/route.ts
+++ b/apps/sim/app/api/knowledge/[id]/documents/[documentId]/route.ts
@@ -281,6 +281,7 @@ export async function DELETE(
      resourceId: documentId,
      resourceName: accessCheck.document?.filename,
      description: `Deleted document "${documentId}" from knowledge base "${knowledgeBaseId}"`,
+      metadata: { fileName: accessCheck.document?.filename },
      request: req,
    })

--- a/apps/sim/app/api/knowledge/[id]/documents/route.ts
+++ b/apps/sim/app/api/knowledge/[id]/documents/route.ts
@@ -255,6 +255,10 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
          resourceId: knowledgeBaseId,
          resourceName: `${createdDocuments.length} document(s)`,
          description: `Uploaded ${createdDocuments.length} document(s) to knowledge base "${knowledgeBaseId}"`,
+          metadata: {
+            fileCount: createdDocuments.length,
+            fileNames: createdDocuments.map((doc) => doc.filename),
+          },
          request: req,
        })

@@ -316,6 +320,11 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
          resourceId: knowledgeBaseId,
          resourceName: validatedData.filename,
          description: `Uploaded document "${validatedData.filename}" to knowledge base "${knowledgeBaseId}"`,
+          metadata: {
+            fileName: validatedData.filename,
+            fileType: validatedData.mimeType,
+            fileSize: validatedData.fileSize,
+          },
          request: req,
        })

--- a/apps/sim/app/api/knowledge/search/route.ts
+++ b/apps/sim/app/api/knowledge/search/route.ts
@@ -186,8 +186,6 @@ export async function POST(request: NextRequest) {
            valueTo: filter.valueTo,
          }
        })
-
-        logger.debug(`[${requestId}] Processed ${structuredFilters.length} structured filters`)
      }

      if (accessibleKbIds.length === 0) {
@@ -220,7 +218,6 @@ export async function POST(request: NextRequest) {

      if (!hasQuery && hasFilters) {
        // Tag-only search without vector similarity
-        logger.debug(`[${requestId}] Executing tag-only search with filters:`, structuredFilters)
        results = await handleTagOnlySearch({
          knowledgeBaseIds: accessibleKbIds,
          topK: validatedData.topK,
@@ -244,7 +241,6 @@ export async function POST(request: NextRequest) {
        })
      } else if (hasQuery && !hasFilters) {
        // Vector-only search
-        logger.debug(`[${requestId}] Executing vector-only search`)
        const strategy = getQueryStrategy(accessibleKbIds.length, validatedData.topK)
        const queryVector = JSON.stringify(await queryEmbeddingPromise)

--- a/apps/sim/app/api/knowledge/search/utils.ts
+++ b/apps/sim/app/api/knowledge/search/utils.ts
@@ -1,11 +1,8 @@
 import { db } from '@sim/db'
 import { document, embedding } from '@sim/db/schema'
-import { createLogger } from '@sim/logger'
 import { and, eq, inArray, isNull, sql } from 'drizzle-orm'
 import type { StructuredFilter } from '@/lib/knowledge/types'

-const logger = createLogger('KnowledgeSearchUtils')
-
 export async function getDocumentNamesByIds(
  documentIds: string[]
 ): Promise<Record<string, string>> {
@@ -140,17 +137,12 @@ function buildFilterCondition(filter: StructuredFilter, embeddingTable: any) {
  const { tagSlot, fieldType, operator, value, valueTo } = filter

  if (!isTagSlotKey(tagSlot)) {
-    logger.debug(`[getStructuredTagFilters] Unknown tag slot: ${tagSlot}`)
    return null
  }

  const column = embeddingTable[tagSlot]
  if (!column) return null

-  logger.debug(
-    `[getStructuredTagFilters] Processing ${tagSlot} (${fieldType}) ${operator} ${value}`
-  )
-
  // Handle text operators
  if (fieldType === 'text') {
    const stringValue = String(value)
@@ -208,7 +200,6 @@ function buildFilterCondition(filter: StructuredFilter, embeddingTable: any) {
    const dateStr = String(value)
    // Validate YYYY-MM-DD format
    if (!/^\d{4}-\d{2}-\d{2}$/.test(dateStr)) {
-      logger.debug(`[getStructuredTagFilters] Invalid date format: ${dateStr}, expected YYYY-MM-DD`)
      return null
    }

@@ -287,9 +278,6 @@ function getStructuredTagFilters(filters: StructuredFilter[], embeddingTable: an
      conditions.push(slotConditions[0])
    } else {
      // Multiple conditions for same slot - OR them together
-      logger.debug(
-        `[getStructuredTagFilters] OR'ing ${slotConditions.length} conditions for ${slot}`
-      )
      conditions.push(sql`(${sql.join(slotConditions, sql` OR `)})`)
    }
  }
@@ -380,8 +368,6 @@ export async function handleTagOnlySearch(params: SearchParams): Promise<SearchR
    throw new Error('Tag filters are required for tag-only search')
  }

-  logger.debug(`[handleTagOnlySearch] Executing tag-only search with filters:`, structuredFilters)
-
  const strategy = getQueryStrategy(knowledgeBaseIds.length, topK)
  const tagFilterConditions = getStructuredTagFilters(structuredFilters, embedding)

@@ -431,8 +417,6 @@ export async function handleVectorOnlySearch(params: SearchParams): Promise<Sear
    throw new Error('Query vector and distance threshold are required for vector-only search')
  }

-  logger.debug(`[handleVectorOnlySearch] Executing vector-only search`)
-
  const strategy = getQueryStrategy(knowledgeBaseIds.length, topK)

  const distanceExpr = sql<number>`${embedding.embedding} <=> ${queryVector}::vector`.as('distance')
@@ -489,23 +473,13 @@ export async function handleTagAndVectorSearch(params: SearchParams): Promise<Se
    throw new Error('Query vector and distance threshold are required for tag and vector search')
  }

-  logger.debug(
-    `[handleTagAndVectorSearch] Executing tag + vector search with filters:`,
-    structuredFilters
-  )
-
  // Step 1: Filter by tags first
  const tagFilteredIds = await executeTagFilterQuery(knowledgeBaseIds, structuredFilters)

  if (tagFilteredIds.length === 0) {
-    logger.debug(`[handleTagAndVectorSearch] No results found after tag filtering`)
    return []
  }

-  logger.debug(
-    `[handleTagAndVectorSearch] Found ${tagFilteredIds.length} results after tag filtering`
-  )
-
  // Step 2: Perform vector search only on tag-filtered results
  return await executeVectorSearchOnIds(
    tagFilteredIds.map((r) => r.id),
--- a/apps/sim/app/api/logs/execution/[executionId]/route.ts
+++ b/apps/sim/app/api/logs/execution/[executionId]/route.ts
@@ -34,10 +34,6 @@ export async function GET(

    const authenticatedUserId = authResult.userId

-    logger.debug(
-      `[${requestId}] Fetching execution data for: ${executionId} (auth: ${authResult.authType})`
-    )
-
    const [workflowLog] = await db
      .select({
        id: workflowExecutionLogs.id,
@@ -125,11 +121,6 @@ export async function GET(
      },
    }

-    logger.debug(`[${requestId}] Successfully fetched execution data for: ${executionId}`)
-    logger.debug(
-      `[${requestId}] Workflow state contains ${Object.keys((snapshot.stateData as any)?.blocks || {}).length} blocks`
-    )
-
    return NextResponse.json(response)
  } catch (error) {
    logger.error(`[${requestId}] Error fetching execution data:`, error)
--- a/apps/sim/app/api/mcp/copilot/.well-known/oauth-authorization-server/route.ts
+++ b/apps/sim/app/api/mcp/copilot/.well-known/oauth-authorization-server/route.ts
@@ -1,6 +1,6 @@
-import type { NextRequest, NextResponse } from 'next/server'
+import type { NextResponse } from 'next/server'
 import { createMcpAuthorizationServerMetadataResponse } from '@/lib/mcp/oauth-discovery'

-export async function GET(request: NextRequest): Promise<NextResponse> {
-  return createMcpAuthorizationServerMetadataResponse(request)
+export async function GET(): Promise<NextResponse> {
+  return createMcpAuthorizationServerMetadataResponse()
 }
--- a/apps/sim/app/api/mcp/copilot/.well-known/oauth-protected-resource/route.ts
+++ b/apps/sim/app/api/mcp/copilot/.well-known/oauth-protected-resource/route.ts
@@ -1,6 +1,6 @@
-import type { NextRequest, NextResponse } from 'next/server'
+import type { NextResponse } from 'next/server'
 import { createMcpProtectedResourceMetadataResponse } from '@/lib/mcp/oauth-discovery'

-export async function GET(request: NextRequest): Promise<NextResponse> {
-  return createMcpProtectedResourceMetadataResponse(request)
+export async function GET(): Promise<NextResponse> {
+  return createMcpProtectedResourceMetadataResponse()
 }
--- a/apps/sim/app/api/mcp/copilot/route.ts
+++ b/apps/sim/app/api/mcp/copilot/route.ts
@@ -16,6 +16,7 @@ import { userStats } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { eq, sql } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
+import { validateOAuthAccessToken } from '@/lib/auth/oauth-token'
 import { getHighestPrioritySubscription } from '@/lib/billing/core/subscription'
 import {
  ORCHESTRATION_TIMEOUT_MS,
@@ -31,6 +32,7 @@ import {
 import { DIRECT_TOOL_DEFS, SUBAGENT_TOOL_DEFS } from '@/lib/copilot/tools/mcp/definitions'
 import { env } from '@/lib/core/config/env'
 import { RateLimiter } from '@/lib/core/rate-limiter'
+import { getBaseUrl } from '@/lib/core/utils/urls'
 import {
  authorizeWorkflowByWorkspacePermission,
  resolveWorkflowIdForUser,
@@ -384,12 +386,14 @@ function buildMcpServer(abortSignal?: AbortSignal): Server {
      name: tool.name,
      description: tool.description,
      inputSchema: tool.inputSchema,
+      ...(tool.annotations && { annotations: tool.annotations }),
    }))

    const subagentTools = SUBAGENT_TOOL_DEFS.map((tool) => ({
      name: tool.name,
      description: tool.description,
      inputSchema: tool.inputSchema,
+      ...(tool.annotations && { annotations: tool.annotations }),
    }))

    const result: ListToolsResult = {
@@ -402,27 +406,51 @@ function buildMcpServer(abortSignal?: AbortSignal): Server {
  server.setRequestHandler(CallToolRequestSchema, async (request, extra) => {
    const headers = (extra.requestInfo?.headers || {}) as HeaderMap
    const apiKeyHeader = readHeader(headers, 'x-api-key')
+    const authorizationHeader = readHeader(headers, 'authorization')

-    if (!apiKeyHeader) {
-      return {
-        content: [
-          {
-            type: 'text' as const,
-            text: 'AUTHENTICATION ERROR: No Copilot API key provided. The user must set their Copilot API key in the x-api-key header. They can generate one in the Sim app under Settings → Copilot. Do NOT retry — this will fail until the key is configured.',
-          },
-        ],
-        isError: true,
+    let authResult: CopilotKeyAuthResult = { success: false }
+
+    if (authorizationHeader?.startsWith('Bearer ')) {
+      const token = authorizationHeader.slice(7)
+      const oauthResult = await validateOAuthAccessToken(token)
+      if (oauthResult.success && oauthResult.userId) {
+        if (!oauthResult.scopes?.includes('mcp:tools')) {
+          return {
+            content: [
+              {
+                type: 'text' as const,
+                text: 'AUTHENTICATION ERROR: OAuth token is missing the required "mcp:tools" scope. Re-authorize with the correct scopes.',
+              },
+            ],
+            isError: true,
+          }
+        }
+        authResult = { success: true, userId: oauthResult.userId }
+      } else {
+        return {
+          content: [
+            {
+              type: 'text' as const,
+              text: `AUTHENTICATION ERROR: ${oauthResult.error ?? 'Invalid OAuth access token'} Do NOT retry — re-authorize via OAuth.`,
+            },
+          ],
+          isError: true,
+        }
      }
+    } else if (apiKeyHeader) {
+      authResult = await authenticateCopilotApiKey(apiKeyHeader)
    }

-    const authResult = await authenticateCopilotApiKey(apiKeyHeader)
    if (!authResult.success || !authResult.userId) {
-      logger.warn('MCP copilot key auth failed', { method: request.method })
+      const errorMsg = apiKeyHeader
+        ? `AUTHENTICATION ERROR: ${authResult.error} Do NOT retry — this will fail until the user fixes their Copilot API key.`
+        : 'AUTHENTICATION ERROR: No authentication provided. Provide a Bearer token (OAuth 2.1) or an x-api-key header. Generate a Copilot API key in Settings → Copilot.'
+      logger.warn('MCP copilot auth failed', { method: request.method })
      return {
        content: [
          {
            type: 'text' as const,
-            text: `AUTHENTICATION ERROR: ${authResult.error} Do NOT retry — this will fail until the user fixes their Copilot API key.`,
+            text: errorMsg,
          },
        ],
        isError: true,
@@ -512,6 +540,20 @@ export async function GET() {
 }

 export async function POST(request: NextRequest) {
+  const hasAuth = request.headers.has('authorization') || request.headers.has('x-api-key')
+
+  if (!hasAuth) {
+    const origin = getBaseUrl().replace(/\/$/, '')
+    const resourceMetadataUrl = `${origin}/.well-known/oauth-protected-resource/api/mcp/copilot`
+    return new NextResponse(JSON.stringify({ error: 'unauthorized' }), {
+      status: 401,
+      headers: {
+        'WWW-Authenticate': `Bearer resource_metadata="${resourceMetadataUrl}", scope="mcp:tools"`,
+        'Content-Type': 'application/json',
+      },
+    })
+  }
+
  try {
    let parsedBody: unknown

@@ -532,6 +574,19 @@ export async function POST(request: NextRequest) {
  }
 }

+export async function OPTIONS() {
+  return new NextResponse(null, {
+    status: 204,
+    headers: {
+      'Access-Control-Allow-Origin': '*',
+      'Access-Control-Allow-Methods': 'GET, POST, OPTIONS, DELETE',
+      'Access-Control-Allow-Headers':
+        'Content-Type, Authorization, X-API-Key, X-Requested-With, Accept',
+      'Access-Control-Max-Age': '86400',
+    },
+  })
+}
+
 export async function DELETE(request: NextRequest) {
  void request
  return NextResponse.json(createError(0, -32000, 'Method not allowed.'), { status: 405 })
--- a/apps/sim/app/api/mcp/serve/[serverId]/route.ts
+++ b/apps/sim/app/api/mcp/serve/[serverId]/route.ts
@@ -23,6 +23,7 @@ import { type AuthResult, checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateInternalToken } from '@/lib/auth/internal'
 import { getMaxExecutionTimeout } from '@/lib/core/execution-limits'
 import { getInternalApiBaseUrl } from '@/lib/core/utils/urls'
+import { SIM_VIA_HEADER } from '@/lib/execution/call-chain'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'

 const logger = createLogger('WorkflowMcpServeAPI')
@@ -181,7 +182,8 @@ export async function POST(request: NextRequest, { params }: { params: Promise<R
          serverId,
          rpcParams as { name: string; arguments?: Record<string, unknown> },
          executeAuthContext,
-          server.isPublic ? server.createdBy : undefined
+          server.isPublic ? server.createdBy : undefined,
+          request.headers.get(SIM_VIA_HEADER)
        )

      default:
@@ -244,7 +246,8 @@ async function handleToolsCall(
  serverId: string,
  params: { name: string; arguments?: Record<string, unknown> } | undefined,
  executeAuthContext?: ExecuteAuthContext | null,
-  publicServerOwnerId?: string
+  publicServerOwnerId?: string,
+  simViaHeader?: string | null
 ): Promise<NextResponse> {
  try {
    if (!params?.name) {
@@ -300,6 +303,10 @@ async function handleToolsCall(
      }
    }

+    if (simViaHeader) {
+      headers[SIM_VIA_HEADER] = simViaHeader
+    }
+
    logger.info(`Executing workflow ${tool.workflowId} via MCP tool ${params.name}`)

    const response = await fetch(executeUrl, {
--- a/apps/sim/app/api/mcp/tools/execute/route.ts
+++ b/apps/sim/app/api/mcp/tools/execute/route.ts
@@ -83,7 +83,6 @@ export const POST = withMcpAuth('read')(
            serverId: serverId,
            serverName: 'provided-schema',
          } as McpTool
-          logger.debug(`[${requestId}] Using provided schema for ${toolName}, skipping discovery`)
        } else {
          const tools = await mcpService.discoverServerTools(userId, serverId, workspaceId)
          tool = tools.find((t) => t.name === toolName) ?? null
--- a/apps/sim/app/api/organizations/[id]/invitations/[invitationId]/route.ts
+++ b/apps/sim/app/api/organizations/[id]/invitations/[invitationId]/route.ts
@@ -11,6 +11,7 @@ import {
  user,
  userStats,
  type WorkspaceInvitationStatus,
+  workspaceEnvironment,
  workspaceInvitation,
 } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
@@ -24,6 +25,7 @@ import { hasAccessControlAccess } from '@/lib/billing'
 import { syncUsageLimitsFromSubscription } from '@/lib/billing/core/usage'
 import { requireStripeClient } from '@/lib/billing/stripe-client'
 import { getBaseUrl } from '@/lib/core/utils/urls'
+import { syncWorkspaceEnvCredentials } from '@/lib/credentials/environment'
 import { sendEmail } from '@/lib/messaging/email/mailer'

 const logger = createLogger('OrganizationInvitation')
@@ -496,6 +498,34 @@ export async function PUT(
      }
    })

+    if (status === 'accepted') {
+      const acceptedWsInvitations = await db
+        .select({ workspaceId: workspaceInvitation.workspaceId })
+        .from(workspaceInvitation)
+        .where(
+          and(
+            eq(workspaceInvitation.orgInvitationId, invitationId),
+            eq(workspaceInvitation.status, 'accepted' as WorkspaceInvitationStatus)
+          )
+        )
+
+      for (const wsInv of acceptedWsInvitations) {
+        const [wsEnvRow] = await db
+          .select({ variables: workspaceEnvironment.variables })
+          .from(workspaceEnvironment)
+          .where(eq(workspaceEnvironment.workspaceId, wsInv.workspaceId))
+          .limit(1)
+        const wsEnvKeys = Object.keys((wsEnvRow?.variables as Record<string, string>) || {})
+        if (wsEnvKeys.length > 0) {
+          await syncWorkspaceEnvCredentials({
+            workspaceId: wsInv.workspaceId,
+            envKeys: wsEnvKeys,
+            actingUserId: session.user.id,
+          })
+        }
+      }
+    }
+
    // Handle Pro subscription cancellation after transaction commits
    if (personalProToCancel) {
      try {
@@ -568,7 +598,12 @@ export async function PUT(
      actorName: session.user.name ?? undefined,
      actorEmail: session.user.email ?? undefined,
      description: `Organization invitation ${status} for ${orgInvitation.email}`,
-      metadata: { invitationId, email: orgInvitation.email, status },
+      metadata: {
+        invitationId,
+        targetEmail: orgInvitation.email,
+        targetRole: orgInvitation.role,
+        status,
+      },
      request: req,
    })

--- a/apps/sim/app/api/organizations/[id]/invitations/route.ts
+++ b/apps/sim/app/api/organizations/[id]/invitations/route.ts
@@ -423,7 +423,7 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
        actorEmail: session.user.email ?? undefined,
        resourceName: organizationEntry[0]?.name,
        description: `Invited ${inv.email} to organization as ${role}`,
-        metadata: { invitationId: inv.id, email: inv.email, role },
+        metadata: { invitationId: inv.id, targetEmail: inv.email, targetRole: role },
        request,
      })
    }
@@ -558,7 +558,7 @@ export async function DELETE(
      actorName: session.user.name ?? undefined,
      actorEmail: session.user.email ?? undefined,
      description: `Revoked organization invitation for ${result[0].email}`,
-      metadata: { invitationId, email: result[0].email },
+      metadata: { invitationId, targetEmail: result[0].email },
      request,
    })

--- a/apps/sim/app/api/organizations/[id]/members/[memberId]/route.ts
+++ b/apps/sim/app/api/organizations/[id]/members/[memberId]/route.ts
@@ -173,8 +173,15 @@ export async function PUT(
    }

    const targetMember = await db
-      .select()
+      .select({
+        id: member.id,
+        role: member.role,
+        userId: member.userId,
+        email: user.email,
+        name: user.name,
+      })
      .from(member)
+      .innerJoin(user, eq(member.userId, user.id))
      .where(and(eq(member.organizationId, organizationId), eq(member.userId, memberId)))
      .limit(1)

@@ -223,7 +230,12 @@ export async function PUT(
      actorName: session.user.name ?? undefined,
      actorEmail: session.user.email ?? undefined,
      description: `Changed role for member ${memberId} to ${role}`,
-      metadata: { targetUserId: memberId, newRole: role },
+      metadata: {
+        targetUserId: memberId,
+        targetEmail: targetMember[0].email ?? undefined,
+        targetName: targetMember[0].name ?? undefined,
+        changes: [{ field: 'role', from: targetMember[0].role, to: role }],
+      },
      request,
    })

@@ -286,8 +298,9 @@ export async function DELETE(
    }

    const targetMember = await db
-      .select({ id: member.id, role: member.role })
+      .select({ id: member.id, role: member.role, email: user.email, name: user.name })
      .from(member)
+      .innerJoin(user, eq(member.userId, user.id))
      .where(and(eq(member.organizationId, organizationId), eq(member.userId, targetUserId)))
      .limit(1)

@@ -331,7 +344,12 @@ export async function DELETE(
        session.user.id === targetUserId
          ? 'Left the organization'
          : `Removed member ${targetUserId} from organization`,
-      metadata: { targetUserId, wasSelfRemoval: session.user.id === targetUserId },
+      metadata: {
+        targetUserId,
+        targetEmail: targetMember[0].email ?? undefined,
+        targetName: targetMember[0].name ?? undefined,
+        wasSelfRemoval: session.user.id === targetUserId,
+      },
      request,
    })

--- a/apps/sim/app/api/organizations/[id]/members/route.ts
+++ b/apps/sim/app/api/organizations/[id]/members/route.ts
@@ -295,7 +295,7 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
      actorName: session.user.name ?? undefined,
      actorEmail: session.user.email ?? undefined,
      description: `Invited ${normalizedEmail} to organization as ${role}`,
-      metadata: { invitationId, email: normalizedEmail, role },
+      metadata: { invitationId, targetEmail: normalizedEmail, targetRole: role },
      request,
    })

--- a/apps/sim/app/api/permission-groups/[id]/members/route.ts
+++ b/apps/sim/app/api/permission-groups/[id]/members/route.ts
@@ -100,8 +100,9 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
    const { userId } = addMemberSchema.parse(body)

    const [orgMember] = await db
-      .select({ id: member.id })
+      .select({ id: member.id, email: user.email })
      .from(member)
+      .innerJoin(user, eq(member.userId, user.id))
      .where(and(eq(member.userId, userId), eq(member.organizationId, result.group.organizationId)))
      .limit(1)

@@ -163,7 +164,11 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
      actorName: session.user.name ?? undefined,
      actorEmail: session.user.email ?? undefined,
      description: `Added member ${userId} to permission group "${result.group.name}"`,
-      metadata: { targetUserId: userId, permissionGroupId: id },
+      metadata: {
+        targetUserId: userId,
+        targetEmail: orgMember.email ?? undefined,
+        permissionGroupId: id,
+      },
      request: req,
    })

@@ -218,8 +223,14 @@ export async function DELETE(req: NextRequest, { params }: { params: Promise<{ i
    }

    const [memberToRemove] = await db
-      .select()
+      .select({
+        id: permissionGroupMember.id,
+        permissionGroupId: permissionGroupMember.permissionGroupId,
+        userId: permissionGroupMember.userId,
+        email: user.email,
+      })
      .from(permissionGroupMember)
+      .innerJoin(user, eq(permissionGroupMember.userId, user.id))
      .where(
        and(eq(permissionGroupMember.id, memberId), eq(permissionGroupMember.permissionGroupId, id))
      )
@@ -247,7 +258,12 @@ export async function DELETE(req: NextRequest, { params }: { params: Promise<{ i
      actorName: session.user.name ?? undefined,
      actorEmail: session.user.email ?? undefined,
      description: `Removed member ${memberToRemove.userId} from permission group "${result.group.name}"`,
-      metadata: { targetUserId: memberToRemove.userId, memberId, permissionGroupId: id },
+      metadata: {
+        targetUserId: memberToRemove.userId,
+        targetEmail: memberToRemove.email ?? undefined,
+        memberId,
+        permissionGroupId: id,
+      },
      request: req,
    })

--- a/apps/sim/app/api/providers/route.ts
+++ b/apps/sim/app/api/providers/route.ts
@@ -6,7 +6,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
-import { refreshTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'
 import type { StreamingExecution } from '@/executor/types'
 import { executeProviderRequest } from '@/providers'

@@ -360,15 +360,20 @@ function sanitizeObject(obj: any): any {
 async function resolveVertexCredential(requestId: string, credentialId: string): Promise<string> {
  logger.info(`[${requestId}] Resolving Vertex AI credential: ${credentialId}`)

+  const resolved = await resolveOAuthAccountId(credentialId)
+  if (!resolved) {
+    throw new Error(`Vertex AI credential not found: ${credentialId}`)
+  }
+
  const credential = await db.query.account.findFirst({
-    where: eq(account.id, credentialId),
+    where: eq(account.id, resolved.accountId),
  })

  if (!credential) {
    throw new Error(`Vertex AI credential not found: ${credentialId}`)
  }

-  const { accessToken } = await refreshTokenIfNeeded(requestId, credential, credentialId)
+  const { accessToken } = await refreshTokenIfNeeded(requestId, credential, resolved.accountId)

  if (!accessToken) {
    throw new Error('Failed to get Vertex AI access token')
--- a/apps/sim/app/api/schedules/[id]/route.ts
+++ b/apps/sim/app/api/schedules/[id]/route.ts
@@ -26,7 +26,6 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{

  try {
    const { id: scheduleId } = await params
-    logger.debug(`[${requestId}] Reactivating schedule with ID: ${scheduleId}`)

    const session = await getSession()
    if (!session?.user?.id) {
@@ -116,6 +115,7 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
      actorName: session.user.name ?? undefined,
      actorEmail: session.user.email ?? undefined,
      description: `Reactivated schedule for workflow ${schedule.workflowId}`,
+      metadata: { cronExpression: schedule.cronExpression, timezone: schedule.timezone },
      request,
    })

--- a/apps/sim/app/api/schedules/execute/route.ts
+++ b/apps/sim/app/api/schedules/execute/route.ts
@@ -51,7 +51,6 @@ export async function GET(request: NextRequest) {
        lastQueuedAt: workflowSchedule.lastQueuedAt,
      })

-    logger.debug(`[${requestId}] Successfully queried schedules: ${dueSchedules.length} found`)
    logger.info(`[${requestId}] Processing ${dueSchedules.length} due scheduled workflows`)

    const jobQueue = await getJobQueue()
--- a/apps/sim/app/api/templates/[id]/route.ts
+++ b/apps/sim/app/api/templates/[id]/route.ts
@@ -24,8 +24,6 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
  try {
    const session = await getSession()

-    logger.debug(`[${requestId}] Fetching template: ${id}`)
-
    const result = await db
      .select({
        template: templates,
@@ -74,8 +72,6 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
            views: sql`${templates.views} + 1`,
          })
          .where(eq(templates.id, id))
-
-        logger.debug(`[${requestId}] Incremented view count for template: ${id}`)
      } catch (viewError) {
        logger.warn(`[${requestId}] Failed to increment view count for template: ${id}`, viewError)
      }
--- a/apps/sim/app/api/templates/[id]/star/route.ts
+++ b/apps/sim/app/api/templates/[id]/star/route.ts
@@ -58,8 +58,6 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }

-    logger.debug(`[${requestId}] Adding star for template: ${id}, user: ${session.user.id}`)
-
    // Verify the template exists
    const templateExists = await db
      .select({ id: templates.id })
@@ -133,8 +131,6 @@ export async function DELETE(
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }

-    logger.debug(`[${requestId}] Removing star for template: ${id}, user: ${session.user.id}`)
-
    // Check if the star exists
    const existingStar = await db
      .select({ id: templateStars.id })
--- a/apps/sim/app/api/templates/route.ts
+++ b/apps/sim/app/api/templates/route.ts
@@ -68,8 +68,6 @@ export async function GET(request: NextRequest) {
    const { searchParams } = new URL(request.url)
    const params = QueryParamsSchema.parse(Object.fromEntries(searchParams.entries()))

-    logger.debug(`[${requestId}] Fetching templates with params:`, params)
-
    // Check if user is a super user
    const { effectiveSuperUser } = await verifyEffectiveSuperUser(session.user.id)
    const isSuperUser = effectiveSuperUser
@@ -187,11 +185,6 @@ export async function POST(request: NextRequest) {
    const body = await request.json()
    const data = CreateTemplateSchema.parse(body)

-    logger.debug(`[${requestId}] Creating template:`, {
-      name: data.name,
-      workflowId: data.workflowId,
-    })
-
    // Verify the workflow exists and belongs to the user
    const workflowExists = await db
      .select({ id: workflow.id })
--- a/apps/sim/app/api/tools/gmail/label/route.ts
+++ b/apps/sim/app/api/tools/gmail/label/route.ts
@@ -1,12 +1,12 @@
 import { db } from '@sim/db'
 import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { and, eq } from 'drizzle-orm'
+import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'

 export const dynamic = 'force-dynamic'

@@ -41,10 +41,27 @@ export async function GET(request: NextRequest) {
      return NextResponse.json({ error: labelIdValidation.error }, { status: 400 })
    }

+    const resolved = await resolveOAuthAccountId(credentialId)
+    if (!resolved) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+
+    if (resolved.workspaceId) {
+      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+      const perm = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        resolved.workspaceId
+      )
+      if (perm === null) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }
+
    const credentials = await db
      .select()
      .from(account)
-      .where(and(eq(account.id, credentialId), eq(account.userId, session.user.id)))
+      .where(eq(account.id, resolved.accountId))
      .limit(1)

    if (!credentials.length) {
@@ -52,13 +69,17 @@ export async function GET(request: NextRequest) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }

-    const credential = credentials[0]
+    const accountRow = credentials[0]

    logger.info(
-      `[${requestId}] Using credential: ${credential.id}, provider: ${credential.providerId}`
+      `[${requestId}] Using credential: ${accountRow.id}, provider: ${accountRow.providerId}`
    )

-    const accessToken = await refreshAccessTokenIfNeeded(credentialId, session.user.id, requestId)
+    const accessToken = await refreshAccessTokenIfNeeded(
+      resolved.accountId,
+      accountRow.userId,
+      requestId
+    )

    if (!accessToken) {
      return NextResponse.json({ error: 'Failed to obtain valid access token' }, { status: 401 })
--- a/apps/sim/app/api/tools/gmail/labels/route.ts
+++ b/apps/sim/app/api/tools/gmail/labels/route.ts
@@ -1,12 +1,12 @@
 import { db } from '@sim/db'
 import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { and, eq } from 'drizzle-orm'
+import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'
 export const dynamic = 'force-dynamic'

 const logger = createLogger('GmailLabelsAPI')
@@ -45,27 +45,45 @@ export async function GET(request: NextRequest) {
      return NextResponse.json({ error: credentialIdValidation.error }, { status: 400 })
    }

-    let credentials = await db
-      .select()
-      .from(account)
-      .where(and(eq(account.id, credentialId), eq(account.userId, session.user.id)))
-      .limit(1)
+    const resolved = await resolveOAuthAccountId(credentialId)
+    if (!resolved) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }

-    if (!credentials.length) {
-      credentials = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
-      if (!credentials.length) {
-        logger.warn(`[${requestId}] Credential not found`)
-        return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    if (resolved.workspaceId) {
+      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+      const perm = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        resolved.workspaceId
+      )
+      if (perm === null) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
      }
    }

-    const credential = credentials[0]
+    const credentials = await db
+      .select()
+      .from(account)
+      .where(eq(account.id, resolved.accountId))
+      .limit(1)
+
+    if (!credentials.length) {
+      logger.warn(`[${requestId}] Credential not found`)
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+
+    const accountRow = credentials[0]

    logger.info(
-      `[${requestId}] Using credential: ${credential.id}, provider: ${credential.providerId}`
+      `[${requestId}] Using credential: ${accountRow.id}, provider: ${accountRow.providerId}`
    )

-    const accessToken = await refreshAccessTokenIfNeeded(credentialId, credential.userId, requestId)
+    const accessToken = await refreshAccessTokenIfNeeded(
+      resolved.accountId,
+      accountRow.userId,
+      requestId
+    )

    if (!accessToken) {
      return NextResponse.json({ error: 'Failed to obtain valid access token' }, { status: 401 })
--- a/apps/sim/app/api/tools/microsoft_planner/tasks/route.ts
+++ b/apps/sim/app/api/tools/microsoft_planner/tasks/route.ts
@@ -6,7 +6,7 @@ import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'
 import type { PlannerTask } from '@/tools/microsoft_planner/types'

 const logger = createLogger('MicrosoftPlannerTasksAPI')
@@ -42,24 +42,41 @@ export async function GET(request: NextRequest) {
      return NextResponse.json({ error: planIdValidation.error }, { status: 400 })
    }

-    const credentials = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+    const resolved = await resolveOAuthAccountId(credentialId)
+    if (!resolved) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+
+    if (resolved.workspaceId) {
+      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+      const perm = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        resolved.workspaceId
+      )
+      if (perm === null) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }
+
+    const credentials = await db
+      .select()
+      .from(account)
+      .where(eq(account.id, resolved.accountId))
+      .limit(1)

    if (!credentials.length) {
      logger.warn(`[${requestId}] Credential not found`, { credentialId })
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }

-    const credential = credentials[0]
+    const accountRow = credentials[0]

-    if (credential.userId !== session.user.id) {
-      logger.warn(`[${requestId}] Unauthorized credential access attempt`, {
-        credentialUserId: credential.userId,
-        requestUserId: session.user.id,
-      })
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
-    }
-
-    const accessToken = await refreshAccessTokenIfNeeded(credentialId, session.user.id, requestId)
+    const accessToken = await refreshAccessTokenIfNeeded(
+      resolved.accountId,
+      accountRow.userId,
+      requestId
+    )

    if (!accessToken) {
      logger.error(`[${requestId}] Failed to obtain valid access token`)
--- a/apps/sim/app/api/tools/onedrive/files/route.ts
+++ b/apps/sim/app/api/tools/onedrive/files/route.ts
@@ -6,7 +6,7 @@ import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'

 export const dynamic = 'force-dynamic'

@@ -45,22 +45,40 @@ export async function GET(request: NextRequest) {

    logger.info(`[${requestId}] Fetching credential`, { credentialId })

-    const credentials = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+    const resolved = await resolveOAuthAccountId(credentialId)
+    if (!resolved) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+
+    if (resolved.workspaceId) {
+      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+      const perm = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        resolved.workspaceId
+      )
+      if (perm === null) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }
+
+    const credentials = await db
+      .select()
+      .from(account)
+      .where(eq(account.id, resolved.accountId))
+      .limit(1)
    if (!credentials.length) {
      logger.warn(`[${requestId}] Credential not found`, { credentialId })
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }

-    const credential = credentials[0]
-    if (credential.userId !== session.user.id) {
-      logger.warn(`[${requestId}] Unauthorized credential access attempt`, {
-        credentialUserId: credential.userId,
-        requestUserId: session.user.id,
-      })
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
-    }
+    const accountRow = credentials[0]

-    const accessToken = await refreshAccessTokenIfNeeded(credentialId, session.user.id, requestId)
+    const accessToken = await refreshAccessTokenIfNeeded(
+      resolved.accountId,
+      accountRow.userId,
+      requestId
+    )
    if (!accessToken) {
      logger.error(`[${requestId}] Failed to obtain valid access token`)
      return NextResponse.json({ error: 'Failed to obtain valid access token' }, { status: 401 })
--- a/apps/sim/app/api/tools/onedrive/folder/route.ts
+++ b/apps/sim/app/api/tools/onedrive/folder/route.ts
@@ -6,7 +6,7 @@ import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'

 export const dynamic = 'force-dynamic'

@@ -34,17 +34,39 @@ export async function GET(request: NextRequest) {
      return NextResponse.json({ error: fileIdValidation.error }, { status: 400 })
    }

-    const credentials = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+    const resolved = await resolveOAuthAccountId(credentialId)
+    if (!resolved) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+
+    if (resolved.workspaceId) {
+      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+      const perm = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        resolved.workspaceId
+      )
+      if (perm === null) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }
+
+    const credentials = await db
+      .select()
+      .from(account)
+      .where(eq(account.id, resolved.accountId))
+      .limit(1)
    if (!credentials.length) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }

-    const credential = credentials[0]
-    if (credential.userId !== session.user.id) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
-    }
+    const accountRow = credentials[0]

-    const accessToken = await refreshAccessTokenIfNeeded(credentialId, session.user.id, requestId)
+    const accessToken = await refreshAccessTokenIfNeeded(
+      resolved.accountId,
+      accountRow.userId,
+      requestId
+    )
    if (!accessToken) {
      return NextResponse.json({ error: 'Failed to obtain valid access token' }, { status: 401 })
    }
--- a/apps/sim/app/api/tools/onedrive/folders/route.ts
+++ b/apps/sim/app/api/tools/onedrive/folders/route.ts
@@ -6,7 +6,7 @@ import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'

 export const dynamic = 'force-dynamic'

@@ -40,17 +40,39 @@ export async function GET(request: NextRequest) {
      return NextResponse.json({ error: credentialIdValidation.error }, { status: 400 })
    }

-    const credentials = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+    const resolved = await resolveOAuthAccountId(credentialId)
+    if (!resolved) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+
+    if (resolved.workspaceId) {
+      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+      const perm = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        resolved.workspaceId
+      )
+      if (perm === null) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }
+
+    const credentials = await db
+      .select()
+      .from(account)
+      .where(eq(account.id, resolved.accountId))
+      .limit(1)
    if (!credentials.length) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }

-    const credential = credentials[0]
-    if (credential.userId !== session.user.id) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
-    }
+    const accountRow = credentials[0]

-    const accessToken = await refreshAccessTokenIfNeeded(credentialId, session.user.id, requestId)
+    const accessToken = await refreshAccessTokenIfNeeded(
+      resolved.accountId,
+      accountRow.userId,
+      requestId
+    )
    if (!accessToken) {
      return NextResponse.json({ error: 'Failed to obtain valid access token' }, { status: 401 })
    }
--- a/apps/sim/app/api/tools/outlook/folders/route.ts
+++ b/apps/sim/app/api/tools/outlook/folders/route.ts
@@ -6,7 +6,7 @@ import { NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'

 export const dynamic = 'force-dynamic'

@@ -44,7 +44,28 @@ export async function GET(request: Request) {
        return NextResponse.json({ error: 'Authentication required' }, { status: 401 })
      }

-      const creds = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+      const resolved = await resolveOAuthAccountId(credentialId)
+      if (!resolved) {
+        return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+      }
+
+      if (resolved.workspaceId) {
+        const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+        const perm = await getUserEntityPermissions(
+          session!.user!.id,
+          'workspace',
+          resolved.workspaceId
+        )
+        if (perm === null) {
+          return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+        }
+      }
+
+      const creds = await db
+        .select()
+        .from(account)
+        .where(eq(account.id, resolved.accountId))
+        .limit(1)
      if (!creds.length) {
        logger.warn('Credential not found', { credentialId })
        return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
@@ -52,7 +73,7 @@ export async function GET(request: Request) {
      const credentialOwnerUserId = creds[0].userId

      const accessToken = await refreshAccessTokenIfNeeded(
-        credentialId,
+        resolved.accountId,
        credentialOwnerUserId,
        generateRequestId()
      )
--- a/apps/sim/app/api/tools/sharepoint/site/route.ts
+++ b/apps/sim/app/api/tools/sharepoint/site/route.ts
@@ -6,7 +6,7 @@ import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'

 export const dynamic = 'force-dynamic'

@@ -34,17 +34,39 @@ export async function GET(request: NextRequest) {
      return NextResponse.json({ error: siteIdValidation.error }, { status: 400 })
    }

-    const credentials = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+    const resolved = await resolveOAuthAccountId(credentialId)
+    if (!resolved) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+
+    if (resolved.workspaceId) {
+      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+      const perm = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        resolved.workspaceId
+      )
+      if (perm === null) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }
+
+    const credentials = await db
+      .select()
+      .from(account)
+      .where(eq(account.id, resolved.accountId))
+      .limit(1)
    if (!credentials.length) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }

-    const credential = credentials[0]
-    if (credential.userId !== session.user.id) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
-    }
+    const accountRow = credentials[0]

-    const accessToken = await refreshAccessTokenIfNeeded(credentialId, session.user.id, requestId)
+    const accessToken = await refreshAccessTokenIfNeeded(
+      resolved.accountId,
+      accountRow.userId,
+      requestId
+    )
    if (!accessToken) {
      return NextResponse.json({ error: 'Failed to obtain valid access token' }, { status: 401 })
    }
--- a/apps/sim/app/api/tools/sharepoint/sites/route.ts
+++ b/apps/sim/app/api/tools/sharepoint/sites/route.ts
@@ -6,7 +6,7 @@ import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'
 import type { SharepointSite } from '@/tools/sharepoint/types'

 export const dynamic = 'force-dynamic'
@@ -39,17 +39,39 @@ export async function GET(request: NextRequest) {
      return NextResponse.json({ error: credentialIdValidation.error }, { status: 400 })
    }

-    const credentials = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+    const resolved = await resolveOAuthAccountId(credentialId)
+    if (!resolved) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+
+    if (resolved.workspaceId) {
+      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+      const perm = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        resolved.workspaceId
+      )
+      if (perm === null) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }
+
+    const credentials = await db
+      .select()
+      .from(account)
+      .where(eq(account.id, resolved.accountId))
+      .limit(1)
    if (!credentials.length) {
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }

-    const credential = credentials[0]
-    if (credential.userId !== session.user.id) {
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
-    }
+    const accountRow = credentials[0]

-    const accessToken = await refreshAccessTokenIfNeeded(credentialId, session.user.id, requestId)
+    const accessToken = await refreshAccessTokenIfNeeded(
+      resolved.accountId,
+      accountRow.userId,
+      requestId
+    )
    if (!accessToken) {
      return NextResponse.json({ error: 'Failed to obtain valid access token' }, { status: 401 })
    }
--- a/apps/sim/app/api/tools/slack/send-ephemeral/route.ts
+++ b/apps/sim/app/api/tools/slack/send-ephemeral/route.ts
@@ -0,0 +1,96 @@
+import { createLogger } from '@sim/logger'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { generateRequestId } from '@/lib/core/utils/request'
+
+export const dynamic = 'force-dynamic'
+
+const logger = createLogger('SlackSendEphemeralAPI')
+
+const SlackSendEphemeralSchema = z.object({
+  accessToken: z.string().min(1, 'Access token is required'),
+  channel: z.string().min(1, 'Channel ID is required'),
+  user: z.string().min(1, 'User ID is required'),
+  text: z.string().min(1, 'Message text is required'),
+  thread_ts: z.string().optional().nullable(),
+  blocks: z.array(z.record(z.unknown())).optional().nullable(),
+})
+
+export async function POST(request: NextRequest) {
+  const requestId = generateRequestId()
+
+  try {
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+
+    if (!authResult.success) {
+      logger.warn(`[${requestId}] Unauthorized Slack ephemeral send attempt: ${authResult.error}`)
+      return NextResponse.json(
+        {
+          success: false,
+          error: authResult.error || 'Authentication required',
+        },
+        { status: 401 }
+      )
+    }
+
+    logger.info(
+      `[${requestId}] Authenticated Slack ephemeral send request via ${authResult.authType}`,
+      { userId: authResult.userId }
+    )
+
+    const body = await request.json()
+    const validatedData = SlackSendEphemeralSchema.parse(body)
+
+    logger.info(`[${requestId}] Sending ephemeral message`, {
+      channel: validatedData.channel,
+      user: validatedData.user,
+      threadTs: validatedData.thread_ts ?? undefined,
+    })
+
+    const response = await fetch('https://slack.com/api/chat.postEphemeral', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        Authorization: `Bearer ${validatedData.accessToken}`,
+      },
+      body: JSON.stringify({
+        channel: validatedData.channel,
+        user: validatedData.user,
+        text: validatedData.text,
+        ...(validatedData.thread_ts && { thread_ts: validatedData.thread_ts }),
+        ...(validatedData.blocks &&
+          validatedData.blocks.length > 0 && { blocks: validatedData.blocks }),
+      }),
+    })
+
+    const data = await response.json()
+
+    if (!data.ok) {
+      logger.error(`[${requestId}] Slack API error:`, data.error)
+      return NextResponse.json(
+        { success: false, error: data.error || 'Failed to send ephemeral message' },
+        { status: 400 }
+      )
+    }
+
+    logger.info(`[${requestId}] Ephemeral message sent successfully`)
+
+    return NextResponse.json({
+      success: true,
+      output: {
+        messageTs: data.message_ts,
+        channel: validatedData.channel,
+      },
+    })
+  } catch (error) {
+    logger.error(`[${requestId}] Error sending ephemeral message:`, error)
+    return NextResponse.json(
+      {
+        success: false,
+        error: error instanceof Error ? error.message : 'Unknown error occurred',
+      },
+      { status: 500 }
+    )
+  }
+}
--- a/apps/sim/app/api/tools/slack/send-message/route.ts
+++ b/apps/sim/app/api/tools/slack/send-message/route.ts
@@ -17,6 +17,7 @@ const SlackSendMessageSchema = z
    userId: z.string().optional().nullable(),
    text: z.string().min(1, 'Message text is required'),
    thread_ts: z.string().optional().nullable(),
+    blocks: z.array(z.record(z.unknown())).optional().nullable(),
    files: RawFileInputArraySchema.optional().nullable(),
  })
  .refine((data) => data.channel || data.userId, {
@@ -63,6 +64,7 @@ export async function POST(request: NextRequest) {
        userId: validatedData.userId ?? undefined,
        text: validatedData.text,
        threadTs: validatedData.thread_ts ?? undefined,
+        blocks: validatedData.blocks ?? undefined,
        files: validatedData.files ?? undefined,
      },
      requestId,
--- a/apps/sim/app/api/tools/slack/update-message/route.ts
+++ b/apps/sim/app/api/tools/slack/update-message/route.ts
@@ -13,6 +13,7 @@ const SlackUpdateMessageSchema = z.object({
  channel: z.string().min(1, 'Channel is required'),
  timestamp: z.string().min(1, 'Message timestamp is required'),
  text: z.string().min(1, 'Message text is required'),
+  blocks: z.array(z.record(z.unknown())).optional().nullable(),
 })

 export async function POST(request: NextRequest) {
@@ -57,6 +58,8 @@ export async function POST(request: NextRequest) {
        channel: validatedData.channel,
        ts: validatedData.timestamp,
        text: validatedData.text,
+        ...(validatedData.blocks &&
+          validatedData.blocks.length > 0 && { blocks: validatedData.blocks }),
      }),
    })

--- a/apps/sim/app/api/tools/slack/utils.ts
+++ b/apps/sim/app/api/tools/slack/utils.ts
@@ -11,7 +11,8 @@ export async function postSlackMessage(
  accessToken: string,
  channel: string,
  text: string,
-  threadTs?: string | null
+  threadTs?: string | null,
+  blocks?: unknown[] | null
 ): Promise<{ ok: boolean; ts?: string; channel?: string; message?: any; error?: string }> {
  const response = await fetch('https://slack.com/api/chat.postMessage', {
    method: 'POST',
@@ -23,6 +24,7 @@ export async function postSlackMessage(
      channel,
      text,
      ...(threadTs && { thread_ts: threadTs }),
+      ...(blocks && blocks.length > 0 && { blocks }),
    }),
  })

@@ -220,6 +222,7 @@ export interface SlackMessageParams {
  userId?: string
  text: string
  threadTs?: string | null
+  blocks?: unknown[] | null
  files?: any[] | null
 }

@@ -242,7 +245,7 @@ export async function sendSlackMessage(
  }
  error?: string
 }> {
-  const { accessToken, text, threadTs, files } = params
+  const { accessToken, text, threadTs, blocks, files } = params
  let { channel } = params

  if (!channel && params.userId) {
@@ -258,7 +261,7 @@ export async function sendSlackMessage(
  if (!files || files.length === 0) {
    logger.info(`[${requestId}] No files, using chat.postMessage`)

-    const data = await postSlackMessage(accessToken, channel, text, threadTs)
+    const data = await postSlackMessage(accessToken, channel, text, threadTs, blocks)

    if (!data.ok) {
      logger.error(`[${requestId}] Slack API error:`, data.error)
@@ -282,7 +285,7 @@ export async function sendSlackMessage(
  if (fileIds.length === 0) {
    logger.warn(`[${requestId}] No valid files to upload, sending text-only message`)

-    const data = await postSlackMessage(accessToken, channel, text, threadTs)
+    const data = await postSlackMessage(accessToken, channel, text, threadTs, blocks)

    if (!data.ok) {
      return { success: false, error: data.error || 'Failed to send message' }
--- a/apps/sim/app/api/tools/stagehand/agent/route.ts
+++ b/apps/sim/app/api/tools/stagehand/agent/route.ts
@@ -165,7 +165,7 @@ export async function POST(request: NextRequest) {
    }

    const modelName =
-      provider === 'anthropic' ? 'anthropic/claude-3-7-sonnet-latest' : 'openai/gpt-4.1'
+      provider === 'anthropic' ? 'anthropic/claude-sonnet-4-5-20250929' : 'openai/gpt-5'

    try {
      logger.info('Initializing Stagehand with Browserbase (v3)', { provider, modelName })
--- a/apps/sim/app/api/tools/stagehand/extract/route.ts
+++ b/apps/sim/app/api/tools/stagehand/extract/route.ts
@@ -101,7 +101,7 @@ export async function POST(request: NextRequest) {

    try {
      const modelName =
-        provider === 'anthropic' ? 'anthropic/claude-3-7-sonnet-latest' : 'openai/gpt-4.1'
+        provider === 'anthropic' ? 'anthropic/claude-sonnet-4-5-20250929' : 'openai/gpt-5'

      logger.info('Initializing Stagehand with Browserbase (v3)', { provider, modelName })

--- a/apps/sim/app/api/tools/wealthbox/item/route.ts
+++ b/apps/sim/app/api/tools/wealthbox/item/route.ts
@@ -6,7 +6,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { validateEnum, validatePathSegment } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'

 export const dynamic = 'force-dynamic'

@@ -64,24 +64,41 @@ export async function GET(request: NextRequest) {
      return NextResponse.json({ error: credentialIdValidation.error }, { status: 400 })
    }

-    const credentials = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+    const resolved = await resolveOAuthAccountId(credentialId)
+    if (!resolved) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+
+    if (resolved.workspaceId) {
+      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+      const perm = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        resolved.workspaceId
+      )
+      if (perm === null) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }
+
+    const credentials = await db
+      .select()
+      .from(account)
+      .where(eq(account.id, resolved.accountId))
+      .limit(1)

    if (!credentials.length) {
      logger.warn(`[${requestId}] Credential not found`, { credentialId })
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }

-    const credential = credentials[0]
+    const accountRow = credentials[0]

-    if (credential.userId !== session.user.id) {
-      logger.warn(`[${requestId}] Unauthorized credential access attempt`, {
-        credentialUserId: credential.userId,
-        requestUserId: session.user.id,
-      })
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
-    }
-
-    const accessToken = await refreshAccessTokenIfNeeded(credentialId, session.user.id, requestId)
+    const accessToken = await refreshAccessTokenIfNeeded(
+      resolved.accountId,
+      accountRow.userId,
+      requestId
+    )

    if (!accessToken) {
      logger.error(`[${requestId}] Failed to obtain valid access token`)
--- a/apps/sim/app/api/tools/wealthbox/items/route.ts
+++ b/apps/sim/app/api/tools/wealthbox/items/route.ts
@@ -6,7 +6,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { validateEnum, validatePathSegment } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
+import { refreshAccessTokenIfNeeded, resolveOAuthAccountId } from '@/app/api/auth/oauth/utils'

 export const dynamic = 'force-dynamic'

@@ -64,24 +64,41 @@ export async function GET(request: NextRequest) {
      return NextResponse.json({ error: typeValidation.error }, { status: 400 })
    }

-    const credentials = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)
+    const resolved = await resolveOAuthAccountId(credentialId)
+    if (!resolved) {
+      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
+    }
+
+    if (resolved.workspaceId) {
+      const { getUserEntityPermissions } = await import('@/lib/workspaces/permissions/utils')
+      const perm = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        resolved.workspaceId
+      )
+      if (perm === null) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+    }
+
+    const credentials = await db
+      .select()
+      .from(account)
+      .where(eq(account.id, resolved.accountId))
+      .limit(1)

    if (!credentials.length) {
      logger.warn(`[${requestId}] Credential not found`, { credentialId })
      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
    }

-    const credential = credentials[0]
+    const accountRow = credentials[0]

-    if (credential.userId !== session.user.id) {
-      logger.warn(`[${requestId}] Unauthorized credential access attempt`, {
-        credentialUserId: credential.userId,
-        requestUserId: session.user.id,
-      })
-      return NextResponse.json({ error: 'Unauthorized' }, { status: 403 })
-    }
-
-    const accessToken = await refreshAccessTokenIfNeeded(credentialId, session.user.id, requestId)
+    const accessToken = await refreshAccessTokenIfNeeded(
+      resolved.accountId,
+      accountRow.userId,
+      requestId
+    )

    if (!accessToken) {
      logger.error(`[${requestId}] Failed to obtain valid access token`)
--- a/apps/sim/app/api/users/me/api-keys/[id]/route.ts
+++ b/apps/sim/app/api/users/me/api-keys/[id]/route.ts
@@ -18,7 +18,6 @@ export async function DELETE(
  const { id } = await params

  try {
-    logger.debug(`[${requestId}] Deleting API key: ${id}`)
    const session = await getSession()
    if (!session?.user?.id) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
--- a/apps/sim/app/api/v1/admin/workspaces/[id]/members/[memberId]/route.ts
+++ b/apps/sim/app/api/v1/admin/workspaces/[id]/members/[memberId]/route.ts
@@ -25,6 +25,7 @@ import { db } from '@sim/db'
 import { permissions, user, workspace } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
+import { revokeWorkspaceCredentialMemberships } from '@/lib/credentials/access'
 import { withAdminAuthParams } from '@/app/api/v1/admin/middleware'
 import {
  badRequestResponse,
@@ -215,6 +216,8 @@ export const DELETE = withAdminAuthParams<RouteParams>(async (_, context) => {

    await db.delete(permissions).where(eq(permissions.id, memberId))

+    await revokeWorkspaceCredentialMemberships(workspaceId, existingMember.userId)
+
    logger.info(`Admin API: Removed member ${memberId} from workspace ${workspaceId}`, {
      userId: existingMember.userId,
    })
--- a/apps/sim/app/api/v1/admin/workspaces/[id]/members/route.ts
+++ b/apps/sim/app/api/v1/admin/workspaces/[id]/members/route.ts
@@ -32,9 +32,10 @@

 import crypto from 'crypto'
 import { db } from '@sim/db'
-import { permissions, user, workspace } from '@sim/db/schema'
+import { permissions, user, workspace, workspaceEnvironment } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, count, eq } from 'drizzle-orm'
+import { syncWorkspaceEnvCredentials } from '@/lib/credentials/environment'
 import { withAdminAuthParams } from '@/app/api/v1/admin/middleware'
 import {
  badRequestResponse,
@@ -232,6 +233,20 @@ export const POST = withAdminAuthParams<RouteParams>(async (request, context) =>
      permissionId,
    })

+    const [wsEnvRow] = await db
+      .select({ variables: workspaceEnvironment.variables })
+      .from(workspaceEnvironment)
+      .where(eq(workspaceEnvironment.workspaceId, workspaceId))
+      .limit(1)
+    const wsEnvKeys = Object.keys((wsEnvRow?.variables as Record<string, string>) || {})
+    if (wsEnvKeys.length > 0) {
+      await syncWorkspaceEnvCredentials({
+        workspaceId,
+        envKeys: wsEnvKeys,
+        actingUserId: body.userId,
+      })
+    }
+
    return singleResponse({
      id: permissionId,
      workspaceId,
--- a/apps/sim/app/api/wand/route.ts
+++ b/apps/sim/app/api/wand/route.ts
@@ -103,12 +103,10 @@ async function updateUserStatsForWand(
  isBYOK = false
 ): Promise<void> {
  if (!isBillingEnabled) {
-    logger.debug(`[${requestId}] Billing is disabled, skipping wand usage cost update`)
    return
  }

  if (!usage.total_tokens || usage.total_tokens <= 0) {
-    logger.debug(`[${requestId}] No tokens to update in user stats`)
    return
  }

@@ -146,13 +144,6 @@ async function updateUserStatsForWand(
      })
      .where(eq(userStats.userId, userId))

-    logger.debug(`[${requestId}] Updated user stats for wand usage`, {
-      userId,
-      tokensUsed: totalTokens,
-      costAdded: costToStore,
-      isBYOK,
-    })
-
    await logModelUsage({
      userId,
      source: 'wand',
@@ -291,23 +282,8 @@ export async function POST(req: NextRequest) {

    messages.push({ role: 'user', content: prompt })

-    logger.debug(
-      `[${requestId}] Calling ${useWandAzure ? 'Azure OpenAI' : 'OpenAI'} API for wand generation`,
-      {
-        stream,
-        historyLength: history.length,
-        endpoint: useWandAzure ? azureEndpoint : 'api.openai.com',
-        model: useWandAzure ? wandModelName : 'gpt-4o',
-        apiVersion: useWandAzure ? azureApiVersion : 'N/A',
-      }
-    )
-
    if (stream) {
      try {
-        logger.debug(
-          `[${requestId}] Starting streaming request to ${useWandAzure ? 'Azure OpenAI' : 'OpenAI'}`
-        )
-
        logger.info(
          `[${requestId}] About to create stream with model: ${useWandAzure ? wandModelName : 'gpt-4o'}`
        )
@@ -327,8 +303,6 @@ export async function POST(req: NextRequest) {
          headers.Authorization = `Bearer ${activeOpenAIKey}`
        }

-        logger.debug(`[${requestId}] Making streaming request to: ${apiUrl}`)
-
        const response = await fetch(apiUrl, {
          method: 'POST',
          headers,
@@ -429,7 +403,6 @@ export async function POST(req: NextRequest) {
                  try {
                    parsed = JSON.parse(data)
                  } catch (parseError) {
-                    logger.debug(`[${requestId}] Skipped non-JSON line: ${data.substring(0, 100)}`)
                    continue
                  }

--- a/apps/sim/app/api/webhooks/[id]/route.ts
+++ b/apps/sim/app/api/webhooks/[id]/route.ts
@@ -21,7 +21,6 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{

  try {
    const { id } = await params
-    logger.debug(`[${requestId}] Fetching webhook with ID: ${id}`)

    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!auth.success || !auth.userId) {
@@ -77,7 +76,6 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<

  try {
    const { id } = await params
-    logger.debug(`[${requestId}] Updating webhook with ID: ${id}`)

    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!auth.success || !auth.userId) {
@@ -129,11 +127,6 @@ export async function PATCH(request: NextRequest, { params }: { params: Promise<
      return NextResponse.json({ error: 'Access denied' }, { status: 403 })
    }

-    logger.debug(`[${requestId}] Updating webhook properties`, {
-      hasActiveUpdate: isActive !== undefined,
-      hasFailedCountUpdate: failedCount !== undefined,
-    })
-
    const updatedWebhook = await db
      .update(webhook)
      .set({
@@ -161,7 +154,6 @@ export async function DELETE(

  try {
    const { id } = await params
-    logger.debug(`[${requestId}] Deleting webhook with ID: ${id}`)

    const auth = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
    if (!auth.success || !auth.userId) {
--- a/apps/sim/app/api/webhooks/route.ts
+++ b/apps/sim/app/api/webhooks/route.ts
@@ -112,7 +112,6 @@ export async function GET(request: NextRequest) {
      return NextResponse.json({ webhooks: [] }, { status: 200 })
    }

-    logger.debug(`[${requestId}] Fetching workspace-accessible webhooks for ${session.user.id}`)
    const workspacePermissionRows = await db
      .select({ workspaceId: permissions.entityId })
      .from(permissions)
--- a/apps/sim/app/api/workflows/[id]/chat/status/route.ts
+++ b/apps/sim/app/api/workflows/[id]/chat/status/route.ts
@@ -35,8 +35,6 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
      )
    }

-    logger.debug(`[${requestId}] Checking chat deployment status for workflow: ${id}`)
-
    // Find any active chat deployments for this workflow
    const deploymentResults = await db
      .select({
--- a/Show More
+++ b/Show More